Loading DLLs
In addition to being able to load and attach to executables, OllyDbg can also debug DLLs. However, since DLLs cannot be executed directly, OllyDbg uses a dummy program called loaddll.exe to load them. This technique is extremely useful, because malware often comes packaged as a DLL, with most of its code contained inside its DllMain function (the initialization function called when a DLL is loaded into a process). By default, OllyDbg breaks at the DLL entry point (DllMain) once the DLL is loaded.
In order to call exported functions with arguments inside the debugged DLL, you first need to load the DLL with OllyDbg. Then, once it pauses at the DLL entry point, click the play button to run DllMain and any other initialization the DLL ...
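As an added illustration (not code from the book), here is a small benign test DLL for practising the loaddll.exe workflow: its initialization happens in DllMain, and its exports only return meaningful results after DllMain has run, which is why the text has you press play before calling them. The file name testdll.c, the export names Compute and Status, and the non-Windows stand-in types are assumptions for this example.

```c
/* testdll.c: a benign test DLL whose DllMain does the initialization and whose
 * exports take arguments, for practising the loaddll.exe workflow described
 * above. Added example, not from the book. Build on Windows with MinGW:
 *     gcc -shared -o testdll.dll testdll.c
 * The _WIN32 guard provides stand-ins so the same file also compiles elsewhere. */
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#define EXPORT __declspec(dllexport)
#else
typedef void *HINSTANCE;            /* stand-ins for the Windows types */
typedef unsigned long DWORD;
typedef void *LPVOID;
typedef int BOOL;
#define TRUE 1
#define DLL_PROCESS_ATTACH 1
#define DLL_PROCESS_DETACH 0
#define WINAPI
#define EXPORT
#endif

/* State written only by DllMain. When OllyDbg breaks at the entry point the
 * DLL is mapped but this has not run yet; pressing play lets it run. */
static int g_initialized = 0;
static char g_status[64] = "not initialized";

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        /* the "initialization" the text says to let finish before calling exports */
        g_initialized = 1;
        strcpy(g_status, "initialized in DllMain");
    } else if (reason == DLL_PROCESS_DETACH) {
        g_initialized = 0;
        strcpy(g_status, "detached");
    }
    return TRUE;
}

/* Export with arguments: the result depends on DllMain having run, so calling
 * it straight from the entry-point break (before play) returns the -1 sentinel. */
EXPORT int Compute(int a, int b)
{
    return g_initialized ? a * 100 + b : -1;
}

EXPORT const char *Status(void) { return g_status; }
```

Loading testdll.dll in OllyDbg and calling Compute from the entry-point break, then again after pressing play, shows the difference the initialization makes.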