Thursday, January 26, 2012

Malware Analysis Tutorial 13: Tracing DLL Entry Point

Learning Goals:
  1. Understand C calling convention
  2. Practice reverse engineering
Applicable to:
  1. Operating Systems
  2. Assembly Language
1. Introduction
In Tutorial 11, we showed you the trick Max++ plays to load its own malicious executable using the "corpse" of another DLL called "lz32.dll". Beginning with this tutorial, we will analyze the functionality of the malicious DLL. In the following, we use "lz32.dll" to refer to this malicious code starting at 0x003C24FB. (In your VBox instance, this entry address might vary. Check Tutorial 11 for how to find the correct entry address of lz32.dll.)

Today, we will discuss some basic background information on DLL entry points and analyze the first part of lz32.dll (not the real "lz32.dll", but the malicious code of Max++ planted into it).

2. Lab Configuration
(1) Clear all breakpoints and hardware breakpoints in IMM (see View->Breakpoints and View->Hardware Breakpoints).
(2) Go to 0x4012DC and set a hardware breakpoint there. (Why not a software BP? Because that region will be self-extracted and overwritten, and a software BP, which patches an INT3 byte into the code, would be lost.) Pay special attention that once you go to 0x4012DC, directly right click on the line to set the hardware BP (at this moment it is still gibberish code).
(3) Press SHIFT+F9 to run to 0x4012DC. Figure 1 shows the code you should be able to see. As you can see, this is right before the call of RtlAddVectoredExceptionHandler, where the hardware BP is set to break the LdrLoadDll call (see Tutorial 11 for details). At this point, the code at 0x3C24FB has not been extracted yet. If you go to 0x3C24FB now, IMM will complain that the address is not accessible.
Figure 1: code at 0x4012DC
(4) Now scroll down about two pages and set a SOFTWARE BREAKPOINT at 0x401417. This is right after the call of LdrLoadDll("lz32.dll"), where Max++ finishes loading lz32.dll.

Figure 2: code at 0x401407

(5) Now we will set a breakpoint at 0x3C24FB. Follow the instructions below:
Press SHIFT+F9 several times, until you hit 0x7C90D500 (this is somewhere inside ntdll.ZwMapViewOfSection, which is being called by LdrLoadDll). Go to 0x3C24FB and set a SOFTWARE BREAKPOINT there. (You will see a warning saying that your BP is out of range. This is because the malware author did not do a good job of resetting the PE header information: the size of the executable code section is messed up, see Tutorial 12 for details. It should be fine, just click OK.)

(6) If you hit SHIFT+F9 (probably twice), you will hit 0x3C24FB. If you hit 0x401417 directly, something is wrong with IMM (strangely, I cannot explain it). You have to RESTART (Debug->Restart) and repeat steps (1) to (5) (yes, clear all BPs and hardware BPs). The correct sequence is: you hit 0x7C90D500 twice, and then you hit 0x3C24FB. This is because LdrLoadDll will call the entry point of the DLL.

(7) Figure 3 shows the code that you should be able to see. The first instruction at 0x3C24FB should be CMP DWORD PTR SS:[ESP+8], -2. If you execute several steps, you might notice that it soon returns, because the value at [ESP+8] is 1.

Figure 3: code at 0x3C24FB

(8) SHIFT+F9 again and you will hit 0x401417; then SHIFT+F9 again and you will hit 0x3C24FB again! You might notice that now [ESP+8] has the value -2, and if you press F7 you will trace into a lot of details of the malicious logic.

Up to this point, you are doing it right. If anything is messed up, you have to restore the snapshot, because Max++ automatically removes its executable from the disk drive so that you will not be able to find it again.

3. Background Information on the DLL Entry Point

DLLs, like .exe files, can have an entry point. This entry function is executed when the DLL is loaded by loader routines such as LdrLoadDll(). MSDN has tons of excellent articles on it, and you can read [1] for details. The following declaration is from [1]; a DLL entry function takes three parameters, see below:

  BOOL WINAPI DllMain(
    HINSTANCE hinstDLL, // handle to DLL module
    DWORD fdwReason,    // reason for calling function
    LPVOID lpReserved ) // reserved
  {...}

WINAPI means stdcall on 32-bit x86: the caller pushes the arguments right to left, so just after the CALL instruction the return address sits at [ESP], hinstDLL at [ESP+4], fdwReason at [ESP+8] and lpReserved at [ESP+12].

Challenge 1: Note that the code at 0x3C24FB (Figure 3) checks the value of [ESP+8]. Which parameter is stored at ESP+8?

We are particularly interested in fdwReason. Where is it defined? Reading [1] you can find that there are some macros defined for fdwReason, such as DLL_PROCESS_ATTACH (when a process first attaches the DLL), DLL_THREAD_ATTACH (when a thread of the process is created after the DLL is attached), etc. [1] does not give the integer values of these macros, but a simple Google search for "#define DLL_PROCESS_ATTACH" yields the values from winnt.h [again: do the Google search in your VM, many sites hosting MS sources can be harmful!]. The values used by the loader are small integers: DLL_PROCESS_DETACH is 0, DLL_PROCESS_ATTACH is 1, DLL_THREAD_ATTACH is 2 and DLL_THREAD_DETACH is 3. The value 1 (DLL_PROCESS_ATTACH) is what you see in [ESP+8] when 0x3C24FB is hit the first time (the call made by LdrLoadDll).

4. Analysis of Max++

If you pay attention to the first couple of instructions at 0x3C24FB, one natural question is:
Challenge 2: Why does the malware compare [ESP+8] with -2? What is the motivation for doing this?

The motivation is that, when it is a legitimate invocation (e.g., made by LdrLoadDll), the code at 0x3C24FB returns immediately (without doing any harm). Why? Recall from Tutorial 12 that Max++ cuts into LdrLoadDll, and LdrLoadDll does not actually finish gracefully (some loader bookkeeping for the module is not set up correctly). This information has to be set up properly, because without it the code can NOT call external functions (e.g., those provided by ntdll). So Max++ has to set all of this up by itself and then call the entry function at 0x3C24FB manually. Before calling it, it sets the second parameter (fdwReason) to -2 (0xFFFFFFFE as a DWORD), a value that the loader NEVER passes to a DLL entry point, so that the code knows the call comes from Max++ and not from the loader.
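To make Challenge 1 and the -2 gate concrete, here is an added C model of what happens at the entry point. It is example code written for this tutorial, not code from the original post and not Max++'s own code: it lays out the stack the way a 32-bit stdcall caller leaves it for DllMain, reads [ESP+8] the way the CMP at 0x3C24FB does, and shows that the loader's DLL_PROCESS_ATTACH call (reason 1) returns at once while the hand-made call with fdwReason = -2 reaches the gated logic. The reason-code values are the ones from winnt.h; the module handle, return addresses and the name MAXPP_SELF_CALL_REASON are constructed placeholders (the real second caller is what Challenge 3 asks you to find).

```c
#include <stdint.h>
#include <stdio.h>

/* Reason codes passed in fdwReason, with the values defined in winnt.h. */
#define DLL_PROCESS_DETACH 0u
#define DLL_PROCESS_ATTACH 1u
#define DLL_THREAD_ATTACH  2u
#define DLL_THREAD_DETACH  3u

/* The private value Max++ puts in fdwReason when it calls the entry itself:
 * -2 stored in a DWORD. (Name is ours, not from the malware.) */
#define MAXPP_SELF_CALL_REASON 0xFFFFFFFEu

/* Simulated 32-bit stack as seen at the first instruction of the entry point.
 * DllMain is stdcall on x86: the caller pushes lpReserved, fdwReason, hinstDLL
 * (right to left) and CALL pushes the return address, so at entry
 *   [ESP+0]  return address
 *   [ESP+4]  hinstDLL
 *   [ESP+8]  fdwReason
 *   [ESP+12] lpReserved
 * words[i] holds the DWORD at ESP + 4*i. */
typedef struct {
    uint32_t words[4];
} entry_stack_t;

/* Lay out the frame exactly as a stdcall caller would. */
static entry_stack_t call_entry_frame(uint32_t ret_addr, uint32_t hinst,
                                      uint32_t reason, uint32_t reserved)
{
    entry_stack_t s;
    s.words[0] = ret_addr;
    s.words[1] = hinst;
    s.words[2] = reason;
    s.words[3] = reserved;
    return s;
}

/* DWORD PTR SS:[ESP+off] for a dword-aligned offset. */
static uint32_t dword_at_esp(const entry_stack_t *s, unsigned off)
{
    return s->words[off / 4];
}

/* Is this a value the Windows loader actually passes in fdwReason? */
static int is_loader_reason(uint32_t reason)
{
    return reason <= DLL_THREAD_DETACH;   /* 0..3 */
}

/* Model of the gate at 0x3C24FB:
 *     CMP DWORD PTR SS:[ESP+8], -2
 *     JNE return_true          ; any loader reason: do nothing, return TRUE
 *     ... malicious logic ...
 * Returns 1 (TRUE) like a well-behaved DllMain in both cases; *payload_ran
 * reports whether the gated code was reached. */
static uint32_t model_entry_point(const entry_stack_t *s, int *payload_ran)
{
    *payload_ran = 0;
    if (dword_at_esp(s, 8) != MAXPP_SELF_CALL_REASON)
        return 1;            /* loader-driven call: looks benign */
    *payload_ran = 1;        /* only the hand-made call gets here */
    return 1;
}

/* First hit: LdrLoadDll runs the entry with DLL_PROCESS_ATTACH.
 * Module handle and return address are constructed placeholders. */
static int loader_call_runs_payload(void)
{
    entry_stack_t s = call_entry_frame(0x7C91AAAAu, 0x003C0000u,
                                       DLL_PROCESS_ATTACH, 0);
    int ran;
    model_entry_point(&s, &ran);
    return ran;
}

/* Second hit: Max++ calls the entry itself with fdwReason = -2.
 * 0x00401000 is a placeholder return address, not the real call site. */
static int self_call_runs_payload(void)
{
    entry_stack_t s = call_entry_frame(0x00401000u, 0x003C0000u,
                                       MAXPP_SELF_CALL_REASON, 0);
    int ran;
    model_entry_point(&s, &ran);
    return ran;
}

int main(void)
{
    entry_stack_t s = call_entry_frame(0x7C91AAAAu, 0x003C0000u,
                                       DLL_PROCESS_ATTACH, 0);
    printf("[ESP+8] on the loader call = %u (loader value: %s)\n",
           dword_at_esp(&s, 8), is_loader_reason(dword_at_esp(&s, 8)) ? "yes" : "no");
    printf("payload runs on loader call: %d\n", loader_call_runs_payload());
    printf("payload runs on self call:   %d\n", self_call_runs_payload());
    printf("-2 as a DWORD = 0x%08X (loader value: %s)\n", MAXPP_SELF_CALL_REASON,
           is_loader_reason(MAXPP_SELF_CALL_REASON) ? "yes" : "no");
    return 0;
}
```

The practical takeaway for the debugger session is the is_loader_reason check: whenever you land on a DLL entry point, look at [ESP+8]; a value outside 0..3 means the loader did not make this call, and the return address at [ESP] tells you who did.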

Last challenge of the day:
Challenge 3: Can you find out which instruction calls 0x3C24FB the second time (the one that provides -2 for fdwReason)? [Hint: check the stack contents, the return address is at [ESP] when you land on 0x3C24FB.] Look at how 0x3C24FB is called. Could a static analysis tool find out that 0x3C24FB is called by the Max++ code?

[1] Microsoft, "Dynamic-Link Library Entry-Point Function", MSDN.
