A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18375  by Horgh
 Thu Feb 28, 2013 12:40 pm
MAXS wrote:Ok, and how to load dll?
Ollydbg can load dlls with loaddll.exe, but if it doesn't work you can modify the PE Header to delete the IMAGE_FILE_DLL characteristic (I do this to unpack Simda dlls for example).
 #18376  by r3shl4k1sh
 Thu Feb 28, 2013 3:13 pm
if you want just to run the dll file you should know which exported function it has and which function is used to start the file.
In order to see the exported functions you can use CFF Explorer like this:
Image


Then use rundll32 from the Command Prompt to run the dll like that:
Code: Select all
rundll32 cbva.dll, DllRegisterServer
As mentioned above in case you want to run the dll under OllyDbg you open it then go to Debug->Call Dll export, there you should choose which function you want to run.
 #18378  by Fulrem
 Thu Feb 28, 2013 10:14 pm
Other than what has already been mentioned, If you don't need to run it from an export but just off dllmain there's the lazy option of changing the extension to .cpl
 #25437  by Munsta
 Wed Mar 11, 2015 6:08 pm
After I stumbled upon this code I was currious is my memory still good because I remembered that trigger was "rundll32 trash.ext,unexistent_export" but that just gives errors. What I don't understand is how they stopped rundll32 from displaying these errors about missing export and more importanly error when you return FALSE from DllMain? I compiled this code and later figured out that DllMain must return otherwise some deadlock down the road will happen. I took some samples from here but they are packed so it will take some time before I figure it out. Any info is welcome :) and sorry for bumping dead thread of (not so?) dead malware family.

http://vxheaven.org/forum/viewtopic.php?id=130 Conficker tribute source code (well just DllMain()):
Code: Select all
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    char        pszMutexName[32];
    HANDLE        hMutex_1;
    DWORD        dwVer;

    if( DLL_PROCESS_ATTACH == ul_reason_for_call ) {

        hCurrentModule = (HMODULE)hModule;

        if( DisableThreadLibraryCalls( (HMODULE)hModule ) )
        {
            srand( GetCurrentProcessId() ^ 0x630063 );
            GenStr( pszMutexName,(rand() % 7) + 10 );
            if( hMutex_1 = CreateMutex( NULL,FALSE,pszMutexName ) )
            {
                if( ERROR_ALREADY_EXISTS == GetLastError() )
                {
                    CloseHandle( hMutex_1 );
                    return FALSE;
                }
            }
            dwVer = GetVersion();
            if( (dwVer & 0xff) >= 5 )
            {
                RunConficker();
            }
        }
    }
    return TRUE;
}
PS Maybe they unpack main payload.dll on heap and copy it to some remote process and inject LoadLibrary code or something and call TerminateProcess to kill rundll32 and prevent DllMain deadlocks?
 #25453  by EP_X0FF
 Thu Mar 12, 2015 11:15 am
It terminate parent(host) process with ExitProcess after executing payload code. You actually can reveal this yourself, wasting your time on copy-paste from script-kiddie forum.

1) Take http://www.kernelmode.info/forum/viewto ... 1301#p1301 Conficker sample.

2) Load it in OllyDbg, set break on CreateThread. Make sure you run it in prepared VM or real machine, because Conficker has rdtsc VM detection (and sldt in some variants). Make sure fdwReason in DllMain is not zero.

3) Run malware with bp set. Once bp hit 2 time, it is all unpacked.

4) Find region thread start address belongs and dump it to the disk. Enjoy reversing shellcode full of string data and even driver inside.