Practical Malware Analysis by Andrew Honig, Michael Sikorski

Lab 16-3 Solutions

Short Answers

  1. There aren’t many useful strings in the malware other than import functions and the strings cmd and cmd.exe.

  2. When you run this malware, it appears to do nothing other than terminate.

  3. You must rename the malware to peo.exe for it to run properly.

  4. This malware uses three different anti-debugging timing techniques: rdtsc, GetTickCount, and QueryPerformanceCounter.

  5. If the QueryPerformanceCounter check is successful, the malware modifies the string needed for the program to run properly. If the GetTickCount check is successful, the malware causes an unhandled exception that crashes the program. If the rdtsc check is successful, the malware will attempt to delete itself from disk.

  6. The anti-debugging timing checks are successful ...