Example 3 – Analyzing a DLL Accepting Export Arguments

The following example shows how you can analyze a DLL that accepts export arguments. The DLL used in this example was delivered via powerpoint, as described in this link: https://securingtomorrow.mcafee.com/mcafee-labs/threat-actors-use-encrypted-office-binary-format-evade-detection/.

The DLL (SearchCache.dll) consists of an export function, _flushfile@16, whose functionality is to delete a file. This export function accepts an argument, which is the file to delete:

To demonstrate the delete functionality, a test file (file_to_delete.txt) was created, and the monitoring tools were launched. The test file was passed an argument to the export function _flushfile@16 using the following command. After running the following command, the test file was deleted from the disk:

rundll32.exe c:samplesSearchCache.dll,_flushfile@16 C:samplesfile_to_delete.txt

The following is the output from the Noriben logs showing rundll32.exe deleting the file (file_to_delete.txt):

Processes Created:
[CreateProcess] cmd.exe:1100 > "rundll32.exe  c:samplesSearchCache.dll,_flushfile@16 C:samplesfile_to_delete.txt" [Child PID: 3348]

File Activity:
[DeleteFile] rundll32.exe:3348 > C:samplesfile_to_delete.txt
To determine the parameters and the type of parameters accepted by an export function, you will need to perform code analysis. You will be learning code analysis techniques in the upcoming chapters.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.219.14.63