Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Tricks for DLL analysis InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Tricks for DLL analysis

Published: 2015-09-29
Last Updated: 2015-09-29 21:01:50 UTC
by Pedro Bueno (Version: 1)
2 comment(s)

Very often I get questions on how to perform analysis on DLL files.

The reason being that it is easier to perform behavioral analysis on executables, either using external sandboxes or a vmware with tools like the ones from the Sysinternals suite .

For DLL, on most of times, you can't just run them, you can use windows applications like rundll32 with right the export, but sometimes it may not work. 

At this point if you want something fast to perform some analysis on the DLL you can go for the static analysis, looking for the strings and trying to determine the nature of the malware.

The problem resides on fact that most malware these days are using custom packers, making your job more difficult.

The quick and dirty solution for this would be to force it to memory so it would unpack itself. That would make your job much easier by just using a process dump tool and then check the strings.

Something that I used to do to accomplish it was to use regsvr32 to "load" the DLL on memory. It will throw an error on most cases, but the DLL will be loaded, until you close the error message.

On that period of time, you can use your preferred dump tool and dump the regsvr32 process, and check the DLL strings.

Another way is to simply inject the DLL into a running process, like explorer.exe for example. This simple python script inspired by the Grey Hat Python book seems to do the job quite well!

Simply run it by passing the PID you want to inject the DLL and the DLL file as parameters and it will work.

For example:

python dll_inject.py 618 badll.dll  

--> This will inject the baddll.dll into process ID 618. 

To find the process ID you can either use tools like Sysinternals process explorer or Windows Task Manager. 

Good luck!

------

Pedro Bueno (pbueno /%%/ isc. sans. org) 

Twitter: http://twitter.com/besecure

2 comment(s)
Diary Archives