Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

DLL debugging

straylight
straylight
in Malware Reverse Engineering

Featured Replies

Posted

Hello All, this is my first post to tuts4you! :)

Hopefully my question is a simple one. I'm trying to load a DLL (dropped by malware) into Olly. I have made the changes to the characteristics section of binary so that olly sees the DLL as a .exe to bypass loaddll.

The following is the EP of the malicious dll when opening in olly:

100037A1 >/$ 8BFF           MOV EDI,EDI                              ;  ntdll.7C910228
100037A3  |. 55             PUSH EBP
100037A4  |. 8BEC           MOV EBP,ESP
100037A6  |. 33C0           XOR EAX,EAX
100037A8  |. 40             INC EAX
100037A9  |. 3945 0C        CMP DWORD PTR SS:[EBP+C],EAX
100037AC  |. 75 09          JNZ SHORT Copy_of_.100037B7
100037AE  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
100037B1  |. 890D A4E50010  MOV DWORD PTR DS:[1000E5A4],ECX
100037B7  |> 5D             POP EBP
100037B8  \. C2 0C00        RETN 0C

I have read the post titled "Unpacking DLLs and Drivers with OllyDbg" however I can't seem to get that method (described in the post) to work. When I hit the "RETN 0C" listed above it jumps off into Kernel32 and terminates.

The DLL seems to be obfuscated in someway as it makes a request out to the internet.... and the address of the requested site is not visible in the strings listing.

Any ideas on how to load and successfully step through this DLL in a debugger?

Thanks!

Always provide the target when asking SPECIFIC questions! Do post it..

That is the entrypoint for a dll.

DllMain(HINSTANCE handle, DWORD reason, *VOID reserved);

Dlls do not run like normal applications, you have to call an export of the dll, usually from an executable file. This particular code is just saving the handle of the dll when DLL_PROCESS_ATTACH is the reason. Thats it.

  • 1 month later...

if you upload the [dll] so we can have a look

to have an idea of the dll

when you 1st load it into Olly, do a search of all intermodular calls and set a breakpoint on the call that makes the request. One common networking dll is ws2_32, if it's that look for calls to connect, send, sendto, WSAConnect, etc. Once you find that you can work around it, hopefully.

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.