Tricks for DLL analysis
Last Updated: 2015-09-29 21:01:50 UTC
by Pedro Bueno (Version: 1)
Very often I get questions on how to perform analysis on DLL files.
The reason being that it is easier to perform behavioral analysis on executables, either using external sandboxes or a vmware with tools like the ones from the Sysinternals suite .
For DLL, on most of times, you can't just run them, you can use windows applications like rundll32 with right the export, but sometimes it may not work.
At this point if you want something fast to perform some analysis on the DLL you can go for the static analysis, looking for the strings and trying to determine the nature of the malware.
The problem resides on fact that most malware these days are using custom packers, making your job more difficult.
The quick and dirty solution for this would be to force it to memory so it would unpack itself. That would make your job much easier by just using a process dump tool and then check the strings.
Something that I used to do to accomplish it was to use regsvr32 to "load" the DLL on memory. It will throw an error on most cases, but the DLL will be loaded, until you close the error message.
On that period of time, you can use your preferred dump tool and dump the regsvr32 process, and check the DLL strings.
Another way is to simply inject the DLL into a running process, like explorer.exe for example. This simple python script inspired by the Grey Hat Python book seems to do the job quite well!
Simply run it by passing the PID you want to inject the DLL and the DLL file as parameters and it will work.
python dll_inject.py 618 badll.dll
--> This will inject the baddll.dll into process ID 618.
To find the process ID you can either use tools like Sysinternals process explorer or Windows Task Manager.
Pedro Bueno (pbueno /%%/ isc. sans. org)
Sep 30th 2015
7 years ago
If you need obscure tools like python to inject a DLL into Explorer.exe (or almost any other windows process) you should in the first place dont try to analyze malware at all!
AppInit_DLLs as well as AppCertDLLs exist since the last millenium.
%SystemRoot%\ACLUI.dll are some more DLLs are only loaded by %SystemRoot%\Explorer.exe as well as %SystemRoot%\RegEdit.exe etc.
And these are only the tip of the iceberg!
Oct 1st 2015
7 years ago