Because malicious DLLs frequently run most of their code in DLLMain (called from the DLL entry point), and because DLLMain is executed whenever the DLL is loaded, you can often get information dynamically by forcing the DLL to load using rundll32.exe. Alternatively, you can even turn a DLL into an executable by modifying the PE header and changing its extension to force Windows to load the DLL as it would an executable.

To modify the PE header, wipe the IMAGE_FILE_DLL (0x2000) flag from the Characteristics field in the IMAGE_FILE_HEADER. While this change won’t run any imported functions, it will run the DLLMain method, and it may cause the malware to crash or terminate unexpectedly. However, as long as your changes cause the malware to execute its malicious payload, and you can collect information for your analysis, the rest doesn’t matter.
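The header edit described above, as an added example (not code from the book): the script locates IMAGE_FILE_HEADER through e_lfanew, clears IMAGE_FILE_DLL in Characteristics, and hands back the patched bytes so you can save them under a .exe name in your sandbox. The sample header built by build_fake_header is a constructed stub for testing, not a loadable image.

```python
"""Clear the IMAGE_FILE_DLL bit so Windows loads a DLL as an executable (added example)."""
import struct
import sys
from typing import Tuple

IMAGE_FILE_DLL = 0x2000  # Characteristics flag from winnt.h

def clear_dll_flag(pe: bytes) -> Tuple[bytes, int, int]:
    """Return (patched_image, old_characteristics, new_characteristics)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER follows the 4-byte signature; Characteristics is the
    # final WORD of that 20-byte structure, i.e. 18 bytes into it.
    char_off = e_lfanew + 4 + 18
    old = struct.unpack_from("<H", pe, char_off)[0]
    new = old & ~IMAGE_FILE_DLL & 0xFFFF
    patched = bytearray(pe)
    struct.pack_into("<H", patched, char_off, new)
    return bytes(patched), old, new

def build_fake_header() -> bytes:
    """Constructed MZ + PE + IMAGE_FILE_HEADER stub with the DLL bit set (test input)."""
    buf = bytearray(0x40)                          # minimal DOS header
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)        # e_lfanew -> right after DOS header
    buf += b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x2102 = EXECUTABLE|32BIT|DLL)
    buf += struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x2102)
    return bytes(buf)

if __name__ == "__main__":
    # usage: python clear_dll_flag.py sample.dll sample.exe  (paths are assumed)
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        data = f.read()
    out, before, after = clear_dll_flag(data)
    with open(dst, "wb") as f:
        f.write(out)
    print(f"Characteristics 0x{before:04x} -> 0x{after:04x}, wrote {dst}")
```

The optional header, entry point and section table are untouched, so the loader still jumps to the DLL's original entry stub; if the image was linked without relocations or relies on being mapped at a DLL base, expect the crash the text warns about.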
DLL malware may also need to be installed as a service, sometimes with a
convenient export such as InstallService, as listed in ipr32x.dll:
C:\>rundll32 ipr32x.dll,InstallService ServiceName
C:\>net start ServiceName
The ServiceName argument must be provided to the malware so it can be installed and run. The net start command is used to start a service on a Windows system.
NOTE When you see a ServiceMain function without a convenient exported function such as Install or InstallService, you may need to install the service manually. You can do this by using the Windows sc command or by modifying the registry for an unused service, and then using net start on that service. The service entries are located in the registry at HKLM\SYSTEM\CurrentControlSet\Services.