O'Reilly logo

Practical Malware Analysis by Andrew Honig, Michael Sikorski

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Lab 12-1 Solutions

Short Answers

  1. After you run the malware, pop-up messages are displayed on the screen every minute.

  2. The process being injected is explorer.exe.

  3. You can restart the explorer.exe process.

  4. The malware performs DLL injection to launch Lab12-01.dll within explorer.exe. Once Lab12-01.dll is injected, it displays a message box on the screen every minute with a counter that shows how many minutes have elapsed.

Detailed Analysis

Let’s begin with basic static analysis. Examining the imports for Lab12-01.exe, we see CreateRemoteThread, WriteProcessMemory, and VirtualAllocEx. Based on the discussion in Chapter 12, we know that we are probably dealing with some form of process injection. Therefore, our first goal should be to determine the code ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required