Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

, and it was extracted as part of , let’s begin by opening the file with IDA Pro to examine the function imports. The most interesting of the imports is SetWindowsHookExA, an API that allows an application to hook or monitor events within Microsoft Windows.

In , we see that SetWindowsHookExA is called from main at . The MSDN documentation shows that the first parameter, 0Dh, corresponds to WH_KEYBOARD_LL, which enables monitoring of keyboard events using the hook function IDA Pro labeled fn at . The program is therefore probably processing keystrokes, and fn is the function that will receive them.

at .

, we see at and that the program checks the type of keypress with cmp, in order to process each keypress once. At , the program passes (mov) the virtual key code to the function sub_4010C7 shown later in bold.

Examining sub_4010C7, we see that the program first opens the file practicalmalwareanalysis.log. After this, the malware calls GetForegroundWindow followed by GetWindowTextA, as shown in . GetForegroundWindow selects the window that was active when the key was pressed, and GetWindowTextA then grabs that window's title. This gives the program context for where the keystrokes originated.

at . Recognizing that var_C contains the virtual key code that was passed into the function, we see the virtual key code used as an index to a lookup table at . The value received from the lookup table is used as an index into the jump table off_401441 at .

, provides the value 3, which is stored in ECX. ECX is then multiplied by 4 at , yielding 0xC, which is used as an offset into off_401441. This returns the location loc_401249, where we find the string [SHIFT] written to the log file.
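As an added example (not code from the book or from the lab binary), here is a small Python model of the dispatch just described, so the index, offset and target arithmetic from the text can be checked by hand: a virtual key code is turned into a case index, the index is scaled by 4 and used as an offset into the jump table, and only WM_KEYDOWN messages are processed so each keypress is handled once. Only the VK_SHIFT -> 3 -> 0xC -> loc_401249 -> [SHIFT] chain and the table base off_401441 come from the page; every other table entry and address is a constructed assumption.

```python
# Windows SDK constants (real values).
WM_KEYDOWN = 0x0100
WM_KEYUP = 0x0101
VK_BACK = 0x08
VK_RETURN = 0x0D
VK_SHIFT = 0x10

JUMP_TABLE_BASE = 0x401441  # off_401441 from the analysis
POINTER_SIZE = 4            # 32-bit code: ECX * 4 is the byte offset into the table

# Constructed lookup table: virtual key code -> case index.
# Only VK_SHIFT -> 3 is taken from the page; the other entries are assumptions.
VK_TO_CASE = {VK_SHIFT: 3, VK_RETURN: 1, VK_BACK: 2}

# Constructed jump table: case index -> (handler address, string written to the log).
# loc_401249 / "[SHIFT]" is from the page; the other rows are assumptions.
CASE_TABLE = [
    (0x401200, None),          # case 0 (assumed default): write the printable character
    (0x401215, "[ENTER]"),     # assumed
    (0x401230, "[BACKSPACE]"), # assumed
    (0x401249, "[SHIFT]"),     # from the page
]


def resolve_case(vk_code):
    """Mirror the binary: lookup table -> index, index * 4 -> offset, offset + base -> slot."""
    index = VK_TO_CASE.get(vk_code, 0)  # keys absent from the lookup table fall to case 0
    offset = index * POINTER_SIZE
    target, label = CASE_TABLE[index]
    return {
        "index": index,
        "offset": offset,
        "slot": JUMP_TABLE_BASE + offset,  # address of the pointer read from off_401441
        "target": target,                  # handler the pointer refers to
        "label": label,
    }


def hook_decision(message, vk_code):
    """Model of fn: process WM_KEYDOWN only, so a press+release pair is logged once."""
    if message != WM_KEYDOWN:
        return None
    case = resolve_case(vk_code)
    if case["label"] is not None:
        return case["label"]
    # Printable keys: assumes the VK code equals the ASCII code, which holds for A-Z and 0-9.
    return chr(vk_code)
```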

We are able to conclude that this malware is a keylogger that logs keystrokes to the file practicalmalwareanalysis.log. This keylogger uses SetWindowsHookEx to implement its keylogging functionality.


© RuTLib.com 2015-2018