1

I am trying to reverse engineer a DLL that may contain malware. One thing I noticed is that it hides itself from the DLL LDR_MODULE list. So, when I use Ollydbg or smiler tools I do not see it and cannot dump it.

I don't have the DLL file. I just have an executable file that injects the DLL into a certain process.

Improve this question

1 Answer 1

Reset to default
4

I'll list some ways to do it. Obviously there are many others and most likely other fellows here will add. Start with those as they are ones of the mostly used.

  1. While debugging a malicious process, BP on WriteProcessMemory/NtMapViewOfSection API. Those are used to copy/map potential DLL into the remote process. Before the copying or mapping is done, you can dump the buffer to disk. Check the manual of the above APIs to find the local buffer which will be copied to remote process.
  2. Alternatively, if you have s little understanding what malicious code is doing you can follow it by inspecting the log of procmon. Once you see something in the log that is 100% done by the mal-DLL, you can open that log line and inspect the stack. The stack will tell you at what page the mal-DLL resides. If you know at what memory page the DLL resides in the infected process, you can use for example Process Hacker for dumping this specific memory page by clicking on the process and inspecting memory tab.
  3. Alternatively, you can dump the whole memory of the infected machine and use tool - Volatility to inspect the memory of a specific process or all the processes.
Improve this answer
1
  • Find something interesting. This sample actually dumps a randomized copy to disk then injects that. Cool :) Commented Jan 2, 2014 at 1:03

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.