Hello and welcome to the Thursday, September 18th, 2025 edition of the Sands Internet Storms Centers.

Stormcast, my name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu graduate certificate program in incident response.

Well, in Diaries today, we do have Xavier talk about Control C DLL hooking. The trick that Xavier is

referring to here is, well, first of all, if you are

reverse analyzing malware, you're trying to introduce breakpoints into the code where you're

able to better analyze what's happening in particular segments of the code. The problem with this

is that you're going to modify some of the code in memory by essentially,

well, adding these software breakpoints to specific API calls.

Now, Malware has a couple different options here in order to bypass this.

They can, like, check whether or not these breakpoints are present.

That's a little bit tricky because they have to go through all the different possible

API calls that you may have added these breakpoints to.

But a simpler solution, it just reloads the code from a disk for that particular DL

with that overriding any modifications that may have made after the DL was loaded into memory.

And that's exactly what Xavier illustrates here and how it is being done in a particular malware sample that Xavi came across.

This malware sample appears to be some prototype not quite finished yet ransomware that's written in

Python so interesting that aspect as well and it just performs this simple trick where it reloads

the DLL in order to basically invalidate whatever breakpoint or other modifications an analyst may have made.

And we got an interesting blog post by Derek Yan Molima about a vulnerability that

Derek Yan did disclose to Microsoft and which was addressed as part of this September's patch Tuesday.

This wasn't Azure vulnerability, so nothing that you have to patch.

...