Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software


Let’s take a look at how you can launch DLLs so that dynamic analysis succeeds.

The program rundll32.exe is included with all modern versions of Windows. It provides a container for running a DLL using this syntax:

, you can use a tool such as PEview or PE Explorer to view the Export table. For example, the file rip.dll has the following exports:

. In this case, you can still call those functions with rundll32.exe using the following command, where 5 is the ordinal number that you want to call, prepended with the # character:

C:\>rundll32.exe xyzzy.dll, #5

Because malicious DLLs frequently run most of their code in DLLMain (called from the DLL entry point), and because DLLMain is executed whenever the DLL is loaded, you can often get information dynamically by forcing the DLL to load using rundll32.exe. Alternatively, you can even turn a DLL into an executable by modifying the PE header and changing its extension to force Windows to load the DLL as it would an executable.

To modify the PE header, wipe the IMAGE_FILE_DLL (0x2000) flag from the Characteristics field in the IMAGE_FILE_HEADER. While this change won’t run any imported functions, it will run the DLLMain method, and it may cause the malware to crash or terminate unexpectedly. However, as long as your changes cause the malware to execute its malicious payload, and you can collect information for your analysis, the rest doesn’t matter.
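As an added example (not code from the book), the following Python script performs the header edit described above: it follows e_lfanew from the DOS header to the IMAGE_FILE_HEADER and clears IMAGE_FILE_DLL in the Characteristics field. The function names are my own, and the constructed minimal header used for the self-check is not a loadable image.

```python
import struct
import sys

IMAGE_FILE_DLL = 0x2000              # Characteristics bit marking the file as a DLL
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002


def characteristics_offset(data: bytes) -> int:
    # IMAGE_DOS_HEADER.e_lfanew lives at 0x3C and points at "PE\0\0";
    # IMAGE_FILE_HEADER follows the 4-byte signature, Characteristics is its last WORD (+18)
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + 4 + 18


def read_characteristics(data: bytes) -> int:
    return struct.unpack_from("<H", data, characteristics_offset(data))[0]


def is_dll(data: bytes) -> bool:
    return bool(read_characteristics(data) & IMAGE_FILE_DLL)


def clear_dll_flag(data: bytes) -> bytes:
    # Return a copy of the image with IMAGE_FILE_DLL wiped; nothing else is touched
    buf = bytearray(data)
    off = characteristics_offset(buf)
    chars = struct.unpack_from("<H", buf, off)[0]
    struct.pack_into("<H", buf, off, chars & ~IMAGE_FILE_DLL & 0xFFFF)
    return bytes(buf)


def build_minimal_pe_header(characteristics: int) -> bytes:
    # Constructed sample: DOS header + PE signature + IMAGE_FILE_HEADER only (hypothetical, not runnable)
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__" and len(sys.argv) == 3:
    with open(sys.argv[1], "rb") as f:          # usage: script.py in.dll out.exe
        patched = clear_dll_flag(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(patched)
```

Run the patched copy only inside your isolated analysis VM; as the text notes, clearing the flag does not resolve anything the DLL expected from its host process, so a crash after DLLMain is normal.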

DLL malware may also need to be installed as a service, sometimes with a convenient export such as InstallService, as listed in ipr32x.dll:

C:\>rundll32 ipr32x.dll,InstallService ServiceName
C:\>net start ServiceName

The ServiceName argument must be provided to the malware so it can be installed and run. The net start command is used to start a service on a Windows system.
