Practical Malware Analysis by Andrew Honig, Michael Sikorski


Lab 19-3 Solutions

Short Answers

  1. The PDF contains an example of CVE-2008-2992: buffer overflow related to Adobe Reader’s util.printf JavaScript implementation.

  2. The shellcode is encoded using JavaScript’s percent-encoding and is stored along with the JavaScript in the PDF.

  3. The shellcode manually imports the following functions:

    • LoadLibraryA

    • CreateProcessA

    • TerminateProcess

    • GetCurrentProcess

    • GetTempPathA

    • SetCurrentDirectoryA

    • CreateFileA

    • GetFileSize

    • SetFilePointer

    • ReadFile

    • WriteFile

    • CloseHandle

    • GlobalAlloc

    • GlobalFree

    • ShellExecuteA

  4. The shellcode creates the files %TEMP%\foo.exe and %TEMP%\bar.pdf.

  5. The shellcode extracts two files stored encoded within the malicious PDF and writes them to the user’s %TEMP% directory. It executes the foo.exe file and opens the bar.pdf
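The percent-encoding in answer 2 and the API list in answer 3 can be checked together with a small triage decoder. This is an added example, not code from the book or the lab files: it turns a JavaScript unescape()-style string into the bytes it occupies in memory (each %uXXXX or %XX token is one little-endian 16-bit code unit, so %41 yields 41 00, a common trap when carving shellcode by hand), then lists the ASCII strings and which of the expected API names occur. The sample string is constructed; a real sample that resolves imports by hash rather than by name will show no names here, and the decoded bytes go to a disassembler instead.

```python
import re

# JavaScript escape tokens: %uXXXX (one UTF-16 code unit) or %XX (code unit 0x00XX).
_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def unescape_to_bytes(encoded: str) -> bytes:
    """Decode a JavaScript unescape()-style string into the bytes it occupies in
    memory. Every token is one 16-bit code unit stored little-endian, so
    '%u6f4c' -> b'Lo' and '%41' -> b'A\\x00'. Non-token text is rejected."""
    out = bytearray()
    pos = 0
    for m in _TOKEN.finditer(encoded):
        if m.start() != pos:
            raise ValueError(f"non-escape text at offset {pos}: {encoded[pos:m.start()]!r}")
        unit = int(m.group(1) or m.group(2), 16)
        out += unit.to_bytes(2, "little")
        pos = m.end()
    if pos != len(encoded):
        raise ValueError(f"trailing text at offset {pos}: {encoded[pos:]!r}")
    return bytes(out)

# The API names the lab answer lists as manually imported by the shellcode.
EXPECTED_APIS = (
    "LoadLibraryA", "CreateProcessA", "TerminateProcess", "GetCurrentProcess",
    "GetTempPathA", "SetCurrentDirectoryA", "CreateFileA", "GetFileSize",
    "SetFilePointer", "ReadFile", "WriteFile", "CloseHandle", "GlobalAlloc",
    "GlobalFree", "ShellExecuteA",
)

def ascii_strings(blob: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs (like the strings tool) for quick triage of decoded shellcode."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [r.decode() for r in runs]

def find_api_names(blob: bytes) -> list:
    """Which of the expected API names appear as plain strings in the decoded blob."""
    return [name for name in EXPECTED_APIS if name.encode() in blob]

# Constructed sample (not the lab PDF's payload): a NOP sled followed by two
# NUL-terminated API name strings, percent-encoded the way unescape() expects.
SAMPLE = ("%u9090%u9090%u6f4c%u6461%u694c%u7262%u7261%u4179%u4300"
          "%u6572%u7461%u5065%u6f72%u6563%u7373%u0041")

if __name__ == "__main__":
    blob = unescape_to_bytes(SAMPLE)
    print(len(blob), "bytes; strings:", ascii_strings(blob))
    print("API names present:", find_api_names(blob))
```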
