How to analyse a DLL file.



  • Hi all,
    I need your help. Can you please tell me how to analyse DLL files, because they are not directly executable files? How can we check DLLs to analyse them and find their behaviour?
    Thanks.


  • administrators

    @rohit_secres said in How to analyse a DLL file.:

    Hi all,
    I need your help. Can you please tell me how to analyse DLL files, because they are not directly executable files? How can we check DLLs to analyse them and find their behaviour?
    Thanks.

    For this, you can use several options.

    A DLL file, as you may know, contains code functions; it just doesn’t have a “main” function which the OS loader can load directly. However, another program can load the DLL file, and there is one supplied with Windows called rundll32.exe. If you run rundll32.exe at the command line and pass to it the DLL file followed by a comma, followed by either a function name or an ordinal number, then rundll32.exe will execute the function specified.

    You can also analyze DLL files with IDA Pro, x64dbg, and OllyDbg. OllyDbg has its own DLL loader, but if you want, you could always load rundll32.exe in another debugger and simply pass to it the argument to load the DLL that you want… Then, you can tell the debugger to “break on module load” and keep pressing Continue until the DLL you want is loaded, then step through the code that way.

    There are a few other caveats to note with DLL files: Earlier I said DLL files don’t have a “main” like EXEs. This isn’t really true. DLLs actually do have a main and it’s called DllMain. DllMain is run whenever the DLL is loaded into a program, so it is important to note that a DLL file can execute code which is outside of the function being imported to another EXE by placing it in DllMain or jumping to it from DllMain.

    Another thing: you will note that when you use rundll32.exe, you don’t really have nice options to pass multiple arguments to a function. For example, the function CreateProcess() takes more than one argument, and if you wanted to run it so that it actually works, you’d have to supply all of those args. You cannot do that with rundll32, unfortunately. The OllyDbg DLL loader has better support for more arguments than rundll32.exe does.
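    As an added example (not code from this thread or from any of the tools named in it), the following pure-Python script does the first static step an analyst takes before reaching for rundll32.exe or a debugger: it parses the PE headers of a DLL and lists the exported function names and ordinals (the values rundll32.exe accepts after the comma), flags exports that are forwarded to another DLL, and reports the AddressOfEntryPoint, which is where the DllMain code described above runs at load time. The DLL image it analyses is constructed inside the script; sample.dll, the export names DoWork/Configure/Legacy and the forwarder target other.dll.RealLegacy are all made-up values, so it runs offline on any platform. Pass the bytes of a real file to analyze_dll() to use it on an actual DLL.

```python
"""Static triage of a DLL's export table and entry point, in pure Python.

The DLL image returned by build_sample_dll() is constructed for this example;
it is not a real binary and its .text section is int3 (0xCC) filler.
"""
import struct

IMAGE_FILE_DLL = 0x2000   # Characteristics bit the linker sets on DLLs
PE32PLUS_MAGIC = 0x20B    # 64-bit optional header


def build_sample_dll() -> bytes:
    """Constructed 64-bit DLL: an .edata section with three exports (one forwarded)
    and a .text section whose entry point stands in for DllMain."""
    edata_rva, text_rva = 0x1000, 0x2000
    strings_off = 40 + 3 * 4 + 3 * 4 + 3 * 2   # directory + 3 funcs + 3 names + 3 ordinals
    strings = [b"sample.dll", b"DoWork", b"Configure", b"Legacy", b"other.dll.RealLegacy"]
    rva_of, blob, cursor = {}, bytearray(), edata_rva + strings_off
    for s in strings:                          # lay the strings out after the tables
        rva_of[s] = cursor
        blob += s + b"\0"
        cursor += len(s) + 1
    funcs = [text_rva, text_rva + 0x40, rva_of[b"other.dll.RealLegacy"]]  # 3rd = forwarder
    name_tab, name_ords = [b"Configure", b"DoWork", b"Legacy"], [1, 0, 2]   # sorted -> func idx
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, rva_of[b"sample.dll"], 5, 3, 3,
                             edata_rva + 40, edata_rva + 52, edata_rva + 64)
    edata = (export_dir + struct.pack("<3I", *funcs)
             + struct.pack("<3I", *[rva_of[n] for n in name_tab])
             + struct.pack("<3H", *name_ords) + bytes(blob))
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", PE32PLUS_MAGIC, 14, 0, 0x200, 0x200, 0,
                      text_rva + 0x100, text_rva, 0x180000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                      0x3000, 0x200, 0, 2, 0x160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = struct.pack("<II", edata_rva, len(edata)) + b"\0" * (15 * 8)  # export dir = entry 0
    sh = struct.pack("<8sIIIIIIHHI", b".edata", 0x200, edata_rva, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    sh += struct.pack("<8sIIIIIIHHI", b".text", 0x200, text_rva, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + coff + opt + dirs + sh
    return headers.ljust(0x200, b"\0") + edata.ljust(0x200, b"\0") + b"\xCC" * 0x200


def _rva_to_offset(sections, rva):
    """Map an image RVA to a file offset via the section table."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def analyze_dll(data: bytes) -> dict:
    """Return DLL flag, entry point RVA and the export list of a PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("this example only handles PE32+ (64-bit) images")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + 112)  # export data directory
    sections = []
    for i in range(nsect):
        _, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append((va, vsize, raw, rsize))
    report = {"is_dll": bool(chars & IMAGE_FILE_DLL), "entry_point_rva": entry_rva, "exports": []}
    if exp_rva == 0:
        return report                                               # nothing exported
    d = _rva_to_offset(sections, exp_rva)
    (_, _, _, _, name_rva, base, nfunc, nnames, aof, aon, aono) = struct.unpack_from("<IIHHIIIIIII", data, d)
    report["name"] = _cstr(data, _rva_to_offset(sections, name_rva))
    funcs = [struct.unpack_from("<I", data, _rva_to_offset(sections, aof) + 4 * i)[0] for i in range(nfunc)]
    name_of = {}
    for i in range(nnames):   # name table index -> unbiased function index
        nrva = struct.unpack_from("<I", data, _rva_to_offset(sections, aon) + 4 * i)[0]
        idx = struct.unpack_from("<H", data, _rva_to_offset(sections, aono) + 2 * i)[0]
        name_of[idx] = _cstr(data, _rva_to_offset(sections, nrva))
    for idx, rva in enumerate(funcs):
        if rva == 0:
            continue                                                # unused ordinal slot
        exp = {"ordinal": base + idx, "name": name_of.get(idx), "rva": rva}
        if exp_rva <= rva < exp_rva + exp_size:                     # RVA inside export dir = forwarder
            exp["forwarder"] = _cstr(data, _rva_to_offset(sections, rva))
        report["exports"].append(exp)
    return report


if __name__ == "__main__":
    rep = analyze_dll(build_sample_dll())
    print(f"{rep['name']}: DLL={rep['is_dll']} entry point RVA={rep['entry_point_rva']:#x}")
    for e in rep["exports"]:
        where = f"forwarded to {e['forwarder']}" if "forwarder" in e else f"RVA {e['rva']:#x}"
        print(f"  ordinal {e['ordinal']:>3}  {e['name'] or '<no name>':<12} {where}")
```

    The names and ordinals it lists are exactly what rundll32.exe or a debugger's DLL loader needs, and the forwarder flag tells you when an export's code is not in this file at all. The entry point RVA is the address to put a breakpoint on if you want to see what the DLL does before any export is called, since that code runs at load time.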



  • Thanks so much, I will try it
    and share with you if a problem occurs.
    If it is possible for you, can you give me a demo in a video? Otherwise I will do it myself and let you know.

    Thanks once again.



  • Check out this video to see a demo: https://www.youtube.com/watch?v=uWzQr8PFbfA&t=300s



  • @rohit_secres if it’s a .NET DLL you can also use a tool like ILSpy to view its contents https://github.com/icsharpcode/ILSpy#ilspy-------



  • @struppigel thanks




Looks like your connection to Malware Analysis Forums was lost, please wait while we try to reconnect.