maldevel/reversing_secrets_of_reverse_engineering.txt

## reversing_secrets_of_reverse_engineering.txt
## List All Functions containing GenericTable in their name from NTDLL.DLL
dumpbin /EXPORTS "C:\Windows\SysWOW64\ntdll.dll" | grep GenericTable | grep -E -v "Avl$|AvlEx$" | awk {'print $4'} > NTDLL_GenericTable_Methods.txt


##Print RVA (Relative Virtual Address)
dumpbin /EXPORTS "C:\Windows\SysWOW64\ntdll.dll" | grep GenericTable | grep -E -v "Avl$|AvlEx$" | awk {'print $3 " " $4'} > NTDLL_GenericTable_Methods.txt


##Find image base
dumpbin /HEADERS "C:\Windows\SysWOW64\ntdll.dll" | grep "image base"


##My RtlInitializeGenericTable is located at address base_address + rva = 4B280000 + 0006A300 = 4B2EA300.
  4B2EA300: 8B FF              mov         edi,edi
  4B2EA302: 55                 push        ebp
  4B2EA303: 8B EC              mov         ebp,esp
  4B2EA305: 8B 4D 08           mov         ecx,dword ptr [ebp+8]
  4B2EA308: 33 D2              xor         edx,edx
  4B2EA30A: 8D 41 04           lea         eax,[ecx+4]
  4B2EA30D: 89 11              mov         dword ptr [ecx],edx
  4B2EA30F: 89 40 04           mov         dword ptr [eax+4],eax
  4B2EA312: 89 00              mov         dword ptr [eax],eax
  4B2EA314: 89 41 0C           mov         dword ptr [ecx+0Ch],eax
  4B2EA317: 8B 45 0C           mov         eax,dword ptr [ebp+0Ch]
  4B2EA31A: 89 41 18           mov         dword ptr [ecx+18h],eax
  4B2EA31D: 8B 45 10           mov         eax,dword ptr [ebp+10h]
  4B2EA320: 89 41 1C           mov         dword ptr [ecx+1Ch],eax
  4B2EA323: 8B 45 14           mov         eax,dword ptr [ebp+14h]
  4B2EA326: 89 41 20           mov         dword ptr [ecx+20h],eax
  4B2EA329: 8B 45 18           mov         eax,dword ptr [ebp+18h]
  4B2EA32C: 89 51 14           mov         dword ptr [ecx+14h],edx
  4B2EA32F: 89 51 10           mov         dword ptr [ecx+10h],edx
  4B2EA332: 89 41 24           mov         dword ptr [ecx+24h],eax
  4B2EA335: 5D                 pop         ebp
  4B2EA336: C2 14 00           ret         14h
	## List All Functions containing GenericTable in their name from NTDLL.DLL
	dumpbin /EXPORTS "C:\Windows\SysWOW64\ntdll.dll" \| grep GenericTable \| grep -E -v "Avl$\|AvlEx$" \| awk {'print $4'} > NTDLL_GenericTable_Methods.txt


	##Print RVA (Relative Virtual Address)
	dumpbin /EXPORTS "C:\Windows\SysWOW64\ntdll.dll" \| grep GenericTable \| grep -E -v "Avl$\|AvlEx$" \| awk {'print $3 " " $4'} > NTDLL_GenericTable_Methods.txt


	##Find image base
	dumpbin /HEADERS "C:\Windows\SysWOW64\ntdll.dll" \| grep "image base"


	##My RtlInitializeGenericTable is located at address base_address + rva = 4B280000 + 0006A300 = 4B2EA300.
	4B2EA300: 8B FF mov edi,edi
	4B2EA302: 55 push ebp
	4B2EA303: 8B EC mov ebp,esp
	4B2EA305: 8B 4D 08 mov ecx,dword ptr [ebp+8]
	4B2EA308: 33 D2 xor edx,edx
	4B2EA30A: 8D 41 04 lea eax,[ecx+4]
	4B2EA30D: 89 11 mov dword ptr [ecx],edx
	4B2EA30F: 89 40 04 mov dword ptr [eax+4],eax
	4B2EA312: 89 00 mov dword ptr [eax],eax
	4B2EA314: 89 41 0C mov dword ptr [ecx+0Ch],eax
	4B2EA317: 8B 45 0C mov eax,dword ptr [ebp+0Ch]
	4B2EA31A: 89 41 18 mov dword ptr [ecx+18h],eax
	4B2EA31D: 8B 45 10 mov eax,dword ptr [ebp+10h]
	4B2EA320: 89 41 1C mov dword ptr [ecx+1Ch],eax
	4B2EA323: 8B 45 14 mov eax,dword ptr [ebp+14h]
	4B2EA326: 89 41 20 mov dword ptr [ecx+20h],eax
	4B2EA329: 8B 45 18 mov eax,dword ptr [ebp+18h]
	4B2EA32C: 89 51 14 mov dword ptr [ecx+14h],edx
	4B2EA32F: 89 51 10 mov dword ptr [ecx+10h],edx
	4B2EA332: 89 41 24 mov dword ptr [ecx+24h],eax
	4B2EA335: 5D pop ebp
	4B2EA336: C2 14 00 ret 14h