
CFF Explorer Missing Many DLLs In VAD.

First timers and new learners, this forum is for you. Please use the search function to see if your question has already been answered.
malhuntr
Junior Member
Posts: 1
Joined: Fri Jan 31, 2014 2:04 am

CFF Explorer Missing Many DLLs In VAD.

Post by malhuntr »

I am new to malware analysis. I recently ran Volatility "malware" and obtained a listing of processes that have one problem or another as it is related to malware. I took one of these processes and, following instructions in the "Malware Analyst's Cookbook" regarding researching IATs, extracted the process' executable via Volatility's "procexedump". I then compared all of the DLLs in the VAD to the PEB and noted three DLLs not in the PEB. I then compared the DLLs in the VAD to the extracted file opened via CFF Explorer. What I do not understand is why CFF Explorer only shows me two DLLs when there are 70 in the address space. CFF Explorer shows me two of these 70 in its import address table. When I use PEBrowse64, I see the same two DLLs. Most of these are present in the PEB, so they were loaded when the process was started. I'm confused.
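The import directory (what CFF Explorer and PEBrowse display as the IAT) only names the DLLs the executable links against directly; DLLs pulled in as dependencies of those, or loaded at run time through LoadLibrary, appear in the VAD and PEB module lists but never in the IAT, so a dump with 70 loaded modules and a two-entry import table is normal. As an added example (not code from this thread), the Python below parses the import directory of a dumped PE and lists the loaded modules it never names; the minimal PE built by `build_sample_pe` and the module list are constructed, and `parse_imports` and `loaded_but_not_imported` are names of this example.

```python
import struct

def parse_imports(image: bytes) -> list:
    """DLL names in a PE file's import directory (PE32/PE32+), RVAs mapped via the section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    _, nsections, _, _, _, opt_size = struct.unpack_from("<HHIIIH", image, e_lfanew + 4)
    opt = e_lfanew + 24
    dirs = opt + (96 if struct.unpack_from("<H", image, opt)[0] == 0x10B else 112)  # after fixed fields
    imp_rva = struct.unpack_from("<I", image, dirs + 8)[0]   # data directory entry 1 = import table
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) of each section header
    sections = [struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8) for i in range(nsections)]
    def rva2off(rva):
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        return rva                                           # header region, or a memory-layout dump
    names, desc = [], rva2off(imp_rva)
    while imp_rva and desc + 20 <= len(image):
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        name_rva = struct.unpack_from("<I", image, desc + 12)[0]
        if name_rva == 0:                                    # all-zero descriptor terminates the list
            break
        noff = rva2off(name_rva)
        names.append(image[noff:image.index(b"\0", noff)].decode("ascii"))
        desc += 20
    return names

def loaded_but_not_imported(image: bytes, loaded_modules: list) -> list:
    """Modules seen in the process (VAD/PEB listing) that the executable's IAT never names."""
    imported = {n.lower() for n in parse_imports(image)}
    return sorted((m for m in loaded_modules if m.lower() not in imported), key=str.lower)

def build_sample_pe(dlls: list) -> bytes:
    """Constructed, code-less PE32 whose only content is an import directory naming `dlls`."""
    sec_va, sec_off, ndesc = 0x1000, 0x200, len(dlls) + 1
    blob = bytearray(20 * ndesc)                             # descriptors; the last stays all-zero
    for i, dll in enumerate(dlls):
        struct.pack_into("<I", blob, 20 * i + 12, sec_va + len(blob))  # Name RVA (thunks omitted)
        blob += dll.encode("ascii") + b"\0"
    hdr = bytearray(sec_off)
    hdr[:2], hdr[64:68] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 64)                    # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 68, 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF header, one section
    struct.pack_into("<H", hdr, 88, 0x10B)                   # optional header: PE32 magic
    struct.pack_into("<I", hdr, 88 + 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 88 + 104, sec_va, 20 * ndesc)  # data directory[1] -> import table
    struct.pack_into("<8sIIII", hdr, 312, b".idata", len(blob), sec_va, len(blob), sec_off)  # section hdr
    return bytes(hdr) + bytes(blob)
```

Point `parse_imports` at the procexedump output and feed `loaded_but_not_imported` the module names from the VAD or PEB listing; the result is the set of modules that arrived as dependencies or run-time loads rather than through the import table.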
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

I think there was a similar thread recently that might explain what you are seeing

http://www.woodmann.com/forum/showthrea ... Not-in-IAT