Jump to content
Tuts 4 You

DLL debugging

straylight

By straylight
in Malware Reverse Engineering

 Share

Recommended Posts

straylight

straylight

Posted
Posted

Hello All, this is my first post to tuts4you! :)

Hopefully my question is a simple one. I'm trying to load a DLL (dropped by malware) into Olly. I have made the changes to the characteristics section of binary so that olly sees the DLL as a .exe to bypass loaddll.

The following is the EP of the malicious dll when opening in olly:

100037A1 >/$ 8BFF           MOV EDI,EDI                              ;  ntdll.7C910228
100037A3  |. 55             PUSH EBP
100037A4  |. 8BEC           MOV EBP,ESP
100037A6  |. 33C0           XOR EAX,EAX
100037A8  |. 40             INC EAX
100037A9  |. 3945 0C        CMP DWORD PTR SS:[EBP+C],EAX
100037AC  |. 75 09          JNZ SHORT Copy_of_.100037B7
100037AE  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
100037B1  |. 890D A4E50010  MOV DWORD PTR DS:[1000E5A4],ECX
100037B7  |> 5D             POP EBP
100037B8  \. C2 0C00        RETN 0C

I have read the post titled "Unpacking DLLs and Drivers with OllyDbg" however I can't seem to get that method (described in the post) to work. When I hit the "RETN 0C" listed above it jumps off into Kernel32 and terminates.

The DLL seems to be obfuscated in someway as it makes a request out to the internet.... and the address of the requested site is not visible in the strings listing.

Any ideas on how to load and successfully step through this DLL in a debugger?

Thanks!

SunBeam

SunBeam

Posted
Posted

Always provide the target when asking SPECIFIC questions! Do post it..

What

What

Posted
Posted

That is the entrypoint for a dll.

DllMain(HINSTANCE handle, DWORD reason, *VOID reserved);

Dlls do not run like normal applications, you have to call an export of the dll, usually from an executable file. This particular code is just saving the handle of the dll when DLL_PROCESS_ATTACH is the reason. Thats it.

  • 1 month later...
delldell

delldell

Posted
Posted

if you upload the [dll] so we can have a look

to have an idea of the dll

rhboarder

rhboarder

Posted
Posted

when you 1st load it into Olly, do a search of all intermodular calls and set a breakpoint on the call that makes the request. One common networking dll is ws2_32, if it's that look for calls to connect, send, sendto, WSAConnect, etc. Once you find that you can work around it, hopefully.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...