The import table contains kernel32.dll, NetAPI32.dll, DLL1.dll, and DLL2.dll. The malware dynamically loads user32.dll and DLL3.dll.
All three DLLs request the same base address: 0x10000000.
DLL1.dll is loaded at 0x10000000, DLL2.dll is loaded at 0x320000, and DLL3.dll is loaded at 0x380000 (this may be slightly different on your machine).
DLL1Print is called, and it prints “DLL 1 mystery
data,” followed by the contents of a global variable.
DLL2ReturnJ returns a filename of
temp.txt which is passed to the call to
Lab09-03.exe gets the buffer for the call to
DLL3GetStructure, which it
Mystery data 1 is the current process identifier, mystery data 2 is the handle to ...