Practical Malware Analysis by Andrew Honig, Michael Sikorski


Lab 21-2 Solutions

Short Answers

  1. The malware contains the resource sections X64, X64DLL, and X86. Each of the resources contains an embedded PE file.

  2. Lab21-02.exe is compiled for a 32-bit system. This is shown in the PE header’s Characteristics field, where the IMAGE_FILE_32BIT_MACHINE flag is set.

  3. The malware attempts to resolve and call IsWow64Process to determine if it is running on an x64 system.

  4. On an x86 machine, the malware drops the X86 resource to disk and injects it into explorer.exe. On an x64 machine, the malware drops two files from the X64 and X64DLL resource sections to disk and launches the executable as a 64-bit process.

  5. On an x86 system, the malware drops Lab21-02.dll into the Windows system directory, which will typically be C:\Windows\System32\ ...
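Answer 2 turns on one COFF header bit, and answers 3 and 4 hinge on the 32-bit loader choosing a payload by the host's architecture. The script below is an added example, not code from the book or the lab binary: a dependency-free parser that walks MZ header, e_lfanew, PE signature and IMAGE_FILE_HEADER, reports the Machine value and tests the IMAGE_FILE_32BIT_MACHINE flag, so an analyst can confirm the bitness of Lab21-02.exe and of the executables carved out of the X64, X64DLL and X86 resources. The two SAMPLE_* byte strings are constructed header stubs (not real executables) so the block runs offline; pass a file path to analyse a real sample.

```python
import struct
import sys

# COFF Characteristics bits and Machine values from the PE/COFF specification
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def coff_header(data: bytes) -> dict:
    """Parse IMAGE_FILE_HEADER of a PE image held in memory.

    Walks MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header and returns the
    fields an analyst checks first: Machine, NumberOfSections, Characteristics.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2) = 20 bytes
    machine, nsect, _ts, _symptr, _nsym, _optsz, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsect, "characteristics": chars}


def is_32bit(data: bytes) -> bool:
    """True when Characteristics carries IMAGE_FILE_32BIT_MACHINE (answer 2)."""
    return bool(coff_header(data)["characteristics"] & IMAGE_FILE_32BIT_MACHINE)


def summarize(data: bytes) -> str:
    """One-line verdict: architecture, EXE/DLL, and the 32BIT_MACHINE flag."""
    hdr = coff_header(data)
    machine = {IMAGE_FILE_MACHINE_I386: "x86",
               IMAGE_FILE_MACHINE_AMD64: "x64"}.get(hdr["machine"],
                                                    "0x%04X" % hdr["machine"])
    kind = "DLL" if hdr["characteristics"] & IMAGE_FILE_DLL else "EXE"
    return "%s %s, 32BIT_MACHINE=%s" % (machine, kind, is_32bit(data))


def _fake_pe(machine: int, characteristics: int) -> bytes:
    """Constructed sample: bare MZ stub + PE signature + COFF header.
    Not a runnable executable, just enough header for the parser above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed stand-ins for the two cases the lab distinguishes
SAMPLE_X86_EXE = _fake_pe(IMAGE_FILE_MACHINE_I386,
                          IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
SAMPLE_X64_EXE = _fake_pe(IMAGE_FILE_MACHINE_AMD64,
                          IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # e.g. a PE carved from the X64 resource
            print(summarize(f.read()))
    else:
        print(summarize(SAMPLE_X86_EXE))     # x86 EXE, 32BIT_MACHINE=True
        print(summarize(SAMPLE_X64_EXE))     # x64 EXE, 32BIT_MACHINE=False
```

Running this over the dropped files confirms what the IsWow64Process branch implies: the X86 payload carries IMAGE_FILE_32BIT_MACHINE, while the X64 and X64DLL payloads report Machine 0x8664 without it, which is why the x64 code path must be analysed on a 64-bit host or in a 64-bit VM.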
