Feature: call $+5
Summary
Add (one-off) feature to match on call $+5; often used in shellcode or for obfuscation.
Motivation
Help to detect shellcode and anti-disassembly techniques.
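As an added example (not code from the issue or from the project it targets), here is the instruction-level check the requested feature boils down to, run over a constructed byte sample: on x86/x64 a near call is E8 followed by a signed 32-bit displacement relative to the next instruction, so a displacement of zero is exactly `call $+5`, the get-PC idiom shellcode uses and a trick that confuses linear disassembly.

```python
import struct
from typing import List, Tuple

# Constructed sample, not taken from any real file:
#   E8 00 00 00 00   call $+5    ; pushes the address of the next instruction
#   5B               pop ebx     ; ebx now holds the current address (get-PC)
#   90 90            nop ; nop
#   E8 10 00 00 00   call +0x10  ; an ordinary relative call, must NOT match
SAMPLE = bytes.fromhex("E8000000005B9090E810000000")

CALL_REL32 = 0xE8
CALL_LEN = 5                          # opcode + rel32
POP_REG_OPCODES = range(0x58, 0x60)   # pop eax..edi (pop rax..rdi in 64-bit code)


def call_target(buf: bytes, off: int) -> int:
    """Target of the E8 call at `off`, expressed as a buffer offset."""
    rel = struct.unpack_from("<i", buf, off + 1)[0]
    return off + CALL_LEN + rel


def is_call_plus5_insn(address: int, length: int, mnemonic: str, target: int) -> bool:
    """The same check on an already decoded instruction, e.g. from a disassembler
    (instruction scope): a 5-byte call whose target is the following instruction."""
    return mnemonic.lower() == "call" and length == CALL_LEN and target == address + length


def find_call_plus5(buf: bytes) -> List[Tuple[int, bool]]:
    """Return (offset, followed_by_pop) for every `call $+5` found by a linear byte scan.

    The flag marks the classic get-PC pattern where the pushed return address is
    popped into a register right away. A raw scan ignores instruction boundaries,
    so on real binaries prefer running is_call_plus5_insn() over decoded instructions.
    """
    hits = []
    off = 0
    while off + CALL_LEN <= len(buf):
        if buf[off] == CALL_REL32 and call_target(buf, off) == off + CALL_LEN:
            nxt = off + CALL_LEN
            followed_by_pop = nxt < len(buf) and buf[nxt] in POP_REG_OPCODES
            hits.append((off, followed_by_pop))
        off += 1
    return hits


if __name__ == "__main__":
    for off, get_pc in find_call_plus5(SAMPLE):
        print(f"call $+5 at offset {off:#x}, get-PC idiom: {get_pc}")
```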
Issue Analytics
- Created 3 years ago
- Reactions: 2
- Comments: 8 (4 by maintainers)
Top GitHub Comments
I think this should be extracted at instruction scope, like how fs/gs access is extracted.
There’s potentially a minor performance difference, but I think without profiling results that show this is a bottleneck, we should use Instruction scope when appropriate.
Awesome, thanks for looking into this!
In the test files I could locate this file:
946a99f36a46d335dec080d9a4371940.dll_:0x100015C7
On Virustotal I found the following (packed) files (attached with password infected call5.zip):
5b1102b10f8d0dee41b592bea0892ac78cecee1a3f5bc55c5176359634c6c002
efbf3f3546130f3a00304eb1873fb0b72b27988f162f5599024e49b3df864f2a
f99c836e89a6a181d292e1aad24d8667c6b53b870548dada3694e474b259d3e9
I hope that helps a bit. Please let me know otherwise.
We can add the IDA extractor, if you don’t have IDAPython available.