Lab LoadingDLLs - The various ways of loading DLLs

The binary for this lab is not malware (not even a toy malware). It is meant to illustrate how DLLs are loaded when a binary is executed.

The binary and some of the DLLs that it uses are in: http://ccom.uprrp.edu/~rarce/ccom4995/misc/loadingDLLs.zip

  1. Use PEView to see the IMPORT Address Table of the ada.exe (under SECTION .rdata). What four DLLs are mentioned in this table?

  2. What is the name of the imported function from DLL1.dll?

  3. What are the names of the imported functions from DLL2.dll?

  4. Load the binary in OllyDbg and pause on the first instruction of the main function. You may use IDA to find out what instruction that is. Use the E button (E stands for Executable Modules) in OllyDbg to see the memory map of the program. Notice that both DLL1.dll and DLL2.dll have already been loaded and assigned addresses within the memory map.

    1. What is the base address for DLL1?

    2. What is the base address for DLL2?

  5. What does the DLL1Print function do?

  6. Explain your answer to the previous question.

  7. What function assigns a value to the variable that is printed by DLL1print?

  8. To what does that value printed by DLL1Print correspond?

  9. Explain your answer to the previous question.

  10. The second subroutine that is called is DLL2Print. It prints "DLL 2 mystery data " followed by an integer which corresponds to what?

  11. Explain your answer to the previous question.

  12. What is the name of the file that is created during the DllMain of DLL2.dll?

  13. What is the name of the variable that IDA assigns to the handle of the file?

  14. What text is being written to the file when the function WriteFile is invoked?

  15. Explain your answer to the previous question.

  16. Run the program in OllyDbg until just after the call to LoadLibraryA. This is the function that loads DLL3.dll. What base address is assigned to DLL3.dll? (Hint: see it in the Executable Modules window in OllyDbg.)

  17. What are the two DLL3.dll functions invoked by the binary?

  18. What function is used for finding the address of the functions in DLL3.dll?

  19. The subroutine DLL3Print prints "DLL 3 mystery data " followed by the content of a global variable. Explain what this integer means, i.e. what function's result is used for changing the value of the global variable.
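Questions 1 to 3 ask you to read the import table with PEView, and questions 16 to 18 turn on the fact that DLL3.dll is not in that table at all because it is loaded at run time. The following added example (written for this page; it is not part of the lab or of ada.exe) shows what PEView is doing under the hood: it walks the PE headers, maps RVAs to file offsets through the section table, and lists every DLL and function in the import directory. Since the lab binary is not embedded here, the script builds its own constructed, minimal PE32 file whose import directory names only APIs and DLLs that appear on this page; the DLL/function combinations are an assumption made for the example, not ada.exe's real imports. A small triage helper then flags LoadLibrary/GetProcAddress style imports, which is the signal that tells an analyst some dependencies (like DLL3.dll here) will only become visible in a debugger's module list.

```python
import struct

# Constructed sample layout: one section ".rdata" at RVA 0x1000 / file offset 0x200,
# so the parser must do a real RVA-to-file-offset conversion, as PEView does.
SECTION_RVA = 0x1000
SECTION_RAW = 0x200
DESCRIPTOR_SIZE = 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR)

# Constructed import list (an assumption for this example, not ada.exe's real imports).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress", "WriteFile"]),
    ("DLL1.dll", ["DLL1Print"]),
]


def build_sample_pe(imports=SAMPLE_IMPORTS):
    """Return bytes of a minimal PE32 file carrying only an import directory."""
    sec = bytearray(DESCRIPTOR_SIZE * (len(imports) + 1))  # descriptors + zero terminator

    def place(blob):  # append blob 4-byte aligned and return its RVA
        while len(sec) % 4:
            sec.append(0)
        rva = SECTION_RVA + len(sec)
        sec.extend(blob)
        return rva

    for i, (dll, funcs) in enumerate(imports):
        name_rva = place(dll.encode() + b"\0")
        # IMAGE_IMPORT_BY_NAME: 2-byte Hint followed by the NUL-terminated function name
        by_name = [place(struct.pack("<H", 0) + f.encode() + b"\0") for f in funcs]
        thunks = b"".join(struct.pack("<I", r) for r in by_name) + b"\0\0\0\0"
        int_rva = place(thunks)  # OriginalFirstThunk: Import Name Table (stays as-is)
        iat_rva = place(thunks)  # FirstThunk: Import Address Table (loader overwrites with addresses)
        struct.pack_into("<IIIII", sec, DESCRIPTOR_SIZE * i, int_rva, 0, 0, name_rva, iat_rva)

    opt = bytearray(224)                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)    # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, SECTION_RVA, DESCRIPTOR_SIZE * (len(imports) + 1))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(sec), SECTION_RVA, len(sec),
                       SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr + b"\0" * (SECTION_RAW - len(hdr)) + bytes(sec)


def parse_imports(pe):
    """Map each imported DLL name to the list of functions (or '#ordinal') it supplies."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:    # PE32: data directories at +96, 32-bit thunks
        dd_off, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:  # PE32+: data directories at +112, 64-bit thunks
        dd_off, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    import_rva = struct.unpack_from("<II", pe, opt + dd_off + 8)[0]  # directory index 1

    sections = []  # (VirtualAddress, size, PointerToRawData)
    for i in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rva - vaddr + rawptr
        raise ValueError("RVA %#x lies outside every section" % rva)

    def cstr(off):
        return pe[off:pe.index(b"\0", off)].decode("ascii")

    result, desc, thunk_size = {}, rva_to_off(import_rva), struct.calcsize(thunk_fmt)
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0 and int_rva == 0 and iat_rva == 0:
            break  # all-zero descriptor terminates the table
        names, thunk = [], rva_to_off(int_rva or iat_rva)
        while True:
            entry = struct.unpack_from(thunk_fmt, pe, thunk)[0]
            if entry == 0:
                break
            names.append("#%d" % (entry & 0xFFFF) if entry & ord_flag
                         else cstr(rva_to_off(entry) + 2))  # +2 skips the Hint
            thunk += thunk_size
        result[cstr(rva_to_off(name_rva))] = names
        desc += DESCRIPTOR_SIZE
    return result


def runtime_loading_apis(imports):
    """Static imports that let the binary resolve more DLLs/functions at run time;
    whatever is reached through these will not show up in the import table."""
    watch = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"}
    return sorted(f for funcs in imports.values() for f in funcs if f in watch)


if __name__ == "__main__":
    found = parse_imports(build_sample_pe())
    for dll, funcs in found.items():
        print(dll, funcs)
    print("run-time loading APIs:", runtime_loading_apis(found))
```

To run it against the real lab binary, replace `build_sample_pe()` with `open("ada.exe", "rb").read()`; the DLLs it prints should match what PEView shows under the .rdata import table, and DLL3.dll will be absent from that list for exactly the reason questions 16 to 18 explore.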