Tricks for DLL analysis
Very often I get questions on how to perform analysis on DLL files.
The reason being that it is easier to perform behavioral analysis on executables, either using external sandboxes or a vmware with tools like the ones from the Sysinternals suite .
For DLL, on most of times, you can't just run them, you can use windows applications like rundll32 with right the export, but sometimes it may not work.
At this point if you want something fast to perform some analysis on the DLL you can go for the static analysis, looking for the strings and trying to determine the nature of the malware.
The problem resides on fact that most malware these days are using custom packers, making your job more difficult.
The quick and dirty solution for this would be to force it to memory so it would unpack itself. That would make your job much easier by just using a process dump tool and then check the strings.
Something that I used to do to accomplish it was to use regsvr32 to "load" the DLL on memory. It will throw an error on most cases, but the DLL will be loaded, until you close the error message.
On that period of time, you can use your preferred dump tool and dump the regsvr32 process, and check the DLL strings.
Another way is to simply inject the DLL into a running process, like explorer.exe for example. This simple python script inspired by the Grey Hat Python book seems to do the job quite well!
Simply run it by passing the PID you want to inject the DLL and the DLL file as parameters and it will work.
For example:
python dll_inject.py 618 badll.dll
--> This will inject the baddll.dll into process ID 618.
To find the process ID you can either use tools like Sysinternals process explorer or Windows Task Manager.
Good luck!
------
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
https://defineprogramming.com/
Dec 26th 2022
8 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
8 months ago
rthrth
Jan 2nd 2023
8 months ago