Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Back: Lab 15-2 Solutions
Next: Lab 16-1 Solutions


  • The filename used by the program is spoolsrv.exe.


    as code, and has chosen instead to represent it as a series of DWORDs. Place your cursor on the first DWORD and press the C key to change this into code.

    to code, it is displayed as shown in .

    unlinks the structured exception handler and removes the exception record from the stack. The last line of the code is an anti-disassembly countermeasure in the form of an inward-pointing jmp instruction at . Convert the jmp to data by placing your cursor at 0x4014D7 and pressing the D key. Then select line 0x004014D8 and convert it to code with the C key.

    After correcting the anti-disassembly countermeasure shown in , we see that the rest of the code is properly disassembled with a call to URLDownloadToFileA, seen at in .
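The inward-pointing jmp that the text has you repair by hand, as an added example that is not part of the book or of the lab binary: a toy decoder for a handful of 32-bit x86 opcodes compares a linear sweep with flow-oriented decoding, then simulates the D-then-C repair described above. The byte string is constructed for illustration. `EB FF` is the classic `jmp $+1` form of the trick: its target is the `FF` byte inside the jmp itself, so the real instruction `FF C0` (`inc eax`) is hidden from any decoder that starts on the jmp's first byte, which is exactly why marking the jmp as data and re-decoding from the next byte recovers the stream. The sample bytes, function names and opcode subset are assumptions for this example, not anything taken from the lab.

```python
"""Added example (not from the book): an inward-pointing jmp versus linear sweep,
flow-oriented decoding, and the D/C repair done in IDA.

The byte string is constructed for illustration; it is NOT the lab binary's code.
"""

# Constructed sample, 32-bit x86:
#   off 0: EB FF   jmp short 0x1  (target is the FF byte inside the jmp itself)
#   off 1: FF C0   inc eax        (the real instruction stream starts here)
#   off 3: 48      dec eax
#   off 4: C3      ret
#   off 5: 90 C3   padding so a linear sweep has bytes to mis-decode
SAMPLE = bytes.fromhex("EB FF C0 48 C3 90 C3")

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SHIFT_GROUP = ["rol", "ror", "rcl", "rcr", "shl", "shr", "sal", "sar"]


def _s8(b):
    """Interpret a byte as a signed 8-bit displacement."""
    return b - 256 if b >= 0x80 else b


def decode_one(code, off):
    """Decode one instruction from a tiny subset of 32-bit x86.

    Returns (text, length, branch_target); branch_target is None unless the
    instruction is an unconditional jmp. Unknown or truncated bytes become `db`.
    """
    b = code[off]
    if b == 0xEB and off + 1 < len(code):              # jmp short rel8
        target = off + 2 + _s8(code[off + 1])          # relative to next instruction
        return ("jmp short 0x%x" % target, 2, target)
    if b == 0xFF and off + 1 < len(code) and code[off + 1] == 0xC0:
        return ("inc eax", 2, None)                    # FF /0, modrm C0 = eax
    if b == 0xC0 and off + 2 < len(code):              # shift/rotate r/m8, imm8
        modrm = code[off + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 1 and rm != 4 and off + 3 < len(code):   # [reg+disp8], imm8 (no SIB)
            disp, imm = _s8(code[off + 2]), code[off + 3]
            mem = "[%s%s0x%x]" % (REG32[rm], "-" if disp < 0 else "+", abs(disp))
            return ("%s byte ptr %s, 0x%x" % (SHIFT_GROUP[reg], mem, imm), 4, None)
    if 0x48 <= b <= 0x4F:
        return ("dec %s" % REG32[b - 0x48], 1, None)
    if b == 0x90:
        return ("nop", 1, None)
    if b == 0xC3:
        return ("ret", 1, None)
    return ("db 0x%02x" % b, 1, None)


def linear_sweep(code):
    """Decode from offset 0 to the end, as a linear-sweep disassembler would.
    The bytes hidden behind the jmp are swallowed into a bogus 4-byte ror."""
    out, off = [], 0
    while off < len(code):
        text, length, _ = decode_one(code, off)
        out.append((off, text))
        off += length
    return out


def flow_oriented(code, start=0):
    """Follow control flow from `start`, taking the jmp to its target and
    stopping at ret; this is how the real instructions are found."""
    out, off, seen = [], start, set()
    while 0 <= off < len(code) and off not in seen:
        seen.add(off)
        text, length, target = decode_one(code, off)
        out.append((off, text))
        if text == "ret":
            break
        off = target if target is not None else off + length
    return out


def ida_repair(code, jmp_off):
    """Simulate the manual fix from the text: D on the jmp turns its byte into
    data, then C on the following byte decodes the instructions it was hiding."""
    out = [(jmp_off, "db 0x%02x" % code[jmp_off])]
    off = jmp_off + 1
    while off < len(code):
        text, length, _ = decode_one(code, off)
        out.append((off, text))
        if text == "ret":
            break
        off += length
    return out


if __name__ == "__main__":
    for title, listing in (("linear sweep", linear_sweep(SAMPLE)),
                           ("flow-oriented", flow_oriented(SAMPLE)),
                           ("after D at 0, C at 1", ida_repair(SAMPLE, 0))):
        print(title)
        for off, text in listing:
            print("  %04x  %s" % (off, text))
```

The linear sweep shows why the region looked wrong in the first place: once the decoder has consumed `EB FF` as one instruction it lands on `C0 48 ...`, which happens to form a valid but meaningless shift instruction. The `ida_repair` listing is the equivalent of pressing D on the jmp and C on the byte after it, the same two keystrokes the text applies at 0x4014D7 and 0x4014D8.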


    © RuTLib.com 2015-2018