If like me you’re an OllyDbg user, I’m sure you’ve heard of the LoadDLL utility… This is just a utility that loads a DLL file within OllyDbg using the LoadLibrary() function.
For some reason I’ve never really liked this utility; at times it can be problematic.
Wouldn’t it be easier to be able to load the DLL file into OllyDbg as if it were a normal PE file? If, like me, you answered yes, then continue reading.
To do this you’ll need a PE editor; I recommend PE Tools or something similar.
If we check the IMAGE_FILE_HEADER structure, we see the following:
| Type | Member | Description |
|---|---|---|
| ushort | Machine | Identifies the target machine of the object file. |
| ushort | NumberOfSections | Number of sections in the section table. |
| uint | TimeDateStamp | The low 32 bits of the number of seconds since 00:00 January 1, 1970 that indicates when the file was created. |
| uint | PointerToSymbolTable | The file offset of the COFF symbol table. |
| uint | NumberOfSymbols | The number of entries in the symbol table. |
| ushort | SizeOfOptionalHeader | The size of the optional header. |
| ushort | Characteristics | Set of flags that indicate the attributes of the object file. |
The Characteristics member of the structure is what interests us: by zeroing its IMAGE_FILE_DLL bit we can force OllyDbg to load the DLL as if it were a “normal” executable.
In PE Tools you make this change by loading your DLL into the PE Tools PE editor, navigating to “File Header > Characteristics” and unticking the checked “DLL” check box.
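The same edit done by hand, as an added example that is not part of the original post: the script walks IMAGE_DOS_HEADER.e_lfanew to the PE signature, reads IMAGE_FILE_HEADER.Characteristics (18 bytes into the header) and clears IMAGE_FILE_DLL (0x2000), writing the result to a new file so the original stays intact. The minimal header it builds for demonstration is constructed and is not a real DLL.

```python
import struct
import sys

IMAGE_FILE_DLL = 0x2000        # IMAGE_FILE_HEADER.Characteristics: image is a DLL
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
CHARACTERISTICS_OFFSET = 18    # Machine(2)+NumberOfSections(2)+TimeDateStamp(4)
                               # +PointerToSymbolTable(4)+NumberOfSymbols(4)+SizeOfOptionalHeader(2)

def file_header_offset(data: bytes) -> int:
    """Return the offset of IMAGE_FILE_HEADER, i.e. just past the PE signature."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    return e_lfanew + 4

def read_characteristics(data: bytes) -> int:
    off = file_header_offset(data) + CHARACTERISTICS_OFFSET
    return struct.unpack_from("<H", data, off)[0]

def clear_dll_flag(data: bytes) -> bytes:
    """Return a copy of the image with IMAGE_FILE_DLL cleared; the same as
    unticking the 'DLL' box in PE Tools. Everything else is left untouched."""
    off = file_header_offset(data) + CHARACTERISTICS_OFFSET
    chars = struct.unpack_from("<H", data, off)[0]
    patched = bytearray(data)
    struct.pack_into("<H", patched, off, chars & ~IMAGE_FILE_DLL & 0xFFFF)
    return bytes(patched)

def build_sample_dll_header() -> bytes:
    """Constructed sample: DOS header with e_lfanew=0x40, PE signature and an
    IMAGE_FILE_HEADER for an i386 DLL (Characteristics = EXECUTABLE|32BIT|DLL)."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + PE_SIGNATURE + file_hdr

if __name__ == "__main__":
    # usage: python clear_dll_flag.py input.dll output.exe
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        image = f.read()
    print(f"Characteristics before: 0x{read_characteristics(image):04X}")
    image = clear_dll_flag(image)
    print(f"Characteristics after:  0x{read_characteristics(image):04X}")
    with open(dst, "wb") as f:
        f.write(image)
```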
You may want to note that a DLL’s entry point may check its arguments to see whether it is being attached to a process and only continue execution if it is… To get past this behaviour you can push three DWORDs onto the stack before execution, with the second one (the reason argument) set to 1.
That just about covers it for the moment.
As always, any questions, feel free to leave a comment.
KOrUPt.
Thanks! Good work.
Comment by Twink — September 11, 2009 @ 22:03