[Buster_BSA]

They are DLLs, not EXEs.

[TwinHeadedEagle]

Ok, and how to load dll?

[Buster_BSA]

You must find out what is the function used to install or run things. Then you can use rundll32 to run it.

[Horgh]

Ok, and how to load dll?

Ollydbg can load dlls with loaddll.exe, but if it doesn't work you can modify the PE Header to delete the IMAGE_FILE_DLL characteristic (I do this to unpack Simda dlls for example).

[r3shl4k1sh]

if you want just to run the dll file you should know which exported function it has and which function is used to start the file.
In order to see the exported functions you can use CFF Explorer like this:



Then use rundll32 from the Command Prompt to run the dll like that:

Code: Select all

rundll32 cbva.dll, DllRegisterServer

As mentioned above in case you want to run the dll under OllyDbg you open it then go to Debug->Call Dll export, there you should choose which function you want to run.

[Fulrem]

Other than what has already been mentioned, If you don't need to run it from an export but just off dllmain there's the lazy option of changing the extension to .cpl

[Munsta]

After I stumbled upon this code I was currious is my memory still good because I remembered that trigger was "rundll32 trash.ext,unexistent_export" but that just gives errors. What I don't understand is how they stopped rundll32 from displaying these errors about missing export and more importanly error when you return FALSE from DllMain? I compiled this code and later figured out that DllMain must return otherwise some deadlock down the road will happen. I took some samples from here but they are packed so it will take some time before I figure it out. Any info is welcome :) and sorry for bumping dead thread of (not so?) dead malware family.

http://vxheaven.org/forum/viewtopic.php?id=130 Conficker tribute source code (well just DllMain()):

Code: Select all

BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    char        pszMutexName[32];
    HANDLE        hMutex_1;
    DWORD        dwVer;

    if( DLL_PROCESS_ATTACH == ul_reason_for_call ) {

        hCurrentModule = (HMODULE)hModule;

        if( DisableThreadLibraryCalls( (HMODULE)hModule ) )
        {
            srand( GetCurrentProcessId() ^ 0x630063 );
            GenStr( pszMutexName,(rand() % 7) + 10 );
            if( hMutex_1 = CreateMutex( NULL,FALSE,pszMutexName ) )
            {
                if( ERROR_ALREADY_EXISTS == GetLastError() )
                {
                    CloseHandle( hMutex_1 );
                    return FALSE;
                }
            }
            dwVer = GetVersion();
            if( (dwVer & 0xff) >= 5 )
            {
                RunConficker();
            }
        }
    }
    return TRUE;
}

PS Maybe they unpack main payload.dll on heap and copy it to some remote process and inject LoadLibrary code or something and call TerminateProcess to kill rundll32 and prevent DllMain deadlocks?

[EP_X0FF]

It terminate parent(host) process with ExitProcess after executing payload code. You actually can reveal this yourself, wasting your time on copy-paste from script-kiddie forum.

1) Take http://www.kernelmode.info/forum/viewto ... 1301#p1301 Conficker sample.

2) Load it in OllyDbg, set break on CreateThread. Make sure you run it in prepared VM or real machine, because Conficker has rdtsc VM detection (and sldt in some variants). Make sure fdwReason in DllMain is not zero.

3) Run malware with bp set. Once bp hit 2 time, it is all unpacked.

4) Find region thread start address belongs and dump it to the disk. Enjoy reversing shellcode full of string data and even driver inside.