Malware Journey Day 27

Nick Mckenney
3 min read · Jan 5, 2024


I understand how running a DLL with rundll32.exe goes.

It's as simple as `rundll32.exe dll.dll,HelloWorld`, as seen in the example below. Though I am currently having a difficult time dynamically loading a DLL into a program I created. Currently this DLL exports a HelloWorld function.

From the previous blog post I learned there are multiple ways to load a DLL and import a function. LoadLibraryA and GetModuleHandleA are two popular ways of doing this.

Really what I need to do is first call LoadLibrary and then GetProcAddress, since this retrieves the function from an export.

In my main exe file:

I tried to follow the Microsoft docs, though it seems FARPROC is not appropriate for this main function.

Instead I will use a pointer:

Ah, this is much better. Time to reverse this and the DLL I created.
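The loader described above (LoadLibrary, then GetProcAddress, then calling through a real function-pointer type instead of FARPROC), written out as an added example that is not the post's own code. It assumes the DLL is called dll.dll and that its HelloWorld export takes no arguments and returns nothing; the POSIX branch (dlopen/dlsym/dlclose) is my addition so the same pattern can be exercised outside Windows, and the strlen helper exists only to show the load/resolve/cast/call path against an export every platform has. Both lookups are NULL-checked so a bad path or a missing export is reported as a status code rather than a crash.

```c
/* Added example (not the post's own code): load a library at run time,
 * resolve an export by name, and call it through a typed function pointer.
 * On Windows this is LoadLibraryA/GetProcAddress/FreeLibrary as in the post;
 * on POSIX the same pattern is dlopen/dlsym/dlclose. */
#include <stdio.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
typedef HMODULE dyn_handle_t;
#define LIBC_NAME "msvcrt.dll"          /* C runtime on Windows; exports strlen */
static dyn_handle_t dyn_open(const char *path) { return LoadLibraryA(path); }
static void *dyn_sym(dyn_handle_t h, const char *name)
{
    /* GetProcAddress returns FARPROC; handing back void * lets the caller
     * cast to the export's real signature instead of calling via FARPROC. */
    return (void *)GetProcAddress(h, name);
}
static void dyn_close(dyn_handle_t h) { FreeLibrary(h); }
#else
#include <dlfcn.h>
typedef void *dyn_handle_t;
#ifdef __APPLE__
#define LIBC_NAME "libSystem.B.dylib"
#else
#define LIBC_NAME "libc.so.6"
#endif
static dyn_handle_t dyn_open(const char *path) { return dlopen(path, RTLD_NOW); }
static void *dyn_sym(dyn_handle_t h, const char *name) { return dlsym(h, name); }
static void dyn_close(dyn_handle_t h) { dlclose(h); }
#endif

/* Status codes returned by call_hello_world(). */
enum { DYN_OK = 0, DYN_NO_LIBRARY = 1, DYN_NO_EXPORT = 2 };

/* Assumed signature of the post's HelloWorld export: no arguments, no return. */
typedef void (*hello_fn_t)(void);

/* Load dll_path, resolve "HelloWorld", call it, unload. Never calls a NULL pointer. */
int call_hello_world(const char *dll_path)
{
    dyn_handle_t lib = dyn_open(dll_path);
    if (lib == NULL)
        return DYN_NO_LIBRARY;          /* wrong path, or wrong bitness for this process */

    hello_fn_t hello = (hello_fn_t)dyn_sym(lib, "HelloWorld");
    if (hello == NULL) {                /* name not exported, or exported decorated */
        dyn_close(lib);
        return DYN_NO_EXPORT;
    }

    hello();                            /* the DLL's code runs here */
    dyn_close(lib);
    return DYN_OK;
}

/* Same load/resolve/cast/call path against an export that exists on every
 * platform (strlen from the C runtime), so it runs without the custom DLL.
 * Returns the string length, or (size_t)-1 if the library or symbol is missing. */
typedef size_t (*strlen_fn_t)(const char *);

size_t strlen_via_dynamic_load(const char *s)
{
    dyn_handle_t lib = dyn_open(LIBC_NAME);
    if (lib == NULL)
        return (size_t)-1;
    strlen_fn_t fn = (strlen_fn_t)dyn_sym(lib, "strlen");
    size_t n = (fn != NULL) ? fn(s) : (size_t)-1;
    dyn_close(lib);
    return n;
}

int main(void)
{
    int rc = call_hello_world("dll.dll");   /* the post's DLL, if it sits next to the exe */
    printf("call_hello_world(\"dll.dll\") -> %d\n", rc);
    printf("strlen via dynamic load -> %zu\n", strlen_via_dynamic_load("Hello World"));
    return (rc == DYN_OK) ? 0 : 1;
}
```

For the DLL side, the export only resolves by the plain name "HelloWorld" if it is declared with `__declspec(dllexport)` (or listed in a .def file) and is not C++ name-mangled, which is the usual reason GetProcAddress returns NULL even though the DLL loaded. On Linux with a glibc older than 2.34 the POSIX branch needs `-ldl` at link time.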

Let's start with the DLL.

As expected, my DLL is only exporting one function.

In IDA I will, as per usual, hit the _stdcall DllMain function first. Though this is not anything special; I want to start at the entry point first.

What catches my attention from above is the JMC flag. Though after digging a bit more into this it appears to be nothing; it's just a placeholder for a memory address of the JMC flag. This part of the block isn't what I'm really interested in either, though. Below is what I should be investigating.

From above I can see it is referencing any text from the .text section, which in my case would be “Hello World”.

Really underwhelming; time to move on to the exe.

Analyzing the exe file in x64dbg, I see another reference to a JMC flag, this time for the project I created, which is ConsoleApplication. My string to the DLL file is referenced as LibFileName and is passed to rcx. LibFileName is apparently a procedure for information files.

From the above screenshot I can see the two functions I referenced from the Windows API are present along with the values passed. What gets my interest is that the base pointer is referenced with an addition to GetProcAddress. I'm guessing this is due to it needing to fit on the stack.
