Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Previous: Analyzing Without Fully Unpacking
Next: Conclusion

There are additional complications associated with packing DLLs, so this capability is not supported by all packers. Handling the exports of the DLL is one complication. The export table in the DLL points to the address of the exported functions, and if the DLL is packed, then the exported functions are also packed. The packer must account for this to ensure that the DLL operates properly.

Unpacking a DLL is not much different from unpacking an EXE. The key thing to remember is that DLLs have an OEP, just like executables. All DLLs have a function called DllMain, which is called when the DLL is loaded. The OEP in a DLL is the original start of DllMain. The start address listed in the packed DLL is the address of the unpacking stub, which is placed into DllMain rather than into the main method. OllyDbg can load DLLs, and OllyDbg has a tool called loadDll.exe, which allows you to load and debug DLLs. The problem is that the DllMain method will be called prior to breaking in OllyDbg. By the time the break occurs, the unpacking stub will have already executed, and it will be very difficult to find the OEP.

To get around this, open the PE file and locate the Characteristics field in the IMAGE_FILE_HEADER section. The 0x2000 bit of the Characteristics field is set to 1 for DLLs. If this bit is cleared to 0, the file will be interpreted as an executable. OllyDbg will then open the program as an EXE, and you will be able to apply all of the unpacking strategies discussed in this chapter. After you’ve found the OEP, set the bit back so that the program will be treated as a DLL again.
