I'm interested in learning how how some malware works.
The malware uses 3 dlls attached to explorer.exe

How does someone debug a dll attached to explorer.exe on vista ?

I'm using OllyDbg right now, but I don't think attaching to explorer.exe
and setting breakpoints is a good idea

Thanks!

You have two choices:
1. when the malware calls the OpenProcess API to open the explorer.exe process in order to inject the dlls, you can change the process id to another process, such as notepad.exe, this is my choice;
2. follows this knowledgebase article:
How to debug a Windows Shell Extension using Visual C++
http://support.microsoft.com/kb/138942

use a virtual machine (vmware- etc), make a snapshot and put the malware, debug explorer.exe and the dll as usual and when you finish, revert to the stored snapshot, and the image will be clean.

ricnar

How can I debug as usuall, wouldn't everything crash by adding any breakpoints ?

What about a tool like MHS, http://www.memoryhacking.com/ ?
Although its probably very limited on the debugging side.

As zhzhtst points out, maybe I can try injecting the dlls into say notepad.exe.
Are there any programs that can do that ?
If I'm able to do that, would the dll run normally ?

thanks!

you might wanna try set a breakpoint on loadlibrary and see if you can debug till it breaks on the dll

what will you achieve by injecting dlls into notepad?
i think zhzhtst meant hook the api

"How can I debug as usuall, wouldn't everything crash by adding any breakpoints ?"

-----------------------------------------------------------------------------------------

If you debug a ring3 process, a breakpoint only work in the context of the aplication no all process, maybe i don't understand well (my english is bad)

ricnar

well attaching to explorer.exe and stopping on a breakpoint means you have no gui support
it would look like the hell froze over
though cmd.exe will work and ctrl+shift+ESC alt+tab etc will work

you can attach to explorer.exe but keep running it use f9 and use runtraces

This being a newbie forum, and me being a newbie, I'd like to ask some basic questions related to this....

I've read a lot about injecting or hooking the dll with another process, say notepad.
Can this be done, and if so, can anyone direct me to some detailed information on how its done ?

Information from the process must pass to the dll (atleast with this dll).
I used OllyDbg and tried to search for all intermodule calls, but didn't find anything going to/from that dll. Where/how would I find those calls ?