Loading DLLs

In addition to loading and attaching to executables, OllyDbg can also debug DLLs. However, since a DLL cannot be executed directly, OllyDbg loads it into a small host program called loaddll.exe. This is extremely useful, because malware often comes packaged as a DLL, with most of its code contained inside its DllMain function (the initialization function the loader calls when the DLL is mapped into a process). By default, OllyDbg breaks at the DLL entry point (DllMain) once the DLL is loaded, so you get control before any of the DLL's own initialization code has run.
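To try this workflow on something harmless, the following is a minimal Windows DLL written for this page (it is not code from the book or from any sample it discusses). DllMain records that process attach ran, and an exported function, Decode, takes arguments, which is exactly the case the text describes: load the DLL in OllyDbg, let it break at DllMain, press Play so initialization completes, then call Decode through the debugger's dialog for calling DLL exports. The #ifdef guards are an assumption added so the same file also compiles as plain C outside Windows; the export names and the XOR routine are constructed for the example.

```c
/* Added example, not from Practical Malware Analysis.
 * Build on Windows, e.g. with MinGW:  gcc -shared -o sample.dll sample.c
 * or with MSVC:                       cl /LD sample.c
 * Then File > Open sample.dll in OllyDbg; it is loaded through loaddll.exe
 * and the debugger breaks at DllMain. Press Play, then call the export
 * Decode with a buffer pointer, a length and a key from the debugger. */
#include <stddef.h>

#ifdef _WIN32
#  include <windows.h>
#  define EXPORT __declspec(dllexport)
#else
#  define EXPORT            /* assumption: plain build on non-Windows */
#endif

/* Set by DllMain on DLL_PROCESS_ATTACH. Exports that depend on such
 * state only behave correctly after initialization has run, which is
 * why the text says to press Play before calling exports. */
static int g_initialized = 0;

/* Exported helper so a debugger (or a test) can observe that state. */
EXPORT int DllState(void)
{
    return g_initialized;
}

/* Exported function with arguments: XOR-decodes buf in place with key
 * and returns the number of bytes processed. A typical shape for a
 * string-decoding routine you would want to call from the debugger.
 * Constructed for the example; not tied to any real sample. */
EXPORT size_t Decode(unsigned char *buf, size_t len, unsigned char key)
{
    size_t i;
    if (buf == NULL)
        return 0;
    for (i = 0; i < len; i++)
        buf[i] ^= key;
    return i;
}

#ifdef _WIN32
/* The entry point OllyDbg breaks at. reason tells you why the loader
 * called it: DLL_PROCESS_ATTACH on load, DLL_PROCESS_DETACH on unload,
 * and thread attach/detach unless those notifications are disabled. */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        /* Cut down on spurious DllMain hits while stepping in the
         * debugger: no per-thread attach/detach callbacks. */
        DisableThreadLibraryCalls(hinst);
        g_initialized = 1;
    }
    return TRUE;
}
#endif
```

If you break at DllMain and immediately call Decode without pressing Play, DllState still returns 0, which is the general point: anything the export needs from initialization is not there yet.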

In order to call exported functions with arguments inside the debugged DLL, you first need to load the DLL with OllyDbg. Then, once it pauses at the DLL entry point, click the play button to run DllMain and any other initialization the DLL ...
