
English isn't my first language, so I will do my best )

I am trying to analyze some malware, NotPetya, and I can run the malware by running:

rundll32.exe notpetya.dll #1

I am using Olly and trying to use the LoadDLL feature. I see where the DLL calls some of its functions, however I am not able to follow and watch it work. I want to be able to debug this DLL and see what is happening as it's working.

As far as I can tell, there doesn't appear to be anything to obfuscate me from doing this.

I hope I have made this clear enough for people to understand. I don't require the answer to use OllyDBG, but I would like to be able to follow this DLL.

Thank you

LUser
  • Have a look at this existing answer: https://reverseengineering.stackexchange.com/a/15796/161 – Mick Sep 29 '17 at 20:49

1 Answer


Perhaps the simplest thing would be to find the entrypoint in the DLL, make a note of the byte at that location, and then replace it with an "int 3" (0xcc) instruction. Then you can use a debugger to run the command-line that will cause the DLL to be loaded, and the debugger will regain control. At that point, you can restore the replaced byte with the original value, and single-step or run to breakpoints that you set.

peter ferrie
  • The answer was similar. I realized that the dll had two entry points and the first entry just closes the application. Anyway, I just made some assembly that loaded the dll and pulled the exports from it and jmped to it. The int 3 helps stop on secondary entry. – LUser Oct 02 '17 at 05:38
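The entry-point patch the answer describes, as an added example that is not part of the original question or answer: it parses the PE headers to locate AddressOfEntryPoint, maps the RVA to a file offset through the section table, records the original byte and writes 0xCC into a copy, so the byte can be restored once the debugger stops. The sample DLL bytes are constructed in `build_sample_dll`, not taken from any real file; the function names are this example's own.

```python
import struct

INT3 = 0xCC  # one-byte software breakpoint the debugger will stop on

def _rva_to_file_offset(pe: bytes, rva: int) -> int:
    """Map an RVA to a file offset by walking the section table (PE32 and PE32+ alike)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sect = coff + 20 + opt_size  # section headers follow the optional header
    for i in range(num_sections):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, sect + 40 * i)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} lies in no section")

def entry_point_file_offset(pe: bytes) -> int:
    """File offset of AddressOfEntryPoint (the DllMain stub for a DLL)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 4 + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    return _rva_to_file_offset(pe, entry_rva)

def patch_entry_with_int3(pe: bytes) -> tuple[int, int, bytes]:
    """Return (offset, original byte, patched copy) with 0xCC written at the entry point."""
    off = entry_point_file_offset(pe)
    patched = bytearray(pe)
    original = patched[off]      # note the byte so it can be put back later
    patched[off] = INT3
    return off, original, bytes(patched)

def restore_entry_byte(pe: bytes, off: int, original: int) -> bytes:
    """Undo the patch once the debugger has regained control on the int 3."""
    out = bytearray(pe)
    out[off] = original
    return bytes(out)

def build_sample_dll() -> bytes:
    """Constructed minimal PE32 DLL with one .text section; entry at RVA 0x1010 (file 0x210)."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, 0x1010)
    sec = struct.pack("<8sIIII", b".text", 0x100, 0x1000, 0x200, 0x200) + bytes(16)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    text = bytearray(0x200); text[0x10:0x13] = b"\x55\x8b\xec"  # push ebp; mov ebp, esp
    return headers.ljust(0x200, b"\0") + bytes(text)
```

Run the patched copy under the debugger with the rundll32 command line from the question, then write the saved byte back at the same offset in memory before single-stepping.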