Troubleshooting Malware

Created: 28.07.2022

This is about … .

Windows

If it’s a DLL, it can still be run independently. There are no guarantees, but there are two ways to do it (either may work for you), followed by a few other things to check:

  • Use rundll32: rundll32 [dllname].dll,[function name or ordinal] [arguments]. For example, malware.dll exports a function InstallService that takes a service name as its argument. We want to load the DLL and call this function so that it creates a service named “MaliciousService”: rundll32 malware.dll,InstallService MaliciousService. In Dependency Walker we can look up the function’s export ordinal and run the same command by ordinal instead (if the ordinal is, say, 5): rundll32 malware.dll,#5 MaliciousService. Keep in mind that rundll32 always calls the export with its own fixed argument list (hwnd, hinst, lpszCmdLine, nCmdShow), so the function receives MaliciousService as the command-line string, not as a typed parameter.
  • Patch the PE header of the DLL and change its extension to .exe: in IMAGE_FILE_HEADER -> Characteristics, clear the IMAGE_FILE_DLL flag (0x2000 -> 0x0000). The loader then treats the file as an executable and runs its entry point (DllMain) directly.
  • If the DLL exports ServiceMain but no Install function, register it as a service yourself:
    • use the sc command, or
    • modify the registry under HKLM\SYSTEM\CurrentControlSet\Services.
  • Check for anti-debugging or anti-VM techniques. To do this, determine at which point the sample crashes.
  • For .NET malware reversed with dnSpy, if the sample keeps running but the debugger keeps detaching itself, check which options are enabled in dnSpy’s settings; dnSpy behaves oddly with them. When the sample uses no anti-debugging techniques but you have turned on anti-debugging prevention in the settings, this is exactly what happens.
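
As an added example (not code from the original page), a small Python script that performs the header patch from the second bullet: it follows e_lfanew to IMAGE_FILE_HEADER, clears IMAGE_FILE_DLL in Characteristics, and writes the result to the output name you give it (so the .exe rename happens at the same time). The build_sample helper constructs a minimal, non-runnable PE header purely for testing; the file names are placeholders.

```python
import struct
import sys

IMAGE_FILE_DLL = 0x2000      # Characteristics bit that marks a PE image as a DLL
PE_SIGNATURE = b"PE\0\0"

def characteristics_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_FILE_HEADER.Characteristics, validating the headers on the way."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature; Characteristics is its last WORD (offset 18)
    return e_lfanew + 4 + 18

def is_dll(data: bytes) -> bool:
    off = characteristics_offset(data)
    return bool(struct.unpack_from("<H", data, off)[0] & IMAGE_FILE_DLL)

def clear_dll_flag(data: bytes) -> bytes:
    """Return a copy of the image with IMAGE_FILE_DLL cleared so the loader treats it as an EXE."""
    off = characteristics_offset(data)
    chars = struct.unpack_from("<H", data, off)[0]
    patched = bytearray(data)
    struct.pack_into("<H", patched, off, chars & ~IMAGE_FILE_DLL)
    return bytes(patched)

def build_sample(characteristics: int) -> bytes:
    """Constructed minimal header (DOS header + PE signature + IMAGE_FILE_HEADER) for testing only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: NT headers start right after the DOS header
    # Machine=i386, 1 section, no timestamp/symbols, 32-bit optional header size, given Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + PE_SIGNATURE + file_header

if __name__ == "__main__":
    # Usage: python patch_dll_flag.py malware.dll malware.exe   (placeholder names)
    src, dst = sys.argv[1:3]
    with open(src, "rb") as f:
        image = f.read()
    with open(dst, "wb") as f:
        f.write(clear_dll_flag(image))
    print(f"{src}: DLL flag was {'set' if is_dll(image) else 'clear'}; wrote {dst}")
```

After the patch the loader runs the entry point (normally DllMain) as the program entry, without the hinstDLL/fdwReason arguments a real DLL load would pass, and exported functions such as InstallService are still not called unless the entry point calls them itself.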
