
The Reverser's Draft

Coding & Malware & Reverse Engineering

The PEB Walk Anatomy

Intro & Motivation

The Process Environment Block (PEB) is a user-mode data structure created by the Windows kernel for each process in the NT family of operating systems. It stores process-wide state used by ntdll/user32/loader internals — things like a pointer to the list of loaded modules, process startup parameters, and a BeingDebugged flag. The PEB is not a public, stable Windows API — Microsoft documents only a few fields (and warns that the layout may change). Still, the structure has been studied extensively by researchers and reverse engineers because it is accessible from user mode and contains the module lists that shellcode and malware often rely on.

The Abuse of Exception Handlers

The Definition

Everyone interested in programming has probably run into the all-too-famous “try-catch” construct. It is nothing new, and it is essentially what we will talk about today. I have always said that it is good to understand what happens behind the scenes; try-catch is not mysterious, and it is fairly easy to understand. But most of the time we only talk about the surface of it and do not dig into the details. If you want to get to the core of it, it is time to stop staying on the surface and take a look at the structure behind it. To start, let’s define what Exception Handling is.

Qakbot Analysis

The Qakbot Malware Family

QBot is a modular information stealer also known as Oakboat, Pinkslipbot, Qbot or Quakbot. It has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses C2 servers to select and download follow-on payloads.
