The unknown image

At this point, we have the memory dump opened in IDA Pro and have the same unknown image mapped into a Calculator process. We will work with both tools by using IDA Pro for viewing the disassembly code and x86dbg for debugging.

In x86dbg, we have placed a breakpoint at the WinMain address of the unknown image. However, the instruction pointer is still at an NTDLL address. Hit F9 to make it continue and bring us to our WinMain.

Taking a detailed look at the disassembly codes from WinMain, we will notice an SEH anti-debug here: 

call sub_4017CB goes to a subroutine that has a call $+5pop eax, and then a retn instruction.   ...

Get Mastering Reverse Engineering now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.