Conversation
buherator
buherator
Edited 1 month ago
As you probably know loadlibrary by @taviso can load Windows DLL's - including Windows Defenders mpengine.dll - on Linux.
Since the loader needed some debugging I ended up figuring out how to load the Linux-native mpclient into #Ghidra's debugger and use it to debug the PE module too:
https://github.com/v-p-b/loadlibrary/blob/x64_waffle/GHIDRA.md
This can spare an IDA license and performing dark arts with awk and gas...which is actually pretty badass, so if you want to keep doing that without IDA here's a Ghidra script too:
https://gist.github.com/v-p-b/c7d934234297158047b678f655c7d99f
Since the loader needed some debugging I ended up figuring out how to load the Linux-native mpclient into #Ghidra's debugger and use it to debug the PE module too:
https://github.com/v-p-b/loadlibrary/blob/x64_waffle/GHIDRA.md
This can spare an IDA license and performing dark arts with awk and gas...which is actually pretty badass, so if you want to keep doing that without IDA here's a Ghidra script too:
https://gist.github.com/v-p-b/c7d934234297158047b678f655c7d99f
3
9
24
NixFREAK -
nixfreak@hackers.town@buherator @taviso Holy shit this is cool and I can't believe I haven't heard of this, I to rather debug , reverse win apps on linux.
0
0
1