Debugging Fundamentals Module 4 - DLLs (Patreon)
Published:
2022-04-08 23:00:37
Imported:
2023-09
Further Research
- Why do I get ERROR_INVALID_HANDLE from GetModuleFileNameEx
- x64dbg source for DLL load
- GetFinalPathNameByHandleA
- LOAD_DLL_DEBUG_INFO
Lab 4
When launched, the debugger prints a LOAD_DLL_DEBUG_EVENT line for each loaded DLL along with some additional information about the DLL. Note that we are using the pefile Python module to parse the PE headers of each DLL.
Lab 4 - Exercise
Update the handle_event_load_dll code to check whether the loaded DLL is "ntdll.dll". When "ntdll.dll" is loaded, print the virtual address of the export "NtWriteFile".
Hint: the DLL export names are byte strings (b"NtWriteFile"), while the DLL name is a regular string.
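One way to solve the exercise, as an added example that is not the course's own lab code: the handler signature, the field names and the way the image path was obtained from the LOAD_DLL_DEBUG_INFO hFile (for instance with GetFinalPathNameByHandle) are assumptions, and the pure-Python helpers work even where pefile is not installed.

```python
# Added example for Lab 4 (not the course's own solution code).
# Assumes the debugger loop has already resolved the DLL path from the
# LOAD_DLL_DEBUG_INFO hFile (e.g. via GetFinalPathNameByHandle) and passes
# it together with lpBaseOfDll to this handler; those names are assumptions,
# as is the availability of the third-party pefile module at runtime.
from collections import namedtuple

try:
    import pefile  # pip install pefile
except ImportError:  # the pure-Python helpers below still work without it
    pefile = None

# Minimal stand-in for pefile's ExportData entries: name is bytes (or None
# for ordinal-only exports), address is an RVA, forwarder is None unless
# the export is forwarded to another module.
Export = namedtuple("Export", "name address forwarder")

def is_target_dll(image_path, wanted="ntdll.dll"):
    """Compare only the basename, case-insensitively: the path the debugger
    sees varies (\\??\\C:\\Windows\\System32\\ntdll.dll, NTDLL.DLL, ...)."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower() == wanted.lower()

def find_export_va(exports, base_of_dll, symbol=b"NtWriteFile"):
    """Return the virtual address of `symbol` (bytes, per the hint) or None.
    VA = load base + export RVA. A forwarded export has no code in this
    module, so it yields None rather than a meaningless address."""
    for exp in exports:
        if exp.name == symbol:
            if exp.forwarder is not None:
                return None
            return base_of_dll + exp.address
    return None

def handle_event_load_dll(image_path, base_of_dll):
    """Called once per LOAD_DLL_DEBUG_EVENT (assumed signature)."""
    print(f"LOAD_DLL_DEBUG_EVENT {image_path} base=0x{base_of_dll:x}")
    if not is_target_dll(image_path) or pefile is None:
        return None
    # Parse only the export directory; a full parse of ntdll.dll is slow.
    pe = pefile.PE(image_path, fast_load=True)
    pe.parse_data_directories(
        directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]])
    va = find_export_va(pe.DIRECTORY_ENTRY_EXPORT.symbols, base_of_dll)
    if va is not None:
        print(f"NtWriteFile @ 0x{va:x}")
    return va
```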