
Practical Malware Analysis by Andrew Honig, Michael Sikorski


Lab 6-3 Solutions

Short Answers

  1. The functions at 0x401000 and 0x401040 are the same as those in Lab 6-2 Solutions. At 0x401271 is printf. The 0x401130 function is new to this lab.

  2. The new function takes two parameters. The first is the command character parsed from the HTML comment, and the second is the program name argv[0], the standard main parameter.

  3. The new function contains a switch statement with a jump table.

  4. The new function can print error messages, delete a file, create a directory, set a registry value, copy a file, or sleep for 100 seconds.

  5. The registry key Software\Microsoft\Windows\CurrentVersion\Run\Malware and the file location C:\Temp\cc.exe can both be host-based indicators.

  6. The program first checks for an active Internet connection. ...
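The two host-based indicators from answer 5 can be turned into a quick triage check for a suspect Windows host. This is an added example and not part of the book's solution; it assumes that "Malware" is the name of the value written under the Run key (reading the book's "...\Run\Malware" wording that way) and that the copied file, if present, is at C:\Temp\cc.exe.

```powershell
# Added example (not from the book): look for the Lab 6-3 host-based indicators.
# Assumption: "Malware" is a value name under the Run key, in either HKCU or HKLM.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$valueName = 'Malware'
$filePath  = 'C:\Temp\cc.exe'
$findings  = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # Get-ItemProperty exposes each Run value as a property named after the value.
    if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $valueName)) {
        $findings += [pscustomobject]@{
            Indicator = 'Run key value'
            Location  = "$key\$valueName"
            Detail    = $item.$valueName      # the command line the value points at
        }
    }
}

if (Test-Path -LiteralPath $filePath -PathType Leaf) {
    $findings += [pscustomobject]@{
        Indicator = 'Dropped file'
        Location  = $filePath
        # Hash the file so the finding can be matched against the sample analyzed in the lab.
        Detail    = (Get-FileHash -LiteralPath $filePath -Algorithm SHA256).Hash
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Lab 6-3 host-based indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so the HKLM Run key is readable; a hit on either indicator is a reason to pull the host for full analysis rather than proof on its own.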
