Tricks for DLL analysis

Published: 2015-09-29
Last Updated: 2015-09-29 21:01:50 UTC
by Pedro Bueno (Version: 1)
2 comment(s)

Very often I get questions on how to perform analysis on DLL files.

The reason being that it is easier to perform behavioral analysis on executables, either using external sandboxes or a vmware with tools like the ones from the Sysinternals suite .

For DLL, on most of times, you can't just run them, you can use windows applications like rundll32 with right the export, but sometimes it may not work. 

At this point if you want something fast to perform some analysis on the DLL you can go for the static analysis, looking for the strings and trying to determine the nature of the malware.

The problem resides on fact that most malware these days are using custom packers, making your job more difficult.

The quick and dirty solution for this would be to force it to memory so it would unpack itself. That would make your job much easier by just using a process dump tool and then check the strings.

Something that I used to do to accomplish it was to use regsvr32 to "load" the DLL on memory. It will throw an error on most cases, but the DLL will be loaded, until you close the error message.

On that period of time, you can use your preferred dump tool and dump the regsvr32 process, and check the DLL strings.

Another way is to simply inject the DLL into a running process, like explorer.exe for example. This simple python script inspired by the Grey Hat Python book seems to do the job quite well!

Simply run it by passing the PID you want to inject the DLL and the DLL file as parameters and it will work.

For example:

python dll_inject.py 618 badll.dll  

--> This will inject the baddll.dll into process ID 618. 

To find the process ID you can either use tools like Sysinternals process explorer or Windows Task Manager. 

Good luck!

------

Pedro Bueno (pbueno /%%/ isc. sans. org) 

Twitter: http://twitter.com/besecure

2 comment(s)

Comments

For what it is worth every version of Visual Studio with which I have ever worked includes a utility named "Depends.exe". This will reveal an amazing about of data about the DLL you are studying such as entry points it offers and both DLLs and entry points it uses. You might check it out. The old now more or less freely available VC6 has the tool, although it's not suitable for 64 bit dlls.

{^_^}
Depends.exe is very well-known as "Dependency Walker", and distributed with VC or VS by courtesy of its author; see http://www.dependencywalker.com/

If you need obscure tools like python to inject a DLL into Explorer.exe (or almost any other windows process) you should in the first place dont try to analyze malware at all!
AppInit_DLLs as well as AppCertDLLs exist since the last millenium.
%SystemRoot%\ACLUI.dll are some more DLLs are only loaded by %SystemRoot%\Explorer.exe as well as %SystemRoot%\RegEdit.exe etc.

And these are only the tip of the iceberg!

Diary Archives