For this blog post I will cover how to use Dependency Walker. Dependency Walker is a tool our group is using during static analysis. It shows which functions a piece of software imports from dynamically linked libraries. We want to understand what functions are being imported by the malware we analyze so we can determine what it does within our analysis lab.
Figure 1. The 5 pane layout of Dependency Walker
After loading the malware LAB01-04.EXE into Dependency Walker we can see five panes.
The first pane shows the dynamically linked libraries (DLLs) imported by the malware. The second pane will show the functions imported by the malware from a particular DLL. The third shows all possible functions available in the DLL. The fourth pane demonstrates information about the DLL versions that are loaded. In the fifth we can see any errors reported after loading the program. For this blog post we will focus on the first and second pane to gain an understanding of what the malware will utilize when it runs.
Figure 2. DLLs imported by Lab01-04.exe
As seen in Figure 2, Lab 01-04 imports 3 DLLs: KERNEL32.DLL, ADVAPI32.DLL, and MSVCRT.
KERNEL32.DLL is a dynamic link library tasked with functions like memory management, input/output operations and interrupts. It runs as part of the kernel module.
ADVAPI32.DLL is a library supporting security and registry calls.
MSVCRT.DLL is the Microsoft C runtime library, which provides standard C library functions such as printf, memcpy, and cos. To gain more detail as to what the malware is doing we can see the functions imported from each of these libraries in the second pane.
Figure 3. Functions imported from KERNEL32.DLL by Lab 01-04.exe
Already the function names offer insight. The malware will be creating files, threads, loading resources, moving files, running applications, and writing to files. Of course this is common for any piece of software. However, it signals to me that I should observe whether any files are moved or created by the malware during dynamic analysis.
Figure 4. Functions imported from ADVAPI32.DLL by Lab 01-04.exe
Here the malware is modifying the access tokens. Access tokens include information about the user account associated with a process or thread. This is interesting as it hints that the malware intends on behaving as the user.
Figure 5. Functions imported from MSVCRT.DLL by Lab 01-04.exe
Finally we can see the C library functions used. This module does not provide as much information as to what the malware may be doing to our computer. It formats strings using _snprintf, compares strings case-insensitively using _stricmp, and includes other runtime boilerplate such as __getmainargs.
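The first two Dependency Walker panes are read straight out of the PE import directory. As an added example (my code, not from the post or the tool), this Python script walks that table the same way; the input is a constructed PE32 built by `build_sample_pe`, and the API names in `SAMPLE_IMPORTS` are assumed to match the behaviours the figures describe rather than copied from Lab01-04.exe.

```python
import struct
# Constructed sample, not copied from Lab01-04.exe: API names chosen to match the behaviours the figures describe.
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["CreateFileA", "CreateThread", "LoadResource", "MoveFileA", "WinExec", "WriteFile"],
    "ADVAPI32.dll": ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"],
}
def parse_imports(data):
    """Return {dll: [function, ...]} from a PE32 file: what Dependency Walker shows in panes 1 and 2."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                          # e_lfanew -> "PE\0\0"; optional header at pe+24
    if data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) image; PE32+ is not handled here")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)   # COFF file header
    imp_rva = struct.unpack_from("<I", data, pe + 24 + 96 + 8)[0]         # data directory[1] = import table
    sections = [struct.unpack_from("<IIII", data, pe + 24 + opt_size + i * 40 + 8) for i in range(nsec)]
    def rva_to_off(rva):                                                  # RVA -> file offset via the section table
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} lies outside every section")      # malformed or packed: worth a closer look
    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii")
    imports, desc = {}, rva_to_off(imp_rva) if imp_rva else 0
    while desc and (d := struct.unpack_from("<IIIII", data, desc))[3]:   # IMAGE_IMPORT_DESCRIPTORs end with a null entry
        oft, _, _, name_rva, ft = d
        funcs, thunk = [], rva_to_off(oft or ft)                          # OriginalFirstThunk keeps the names if present
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:   # high bit set = by ordinal, else hint+name
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & 0x80000000 else cstr(rva_to_off(entry) + 2))
            thunk += 4
        imports[cstr(rva_to_off(name_rva))] = funcs
        desc += 20
    return imports

def build_sample_pe(imports):
    """Build a minimal PE32 whose one section holds only an import table (parser input, not a runnable binary)."""
    base, body = 0x1000, bytearray(20 * (len(imports) + 1))               # descriptors + terminating null entry
    for i, (dll, funcs) in enumerate(imports.items()):
        names = []
        for f in funcs:
            names.append(base + len(body)); body += b"\0\0" + f.encode() + b"\0"   # IMAGE_IMPORT_BY_NAME
        thunks = base + len(body); body += b"".join(struct.pack("<I", n) for n in names) + b"\0" * 4
        dll_rva = base + len(body); body += dll.encode() + b"\0"
        struct.pack_into("<IIIII", body, i * 20, thunks, 0, 0, dll_rva, thunks)
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"; struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)   # COFF: i386, one section
    struct.pack_into("<H", hdr, 0x58, 0x10B); struct.pack_into("<I", hdr, 0x58 + 92, 16)  # PE32 magic, 16 dirs
    struct.pack_into("<II", hdr, 0x58 + 96 + 8, base, 20 * (len(imports) + 1))  # import directory entry
    struct.pack_into("<8sIIII", hdr, 0x58 + 224, b".idata", len(body), base, len(body), 0x200)
    return bytes(hdr + body)
```

Running `parse_imports(open(path, "rb").read())` on a real 32-bit sample lists the same DLL and function pairs Dependency Walker displays; a nearly empty import table, or imports only by ordinal, is itself a sign that the sample is packed or resolving its APIs at runtime.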
The next steps for this will be to examine the PE file metadata using PEView and the resource section of the PE file using Resource Hacker. These tools will inform us of the resources needed by the malware.
Afterwards, with an understanding of the malware file, we can observe the actions taken by the malware by viewing processes on the machine using Process Monitor, observing changes to the registry using Registry Snapshot, and observing its behavior on the network with Wireshark and iNetSim.
Sources Cited
- https://www.techopedia.com/definition/3379/kernel32dll#:~:text=operations%20and%20interrupts.-,Kernel32.,other%20system%20or%20user%20processes
- https://www.processlibrary.com/en/directory/files/advapi32/22015/
- https://www.processlibrary.com/en/directory/files/msvcrt/20015/
- https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
- geeksforgeeks.org/snprintf-c-library/
- https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/stricmp-wcsicmp-mbsicmp-stricmp-l-wcsicmp-l-mbsicmp-l?view=msvc-170
- https://docs.microsoft.com/en-us/cpp/c-runtime-library/getmainargs-wgetmainargs?view=msvc-170