
Practical Malware Analysis by Andrew Honig, Michael Sikorski


Lab 19-1 Solutions

Short Answers

  1. The shellcode is stored with an alphabetic encoding; each payload byte is stored in the low nibble of two encoded bytes.

  2. The shellcode resolves the following functions:

    • LoadLibraryA

    • GetSystemDirectoryA

    • TerminateProcess

    • GetCurrentProcess

    • WinExec

    • URLDownloadToFileA

  3. The shellcode downloads this URL:

    http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe

  4. The shellcode writes %SystemRoot%\System32\1.exe and executes it.

  5. The shellcode downloads a file from a URL stored within the encoded payload, writes it to disk, and executes it.
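The encoding described in answer 1 is easy to reverse once you know the rule: take two encoded bytes, keep only the low nibble of each, and join them into one payload byte. The following is an added example, not code from the book or its lab files, that implements that decoder together with a constructed encoder for building test data and a string extractor that surfaces the URL and drop filename from the decoded bytes. The nibble order (first encoded byte carries the high nibble) and the 'A'..'P' alphabet used by the sample encoder are assumptions; the decoder itself only depends on the low nibble, so it works for any letters the real payload uses. The sample payload is constructed and is not the lab's shellcode.

```python
# Added example (not from Practical Malware Analysis): decoder for the
# two-letters-per-byte alphabetic encoding described in the Lab 19-1 answers.
# Assumptions: the first encoded byte of each pair carries the high nibble, and
# the constructed encoder maps nibbles to 'A'..'P' (0x41..0x50).
import re
from typing import List


def is_alpha_encoded(blob: bytes) -> bool:
    """Sanity check before decoding: an even-length run of ASCII letters is a
    candidate for this encoding."""
    return len(blob) > 0 and len(blob) % 2 == 0 and blob.isalpha()


def alpha_encode(payload: bytes) -> bytes:
    """Constructed encoder used only to build test data. Each payload nibble
    becomes one letter whose low nibble equals that nibble:
    0 -> 'P' (0x50), 1..15 -> 'A'..'O' (0x41..0x4F)."""
    def letter(nibble: int) -> int:
        return 0x50 if nibble == 0 else 0x40 | nibble

    out = bytearray()
    for b in payload:
        out.append(letter(b >> 4))      # high nibble first (assumption)
        out.append(letter(b & 0x0F))    # low nibble second
    return bytes(out)


def alpha_decode(encoded: bytes) -> bytes:
    """Recover the payload: the low nibble of encoded byte 2k is the high
    nibble of payload byte k, the low nibble of byte 2k+1 is its low nibble."""
    if len(encoded) % 2:
        raise ValueError("encoded data must have an even number of bytes")
    return bytes(((hi & 0x0F) << 4) | (lo & 0x0F)
                 for hi, lo in zip(encoded[0::2], encoded[1::2]))


def printable_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Pull printable ASCII runs out of the decoded payload. After decoding,
    this is where the download URL and the drop filename become visible."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Constructed sample: a made-up byte blob that embeds the strings from the
# answers above. It is NOT the real Lab19-01.bin payload.
SAMPLE_PAYLOAD = (
    b"\x55\x8b\xec\x33\xc0"
    b"http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe\x00"
    b"1.exe\x00\xc3"
)
SAMPLE_ENCODED = alpha_encode(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    if not is_alpha_encoded(SAMPLE_ENCODED):
        raise SystemExit("input does not look alphabetically encoded")
    decoded = alpha_decode(SAMPLE_ENCODED)
    for s in printable_strings(decoded):
        print(s)
```

Against a real sample you would carve the encoded region out of the .bin file, run is_alpha_encoded() on it, decode, and then run printable_strings() to confirm the URL and filename before ever executing the shellcode.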

Detailed Analysis

You can perform dynamic analysis with the shellcode_launcher.exe utility with the following command line:

shellcode_launcher.exe -i Lab19-01.bin -bp

The -bp option causes the program ...
