Practical Malware Analysis by Andrew Honig, Michael Sikorski

Lab 12-4 Solutions

Short Answers

  1. The malware checks whether a given PID belongs to winlogon.exe.

  2. winlogon.exe is the process the malware injects into.

  3. The DLL sfc_os.dll is used to disable Windows File Protection (WFP).

  4. The fourth argument to CreateRemoteThread (the thread start address) is a function pointer to the unnamed export at ordinal 2 of sfc_os.dll (SfcTerminateWatcherThread).

  5. The malware drops a binary from its resource section and overwrites the Windows Update binary (wupdmgr.exe) with it. Before overwriting the real wupdmgr.exe, it copies the original to the %TEMP% directory for later use.

  6. The malware injects a remote thread into winlogon.exe whose start address is the function exported by sfc_os.dll at ordinal 2 (SfcTerminateWatcherThread), which disables Windows File Protection until the next reboot. The ...
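The two observable side effects of this lab's technique (a remote thread created in winlogon.exe that starts inside sfc_os.dll, followed by a write to the WFP-protected wupdmgr.exe) are exactly what an analyst would turn into a detection after finishing the lab. The following is an added example, not code from the book or from the lab sample: it runs that detection logic over a handful of constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread) and Event ID 11 (FileCreate). The field names (SourceImage, TargetImage, StartModule, Image, TargetFilename) are Sysmon's; every path and value in SAMPLE_EVENTS is made up for the example, including the Temp copy location, which the solution does not name.

```python
"""Added example: flag the Lab 12-4 WFP-disable technique in Sysmon-style events."""
import ntpath

# wupdmgr.exe is the WFP-protected binary the lab sample overwrites;
# sfc_os.dll ordinal 2 (SfcTerminateWatcherThread) is what disables WFP.
PROTECTED_FILES = {"wupdmgr.exe"}
WFP_DLL = "sfc_os.dll"

# Constructed sample events (not real telemetry). Ordered as the lab
# describes: inject first, copy the original to %TEMP%, then overwrite.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\lab\Lab12-04.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe",
     "StartModule": r"C:\Windows\System32\sfc_os.dll"},
    {"EventID": 11, "Image": r"C:\Users\lab\Lab12-04.exe",
     "TargetFilename": r"C:\Users\lab\AppData\Local\Temp\wupdmgr.exe"},
    {"EventID": 11, "Image": r"C:\Users\lab\Lab12-04.exe",
     "TargetFilename": r"C:\Windows\System32\wupdmgr.exe"},
    # Benign noise that must not fire.
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\lab\notes.txt"},
]


def basename_lower(path: str) -> str:
    # ntpath splits on backslashes regardless of the host OS the detector runs on.
    return ntpath.basename(path).lower()


def classify_remote_thread(ev: dict):
    """Sysmon Event ID 8: return (severity, reason) or None."""
    if basename_lower(ev.get("TargetImage", "")) != "winlogon.exe":
        return None
    if basename_lower(ev.get("StartModule", "")) == WFP_DLL:
        return ("high", "remote thread in winlogon.exe starts in sfc_os.dll (WFP disable)")
    # Any other remote thread into winlogon.exe is still worth a look.
    return ("medium", "remote thread created in winlogon.exe")


def classify_file_create(ev: dict):
    """Sysmon Event ID 11: return (severity, reason) or None."""
    target = ev.get("TargetFilename", "")
    name = basename_lower(target)
    if name not in PROTECTED_FILES:
        return None
    if ntpath.dirname(target).lower().endswith(r"\system32"):
        return ("high", f"protected file {name} overwritten in System32")
    # A copy of the protected binary outside System32 matches the
    # "save the original to %TEMP% first" step.
    return ("low", f"copy of protected file {name} written outside System32")


def detect(events):
    """Return [(severity, reason, originating image)] for every matching event."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 8:
            hit = classify_remote_thread(ev)
        elif ev.get("EventID") == 11:
            hit = classify_file_create(ev)
        else:
            hit = None
        if hit:
            findings.append((hit[0], hit[1], ev.get("SourceImage") or ev.get("Image")))
    return findings


if __name__ == "__main__":
    for severity, reason, image in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {reason} ({image})")
```

Keying the high-severity rule on the thread's start module rather than on the source process name is deliberate: the lab sample's filename is incidental, while a thread in winlogon.exe that begins executing inside sfc_os.dll has no legitimate reason to exist. Since WFP stays disabled only until the next reboot, the file write in System32 is the durable artifact and the one to alert on even if the CreateRemoteThread event is missed.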