Lab 9-3 Solutions

Short Answers

  1. The import table contains kernel32.dll, NetAPI32.dll, DLL1.dll, and DLL2.dll. The malware dynamically loads user32.dll and DLL3.dll.

  2. All three DLLs request the same base address: 0x10000000.

  3. DLL1.dll is loaded at 0x10000000, DLL2.dll is loaded at 0x320000, and DLL3.dll is loaded at 0x380000 (this may be slightly different on your machine).

  4. DLL1Print is called, and it prints “DLL 1 mystery data,” followed by the contents of a global variable.

  5. DLL2ReturnJ returns a filename of temp.txt which is passed to the call to WriteFile.

  6. Lab09-03.exe gets the buffer for the call to NetScheduleJobAdd from DLL3GetStructure, which it dynamically resolves.

  7. Mystery data 1 is the current process identifier, mystery data 2 is the handle to ...

Get Practical Malware Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial