Some things about windbg are just great. But often, they come with a little bit of work.
For one, dll load analysis can be performed with ease, even on unusually crafted files. Like the kinds of files you would see from hackers and eventually malware authors. Want to review the entire flow of process creation on a malformed PE? No problem.
You can do it in a snap with windbg. Or rather, you can use windbg to observe and understand how the process loader performs its work, including “loader snaps” (which doesn’t get mention in Russinovich’s Internals books). Unfortunately, I couldn’t get the provided Gflag utility to help enable “Show loader snaps” as Matt Pietrek at wheaty.net informed us way back, when he showed off snappy output from his debugger. But his article is an inspiration to understanding loader internals. It detailed enabling loader snaps using the gflag utility and its results — “captures detailed information about the loading and unloading of executable images and their supporting library modules….For per-process (image file): Whenever a DLL is loaded, this flag writes the loader contents (and data related to DLL loading) to the program debugger console”. This article is a great source of information for trying to analyze these sorts of very unusual binaries.
Windbg can break extremely early in the load process, so we can choose a breakpoint within the dll loaded first into any process, even before kernel32.dll loads — ntdll!LdrpInitialize. When the debugger breaks, we can set ntdll’s ShowSnaps global flag to “1″ early enough to see all the modules loading and their corresponding user-mode debug Snap messages:
0:000> dw ShowSnaps L1
7c97c121 0000
0:000> ew ShowSnaps 1
0:000> dw ShowSnaps L1
7c97c121 0001
Now we run our harmless sample and wait for the loader data we are looking for:
0:000> g
LDR: PID: 0xe38 started – ‘C:\vx\tiny.exe’
LDR: NEW PROCESS
Image Path: C:\vx\tiny.exe (tiny.exe)
Current Directory: C:\Program Files\Debugging Tools for Windows\
Search Path: C:\vx;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\Program Files\Debugging Tools for Windows\winext\arcade;
LDR: LdrLoadDll, loading kernel32.dll from
ModLoad: 7c800000 7c8f5000 C:\WINDOWS\system32\kernel32.dll
LDR: ntdll.dll used by kernel32.dll
LDR: Snapping imports for kernel32.dll from ntdll.dll
LDR: LdrGetProcedureAddress by NAME – BaseProcessInitPostImport
[e38,74c] LDR: Real INIT LIST for process C:\vx\tiny.exe pid 3640 0xe38
[e38,74c] C:\WINDOWS\system32\ntdll.dll init routine 7C913156
[e38,74c] C:\WINDOWS\system32\kernel32.dll init routine 7C80B5AE
[e38,74c] LDR: ntdll.dll loaded – Calling init routine at 7C913156
[e38,74c] LDR: kernel32.dll loaded – Calling init routine at 7C80B5AE
LDR: LdrGetProcedureAddress by NAME – BaseQueryModuleData
LDR: \\66.93.68.6\z used by tiny.exe
LDR: Loading (STATIC, NON_REDIRECTED) \\66.93.68.6\z
ModLoad: 10000000 10000370 \\66.93.68.6\z
LDR: USER32.dll used by z
ModLoad: 7e410000 7e4a0000 C:\WINDOWS\system32\USER32.dll
LDR: GDI32.dll used by USER32.dll
ModLoad: 77f10000 77f57000 C:\WINDOWS\system32\GDI32.dll
LDR: KERNEL32.dll used by GDI32.dll
LDR: Snapping imports for GDI32.dll from KERNEL32.dll
LDR: LdrGetProcedureAddress by NAME – RtlDeleteCriticalSection
LDR: LdrGetProcedureAddress by NAME – RtlLeaveCriticalSection
LDR: LdrGetProcedureAddress by NAME – RtlEnterCriticalSection
LDR: LdrGetProcedureAddress by NAME – RtlSetLastWin32Error
LDR: LdrGetProcedureAddress by NAME – RtlGetLastWin32Error
LDR: ntdll.dll used by GDI32.dll
LDR: Snapping imports for GDI32.dll from ntdll.dll
LDR: USER32.dll used by GDI32.dll
LDR: Snapping imports for GDI32.dll from USER32.dll
LDR: Snapping imports for USER32.dll from GDI32.dll
LDR: KERNEL32.dll used by USER32.dll
LDR: Snapping imports for USER32.dll from KERNEL32.dll
LDR: LdrGetProcedureAddress by NAME – RtlReAllocateHeap
LDR: LdrGetProcedureAddress by NAME – RtlSizeHeap
LDR: LdrGetProcedureAddress by NAME – RtlSetLastWin32Error
LDR: LdrGetProcedureAddress by NAME – RtlGetLastWin32Error
LDR: LdrGetProcedureAddress by NAME – RtlAllocateHeap
LDR: LdrGetProcedureAddress by NAME – RtlFreeHeap
LDR: ntdll.dll used by USER32.dll
LDR: Snapping imports for USER32.dll from ntdll.dll
LDR: Snapping imports for z from USER32.dll
LDR: Snapping imports for tiny.exe from \\66.93.68.6\z
Snap and dll load data of all sorts is provided for further exploration and analysis. We can investigate exactly when and how each dll is loaded from within this malformed PE file with windbg’s help.
An exhaustive source of information on the process of dll loading can be found on the Win2k loader here by Russ Osterlund.
