
First steps in malware reversing

The previous article gave a short description of the loading process through the LDR_DATA structure. From it we learned that the program tries to load 'ntdll.dll'. Now we have to work out exactly which functions this program will use.

0x0040105c   push dword [eax+0x8]
0x0040105f   call 0x401077
  • eax holds a pointer to the LDR_MODULE struct, so adding 0x8 reaches the BaseAddress field; the `push dword [eax+0x8]` therefore pushes the module's base address as the argument. After that we call 0x401077; the `call` pushes the return address 0x00401064 (the address of the next instruction) onto the stack.
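To make the return-address arithmetic concrete, here is an added example (not code from the original article) that decodes a 32-bit `call rel32` instruction the way a disassembler does: the target is the address of the next instruction plus a signed displacement, and the return address pushed on the stack is that next-instruction address. The opcode bytes `E8 13 00 00 00` are reconstructed from the listing above (0x401077 - 0x401064 = 0x13), since the page only shows the disassembly text; they are an assumption, not bytes copied from the sample.

```python
import struct

CALL_REL32_OPCODE = 0xE8
CALL_REL32_LEN = 5  # opcode + 4-byte signed displacement


def decode_call(insn_addr: int, code: bytes) -> tuple[int, int]:
    """Decode a 32-bit `call rel32` located at insn_addr.

    Returns (target, return_address), where return_address is the
    address of the following instruction, i.e. what the CPU pushes.
    The displacement is signed, so backward calls decode correctly.
    """
    if len(code) < CALL_REL32_LEN or code[0] != CALL_REL32_OPCODE:
        raise ValueError("not a call rel32 instruction")
    (rel32,) = struct.unpack("<i", code[1:5])  # little-endian, signed
    return_address = (insn_addr + CALL_REL32_LEN) & 0xFFFFFFFF
    target = (return_address + rel32) & 0xFFFFFFFF
    return target, return_address


def encode_call(insn_addr: int, target: int) -> bytes:
    """Inverse of decode_call: build the bytes of `call target` at insn_addr."""
    rel32 = (target - (insn_addr + CALL_REL32_LEN)) & 0xFFFFFFFF
    return bytes([CALL_REL32_OPCODE]) + struct.pack("<I", rel32)


if __name__ == "__main__":
    # Constructed bytes for the `call 0x401077` at 0x0040105f in the listing.
    code = bytes([0xE8, 0x13, 0x00, 0x00, 0x00])
    target, ret = decode_call(0x40105F, code)
    print(f"call at 0x{0x40105F:08x}: target=0x{target:08x} return=0x{ret:08x}")
    # A backward call (negative displacement) decodes the same way.
    back = encode_call(0x401100, 0x401000)
    print(back.hex(), decode_call(0x401100, back))
```

Running it shows the target 0x00401077 and the return address 0x00401064 for the instruction at 0x0040105f, matching the stack layout described above; the encoder is included so you can check the displacement for any other call you meet while stepping through the sample.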