Type: technique | Confidence: high | Created: 2026-06-04 | Updated: 2026-06-04 | Tags: defense-evasion, malware-family, loader

PEB-Walking API Resolution

What It Does

Position-independent code resolves Win32 API addresses at runtime by walking the Process Environment Block (PEB) linked list of loaded modules, then traversing the export table of ntdll.dll or kernel32.dll to locate LoadLibraryA, GetProcAddress, and other critical imports. This avoids static IAT entries and defeats naive import-table signatures.

Detection / Fingerprint

  • Access to gs:[0x60] (x64) or fs:[0x30] (x86) to retrieve the PEB.
  • Iteration over InMemoryOrderModuleList to locate ntdll.dll and kernel32.dll by hash or string comparison.
  • Export-table traversal with ROR-13 or custom hash calculation (FNV-1a observed in some SilverFox variants).

Implementation Patterns

  • Reads PEB.Ldr.InMemoryOrderModuleList.
  • For each module, hashes the Unicode base name and compares the result against a target hash.
  • Parses the module's export directory, hashes export names, and matches against a hardcoded list of API hashes.
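
As an added analyst helper (not part of this entry or of any SilverFox sample), the following Python encodes the two PEB-fetch byte patterns from the fingerprint above, computes the ROR-13 and FNV-1a name hashes, and labels hardcoded 32-bit constants recovered from a sample; the byte blob and the constant list are constructed for the demonstration.

```python
"""Analyst helpers for the PEB-walking fingerprint described above."""
import re

# Encodings of the PEB fetch listed under Detection / Fingerprint (constructed
# from the instruction encodings; other register choices encode differently).
PEB_FETCH_SIGNATURES = {
    "x64: mov rax, gs:[0x60]": b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00",
    "x86: mov eax, fs:[0x30]": b"\x64\xa1\x30\x00\x00\x00",
}

def ror13_hash(name: str) -> int:
    """ROR-13 string hash as used by classic API-resolution stubs."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h

def fnv1a_hash(name: str) -> int:
    """32-bit FNV-1a, the alternative hash noted in some SilverFox variants."""
    h = 0x811C9DC5
    for b in name.encode("ascii"):
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h

def find_peb_fetches(blob: bytes) -> list:
    """Return sorted (offset, description) pairs for every PEB fetch in blob."""
    hits = []
    for desc, sig in PEB_FETCH_SIGNATURES.items():
        hits.extend((m.start(), desc) for m in re.finditer(re.escape(sig), blob))
    return sorted(hits)

def label_hashes(constants, api_names) -> dict:
    """Map constants found in a sample to (API name, hash scheme) matches."""
    table = {}
    for name in api_names:
        table[ror13_hash(name)] = (name, "ror13")
        table[fnv1a_hash(name)] = (name, "fnv1a")
    return {c: table[c] for c in constants if c in table}

if __name__ == "__main__":
    # Constructed sample: NOP padding, an x64 PEB fetch, int3, an x86 PEB fetch.
    sample = (b"\x90" * 4 + PEB_FETCH_SIGNATURES["x64: mov rax, gs:[0x60]"]
              + b"\xcc" + PEB_FETCH_SIGNATURES["x86: mov eax, fs:[0x30]"])
    for off, desc in find_peb_fetches(sample):
        print(f"{off:#06x}: {desc}")
    # 0xEC0E4E8E is the well-known ROR-13 value for LoadLibraryA; 0xDEADBEEF is filler.
    print(label_hashes([0xEC0E4E8E, 0xDEADBEEF], ["LoadLibraryA", "GetProcAddress"]))
```

Feeding `label_hashes` the immediate constants pulled from a disassembly listing turns an opaque hash list into the set of APIs the loader resolves, which is usually enough to classify the stub's capability without emulating it.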

Related