Practical Malware Analysis by Andrew Honig, Michael Sikorski

Lab 16-2 Solutions

Short Answers

  1. When you run Lab16-02.exe from the command line, it prints a usage string asking for a four-character password.

  2. If you input an incorrect password, the program will respond “Incorrect password, Try again.”

  3. The correct command-line password is byrr.

  4. The strncmp function is called at 0x40123A.

  5. The program immediately terminates when loaded into OllyDbg using the default settings.

  6. The program contains a .tls section.

  7. The TLS callback starts at 0x401060.

  8. The FindWindowA function is used to terminate the malware. It looks for a window with the class name OLLYDBG and terminates the program if it is found. You can change the window class name using an OllyDbg plug-in like PhantOm, or NOP-out the call to exit at 0x40107C.

  9. At first, ...
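Answers 6 and 7 rest on a static observation: the binary carries a .tls section, and the TLS directory registers a callback (here at 0x401060) that the loader runs before the entry point, which is how the FindWindowA check fires before OllyDbg ever breaks on the program. The following script is an added example written for this page, not code from the book or the lab binary. It parses the PE header with nothing but struct, follows the TLS data directory to the AddressOfCallBacks array, and lists the callback addresses, so an analyst can spot this technique before loading the sample in a debugger. The sample PE it parses is constructed in memory (a hypothetical minimal image whose only content is a .tls section registering one callback at 0x401060); only that callback address and the section name are taken from the lab answers.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9   # index of the TLS entry in the data directory table
MAX_CALLBACKS = 64              # defensive cap against an unterminated callback array


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_sections(data, sec_off, count):
    """Read `count` 40-byte IMAGE_SECTION_HEADER records starting at sec_off."""
    sections = []
    for i in range(count):
        name, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "raw": raw})
    return sections


def tls_callbacks(data):
    """Return image base, a .tls-section flag and the TLS callback VAs of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt_off, = struct.unpack_from("<I", data, 0x3C)
    if data[nt_off:nt_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, nt_off + 6)
    opt_size, = struct.unpack_from("<H", data, nt_off + 20)
    opt = nt_off + 24                       # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                      # PE32: 32-bit pointers
        image_base, = struct.unpack_from("<I", data, opt + 28)
        ptr_fmt, ptr_size, ndirs_off, dirs_off = "<I", 4, opt + 92, opt + 96
    elif magic == 0x20B:                    # PE32+: 64-bit pointers
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        ptr_fmt, ptr_size, ndirs_off, dirs_off = "<Q", 8, opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = parse_sections(data, opt + opt_size, num_sections)
    result = {"image_base": image_base,
              "has_tls_section": any(s["name"] == ".tls" for s in sections),
              "callbacks": []}
    ndirs, = struct.unpack_from("<I", data, ndirs_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return result
    tls_rva, _ = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return result                       # no TLS directory registered at all
    # IMAGE_TLS_DIRECTORY: RawDataStart, RawDataEnd, AddressOfIndex, AddressOfCallBacks, ...
    # AddressOfCallBacks holds a VA, not an RVA, so subtract the image base before mapping it.
    cb_va, = struct.unpack_from(ptr_fmt, data, rva_to_offset(sections, tls_rva) + 3 * ptr_size)
    if cb_va == 0:
        return result
    off = rva_to_offset(sections, cb_va - image_base)
    while len(result["callbacks"]) < MAX_CALLBACKS:
        va, = struct.unpack_from(ptr_fmt, data, off)
        if va == 0:                         # the callback array is null-terminated
            break
        result["callbacks"].append(va)
        off += ptr_size
    return result


def build_sample_pe(with_tls=True):
    """Constructed minimal PE32 image (not a real binary): one .tls section at RVA 0x3000.
    With with_tls=True the TLS directory registers a single callback at 0x401060."""
    image_base = 0x400000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    opt = bytearray(224)                                        # PE32 header, 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)
    if with_tls:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x3000, 0x18)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = struct.pack("<8sIIIIIIHHI", b".tls", 0x100, 0x3000, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    tls_dir = struct.pack("<IIIIII", image_base + 0x3100, image_base + 0x3100,
                          image_base + 0x3200, image_base + 0x3020, 0, 0)
    callbacks = struct.pack("<II", 0x401060, 0)                 # one callback, then terminator
    body = (tls_dir.ljust(0x20, b"\0") + callbacks).ljust(0x200, b"\0")
    return headers + body


if __name__ == "__main__":
    info = tls_callbacks(build_sample_pe())
    print(f"image base {info['image_base']:#x}, .tls section: {info['has_tls_section']}")
    for va in info["callbacks"]:
        print(f"TLS callback at {va:#x}")
```

Run it against a real file by replacing build_sample_pe() with open(path, "rb").read(). Note that the data directory, not the section name, is what the loader honours: a sample can register callbacks without any section called .tls, and the constructed image built with with_tls=False shows the reverse case, a .tls section with no callbacks registered.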
