
Practical Malware Analysis by Andrew Honig, Michael Sikorski


Lab 12-3 Solutions

Short Answers

  1. The program is a keylogger.

  2. The program uses hook injection to steal keystrokes.

  3. The program creates the file practicalmalwareanalysis.log to store the keystrokes.

Detailed Analysis

Since we’ve already analyzed this binary in the labs for Chapter 3, and it was extracted as part of Lab 12-2 Solutions, let’s begin by opening the file with IDA Pro to examine the function imports. The most interesting of the imports is SetWindowsHookExA, an API that allows an application to hook or monitor events within Microsoft Windows.

In Example C-76, we see that SetWindowsHookExA is called from main at . The MSDN documentation shows that the first parameter, 0Dh, corresponds to WH_KEYBOARD_LL, which enables monitoring of keyboard events ...
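The hook identifier is the first thing an analyst checks when SetWindowsHookEx shows up, and the same check is easy to automate over an API-call trace. The script below is an added example and is not code from the book or from the lab binary: it scans sandbox-style log lines (the line format, the argument names and the sample trace are constructed for this example) for SetWindowsHookExA/W calls whose idHook is a keyboard hook, notes whether the hook is global (dwThreadId of 0), and pairs the finding with any .log file the sample created, which is the combination described in the short answers above.

```python
"""Flag keylogger-style hook installation in an API-call trace.

Added example, not from Practical Malware Analysis. The trace format
("Api(name=value, ...)", one call per line) and the sample lines are
constructed for this demonstration; only the hook constants are real.
"""
import re
from dataclasses import dataclass, field

# Hook identifiers documented for SetWindowsHookEx. 13 (0Dh) is the
# WH_KEYBOARD_LL value seen in the Lab 12-3 call to SetWindowsHookExA.
HOOK_NAMES = {
    2: "WH_KEYBOARD",
    7: "WH_MOUSE",
    13: "WH_KEYBOARD_LL",
    14: "WH_MOUSE_LL",
}
KEYBOARD_HOOKS = {2, 13}

# Constructed trace line shape: Api(arg=value, arg=value)
LINE_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)$")


@dataclass
class HookFinding:
    api: str
    id_hook: int
    hook_name: str
    global_hook: bool            # dwThreadId == 0 hooks every thread on the desktop
    log_files: list = field(default_factory=list)


def parse_args(args: str) -> dict:
    """Turn 'idHook=0xD, lpfn=0x401000' into {'idHook': '0xD', 'lpfn': '0x401000'}."""
    out = {}
    for part in args.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            out[key] = value.strip()
    return out


def to_int(text: str) -> int:
    """Accept both hex (0xD) and decimal (13) argument values."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def analyze_trace(lines) -> list:
    """Return one HookFinding per keyboard-hook installation in the trace.

    Each finding also lists every .log file the sample created, since a
    keystroke hook plus a log file is the keylogger pattern from the lab.
    """
    findings = []
    created_files = []
    for raw in lines:
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        api = match.group("api")
        args = parse_args(match.group("args"))
        if api in ("CreateFileA", "CreateFileW"):
            created_files.append(args.get("lpFileName", "").strip('"'))
        elif api in ("SetWindowsHookExA", "SetWindowsHookExW"):
            id_hook = to_int(args.get("idHook", "-1"))
            if id_hook in KEYBOARD_HOOKS:
                findings.append(HookFinding(
                    api=api,
                    id_hook=id_hook,
                    hook_name=HOOK_NAMES[id_hook],
                    global_hook=to_int(args.get("dwThreadId", "0")) == 0,
                ))
    log_files = [p for p in created_files if p.lower().endswith(".log")]
    for finding in findings:
        finding.log_files = list(log_files)
    return findings


# Constructed sample trace mirroring the behaviour described in the lab.
SAMPLE_TRACE = [
    "GetModuleHandleA(lpModuleName=0)",
    "SetWindowsHookExA(idHook=0xD, lpfn=0x401000, hMod=0x400000, dwThreadId=0)",
    'CreateFileA(lpFileName="practicalmalwareanalysis.log", dwDesiredAccess=0x40000000)',
    "GetMessageA(lpMsg=0x12ff40, hWnd=0)",
]

if __name__ == "__main__":
    for f in analyze_trace(SAMPLE_TRACE):
        scope = "global" if f.global_hook else "thread-local"
        print(f"{f.api}: {f.hook_name} ({scope} hook); log files: {f.log_files}")
```

Mouse hooks (WH_MOUSE, WH_MOUSE_LL) are deliberately left out of KEYBOARD_HOOKS so that a trace with only a mouse hook produces no finding; extend the set if the triage policy should flag those too.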
