Introduction
Malware and LOLBINs (Living-Off-the-Land Binaries) often call DLL exports by ordinal instead of by name, which makes both command lines and binaries harder to analyze. For example, `rundll32.exe comsvcs.dll,#24 <pid> <dump-path> full` invokes the export `MiniDumpW` (ordinal 24 of comsvcs.dll) without the string "MiniDump" ever appearing on the command line. Attackers use this because detection rules and analysts key on function names: the ordinal is only a number in the DLL's export table, so a dangerous export such as a process-memory dump hides behind an argument that looks like nothing at all.
Learning Objectives
- Understand how DLL function ordinals work and why attackers use them.
- Learn to map ordinals to function names for malware analysis.
- Detect and mitigate risks associated with ordinal-based DLL calls.
1. How DLL Function Ordinals Work
Verified PowerShell Command (lists a PowerShell module's exports; used here only as an analogy):
(Get-Module Microsoft.PowerShell.Utility).ExportedCommands
Step-by-Step Guide:
- DLLs contain an export table that lists every exported function by ordinal (a numeric index); only a subset of those exports also carry a name.
- An ordinal is the entry's index in the export address table plus the table's `Base` value (usually 1), so the 24th entry of comsvcs.dll is ordinal 24 only because its base is 1. Scripts that print the raw index instead of base + index mislabel exports.
- Attackers call functions via ordinals (`rundll32 comsvcs.dll,#24`) so that the function name never appears in the command line or process arguments, evading string-based detection.
- PowerShell has no built-in cmdlet that reads a PE export directory, so use tools like `dumpbin.exe /exports` or a PE parser to map ordinals to names.
2. Analyzing Suspicious DLL Calls
Verified Command (Windows):
dumpbin.exe /exports C:\Windows\System32\comsvcs.dll
Step-by-Step Guide:
- Run `dumpbin` (shipped with Visual Studio and the Build Tools; run it from a Developer Command Prompt) on the suspected DLL to list its exports. The output shows the ordinal, hint, RVA and name of each export.
- Locate the ordinal (e.g., 24) and confirm it maps to `MiniDumpW`. Note that rundll32 looks up a bare name first and then the same name with a `W` suffix, which is why `comsvcs.dll, MiniDump` reaches the same export as `#24`.
- Compare the export table and file hash with a known-good copy of the DLL from the same Windows build to detect tampering, such as an attacker-modified DLL whose ordinals have been remapped.
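As an added example (not from the original post), the following Python script does the mapping that `dumpbin /exports` does, directly from the PE export directory, and then resolves a rundll32-style entry point (`#24`, `MiniDump`) against it the way rundll32 would. It builds its own tiny PE32+ image as constructed test input; the DLL name `demo.dll`, its export names and the ordinal layout are invented for the demo and are not the real layout of comsvcs.dll. The two details the script gets right that home-grown scripts often miss: the ordinal is the `Base` field plus the index into the address table, and the name table covers only the named subset, so an ordinal-only export shows up with no name.

```python
import struct

# Constructed test input: a minimal PE32+ image containing nothing but an
# export directory. It is NOT comsvcs.dll; names and layout are invented.

def build_test_dll(dll_name, base, names):
    """names[i] is the export name for ordinal base+i, or None for a name-less export."""
    sec_rva, sec_off = 0x1000, 0x200
    n = len(names)
    # The loader binary-searches the name table, so keep it sorted like a linker would.
    named = sorted(((i, s) for i, s in enumerate(names) if s), key=lambda t: t[1])
    funcs_rel = 40                                   # export directory is 40 bytes
    names_rel = funcs_rel + 4 * n
    ords_rel = names_rel + 4 * len(named)
    strs_rel = ords_rel + 2 * len(named)
    strings, str_rva = bytearray(), {}
    for s in [dll_name] + [s for _, s in named]:
        str_rva[s] = sec_rva + strs_rel + len(strings)
        strings += s.encode() + b"\0"
    body = bytearray(struct.pack("<IIHH" + "I" * 7, 0, 0, 0, 0, str_rva[dll_name], base,
                                 n, len(named), sec_rva + funcs_rel,
                                 sec_rva + names_rel, sec_rva + ords_rel))
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))   # fake code RVAs
    body += b"".join(struct.pack("<I", str_rva[s]) for _, s in named)          # AddressOfNames
    body += b"".join(struct.pack("<H", i) for i, _ in named)                   # AddressOfNameOrdinals = indices
    body += strings
    img = bytearray(sec_off + len(body))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)   # COFF: x64, 1 section, DLL
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                                    # PE32+ magic
    struct.pack_into("<II", img, opt + 112, sec_rva, len(body))                # data directory[0] = exports
    struct.pack_into("<8sIIIIIIHHI", img, opt + 240, b".edata", len(body), sec_rva,
                     len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    img[sec_off:] = body
    return bytes(img)


def parse_exports(image):
    """Return {ordinal: name} for every export; name is None for ordinal-only exports."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}[magic]          # PE32 vs PE32+ data directory offset
    exp_rva, _ = struct.unpack_from("<II", image, opt + dd_off)
    if exp_rva == 0:
        return {}
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def off(rva):                                    # RVA -> file offset via the section table
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + rva - va
        raise ValueError(f"RVA {rva:#x} outside all sections")

    def cstr(rva):
        o = off(rva)
        return image[o:image.index(b"\0", o)].decode("ascii", "replace")

    d = off(exp_rva)
    base, nfunc, nname, aof, aon, aono = struct.unpack_from("<IIIIII", image, d + 16)
    exports = {}
    for i in range(nfunc):                           # every slot is an ordinal: base + index
        if struct.unpack_from("<I", image, off(aof) + 4 * i)[0]:   # 0 = unused slot
            exports[base + i] = None
    for j in range(nname):                           # names cover only a subset of the slots
        name_rva = struct.unpack_from("<I", image, off(aon) + 4 * j)[0]
        idx = struct.unpack_from("<H", image, off(aono) + 2 * j)[0]
        exports[base + idx] = cstr(name_rva)
    return exports


def resolve_entry(exports, entry):
    """Resolve a rundll32-style entry ('#24', 'MiniDump', 'MiniDumpW') to (ordinal, name) or None."""
    if entry.startswith("#"):
        ordinal = int(entry[1:])
        return (ordinal, exports[ordinal]) if ordinal in exports else None
    by_name = {name: ordinal for ordinal, name in exports.items() if name}
    for candidate in (entry, entry + "W"):           # rundll32 tries the bare name, then name + 'W'
        if candidate in by_name:
            return by_name[candidate], candidate
    return None


# Constructed layout: base 1, two named exports, 21 ordinal-only exports, then MiniDumpW at #24.
TEST_DLL = build_test_dll("demo.dll", 1,
                          ["DllCanUnloadNow", "DllGetClassObject"] + [None] * 21 + ["MiniDumpW"])

if __name__ == "__main__":
    table = parse_exports(TEST_DLL)
    for ordinal in sorted(table):
        print(f"{ordinal:>4}  {table[ordinal] or '<no name>'}")
    print("rundll32 demo.dll,#24      ->", resolve_entry(table, "#24"))
    print("rundll32 demo.dll,MiniDump ->", resolve_entry(table, "MiniDump"))
```

To use it on a real file, call `parse_exports(open(path, "rb").read())`; on a copy of comsvcs.dll the entry for key 24 should agree with the `dumpbin` output above. Forwarded exports (an address that points back into the export directory at a `DLL.Name` string) are not special-cased here and appear as ordinary entries.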
3. Detecting Malicious Ordinal Usage
Verified PowerShell Script:
Get-Process -Name rundll32 -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Modules | Where-Object {$_.ModuleName -eq "comsvcs.dll"}
Step-by-Step Guide:
- Monitor `rundll32` processes whose arguments name a DLL that is rarely used with it. comsvcs.dll itself is a legitimate Microsoft COM+ library, not a malicious DLL; the signal is the combination of rundll32, comsvcs.dll and the MiniDump export.
- Check the loaded modules of running `rundll32` instances with the script above. This only catches a dump in progress, so it complements rather than replaces log-based detection.
- Correlate with Sysmon Event ID 1 (process creation), whose CommandLine field is where the `#24` or `MiniDump` argument appears; Event ID 7 (image loaded) shows comsvcs.dll loaded into rundll32.exe but carries no ordinal; and Event ID 10 (process access) shows rundll32.exe opening lsass.exe with a GrantedAccess mask that includes PROCESS_VM_READ.
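As an added example (not from the original post), this Python hunt parses rundll32 command lines out of Sysmon Event ID 1 records and flags calls into comsvcs.dll whose entry point resolves to MiniDumpW, whether it is written as `#24`, `MiniDump` or `MiniDumpW`, quoted or unquoted, with or without a full path. The six events are constructed sample records, not real telemetry. The ordinal map holds only the one entry the page discusses and should be populated from `dumpbin /exports` on the exact DLL build in your environment; an ordinal call into comsvcs.dll that is not in the map still produces a lower-severity finding so a build with a shifted ordinal is not silently missed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Per-DLL ordinal -> export name. Fill from `dumpbin /exports` on the exact build;
# only the entry this page discusses is included.
ORDINAL_MAP = {"comsvcs.dll": {24: "MiniDumpW"}}

# rundll32 <dll>,<entry> <args>: the DLL may be quoted, the separator is a comma
# with optional spaces, and the entry is either #ordinal or a name.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))'
    r'\s*,?\s*(?P<entry>#\d+|[A-Za-z_]\w*)?'
    r'(?P<args>.*)$',
    re.IGNORECASE,
)

# Constructed Sysmon records (invented sample data, not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe comsvcs.dll,#24 624 \\?\C:\temp\out.bin full"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\System32\COMSVCS.DLL" #24 624 c:\users\public\x.dmp full'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe comsvcs.dll,#25 624 c:\x.dmp full"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\comsvcs.dll"},
]


@dataclass
class Finding:
    severity: str
    reason: str
    dll: str
    entry: str
    resolved: Optional[str]
    target_pid: Optional[int]
    command_line: str


def parse_rundll32(command_line):
    """Split a rundll32 command line into (dll basename, entry, args), or None if it is not one."""
    m = RUNDLL32_RE.match(command_line)
    if not m:
        return None
    dll_path = m.group("qdll") or m.group("dll")
    dll = re.split(r"[\\/]", dll_path)[-1].lower()   # basename, case-folded
    return dll, (m.group("entry") or ""), m.group("args").strip()


def resolve_entry(dll, entry):
    """Canonical export name for '#N' or a name; None if it cannot be mapped."""
    known = ORDINAL_MAP.get(dll, {})
    if entry.startswith("#") and entry[1:].isdigit():
        return known.get(int(entry[1:]))
    by_lower = {name.lower(): name for name in known.values()}
    # rundll32 looks the name up as given, then with a 'W' suffix
    return by_lower.get(entry.lower()) or by_lower.get(entry.lower() + "w")


def analyze(event):
    """Return a Finding for a suspicious comsvcs.dll rundll32 invocation, else None."""
    if event.get("EventID") != 1:
        return None
    parsed = parse_rundll32(event.get("CommandLine", ""))
    if parsed is None:
        return None
    dll, entry, args = parsed
    if dll != "comsvcs.dll":
        return None
    resolved = resolve_entry(dll, entry)
    tokens = args.split()                            # MiniDump <pid> <path> full
    pid = int(tokens[0]) if tokens and tokens[0].isdigit() else None
    if resolved == "MiniDumpW":
        return Finding("high", f"process memory dump via comsvcs.dll!MiniDumpW (entry written as '{entry}')",
                       dll, entry, resolved, pid, event["CommandLine"])
    if entry.startswith("#"):
        return Finding("medium", f"ordinal call {entry} into comsvcs.dll is not in the ordinal map; verify with dumpbin",
                       dll, entry, None, pid, event["CommandLine"])
    return None


def hunt(events):
    return [f for f in (analyze(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason} pid={f.target_pid}: {f.command_line}")
```

The target PID it extracts is what you join against Event ID 10 to confirm the dump was aimed at lsass.exe rather than a developer's own process.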
4. Mitigating Ordinal-Based Attacks
Verified Windows Hardening Command:
icacls C:\Windows\System32\comsvcs.dll /deny *S-1-1-0:(RX)
Step-by-Step Guide:
- Restricting execute permissions on critical DLLs is possible: the command above denies read and execute to Everyone (`icacls` needs the `*` prefix before a raw SID, and you must take ownership first because system files belong to TrustedInstaller). Test it before deploying; comsvcs.dll backs COM+, so denying it to Everyone breaks COM+ applications on the host, and most environments should prefer the controls below.
- Use application control (e.g., AppLocker or WDAC) to block `rundll32` invocations outside approved paths and scripts, and to block unsigned DLLs.
- Enable LSA protection (RunAsPPL) and Credential Guard so that a MiniDump of lsass.exe either fails or contains no reusable credentials even when rundll32 runs as an administrator, and deploy EDR rules that flag ordinal-based LSASS dumping.
5. Reverse Engineering Custom DLLs
Verified Command (Linux/Windows):
objdump -p malicious.dll | grep -A 40 "Ordinal Base"
Step-by-Step Guide:
- Use `objdump` (binutils handles PE files on Linux; `-p` prints the private headers, and `-x` includes them) or Ghidra to inspect a custom or suspect DLL. For a PE, `objdump -p` prints the Export Address Table with its ordinal base followed by the [Ordinal/Name Pointer] table.
- Verify that the ordinals, names and ordinal base match the legitimate DLL's layout (e.g., a clean copy from a Windows install of the same build); a renamed, inserted or remapped export is a sign of tampering.
- Check for unexpected behavior behind exports (e.g., registry edits, token theft) by following each export's RVA into the code in Ghidra rather than trusting its name.
What Undercode Says
- Key Takeaway 1: Ordinals obfuscate malicious intent; always map them to function names during analysis.
- Key Takeaway 2: Attackers rely on ordinals staying stable across builds of a system DLL (which is what lets them hard-code `#24`); validate DLL hashes and behavior, not just names.
Analysis:
Ordinal-based attacks bypass detection that relies on function names. Defenders must combine static analysis (dumpbin, objdump, Ghidra) with runtime monitoring (Sysmon command lines, image loads and process access). Malware cannot randomize the ordinals of a system DLL, since they are fixed by its export table, but it can avoid both names and ordinals by resolving exports at runtime (walking the export table and matching hashed names), which pushes detection toward behavior rather than strings.
Prediction
As command-line detection improves, attackers will shift to runtime export resolution or DLL sideloading instead of rundll32 arguments. Proactive hunting for anomalous `rundll32` activity, process-access telemetry on lsass.exe, application control and LSA protection will become critical.
Reported By: Activity 7342358097513934850 – Hackers Feeds