O'Reilly logo

Practical Malware Analysis by Andrew Honig, Michael Sikorski

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Lab 5-1 Solutions

Short Answers

  1. DllMain is found at 0x1000D02E in the .text section.

  2. The import for gethostbyname is found at 0x100163CC in the .idata section.

  3. The gethostbyname import is called nine times by five different functions throughout the malware.

  4. A DNS request for pics.practicalmalwareanalysis.com will be made by the malware if the call to gethostbyname at 0x10001757 succeeds.

  5. IDA Pro has recognized 23 local variables for the function at 0x10001656.

  6. IDA Pro has recognized one parameter for the function at 0x10001656.

  7. The string \cmd.exe /c is located at 0x10095B34.

  8. That area of code appears to be creating a remote shell session for the attacker.

  9. The OS version is stored in the global variable dword_1008E5C4.

  10. The registry values located at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WorkTime ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required