Debugging a DLL in x64dbg and Sync with IDA

Intro:

Hello,

This will be a short post on how to debug an exported DLL function and also sync the addresses from the debugger with the ones shown in IDA Pro.

Unfortunately x64dbg is missing some features; one of them is the option to load a DLL and call an exported function. I don’t know why, but it looks like nobody wants to implement this feature (see here).

If you don’t want to go back to Olly and use the “CallExport” feature, you can still use the “rundll32.exe” from the Windows OS inside x64dbg.

The debug:

Get yourself a DLL with some exports of interest. I’ve got one for this demo that has the following export table (IDA Pro screenshot):

[image: exporttable]

From the list of functions above, I’m interested in calling the one named “NG61WXCKCNI7UOARV13H6GIFD8BA”. Let’s fire up the debugger and get things done.

In the debugger open rundll32 from “C:\Windows\SysWOW64\rundll32.exe” (or System32 if you want to run an x64 DLL). After loading the PE, go to the “Debug” menu and choose “Change command line” as shown in the next image.

Since the name of the exported function is pretty ugly and I’m lazy, I’ll use the ordinal value. It’s not mandatory for exported DLL functions to have names, and that’s why ordinals exist; the call can therefore be made using “#4” (the ordinal associated with the “NG61WXCKCNI7UOARV13H6GIFD8BA” function).

Use the following syntax as a command line for rundll32:

RUNDLL.EXE <dllname>,<entrypoint> <optional arguments>

[image: cmdlinechanged]

Press OK, then go to “Options”->”Preferences” and check the “DLL Entry” option under the “Events” tab. This places a breakpoint on the entry point (EP) of each loaded DLL.

[image: dllentrypoint]

Great, we’re almost done. You just have to hit Run (F9) until the debugger reaches the EP of our DLL (module). The name of the current module is shown in the title bar of the debugger.

[image: dllname]

To sync the addresses of the debugger with the ones from IDA, we have to get the address at which the DLL was loaded into memory. Right click and follow the code into the Memory Map tab of the debugger.

[image: followmemmap]

Get the address at which the “malicious.dll” has loaded and use it to rebase the disassembly in IDA.

[image: memaddr]

In IDA, go to “Edit”->”Segments”->”Rebase program” and paste the address there (my address is “0x01FD0000”).

[image: rebase]

Wait a few moments and you now have synchronised addresses between the debugger and IDA. The last step is to go (CTRL+G) to the EP address of the exported function inside the debugger, place a breakpoint, and run until the BP is hit.

[image: synced]

Eureka, we are now inside the exported function and we can continue the analysis of our DLL inside x64dbg.
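Two steps above are done by hand from screenshots: reading the ordinal of the export out of IDA’s export table, and translating IDA’s static addresses to the base x64dbg reports in the Memory Map. The following script (an added example, not part of the original post) does both on disk: it parses the PE export directory the way the Windows loader reads it (address table, name table, name-ordinal table, forwarders), prints the “dll,#ordinal” argument for rundll32, and applies the same arithmetic as IDA’s “Rebase program” to turn a static address into the runtime one. The input is a constructed minimal PE32 image with a four-entry export table (one export deliberately unnamed, ordinal #4 named as in the post); the export RVAs, the image base 0x10000000 and the load base 0x01FD0000 are sample values, not taken from the analysed DLL.

```python
import struct

# IMAGE_EXPORT_DIRECTORY: 11 fields, 40 bytes, little-endian.
EXPORT_DIR_FMT = "<IIHHIIIIIII"


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(data):
    """Return (image_base, {ordinal: (name or None, rva, forwarder or None)})."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: the 32-bit case, i.e. SysWOW64\rundll32.exe
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dd = opt + 96
    elif magic == 0x20B:  # PE32+: the 64-bit case, i.e. System32\rundll32.exe
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    export_rva, export_size = struct.unpack_from("<II", data, dd)  # data directory 0
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exports = {}
    if export_rva == 0:
        return image_base, exports
    fields = struct.unpack_from(EXPORT_DIR_FMT, data, _rva_to_offset(sections, export_rva))
    base, n_funcs, n_names, funcs_rva, names_rva, ords_rva = fields[5:]
    funcs = struct.unpack_from("<%dI" % n_funcs, data, _rva_to_offset(sections, funcs_rva))
    name_ptrs = struct.unpack_from("<%dI" % n_names, data, _rva_to_offset(sections, names_rva))
    name_idx = struct.unpack_from("<%dH" % n_names, data, _rva_to_offset(sections, ords_rva))
    # The name-ordinal table holds unbiased indexes into the address table; the real
    # ordinal is index + Base. Exports without a name simply never appear here.
    names = {idx: _cstr(data, _rva_to_offset(sections, ptr)) for ptr, idx in zip(name_ptrs, name_idx)}
    for idx, rva in enumerate(funcs):
        if rva == 0:
            continue  # gap in the ordinal range
        forwarder = None
        if export_rva <= rva < export_rva + export_size:  # RVA inside the export dir = forwarder string
            forwarder = _cstr(data, _rva_to_offset(sections, rva))
        exports[base + idx] = (names.get(idx), rva, forwarder)
    return image_base, exports


def runtime_address(image_base, load_base, static_addr):
    """Same arithmetic as IDA's 'Rebase program': shift by (actual base - preferred base)."""
    return static_addr - image_base + load_base


def rundll32_args(dll_name, exports, export_name):
    """Build the '<dllname>,#<ordinal>' argument the post passes to rundll32."""
    ordinal = next(o for o, (n, _, _) in exports.items() if n == export_name)
    return "%s,#%d" % (dll_name, ordinal)


def build_sample_dll():
    """Constructed minimal PE32 with an export table; sample input, not a loadable DLL."""
    edata_rva, ordinal_base = 0x1000, 1
    names = {"ExportA": 1, "ExportB": 2, "NG61WXCKCNI7UOARV13H6GIFD8BA": 4}  # ordinal 3 has no name
    func_rvas = [0x2010, 0x2020, 0x2030, 0x2040]  # sample code RVAs for ordinals 1..4
    funcs_rva = edata_rva + 40
    names_rva = funcs_rva + 4 * len(func_rvas)
    ords_rva = names_rva + 4 * len(names)
    strings_rva = ords_rva + 2 * len(names)
    strings, name_ptrs = b"malicious.dll\0", []
    for n in sorted(names):  # loader expects the name table sorted
        name_ptrs.append(strings_rva + len(strings))
        strings += n.encode() + b"\0"
    edata = (struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, strings_rva, ordinal_base, len(func_rvas),
                         len(names), funcs_rva, names_rva, ords_rva)
             + struct.pack("<%dI" % len(func_rvas), *func_rvas)
             + struct.pack("<%dI" % len(names), *name_ptrs)
             + struct.pack("<%dH" % len(names), *[names[n] - ordinal_base for n in sorted(names)])
             + strings)
    raw_size = (len(edata) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)       # i386, 1 section, DLL
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0x10000000)
    opt += struct.pack("<IIHHHHHHIIIIHHIIIIII", 0x1000, 0x200, 0, 0, 0, 0, 4, 0,
                       0, 0x2000, 0x200, 0, 2, 0, 0, 0, 0, 0, 0, 16)
    opt += struct.pack("<II", edata_rva, len(edata)) + b"\0" * (8 * 15)  # export dir, 15 empty dirs
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), edata_rva, raw_size, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(0x200, b"\0") + edata.ljust(raw_size, b"\0")


if __name__ == "__main__":
    image_base, exports = parse_exports(build_sample_dll())
    load_base = 0x01FD0000  # base shown in x64dbg's Memory Map in the post
    for ordinal, (name, rva, fwd) in sorted(exports.items()):
        static = image_base + rva
        print("#%-3d %-30s IDA 0x%08x  x64dbg 0x%08x" % (ordinal, name or "<no name>",
                                                         static, runtime_address(image_base, load_base, static)))
    print("rundll32 argument:", rundll32_args("malicious.dll", exports, "NG61WXCKCNI7UOARV13H6GIFD8BA"))
```

Pointing `parse_exports` at the bytes of a real DLL gives the ordinal to put after `#` in the command line, and `runtime_address` gives the CTRL+G target for an export once the Memory Map base is known; if a DLL has ASLR disabled and loads at its preferred base, the delta is zero and IDA needs no rebase at all.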
