Running Malware

Basic dynamic analysis techniques will be rendered useless if you can’t get the malware running. Here we focus on running the majority of malware you will encounter (EXEs and DLLs). Although you’ll usually find it simple enough to run executable malware by double-clicking the executable or running the file from the command line, it can be tricky to launch malicious DLLs because Windows doesn’t know how to run them automatically. (We’ll discuss DLL internals in depth in Chapter 7.)

Let’s take a look at how you can launch DLLs to be successful in performing dynamic analysis.

The program rundll32.exe is included with all modern versions of Windows. It provides a container for running a DLL using this syntax:

C:\>rundll32.exe DLLname, Export arguments

The Export value must be a function name or ordinal selected from the exported function table in the DLL. As you learned in Chapter 1, you can use a tool such as PEview or PE Explorer to view the Export table. For example, the file rip.dll has the following exports:

Install
Uninstall

Install appears to be a likely way to launch rip.dll, so let’s launch the malware as follows:

C:\>rundll32.exe rip.dll, Install

Malware can also have functions that are exported by ordinal—that is, as an exported function with only an ordinal number, which we discussed in depth in Chapter 1. In this case, you can still call those functions with rundll32.exe using the following command, where 5 is the ordinal number that you want to call, prepended with the # character:

C:\>rundll32.exe xyzzy.dll, #5

Because malicious DLLs frequently run most of their code in DLLMain (called from the DLL entry point), and because DLLMain is executed whenever the DLL is loaded, you can often get information dynamically by forcing the DLL to load using rundll32.exe. Alternatively, you can even turn a DLL into an executable by modifying the PE header and changing its extension to force Windows to load the DLL as it would an executable.

To modify the PE header, wipe the IMAGE_FILE_DLL (0x2000) flag from the Characteristics field in the IMAGE_FILE_HEADER. While this change won’t run any imported functions, it will run the DLLMain method, and it may cause the malware to crash or terminate unexpectedly. However, as long as your changes cause the malware to execute its malicious payload, and you can collect information for your analysis, the rest doesn’t matter.
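The following script is an added example, not code from the book, showing the header edit described above on a file in an analysis lab: it walks the MZ header to e_lfanew, checks the PE signature, reads the Characteristics field of IMAGE_FILE_HEADER (at offset 18 within that 20-byte structure, right after SizeOfOptionalHeader) and clears the IMAGE_FILE_DLL (0x2000) bit. The sample input is a constructed minimal MZ/PE header, not a real binary, and the function and constant names are the script's own choices.

```python
import struct
import sys

# Characteristics bits from the PE specification (IMAGE_FILE_HEADER).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000

# IMAGE_FILE_HEADER layout (20 bytes): Machine(2) NumberOfSections(2)
# TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
# SizeOfOptionalHeader(2) Characteristics(2)
FILE_HEADER_FMT = "<HHIIIHH"
CHARACTERISTICS_OFFSET_IN_FILE_HEADER = 18


def characteristics_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_FILE_HEADER.Characteristics."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew at 0x3C points to the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER immediately follows the 4-byte signature.
    return e_lfanew + 4 + CHARACTERISTICS_OFFSET_IN_FILE_HEADER


def read_characteristics(data: bytes) -> int:
    return struct.unpack_from("<H", data, characteristics_offset(data))[0]


def is_dll(data: bytes) -> bool:
    return bool(read_characteristics(data) & IMAGE_FILE_DLL)


def clear_dll_flag(data: bytes) -> bytes:
    """Return a copy of the image with IMAGE_FILE_DLL wiped from Characteristics.

    Nothing else in the image is touched; the loader will then treat the file
    as an EXE and run its entry point (the DllMain stub) directly.
    """
    buf = bytearray(data)
    off = characteristics_offset(data)
    flags = struct.unpack_from("<H", buf, off)[0]
    struct.pack_into("<H", buf, off, flags & ~IMAGE_FILE_DLL)
    return bytes(buf)


def build_sample_header(characteristics: int) -> bytes:
    """Constructed minimal MZ + PE header used as sample input (not a real binary)."""
    dos = bytearray(0x40)            # 64-byte DOS header, no stub
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> right after DOS header
    file_header = struct.pack(
        FILE_HEADER_FMT,
        0x14C,          # Machine: IMAGE_FILE_MACHINE_I386
        1,              # NumberOfSections
        0, 0, 0,        # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        0xE0,           # SizeOfOptionalHeader for a PE32 image
        characteristics,
    )
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    # Usage: python this_script.py sample.dll patched.exe
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        image = f.read()
    print(f"{src}: Characteristics=0x{read_characteristics(image):04x} is_dll={is_dll(image)}")
    with open(dst, "wb") as f:
        f.write(clear_dll_flag(image))
    print(f"wrote {dst}")
```

The script only flips the one bit; it does not fix up anything else, so, as the text warns, the resulting executable may crash once DLLMain returns, which is acceptable as long as the payload runs long enough to be observed.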

DLL malware may also need to be installed as a service, sometimes with a convenient export such as InstallService, as listed in ipr32x.dll:

C:\>rundll32 ipr32x.dll,InstallService ServiceName
C:\>net start ServiceName

The ServiceName argument must be provided to the malware so it can be installed and run. The net start command is used to start a service on a Windows system.

Note

When you see a ServiceMain function without a convenient exported function such as Install or InstallService, you may need to install the service manually. You can do this by using the Windows sc command or by modifying the registry for an unused service, and then using net start on that service. The service entries are located in the registry at HKLM\SYSTEM\CurrentControlSet\Services.
