6.3 Analyzing a DLL with Process Checks

Most of the time, launching a DLL with rundll32.exe will work fine, but some DLLs check if they are running under a particular process (such as explorer.exe or iexplore.exe) and might change their behavior or terminate themselves if they are running under any other process (including rundll32.exe). In such cases, you will have to inject the DLL into the specific process to trigger the behavior.

A tool such as RemoteDLL (http://securityxploded.com/remotedll.php) allows you to inject a DLL into any running process on the system. It allows you to inject a DLL using three different methods; this is useful because if one method fails, you can try another method.

The DLL (tdl.dll) used in the following example is a component of the TDSS rootkit. This DLL does not contain any exports; all of the malicious behavior is implemented in the DLL's entry point function. Running the DLL with the following command generated an error stating that the DLL initialization routine failed; this indicates that the DLL entry point function did not execute successfully:

To understand the condition that triggered the error, static code analysis (reverse engineering) was carried out. After analyzing the code, it was found that the DLL, in its entry point function, performs a check to determine whether it is running under spoolsv.exe (the print spooler service). If it is running under any other process, the DLL initialization fails:

For now, don't worry about how to perform code analysis. You will learn the techniques to perform code analysis in the upcoming chapters.

To trigger the behavior, the malicious DLL had to be injected into the spoolsv.exe process using the RemoteDLL tool. After the DLL was injected into spoolsv.exe, the monitoring tools captured the following activities. The malware created a folder (resycled) and a file (autorun.inf) on the C: drive, then dropped a file (boot.com) into the newly created folder C:\resycled:

[CreateFile] spoolsv.exe:1340 > C:\autorun.inf
[CreateFolder] spoolsv.exe:1340 > C:\resycled
[CreateFile] spoolsv.exe:1340 > C:\resycled\boot.com

The malware added the following registry entries; from the added entries you can tell that the malware is storing some encrypted data or configuration data in the registry:

[RegSetValue] spoolsv.exe:1340 > HKCR\extravideo\CLSID\(Default) = {6BF52A52-394A-11D3-B153-00C04F79FAA6}
[RegSetValue] spoolsv.exe:1340 > HKCR\msqpdxvx\msqpdxpff = 8379
[RegSetValue] spoolsv.exe:1340 > HKCR\msqpdxvx\msqpdxaff = 3368
[RegSetValue] spoolsv.exe:1340 > HKCR\msqpdxvx\msqpdxinfo = }gx~yc~dedomcyjloumllqYPbc
[RegSetValue] spoolsv.exe:1340 > HKCR\msqpdxvx\msqpdxid = qfx|uagbhkmohgn""YQVSVW_,(+
[RegSetValue] spoolsv.exe:1340 > HKCR\msqpdxvx\msqpdxsrv = 1745024793
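As an added example (not code from the book or from the RemoteDLL tool), the following Python script parses monitoring output in the format shown above and flags the behaviours an analyst would want to notice in this capture: autorun.inf written to a drive root, a file dropped into a folder the same process had just created, and encoded-looking data written under HKCR. The sample lines are constructed from the events described here (backslashes restored, plus one benign notepad.exe line for contrast), and the line format, the value heuristics and the rule set are my assumptions, not the tool's.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the monitoring output quoted in the text (process,
# PID and targets follow the events described, backslashes restored); notepad.exe line is a benign control.
SAMPLE_LOG = [
    r"[CreateFile] spoolsv.exe:1340 > C:\autorun.inf",
    r"[CreateFolder] spoolsv.exe:1340 > C:\resycled",
    r"[CreateFile] spoolsv.exe:1340 > C:\resycled\boot.com",
    r"[RegSetValue] spoolsv.exe:1340 > HKCR\extravideo\CLSID\(Default) = {6BF52A52-394A-11D3-B153-00C04F79FAA6}",
    r"[RegSetValue] spoolsv.exe:1340 > HKCR\msqpdxvx\msqpdxpff = 8379",
    r"[RegSetValue] spoolsv.exe:1340 > HKCR\msqpdxvx\msqpdxinfo = }gx~yc~dedomcyjloumllqYPbc",
    r"[CreateFile] notepad.exe:2210 > C:\Users\lab\notes.txt",
]

# Assumed line format: [Operation] process:pid > target [= data]
LINE_RE = re.compile(r"^\[(?P<op>\w+)\] (?P<proc>[^:]+):(?P<pid>\d+) > (?P<target>.+?)(?: = (?P<data>.*))?$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")

def parse_events(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["pid"] = int(ev["pid"])
            events.append(ev)
    return events

def looks_encoded(data):
    """Heuristic: value is neither numeric, a GUID nor a path, yet contains unusual punctuation."""
    if not data or data.isdigit() or GUID_RE.match(data) or re.match(r"^[A-Za-z]:\\", data):
        return False
    return any(not (c.isalnum() or c in " ._-\\:") for c in data)

def find_suspicious(events):
    """Return (process, pid, reason, target) tuples for behaviours worth a closer look."""
    findings = []
    created_dirs = defaultdict(set)  # (process, pid) -> folders that process created
    for ev in events:
        key, target, op = (ev["proc"], ev["pid"]), ev["target"], ev["op"]
        if op == "CreateFile" and re.fullmatch(r"[A-Za-z]:\\autorun\.inf", target, re.I):
            findings.append(key + ("autorun.inf written to drive root", target))
        elif op == "CreateFolder":
            created_dirs[key].add(target.lower().rstrip("\\"))
        elif op == "CreateFile" and target.rsplit("\\", 1)[0].lower() in created_dirs[key]:
            findings.append(key + ("file dropped into a folder the same process just created", target))
        elif op == "RegSetValue" and target.upper().startswith("HKCR\\") and looks_encoded(ev["data"]):
            findings.append(key + ("encoded-looking data written under HKCR", target))
    return findings
```

Run against real monitoring output, the same rules would also fire on legitimate installers, so treat the findings as triage leads tied to the injected process rather than as verdicts.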

The following screenshot shows the malware's C2 communication on port 80:

During malware investigation, you will come across DLLs that run only when they are loaded as a service. This type of DLL is called a service DLL. To fully understand the workings of a service DLL, knowledge of code analysis and the Windows API is required, which will be covered in later chapters.