Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Back: 12. Covert Malware Launching
Next: Process Injection

As discussed in the previous chapter, a launcher (also known as a loader) is a type of malware that sets up itself or another piece of malware for immediate or future covert execution. The goal of a launcher is to arrange things so that the malicious behavior is concealed from the user.

Launchers often contain the malware that they’re designed to load. The most common example is an executable or DLL stored in the launcher’s own resource section. The resource section of the Windows PE file format holds data used by the executable and is not considered part of the executable code itself. Normal contents of the resource section include icons, images, menus, and strings. Launchers will often store malware within the resource section. When the launcher runs, it extracts the embedded executable or DLL from the resource section before launching it.

As you have seen in previous examples, if the resource section is compressed or encrypted, the malware must extract and decode the resource before loading it. This often means that you will see the launcher call resource-manipulation API functions such as FindResource, LoadResource, and SizeofResource.

Malware launchers often must be run with administrator privileges or escalate themselves to obtain those privileges. Ordinary user-level processes can’t perform all of the techniques we discuss in this chapter. We discussed privilege escalation in the previous chapter; the fact that launchers may contain privilege-escalation code provides another way to identify them.
