Smart DLL execution for Malware Analysis in Sandbox Systems

by Florian Roth, Oct 4, 2014

While analyzing several suspicious DLL files I noticed that some of them (which were obviously malicious) didn’t perform their malicious activity unless a certain function was triggered. The malware used a registry entry to execute a function named “InstallM” that is exported by the DLL. I had to run “rundll32.exe malware.dll,InstallM” to trigger the malicious activity.
In order to automate the process of A) analyzing the exported functions and B) running the various DLL functions, I created a script called “DLLRunner”. What it does is rather simple:

  1. First, it uses the Python module pefile to analyze the PE and retrieve a list of all exported functions with name and ordinal.
  2. Second, it executes each exported function via rundll32.exe, by name or by ordinal.
  3. Third, it passes a set of parameters to each function in order to satisfy requirements and trigger any activity (simple “fuzzing”).

In the default mode, the resulting calls look like this:

rundll32.exe path/to/file.dll,exportedfunc1
rundll32.exe path/to/file.dll,exportedfunc2
rundll32.exe path/to/file.dll,exportedfunc3

The simple fuzzing mode looks like this:

rundll32.exe path/to/file.dll,exportedfunc1 "0"
rundll32.exe path/to/file.dll,exportedfunc1 "1"
rundll32.exe path/to/file.dll,exportedfunc1 "http://evil.local"
rundll32.exe path/to/file.dll,exportedfunc1 "Install"
...
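The following script is an added example written for this post, not the DLLRunner code from the GitHub repository: it walks the three steps above (enumerate exports, build one rundll32 call per export, add the fuzz parameters) in a way that runs on any machine. Instead of pefile it parses the PE export directory itself, which also shows where rundll32's two addressing forms come from: “dll,Name” for named exports and “dll,#Ordinal” for exports that only have an ordinal. Everything not in the post is an assumption: the pure-Python parser, the constructed PE image that build_sample_pe() fabricates purely as test input (it contains no code), the 15-second timeout and the --dry-run switch. FUZZ_PARAMS is the post's sample set.

```python
# Added example for this post (not DLLRunner's code): enumerate exports, drive them via rundll32.exe
import struct
import subprocess
import sys

FUZZ_PARAMS = ["0", "1", "http://evil.local", "Install"]  # the post's sample fuzz set


def build_sample_pe(names, unnamed=1, base=1):
    """Constructed PE32 image (no code) whose single section holds an export
    directory with `names` plus `unnamed` ordinal-only exports: test input only."""
    sect_va, sect_raw = 0x1000, 0x200
    nfunc = len(names) + unnamed
    edata = bytearray(40)                               # IMAGE_EXPORT_DIRECTORY, filled last
    rva = lambda: sect_va + len(edata)                  # RVA of the next appended byte
    a_funcs = rva()
    for i in range(nfunc):
        edata += struct.pack("<I", 0x2000 + 0x10 * i)   # fake function RVAs
    a_names = rva()
    edata += b"\0" * (4 * len(names))                   # name RVA table, patched below
    a_ords = rva()
    edata += b"".join(struct.pack("<H", i) for i in range(len(names)))  # name i -> slot i
    dll_name = rva()
    edata += b"sample.dll\0"
    for i, n in enumerate(names):
        struct.pack_into("<I", edata, a_names - sect_va + 4 * i, rva())
        edata += n.encode() + b"\0"
    struct.pack_into("<IIHHIIIIIII", edata, 0, 0, 0, 0, 0, dll_name, base,
                     nfunc, len(names), a_funcs, a_names, a_ords)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", sect_va, len(edata))
    fh = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)  # i386, 1 section, DLL
    sec = b".edata".ljust(8, b"\0") + struct.pack("<IIII", len(edata), sect_va, len(edata), sect_raw) + b"\0" * 16
    return (dos + b"PE\0\0" + fh + opt + sec).ljust(sect_raw, b"\0") + bytes(edata)


def parse_exports(data):
    """[(ordinal, name_or_None), ...] from the export directory: what pefile
    exposes as DIRECTORY_ENTRY_EXPORT.symbols, without the dependency."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else 0
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    exp_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]  # DataDirectory[0]
    if exp_rva == 0:
        return []                                       # nothing exported
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]                  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData

    def off(rva):                                       # RVA -> file offset via the section table
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA %#x maps to no section" % rva)

    (_, _, _, _, _, base, nfunc, nnames, a_funcs, a_names,
     a_ords) = struct.unpack_from("<IIHHIIIIIII", data, off(exp_rva))
    funcs = struct.unpack_from("<%dI" % nfunc, data, off(a_funcs))
    names = {}
    for i in range(nnames):
        slot = struct.unpack_from("<H", data, off(a_ords) + 2 * i)[0]
        start = off(struct.unpack_from("<I", data, off(a_names) + 4 * i)[0])
        names[slot] = data[start:data.index(b"\0", start)].decode("ascii", "replace")
    return [(base + i, names.get(i)) for i in range(nfunc) if funcs[i]]  # zero RVA = unused slot


def rundll32_cmds(dll_path, exports, fuzz=False):
    """rundll32 accepts 'dll,Name' or 'dll,#Ordinal'; a trailing argument arrives
    in the export's lpszCmdLine parameter, which is what the fuzz mode exercises."""
    cmds = []
    for ordinal, name in exports:
        entry = "%s,%s" % (dll_path, name or "#%d" % ordinal)
        for arg in (FUZZ_PARAMS if fuzz else [None]):
            cmds.append(["rundll32.exe", entry] + ([arg] if arg is not None else []))
    return cmds


def run_all(dll_path, fuzz=False, timeout=15, dry_run=False):
    """Enumerate, then run (or with dry_run just print) every invocation.
    Run only inside an isolated analysis VM: the purpose is to detonate malware."""
    with open(dll_path, "rb") as f:
        exports = parse_exports(f.read())
    for cmd in rundll32_cmds(dll_path, exports, fuzz):
        print(" ".join(cmd))
        if dry_run:
            continue
        try:  # blocking exports (popped window, service loop) get killed on timeout
            subprocess.run(cmd, timeout=timeout)
        except subprocess.TimeoutExpired:
            print("  -> timed out after %ds, killed" % timeout)
    return exports


if __name__ == "__main__":  # python dllrunner_example.py <dll> [--fuzz] [--dry-run]
    run_all(sys.argv[1], fuzz="--fuzz" in sys.argv, dry_run="--dry-run" in sys.argv)
```

Two caveats worth keeping in mind when running anything like this. rundll32 calls every export with the prototype it expects, void CALLBACK Fn(HWND, HINSTANCE, LPSTR lpszCmdLine, int nCmdShow), so an export with a different signature may crash or read the fuzz string as something else entirely; and on 64-bit Windows a 32-bit DLL has to be driven with C:\Windows\SysWOW64\rundll32.exe, otherwise loading fails before any export runs. Also note that DllMain executes on every load, so each invocation re-runs whatever the DLL does in DllMain before the named export gets control.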

Examples

I tested the script on “url.dll”, which is typically located in the system32 folder.

python dllrunner.py -f C:\Testing\url.dll --debug

[Figure: DLLRunner executing all exported functions]

Two of its exports, “TelnetProtocolHandler” and “TelnetProtocolHandlerA”, popped a telnet window when called.

[Figure: DLLRunner popping telnet windows via exported function “TelnetProtocolHandler”]

If you pass “--fuzz”, DLLRunner passes several parameters to each function. In “url.dll” this caused a function to open browser windows for the fuzz parameter “http://evil.local”.

python dllrunner.py -f C:\Testing\url.dll --debug --fuzz

[Figure: Running DLLRunner in fuzzing mode]

I am still not sure whether this is something useful. I have to do further testing to improve the fuzzing idea. I am open to any advice and would like to see something like this integrated in common sandboxes like Cuckoo.

Download

DLLRunner on Github

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.
