SetWindowsHookExA, an API that allows an application to hook or monitor events within Microsoft Windows. In the disassembly, we see that SetWindowsHookExA is called from main at ❶. The MSDN documentation shows that the first parameter, 0Dh, corresponds to WH_KEYBOARD_LL, which enables monitoring of keyboard events using the hook procedure IDA Pro labeled fn at ❷. The program is probably doing something with keystrokes, and the fn function is what will receive them.
cmp, in order to process each keypress once. At ❸, the program passes (mov) the virtual key code to the function sub_4010C7, shown later in bold.

Examining sub_4010C7, we see that the program first opens a file, practicalmalwareanalysis.log. After this, the malware calls GetForegroundWindow followed by GetWindowTextA, as shown in the listing. GetForegroundWindow selects the window that was active when the key was pressed, and GetWindowTextA then retrieves that window's title. This lets the program record the context in which the keystrokes were typed.
var_C contains the virtual key code that was passed into the function, we see the virtual key code used as an index into a lookup table at ❷. The value read from the lookup table is then used as an index into the jump table off_401441 at ❶. This resolves to the location loc_401249, where we find the string [SHIFT] being written to the log file.

Example C-80. The offset table for byte_40148D

    byte_40148D db 0, 1, 12h, 12h
                db 12h, 2, 12h, 12h
                db 3, 4, 12h, 12h
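To make the two-level dispatch concrete, here is an added C example (not the lab's code) that reproduces the twelve bytes of Example C-80 and walks a virtual key code through the case-index table and the jump table the way the compiled switch does. It assumes the table is indexed from VK code 0x08 and that 12h, the value repeated for every key without its own case, is the switch's default case; under that assumption the non-default slots fall on VK_BACK, VK_TAB, VK_RETURN, VK_SHIFT and VK_CONTROL, so every label other than [SHIFT] is illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the lab's code. Models the switch the compiler emitted:
 *   movzx eax, byte_40148D[vk - base]   ; case-index table (Example C-80)
 *   jmp   off_401441[eax*4]             ; jump table, one slot per case
 * Only the twelve bytes shown in Example C-80 are reproduced here. */
static const unsigned char byte_40148D[] = {
    0,    1,    0x12, 0x12,
    0x12, 2,    0x12, 0x12,
    3,    4,    0x12, 0x12,
};
#define TABLE_LEN (sizeof byte_40148D / sizeof byte_40148D[0])

/* Assumed: the table starts at VK code 0x08 (VK_BACK), and 0x12, the highest
 * value and the one repeated for every key without its own case, is the
 * switch's default case, which logs the key as a plain character. */
#define VK_BASE      0x08
#define DEFAULT_CASE 0x12

/* Assumed labels for jump-table slots 0..4; the page only confirms [SHIFT].
 * With VK_BASE = 0x08 the slots land on BACK, TAB, RETURN, SHIFT, CONTROL. */
static const char *case_labels[] = {
    "[BACKSPACE]", "[TAB]", "[ENTER]", "[SHIFT]", "[CTRL]"
};

/* The case index the jmp would use: the cmp/ja range check first, then the
 * movzx from the index table. */
int case_index(unsigned vk)
{
    if (vk < VK_BASE || vk - VK_BASE >= TABLE_LEN)
        return DEFAULT_CASE;
    return byte_40148D[vk - VK_BASE];
}

/* Label written to the log for a special key, or NULL when the default case
 * applies and the key would be logged as its own character. */
const char *key_label(unsigned vk)
{
    int idx = case_index(vk);
    return idx == DEFAULT_CASE ? NULL : case_labels[idx];
}

int main(void)
{
    /* Constructed key sequence: SHIFT, 'A', 'B', ENTER */
    unsigned keys[] = { 0x10, 0x41, 0x42, 0x0D };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        const char *label = key_label(keys[i]);
        if (label) printf("%s", label); else printf("%c", (char)keys[i]);
    }
    putchar('\n');   /* prints [SHIFT]AB[ENTER] */
    return 0;
}
```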
We can conclude that this malware is a keylogger that records keystrokes to the file practicalmalwareanalysis.log. It uses SetWindowsHookEx to implement its keylogging functionality.