Chapter 3 : Basic Dynamic Analysis

Sandbox Drawbacks

Malware can detects Virtual machines. may behave differently
some malware requires the presence of certain registry keys.
if the malware is DLL, certain exported functions will not be invoked properly.
sandbox environment OS may not be correct for the malware.

Analyzing the DLLs

How to launch DLLs exported functions in Windows

rundll32.exe is included it will provide a container for running a DLL using this syntax.

C:\\\\rundll32.exe DLLname, Export arguments.

Changing DLL file to EXE file

modify the PE header, wipe the IMAGE_FILE_DLL(0x2000) flag from IMAGE_FILE_HEADER
it will run DLLMain method

DllMain entry point (Process.h) - Win32 apps

BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,  // handle to DLL module
    DWORD fdwReason,     // reason for calling function
    LPVOID lpReserved )  // reserved
{
    // Perform actions based on the reason for calling.
    switch( fdwReason ) 
    { 
        case DLL_PROCESS_ATTACH:
         // Initialize once for each new process.
         // Return FALSE to fail DLL load.
            break;

        case DLL_THREAD_ATTACH:
         // Do thread-specific initialization.
            break;

        case DLL_THREAD_DETACH:
         // Do thread-specific cleanup.
            break;

        case DLL_PROCESS_DETACH:
         // Perform any necessary cleanup.
            break;
    }
    return TRUE;  // Successful DLL_PROCESS_ATTACH.
}

DLL malware may also be installed as a service. with a convenient export function such as Install... InstallService.

Sandbox Drawbacks

Analyzing the DLLs

How to launch DLLs exported functions in Windows

Changing DLL file to EXE file

Install ServiceMain manually