The unknown image

At this point, we have the memory dump opened in IDA Pro and have the same unknown image mapped into a Calculator process. We will work with both tools by using IDA Pro for viewing the disassembly code and x86dbg for debugging.

In x86dbg, we have placed a breakpoint at the WinMain address of the unknown image. However, the instruction pointer is still at an NTDLL address. Hit F9 to continue execution, which brings us to our WinMain.

Taking a detailed look at the disassembly code from WinMain, we will notice an SEH anti-debug here:

call sub_4017CB goes to a subroutine that consists of a call $+5, a pop eax, and then a retn instruction. ...
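As an added example (not code from the book or from the unknown image), the following C shows what that call $+5 / pop eax / retn stub leaves in eax, and how an analyst can flag the stub's byte pattern in a code buffer during triage. The sample bytes are constructed, and the native demonstration assumes a GCC or Clang toolchain on x86-64.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encoding of the three-instruction stub described above (32-bit x86):
 *   E8 00 00 00 00   call $+5   (call the very next instruction)
 *   58               pop eax    (pushed return address = address of this pop)
 *   C3               retn       (return to the original caller with eax set) */
static const unsigned char GET_PC_STUB[] = { 0xE8, 0x00, 0x00, 0x00, 0x00, 0x58, 0xC3 };

/* Scan a code buffer for the stub; returns its offset, or -1 if absent. */
static long find_get_pc_stub(const unsigned char *code, size_t len) {
    for (size_t i = 0; i + sizeof GET_PC_STUB <= len; i++)
        if (memcmp(code + i, GET_PC_STUB, sizeof GET_PC_STUB) == 0)
            return (long)i;
    return -1;
}

/* Value left in eax when the stub at image_base+off runs: the address of
 * the pop instruction, i.e. the byte right after the 5-byte call. */
static uint32_t stub_eax_value(uint32_t image_base, uint32_t off) {
    return image_base + off + 5;
}

/* Constructed sample (not from the dump): push ebp / mov ebp,esp / stub. */
static const unsigned char SAMPLE_CODE[] = { 0x55, 0x8B, 0xEC, 0xE8, 0, 0, 0, 0, 0x58, 0xC3 };

#if defined(__x86_64__)
/* The same trick executed natively with 64-bit registers: the call pushes
 * the address of label 1 and the pop retrieves it. The stack pointer is
 * moved below the SysV red zone first so the push cannot clobber locals. */
__attribute__((noinline)) static uintptr_t get_pc(void) {
    uintptr_t pc;
    __asm__ volatile ("sub $128, %%rsp\n\t"
                      "call 1f\n\t"
                      "1: pop %0\n\t"
                      "add $128, %%rsp"
                      : "=r"(pc) : : "memory");
    return pc;
}
/* The recovered address must lie inside get_pc itself, just past its prologue. */
static int get_pc_points_into_itself(void) {
    uintptr_t pc = get_pc(), start = (uintptr_t)get_pc;
    return pc > start && pc < start + 64;
}
#else
#error "the native get_pc demonstration targets x86-64"
#endif

int main(void) {
    long off = find_get_pc_stub(SAMPLE_CODE, sizeof SAMPLE_CODE);
    printf("stub at offset %ld, eax would hold 0x%08X\n", off, stub_eax_value(0x00400000u, (uint32_t)off));
    printf("native get_pc points into itself: %d\n", get_pc_points_into_itself());
    return 0;
}
```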
