Tuts 4 You

How to Analyze a BHO?


pichoo


Can anyone point me to any resource that talks about analyzing an Internet Explorer Browser Helper Object?

I am semi competent in analyzing typical executables, however I don't really know where to start with a BHO dll other than looking at the strings, since it doesn't look like it executes like an exe.

Any help would be appreciated, I'm really just looking for a starting point.


Hi pichoo,

You can attach to iexplore.exe process with a debugger and set your breakpoints. Hope that helps.


Thank you D1N. Is there an easy way to set a breakpoint where iexplore accesses the BHO dll?


Yes brother, setting breakpoints is simple. Take a look at this article: //www.openrce.org/articles/full_view/17. He talks about the Submithook trojan BHO dll. I would run iexplore.exe inside of Olly and trace into it until the BHO is run, then dump a snapshot of the memory. If the BHO is using sockets to communicate, there is a socket plugin which can be downloaded on the main page; you can use it to sniff data. I would also use an API plugin and set BPs on the ones of interest. API Finder 0.3 by ap0x is what I use. You can grab virtually everything you need here: Olly Plugins!

The memory snapshots should tell you everything you need to know about the BHO. ;-)

Good Luck!

Edited by D1N
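As a concrete starting point for the question in this thread, here is an added example (not code from the thread or from either poster). A BHO is a COM in-process server: IE enumerates the CLSIDs registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, resolves each one through HKCR\CLSID\{clsid}\InprocServer32 to a DLL path, and CoCreateInstance loads that DLL and calls its DllGetClassObject export, after which IE calls IObjectWithSite::SetSite on the object. So before attaching to iexplore.exe, the analyst wants the list of registered CLSIDs and the DLL each maps to; that tells you which module to watch for in the debugger and that DllGetClassObject / SetSite are the first points at which the BHO's own code runs. The script below parses a `reg export` text file of those hives offline. The sample .reg content, the CLSIDs and the paths in it are constructed for the example, and the "unusual path" check is a simple heuristic of my own, not anything from the thread.

```python
import re

# Constructed sample: the shape of a `reg export` of the two relevant hives.
# CLSIDs and DLL paths are made up for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar Helper"
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\bho_sample.dll"
"ThreadingModel"="Apartment"
"""

# Where IE looks for BHOs (native, and the 32-bit view on 64-bit Windows).
BHO_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from .reg text; '@' is the default value."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                # .reg string values escape backslashes and quotes.
                value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                value = raw  # dword:/hex: values are kept verbatim
            keys[current][name] = value
    return keys


def looks_unusual(dll_path):
    """Heuristic (mine, not from the thread): BHO DLLs living in user-writable temp/profile dirs deserve a closer look."""
    p = (dll_path or "").lower()
    return "\\appdata\\" in p or "\\temp\\" in p


def list_bhos(keys):
    """Map each registered BHO CLSID to the DLL that CoCreateInstance will load for it.

    That DLL's DllGetClassObject export, followed by IE's call to
    IObjectWithSite::SetSite, is where the BHO's own code first executes,
    so it is the natural place to break when tracing iexplore.exe in a debugger.
    """
    lowered = {k.lower(): v for k, v in keys.items()}
    results = []
    for key, values in keys.items():
        if not any(key.lower().startswith(b.lower() + "\\") for b in BHO_KEYS):
            continue
        clsid = key.rsplit("\\", 1)[1]
        if not GUID_RE.fullmatch(clsid):
            continue
        inproc = lowered.get(f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32", {})
        dll = inproc.get("@")
        results.append({
            "clsid": clsid,
            "name": values.get("@", ""),
            "dll": dll,
            # NoExplorer=1 means the BHO loads only in IE, not in Windows Explorer.
            "no_explorer": values.get("NoExplorer") == "dword:00000001",
            "unusual_path": looks_unusual(dll),
        })
    return results


if __name__ == "__main__":
    for bho in list_bhos(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(bho)
```

On a real system the input would be the output of `reg export` for the BHO key and for HKEY_CLASSES_ROOT\CLSID; the resolved DLL path is the module to watch for being loaded into iexplore.exe, and its DllGetClassObject export is the first breakpoint to set.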
