Tuts 4 You

How to Analyze a BHO?


pichoo


Can anyone point me to any resource that talks about analyzing an Internet Explorer Browser Helper Object?

I am semi-competent at analyzing typical executables; however, I don't really know where to start with a BHO DLL other than looking at the strings, since it doesn't look like it executes like an EXE.

Any help would be appreciated; I'm really just looking for a starting point.


Hi pichoo,

You can attach to the iexplore.exe process with a debugger and set your breakpoints. Hope that helps.


Thank you, D1N. Is there an easy way to set a breakpoint where iexplore accesses the BHO DLL?


Yes brother, setting breakpoints is simple. Take a look at this article //www.openrce.org/articles/full_view/17 where he talks about the Submithook trojan BHO DLL. I would run iexplore.exe inside of Olly and trace into it until the BHO is run, then dump a snapshot of the memory. If the BHO is using sockets to communicate, there is a socket plugin which can be downloaded on the main page. You can use it to sniff data. I would also use an API plugin and set BPs on the ones of interest; API Finder 0.3 by ap0x is what I use. You can grab virtually everything you need here. Olly Plugins!

The memory snapshots should tell you everything you need to know about the BHO. ;-)

Good Luck!

Edited by D1N
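Before attaching a debugger it helps to know which DLL Internet Explorer will actually load: a BHO is an in-process COM server registered by CLSID under the Browser Helper Objects key, and the DLL path lives in that CLSID's InprocServer32 key. The following example is added here and is not code from the thread; it resolves the BHO CLSIDs found in an exported .reg file to their DLL paths, so the analyst knows which module to watch for when IE starts. The CLSIDs and paths in the embedded sample export are constructed, not taken from any real system.

```python
import re
from typing import Dict, List, Optional

# Constructed sample .reg export (hypothetical CLSIDs and paths, not from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"NoExplorer"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\helper.dll"
"ThreadingModel"="Apartment"
"""

GUID_RE = re.compile(r"\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {KEY PATH (upper-cased): {value name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')  # '@' stays as-is: the key's default value
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            keys[current][name] = value
    return keys


def find_bhos(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Each registered BHO CLSID with its InprocServer32 DLL path (None if not in the export).
    Matches the native key and the Wow6432Node copy used by 32-bit IE on 64-bit Windows."""
    found: List[Dict[str, Optional[str]]] = []
    for path in keys:
        if "\\BROWSER HELPER OBJECTS\\" not in path:
            continue
        clsid = path.rsplit("\\", 1)[1]
        if not GUID_RE.fullmatch(clsid):
            continue
        dll = None
        for root in ("HKEY_CLASSES_ROOT\\", "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\"):
            dll = keys.get(f"{root}CLSID\\{clsid}\\INPROCSERVER32", {}).get("@")
            if dll:
                break
        found.append({"clsid": clsid, "dll": dll})
    return sorted(found, key=lambda r: r["clsid"])
```

A BHO whose CLSID resolves to no InprocServer32 entry in the export is worth a second look, since the server may be registered in a hive that was not exported.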
