Is it possible to debug a dll on explorer.exe with OllyDbg?
Maze
February 26th, 2009, 20:28
I'm interested in learning how some malware works.
The malware uses 3 dlls attached to explorer.exe.
How does someone debug a dll attached to explorer.exe on Vista?
I'm using OllyDbg right now, but I don't think attaching to explorer.exe
and setting breakpoints is a good idea.
Thanks!
zhzhtst
February 26th, 2009, 22:04
You have two choices:
1. when the malware calls the OpenProcess API to open the explorer.exe process in order to inject the dlls, you can change the process id to another process, such as notepad.exe, this is my choice;
2. follow this knowledgebase article:
How to debug a Windows Shell Extension using Visual C++
http://support.microsoft.com/kb/138942
Ricardo Narvaja
February 27th, 2009, 02:48
Use a virtual machine (VMware, etc.), make a snapshot, put the malware in, debug explorer.exe and the dll as usual, and when you finish, revert to the stored snapshot and the image will be clean.
ricnar
Maze
February 27th, 2009, 09:22
Quote (originally posted by Ricardo Narvaja):
use a virtual machine (vmware- etc), make a snapshot and put the malware, debug explorer.exe and the dll as usual and when you finish, revert to the stored snapshot, and the image will be clean.
ricnar
How can I debug as usual, wouldn't everything crash by adding any breakpoints?
What about a tool like MHS, http://www.memoryhacking.com/ ?
Although it's probably very limited on the debugging side.
As zhzhtst points out, maybe I can try injecting the dlls into say notepad.exe.
Are there any programs that can do that ?
If I'm able to do that, would the dll run normally ?
thanks!
esther
February 27th, 2009, 11:14
You might want to try setting a breakpoint on LoadLibrary and see if you can debug until it breaks in the dll.
GEEK
February 27th, 2009, 12:17
What will you achieve by injecting dlls into notepad?
I think zhzhtst meant hook the API.
Ricardo Narvaja
February 27th, 2009, 18:12
"How can I debug as usual, wouldn't everything crash by adding any breakpoints?"
If you debug a ring3 process, a breakpoint only works in the context of the application, not all processes. Maybe I don't understand well (my English is bad).
ricnar
blabberer
February 28th, 2009, 12:49
Well, attaching to explorer.exe and stopping on a breakpoint means you have no GUI support;
it would look like hell froze over.
Though cmd.exe will work, and Ctrl+Shift+Esc, Alt+Tab etc. will work.
You can attach to explorer.exe but keep it running (use F9) and use run traces.
Maze
March 1st, 2009, 00:00
This being a newbie forum, and me being a newbie, I'd like to ask some basic questions related to this....
I've read a lot about injecting or hooking the dll with another process, say notepad.
Can this be done, and if so, can anyone direct me to some detailed information on how it's done?
Information from the process must pass to the dll (at least with this dll).
I used OllyDbg and tried to search for all intermodule calls, but didn't find anything going to/from that dll. Where/how would I find those calls ?
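One step the thread takes for granted is knowing exactly which DLLs are sitting in explorer.exe, where they were loaded from and at what base address, before attaching OllyDbg or picking a LoadLibrary breakpoint. The script below is an added example written for this thread, not code posted by any of the participants; it assumes PowerShell 2.0 or later on the analysis VM, an elevated prompt, and a list of "trusted" directories that is an assumption to tune for your own system.

```powershell
# Added example: enumerate the modules loaded into explorer.exe and flag the
# ones worth a closer look (unsigned, or loaded from outside the usual
# Windows directories). Run from an elevated prompt on the analysis VM.
function Get-SuspectExplorerModules {
    param(
        [string]$ProcessName = 'explorer',
        # Assumed list of directories where Windows' own DLLs normally live.
        [string[]]$TrustedRoots = @("$env:SystemRoot\System32",
                                    "$env:SystemRoot\WinSxS",
                                    "$env:ProgramFiles")
    )
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        foreach ($mod in $proc.Modules) {
            $path = $mod.FileName
            # Is the DLL loaded from one of the expected directories?
            $inTrustedDir = $false
            foreach ($root in $TrustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrustedDir = $true
                }
            }
            # Authenticode check: most legitimate shell DLLs are signed.
            $sig = Get-AuthenticodeSignature -FilePath $path
            New-Object PSObject -Property @{
                Pid         = $proc.Id
                Module      = $mod.ModuleName
                Path        = $path
                # Base address as OllyDbg shows it in its module list.
                BaseAddress = ('0x{0:X}' -f $mod.BaseAddress.ToInt64())
                Signed      = ($sig.Status -eq 'Valid')
                Signer      = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
                Suspect     = ((-not $inTrustedDir) -or ($sig.Status -ne 'Valid'))
            }
        }
    }
}

# Usage: show only the modules that are unsigned or loaded from an unexpected place.
Get-SuspectExplorerModules | Where-Object { $_.Suspect } |
    Sort-Object Path | Format-Table Pid, Module, BaseAddress, Signed, Path -AutoSize
```

The BaseAddress column is the value to look for in OllyDbg's Executable modules window (Alt+E) once you have attached, so you can set breakpoints inside the right DLL rather than anywhere in explorer.exe.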