Skip to content

Latest commit

 

History

History
75 lines (45 loc) · 1.82 KB

lab-09-3.md

File metadata and controls

75 lines (45 loc) · 1.82 KB

This post is part of the series of Practical Malware Analysis Exercises.

1) What DLLs imported by EXE?

WinAPI: KERNEL32, NETAPI32, USER32 Other: DLL1, DLL2, DLL3

2) What is the base address requested by DLL 1, 2, 3?

  • DLL 1) 10000000
  • DLL 2) 10000000
  • DLL 3) 10000000

3) In Olly, what is assigned address for DLL 1, 2, 3?

  • DLL 1)    10000000
  • DLL 2)    00330000
  • DLL 3)    00390000

4) When EXE calls an import from DLL1, what does the function do?

Prints the PID.

Console:

DLL 1 mystery data 7132
DLL 1 mystery data 7760
  • Number changes each run.
  • In IDA, 2 functions reference 10008030:
    • DLL1Print
    • DLLMain.
  • DLLMain gets the PID.
  • The number is the PID, stored in the DLL's memory.

5) When EXE calls WriteFile, what is the filename?

Filename is temp.txt

  1. File handle opened and returned by DLL2.DLL2ReturnJ.
  2. In DLL2.DllMain(), creates file temp.txt and stores.
  3. The file handle is returned by DLL2.DLL2ReturnJ.

6) When EXE creates job using NetScheduleJobAdd, where does second parameter come from?

Passes the buffer in a call to DLL3.DLL3GetStructure. Returns the parameter.

DLL3GetStructure returns a pointer to a generated ATINFO` structure.

  • 8 bytes: ptr to job time (0036EE80)
  • 8 bytes: days of month (NULL)
  • 1 byte:  days of week (0x7f=1111111), run every day.
  • 1 byte:  flags (0x11), JOB_NONINTERACTIVE & JOB_RUN_PERIODICALLY
  • 64 bytes: unicode command string ping www.malwareanalysisbook.com

7) EXE will print 3 pieces of mystery data. What are mystery data for DLL 1, 2, 3?

  • DLL1: PID
  • DLL2: File handle
  • DLL3: Unicode string as integer.

8) How can DLL2 be loaded in Olly to match address in IDA?

Manual loading, specifying address base 00330000.