O'Reilly logo

Practical Malware Analysis by Andrew Honig, Michael Sikorski

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Lab 9-3 Solutions

Short Answers

  1. The import table contains kernel32.dll, NetAPI32.dll, DLL1.dll, and DLL2.dll. The malware dynamically loads user32.dll and DLL3.dll.

  2. All three DLLs request the same base address: 0x10000000.

  3. DLL1.dll is loaded at 0x10000000, DLL2.dll is loaded at 0x320000, and DLL3.dll is loaded at 0x380000 (this may be slightly different on your machine).

  4. DLL1Print is called, and it prints “DLL 1 mystery data,” followed by the contents of a global variable.

  5. DLL2ReturnJ returns a filename of temp.txt which is passed to the call to WriteFile.

  6. Lab09-03.exe gets the buffer for the call to NetScheduleJobAdd from DLL3GetStructure, which it dynamically resolves.

  7. Mystery data 1 is the current process identifier, mystery data 2 is the handle to ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required