Книга: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Назад: Conclusion
Дальше: A. Important Windows Functions

, but tweaked and compiled for a 64-bit system.

Q:

1. What happens when you run this program without any parameters?

Q:

2. Depending on your version of IDA Pro, main may not be recognized automatically. How can you identify the call to the main function?

Q:

3. What is being stored on the stack in the instructions from 0x0000000140001150 to 0x0000000140001161?

Q:

4. How can you get this program to run its payload without changing the filename of the executable?

Q:

5. Which two strings are being compared by the call to strncmp at 0x0000000140001205?

Q:

6. Does the function at 0x00000001400013C8 take any parameters?

Q:

7. How many arguments are passed to the call to CreateProcess at 0x0000000140001093? How do you know?

Analyze the malware found in Lab21-02.exe on both x86 and x64 virtual machines. This malware is similar to Lab12-01.exe, with an added x64 component.

Q:

1. What is interesting about the malware’s resource sections?

Q:

2. Is this malware compiled for x64 or x86?

Q:

3. How does the malware determine the type of environment in which it is running?

Q:

4. What does this malware do differently in an x64 environment versus an x86 environment?

Q:

5. Which files does the malware drop when running on an x86 machine? Where would you find the file or files?

Q:

6. Which files does the malware drop when running on an x64 machine? Where would you find the file or files?

Q:

7. What type of process does the malware launch when run on an x64 system?

Q:

8. What does the malware do?

Назад: Conclusion
Дальше: A. Important Windows Functions

sss
sss

© RuTLib.com 2015-2018