Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.


  • Create BookmarkCreate Bookmark
  • Create Note or TagCreate Note or Tag
  • PrintPrint
Share this Page URL
Help

C. Solutions to Labs > Lab 19-2 Solutions

Lab 19-2 Solutions

Short Answers

  1. The program process-injects the default web browser, Internet Explorer.

  2. The shellcode buffer is located at 0x407030.

  3. The shellcode is XOR’ed with the byte 0xe7.

  4. The shellcode manually imports the following functions:

    • LoadLibraryA

    • CreateProcessA

    • TerminateProcess

    • GetCurrentProcess

    • WSAStartup

    • WSASocketA

    • connect

  5. The shellcode connects to IP 192.168.200.2 on TCP port 13330.

  6. The shellcode provides a remote shell (cmd.exe).

Detailed Analysis

The malware starts by determining the default web browser by reading the registry value HKCR\http\shell\open\command. The browser is created as a new process whose StartupInfo.wShowWindow value is set to SW_HIDE, so the process is hidden from the user interface. Process-injecting the default web browser is a common malware trick because it is normal for the web browser to perform network communications.


  

You are currently reading a PREVIEW of this book.

                                                                                                                    

Get instant access to over $1 million worth of books and videos.

  

Start a Free Trial


  
  • Safari Books Online
  • Create BookmarkCreate Bookmark
  • Create Note or TagCreate Note or Tag
  • PrintPrint