O'Reilly logo

Practical Malware Analysis by Andrew Honig, Michael Sikorski

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Lab 21-1 Solutions

Short Answers

  1. When you run the program without any parameters, it exits immediately.

  2. The main function is located at 0x00000001400010C0. You can spot the call to main by looking for a function call that accepts an integer and two pointers as parameters.

  3. The string ocl.exe is stored on the stack.

  4. To have this program run its payload without changing the filename of the executable, you can patch the jump instruction at 0x0000000140001213 so that it is a NOP instead.

  5. The name of the executable is being compared against the string jzm.exe by the call to strncmp at 0x0000000140001205.

  6. The function at 0x00000001400013C8 takes one parameter, which contains the socket created to the remote host.

  7. The call to CreateProcess takes 10 parameters. ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required