
Author Topic: Malware Analysis (Read 5554 times)


October 15, 2008, 03:17:30 pm

venkat

Hi all,

I am new to this forum...

I don't know how to analyse DLL files (like BHOs) using IDA or OllyDbg.

For example, if I scan a DLL file in VirusTotal and a lot of AV vendors report it as malware, how do I analyse that file using OllyDbg or IDA?

If a DLL is a BHO, I'll register it and see the activity in the IE browser. Suppose a DLL is not a BHO; then how do I analyse that type of DLL file using OllyDbg or IDA?


October 15, 2008, 06:24:17 pm
Reply #1

JohnC

If the DLL is a BHO, it will be started by the browser when the browser is run, like a toolbar. So you could open the browser (iexplore.exe for IE, as an example) in OllyDbg.

Alternatively you could go to File -> Open -> "Files of type" = Dynamic-Link Library (*.dll).

Or, open rundll32.exe in OllyDbg and pass the following arguments to it:
<dllname>,<entrypoint> <optional arguments>
http://vlaurie.com/computers2/Articles/rundll32.htm

If you don't know the entrypoint (an entrypoint is any function which is defined as DllExport), opening the DLL without the entrypoint will open it with DllMain() by default, I think. So from that point you will need to try and reverse engineer it to find the entrypoint that you need, as well as any arguments that you need to pass.
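Before loading a suspect DLL into the debugger, it helps to confirm whether it is actually registered as a BHO and which file IE will load for it. The following script is an added example, not part of the thread or anything the posters wrote; it enumerates the BHO registrations in HKLM, resolves each CLSID to its InprocServer32 DLL, and records the SHA-256 and Authenticode status so the file can be matched against a VirusTotal result.

```powershell
# Added example: list registered Browser Helper Objects and the DLL each one
# resolves to. Uses only built-in cmdlets; read access to HKLM is sufficient.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoDll {
    param([string]$Clsid, [switch]$Wow64)
    # COM loads the DLL named in the InprocServer32 default value for this CLSID.
    $base = if ($Wow64) { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
            else        { 'HKLM:\SOFTWARE\Classes\CLSID' }
    $key = Join-Path (Join-Path $base $Clsid) 'InprocServer32'
    if (-not (Test-Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key).'(default)'
    if (-not $raw) { return $null }
    # Paths are often quoted or contain %SystemRoot%-style variables; normalise them.
    return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    $isWow64 = $key -like '*Wow6432Node*'
    Get-ChildItem -Path $key | ForEach-Object {
        $clsid = $_.PSChildName            # subkey name is the BHO's CLSID
        $dll   = Resolve-BhoDll -Clsid $clsid -Wow64:$isWow64
        $exists = $dll -and (Test-Path -LiteralPath $dll)
        [pscustomobject]@{
            CLSID      = $clsid
            DLL        = $dll
            # A registration whose file is gone is worth noting too: it can be
            # leftover from a removed add-on or a DLL planted elsewhere.
            SHA256     = if ($exists) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { 'FILE MISSING' }
            Signature  = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
            # NoExplorer = 1 means IE loads the BHO but Windows Explorer does not.
            NoExplorer = $_.GetValue('NoExplorer')
        }
    }
}
```

An unsigned DLL in a user-writable directory, or a CLSID with no matching InprocServer32 entry, is the kind of row to look at first; the SHA256 column is what you compare with the VirusTotal submission.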