This example leaves out all error handling and parameter setup. A realistic example would be littered with calls to WSAGetLastError and other error-handling functions.
Example 7-3. A simplified program with a server socket
00401041 push ecx ; lpWSAData
00401042 push 202h ; wVersionRequested
00401047 mov word ptr [esp+250h+name.sa_data], ax
0040104C call ds:WSAStartup
00401052 push 0 ; protocol
00401054 push 1 ; type
00401056 push 2 ; af
00401058 call ds:socket
0040105E push 10h ; namelen
00401060 lea edx, [esp+24Ch+name]
00401064 mov ebx, eax
00401066 push edx ; name
00401067 push ebx ; s
00401068 call ds:bind
0040106E mov esi, ds:listen
00401074 push 5 ; backlog
00401076 push ebx ; s
00401077 call esi ; listen
00401079 lea eax, [esp+248h+addrlen]
0040107D push eax ; addrlen
0040107E lea ecx, [esp+24Ch+hostshort]
00401082 push ecx ; addr
00401083 push ebx ; s
00401084 call ds:accept
First, WSAStartup initializes the Win32 sockets system (the 202h pushed as wVersionRequested asks for Winsock 2.2), and then a socket is created with socket. The constants pushed for that call are worth decoding: af=2 is AF_INET, type=1 is SOCK_STREAM, and protocol=0 lets the system pick the default for a stream socket, so this is an IPv4 TCP socket. The bind function attaches the socket to a local address and port, the listen call marks it as a passive socket that will queue incoming connections (backlog=5), and the accept call blocks, waiting for a connection from a remote socket. The listen/accept pair is what identifies this code as a server; a client would call connect instead.
In addition to the Winsock API, there is a higher-level API called the WinINet API. The WinINet API functions are stored in Wininet.dll. If a program imports functions from this DLL, it’s using higher-level networking APIs. (Malware that resolves these functions at run time with LoadLibrary and GetProcAddress will not show them in its import table, so check strings and dynamic behavior as well.)
The WinINet API implements protocols, such as HTTP and FTP, at the application layer. You can gain an understanding of what malware is doing based on the connections that it opens.
InternetOpen is used to initialize the application’s use of WinINet and returns the handle that the later calls take; its first parameter is the User-Agent string, which is often a distinctive indicator for a sample. InternetOpenUrl is used to connect to a URL (which can be an HTTP page or an FTP resource) and returns a handle to that resource. InternetReadFile works much like the ReadFile function, allowing the program to read the data from a file downloaded from the Internet into a buffer.
Malware can use the WinINet API to connect to a remote server and get further instructions for execution, so the URL and User-Agent strings passed to these calls are worth recovering as indicators.
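The two call sequences discussed above (the Winsock server in Example 7-3 and the WinINet download sequence) can be recovered mechanically from an IDA-style listing: under stdcall, the pushes since the previous call, read in reverse, are the call's arguments in prototype order, and IDA's parameter comments name each one. The script below is an added example, not code from the page or from the book; it parses the page's own listing plus a constructed WinINet downloader stub (hypothetical addresses and labels), decodes the immediates that matter for triage (af, type, protocol, Winsock version, WinINet access type and flags), follows a register-indirect call such as mov esi, ds:listen / call esi, and labels the program's network role from the API names alone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The page's own listing (Example 7-3), one instruction per line.
SERVER_LISTING = """\
00401041 push ecx ; lpWSAData
00401042 push 202h ; wVersionRequested
00401047 mov word ptr [esp+250h+name.sa_data], ax
0040104C call ds:WSAStartup
00401052 push 0 ; protocol
00401054 push 1 ; type
00401056 push 2 ; af
00401058 call ds:socket
0040105E push 10h ; namelen
00401060 lea edx, [esp+24Ch+name]
00401064 mov ebx, eax
00401066 push edx ; name
00401067 push ebx ; s
00401068 call ds:bind
0040106E mov esi, ds:listen
00401074 push 5 ; backlog
00401076 push ebx ; s
00401077 call esi ; listen
00401079 lea eax, [esp+248h+addrlen]
0040107D push eax ; addrlen
0040107E lea ecx, [esp+24Ch+hostshort]
00401082 push ecx ; addr
00401083 push ebx ; s
00401084 call ds:accept
"""
# Constructed WinINet downloader stub: hypothetical addresses and labels, not from the page.
WININET_LISTING = """\
00401100 push 0 ; dwFlags
00401102 push 0 ; lpszProxyBypass
00401104 push 0 ; lpszProxy
00401106 push 1 ; dwAccessType
00401108 push offset aAgent ; lpszAgent
0040110D call ds:InternetOpenA
00401113 push 0 ; dwContext
00401115 push 80000000h ; dwFlags
0040111A push 0 ; dwHeadersLength
0040111C push 0 ; lpszHeaders
0040111E push offset aUrl ; lpszUrl
00401123 push esi ; hInternet
00401124 call ds:InternetOpenUrlA
0040112A push ebx ; lpdwNumberOfBytesRead
0040112B push 400h ; dwNumberOfBytesToRead
00401130 push ebp ; lpBuffer
00401131 push eax ; hFile
00401132 call ds:InternetReadFile
"""

LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+(\w+)\s+(.*?)\s*(?:;\s*(.*))?$")
# Named meanings of the immediates worth decoding during triage, keyed by parameter name.
CONSTANTS = {
    "af": {2: "AF_INET", 23: "AF_INET6"}, "type": {1: "SOCK_STREAM", 2: "SOCK_DGRAM"},
    "protocol": {0: "default for type", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"},
    "wVersionRequested": {0x101: "Winsock 1.1", 0x202: "Winsock 2.2"},
    "dwAccessType": {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT"},
    "dwFlags": {0x80000000: "INTERNET_FLAG_RELOAD"},
}
WININET = {"InternetOpen", "InternetOpenUrl", "InternetReadFile", "InternetConnect",
           "HttpOpenRequest", "HttpSendRequest", "FtpGetFile"}

@dataclass
class ApiCall:
    address: str
    name: str                                   # import name, A/W (ANSI/Unicode) suffix removed
    args: List[Tuple[str, str, Optional[str]]]  # (param name, raw operand, decoded) in C order

def decode(param: str, raw: str) -> Optional[str]:
    # IDA writes immediates as '5' or '202h' (hex always starts with a digit, e.g. 0FFh);
    # registers and 'offset x' operands carry no fixed value, so they decode to None.
    m = re.fullmatch(r"([0-9][0-9A-Fa-f]*)h", raw)
    value = int(m.group(1), 16) if m else (int(raw) if raw.isdigit() else None)
    return None if value is None else CONSTANTS.get(param, {}).get(value)

def parse_listing(listing: str) -> List[ApiCall]:
    # stdcall pushes arguments right to left, so the pushes since the last call, reversed,
    # are the arguments in prototype order; IDA's comment names the parameter for us.
    calls, pending, reg_imports = [], [], {}
    for m in filter(None, map(LINE.match, listing.splitlines())):
        addr, mnem, ops, comment = m.groups()
        if mnem == "push":
            pending.append((comment or "?", ops))
        elif mnem == "mov" and ", ds:" in ops:      # mov esi, ds:listen ... call esi
            reg, imp = ops.split(", ds:", 1)
            reg_imports[reg] = imp
        elif mnem == "call":
            target = ops[3:] if ops.startswith("ds:") else reg_imports.get(ops, comment or ops)
            name = re.sub(r"(?<=[a-z])[AW]$", "", target)
            calls.append(ApiCall(addr, name, [(p, r, decode(p, r)) for p, r in reversed(pending)]))
            pending = []
    return calls

def classify(calls: List[ApiCall]) -> List[str]:
    # listen/accept means the sample waits for inbound connections, connect means it reaches
    # out, and any Wininet.dll function means application-layer HTTP/FTP.
    names = {c.name for c in calls}
    roles = []
    if names & {"listen", "accept", "WSAAccept"}:
        roles.append("Winsock server (listens for inbound connections)")
    if names & {"connect", "WSAConnect"}:
        roles.append("Winsock client (initiates outbound connections)")
    if names & WININET:
        roles.append("WinINet client (application-layer HTTP/FTP)")
    return roles

if __name__ == "__main__":
    for calls in map(parse_listing, (SERVER_LISTING, WININET_LISTING)):
        print(*calls, classify(calls), sep="\n")
```

Run over Example 7-3 the script reports socket(af=2 [AF_INET], type=1 [SOCK_STREAM], protocol=0 [default for type]) followed by bind, listen and accept, and labels the program a Winsock server; over the constructed stub it reports InternetOpen with INTERNET_OPEN_TYPE_DIRECT, InternetOpenUrl with INTERNET_FLAG_RELOAD and InternetReadFile, and labels it a WinINet client. The A/W suffix stripping is a heuristic for the ANSI/Unicode import pairs; extend CONSTANTS for whatever parameters matter in your own samples.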