Practical Malware Analysis by Andrew Honig, Michael Sikorski

Lab 19-2 Solutions

Short Answers

  1. The program process-injects the default web browser, Internet Explorer.

  2. The shellcode buffer is located at 0x407030.

  3. The shellcode is XOR’ed with the byte 0xe7.

  4. The shellcode manually imports the following functions:

    • LoadLibraryA

    • CreateProcessA

    • TerminateProcess

    • GetCurrentProcess

    • WSAStartup

    • WSASocketA

    • connect

  5. The shellcode connects to IP 192.168.200.2 on TCP port 13330.

  6. The shellcode provides a remote shell (cmd.exe).
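The short answers above come from reading the decoder loop and the decoded shellcode in a disassembler. The following script is an added example, not code from the book or the lab binary: it shows how an analyst can recover a single-byte XOR key from a carved buffer when the key is not yet known, decode the buffer, and then pull the triage artifacts out of it (the API name strings and the connect-back address). The sample buffer is constructed here for illustration; it is not the real Lab 19-2 shellcode. The sockaddr_in detection assumes the common x86 idiom of building the structure with two `push imm32` instructions (IP first, then port/family packed into one dword), which is an assumption about layout and not something the lab solution states.

```python
import re
import struct
from typing import List, Optional, Tuple

XOR_KEY = 0xE7            # single-byte key reported in the lab solution
SHELLCODE_VA = 0x407030   # virtual address of the encoded buffer in the lab binary

# Matches "push imm32 (IP); push imm32 (AF_INET | htons(port) << 16)", the usual
# way x86 shellcode builds a sockaddr_in on the stack. The little-endian encoding
# of the immediates leaves both the IP and the port in network byte order.
SOCKADDR_PUSH = re.compile(rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})", re.DOTALL)
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def xor_decode(buf: bytes, key: int) -> bytes:
    """Decode (or encode, XOR is its own inverse) a buffer with one repeating key byte."""
    return bytes(b ^ key for b in buf)


def recover_xor_key(buf: bytes, known_plaintext: bytes) -> Optional[int]:
    """Brute-force the key byte by looking for a string the shellcode must contain."""
    for key in range(256):
        if known_plaintext in xor_decode(buf, key):
            return key
    return None


def find_reverse_connect_targets(code: bytes) -> List[Tuple[str, int]]:
    """Return (ip, port) pairs for every push-built sockaddr_in found in the code."""
    targets = []
    for m in SOCKADDR_PUSH.finditer(code):
        ip = ".".join(str(b) for b in m.group("ip"))
        port = struct.unpack(">H", m.group("port"))[0]   # stored as htons(port)
        targets.append((ip, port))
    return targets


def extract_strings(code: bytes) -> List[str]:
    """ASCII runs of four or more bytes: API names, DLL names, command lines."""
    return [s.decode("ascii") for s in PRINTABLE_RUN.findall(code)]


def triage_shellcode(encoded: bytes, known_plaintext: bytes) -> dict:
    """Recover the key, decode, and collect the artifacts an analyst wants first."""
    key = recover_xor_key(encoded, known_plaintext)
    if key is None:
        return {"key": None, "strings": [], "targets": []}
    decoded = xor_decode(encoded, key)
    return {
        "key": key,
        "strings": extract_strings(decoded),
        "targets": find_reverse_connect_targets(decoded),
    }


# Constructed sample (not the lab's shellcode): a connect() call sequence plus the
# strings the shellcode needs, then XOR-encoded with 0xE7 as the lab's loader would.
_PLAINTEXT = (
    b"\x68\xc0\xa8\xc8\x02"   # push 0x02c8a8c0   ; 192.168.200.2 in network byte order
    b"\x68\x02\x00\x34\x12"   # push 0x12340002   ; sin_family=AF_INET, sin_port=htons(13330)
    b"\x89\xe6"               # mov  esi, esp     ; esi -> sockaddr_in just built on the stack
    b"\x6a\x10"               # push 0x10         ; sizeof(sockaddr_in)
    b"\x56"                   # push esi          ; &sockaddr_in
    b"\x53"                   # push ebx          ; socket handle (assumed to be in ebx)
    b"\xff\xd0"               # call eax          ; eax assumed to hold the resolved connect
    b"ws2_32\x00"
    b"cmd.exe\x00"
    b"WSASocketA\x00connect\x00CreateProcessA\x00"
)
ENCODED_SAMPLE = xor_decode(_PLAINTEXT, XOR_KEY)


if __name__ == "__main__":
    result = triage_shellcode(ENCODED_SAMPLE, b"cmd.exe")
    print(f"buffer at 0x{SHELLCODE_VA:x}: XOR key 0x{result['key']:02x}")
    for ip, port in result["targets"]:
        print(f"connect-back target: {ip}:{port}")
    print("strings:", ", ".join(result["strings"]))
```

To use this on the real sample, carve the bytes at 0x407030 from the unpacked binary (or dump them from memory after the loader has written them) and pass them to triage_shellcode with a string you expect the shellcode to contain, such as cmd.exe. If the sockaddr_in is assembled some other way (for example a mov into a stack buffer), the string output still gives you the API names; the IP and port then have to be read from the disassembly.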

Detailed Analysis

The malware starts by determining the default web browser from the registry: it reads the default value of HKCR\http\shell\open\command, which holds the command line used to open http:// URLs. The browser is then created as a new process with STARTUPINFO.wShowWindow set to SW_HIDE (honored because STARTF_USESHOWWINDOW is set in dwFlags), so no browser window is visible to the user. Process-injecting the default web ...