Thread: CFF Explorer Missing Many DLLs In VAD.

  1. #1

    I am new to malware analysis. I recently ran Volatility "malware" and obtained a listing of processes that have one problem or another as it is related to malware. I took one of these processes and, in following instructions in the "Malware Analyst's Cookbook" regarding researching IATs, extracted the process' executable via Volatility's "procexedump". I then compared all of the DLLs in the VAD to the PEB and noted three DLLs not in the PEB. I then compared the DLLs in the VAD to the extracted file opened via CFF Explorer. What I do not understand is why CFF Explorer only shows me two DLLs when there are 70 in the address space. CFF Explorer shows me two of these 70 in its import address table. When I use PEBrowse64, I see the same two DLLs. Most of these are present in the PEB so they were loaded when the process was started. I'm confused.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Kayaker
    I think there was a similar thread recently that might explain what you are seeing:

    http://www.woodmann.com/forum/showthread.php?14625-All-DLLs-Not-in-IAT
