#tips of the day: #reverseengineering with #x64dbg, you can automatically breakpoint on the next call. Go in "Tracing" -> "Trace Over" (or ctrl+alt+F8) and in the break condition put "dis.iscall(EIP)". It will automatically break at the next call.
You can also directly use this command line: "TraceOverConditional dis.iscall(EIP)" and do arrow up + Enter to go from call to call...
Something I often use is this command line: "TraceOverConditional dis.iscall(EIP) || dis.isret(EIP)" and the debugger will stop at each Call or Ret. Nice if you want to quickly look at the API call without losing control ;)
Replace EIP by RIP in x64.
#tips #reverseengineering #x64dbg
RT @_n1ghtw0lf@twitter.com
I've published 2 quick tutorials about writing #x64dbg scripts and plugins, hope you learn something new :)
https://n1ght-w0lf.github.io/tutorials/writing-x64dbg-scripts/
https://n1ght-w0lf.github.io/tutorials/writing-x64dbg-plugins/
🐦🔗: https://twitter.com/_n1ghtw0lf/status/1604146469032038400
Today the fourth edition of my book on malware analysis is released by ENI editions. What's new: a co-author (@Sebdraven), #ghidra, #rizin, #cutter, #x64dbg... But above all a brand new chapter dedicated to Threat Intelligence (with #MISP, #yeti, etc.).
The full table of contents is available here: https://www.editions-eni.fr/livre/cybersecurite-et-malwares-detection-analyse-et-threat-intelligence-4e-edition-9782409038105
#ghidra #rizin #cutter #x64dbg #misp #yeti
#tip of the day #reverse: #x64dbg does not "follow" the newly created processes. However you can install this plugin to be able to do so: https://github.com/therealdreg/DbgChild
You simply have to copy the Release files into the plugins repository. It will run a watcher looking for newly created processes and will automatically attach a new debugger to them.
#tip #reverse #x64dbg #happydebug
#tip of the day #reverse: in #x64dbg you can search for a string (or hexadecimal value) in memory. The command is:
- findallmem 0x0,"73616d706c652e657865"
The first argument is the address to start searching from (0x0 in my example) and the second argument is what you are looking for ("sample.exe" in hex in my example).
x64dbg will display the number of occurrences. Each occurrence can be shown by using ref.addr(0), ref.addr(1), ref.addr(2), etc. And you can click on the address to jump to it in the Dump view.
#tips of the day: in #x64dbg, in the "symbols" tab you cannot set a breakpoint on a library which is not already loaded. For example, a malware that dynamically loads wininet.dll to perform network queries. Or a shellcode.
First approach: you can go in "Options" -> "Preferences" and check "System DLL Load". The limitation is you will have a break for each loaded library...
Second approach: the command line, simply run "bpdll wininet.dll" and x64dbg will breakpoint only when wininet will be loaded.
#tip of the day #reverse: #x64dbg supports Python extensions. You simply need to install: https://github.com/x64dbg/x64dbgpy. Take the precompiled binaries and copy the files into the x64dbg Plugin repository.
Here is an example of script to switch from HTTPS (port 443) to HTTP (port 80) when InternetConnectW() is called. The logic is simple:
- I create a breakpoint on this API,
- I set a callback function
- this function will be called when the API is called
- if the 3rd argument of InternetConnectW() (stored in R8 on x64) is 443, I change it to 80
- finally, the debugged file continues its execution.
Here is a screenshot:
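The same port rewrite, as an added example written in x64dbg's built-in script language rather than x64dbgpy (this is not the author's script from the screenshot). It assumes the x64 build of the target, so the third argument is in R8, and that wininet.dll is already loaded so the InternetConnectW symbol resolves. Keep in mind that x64dbg expressions treat bare numbers as hexadecimal, so decimal 443 and 80 are written 0x1BB and 0x50 (or .443 and .80).

```text
// Added example: patch InternetConnectW's nServerPort (3rd argument, R8 on x64) from 443 to 80.
// Assumes wininet.dll is loaded so the symbol resolves; otherwise use "bpdll wininet.dll" first.
bp InternetConnectW

// Only run the breakpoint command when the port is decimal 443 (0x1BB, numbers are hex by default).
SetBreakpointCommandCondition InternetConnectW, "r8==0x1BB"

// The command executed on each hit: rewrite R8 to decimal 80 (0x50).
SetBreakpointCommand InternetConnectW, "mov r8, 0x50"

// Break condition 0: never pause, the argument is patched and the debuggee keeps running.
// Fast resume is left at its default (off) so the command above is still evaluated on every hit.
SetBreakpointCondition InternetConnectW, "0"
```

Paste these lines in the command bar one by one or run them as a .txt script from the "Script" tab; raise the break condition back to 1 if you want to inspect the call each time instead of letting it continue.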