![]() Explain what is the intention of that call. Inspect the parameters that are being sent to ShellExecuteA. Use your breakpoint/step into/ step abilities to execute the program until just before the call to ShellExecuteA (in the sub_4010000). ![]() Did the execution hit the first CALL sub_4010000? Put a breakpoint in the first CALL to sub_4010000, then click the run button on OllyDbg. Open Lab16-01.exe in OllyDbg (in your Windows 2008 VM). Lets find out what sub_4010000 does, using dynamic analysis. Lab16-01.exe is just a toy malware, but just in case something goes wrong with its contents, create a copy of the file Lab16-01.exe before the next step. Under what condition is the THIRD call to sub_4010000 (at address 0x004035B0) made? is executed if: The code block that begins at address 0x403594, also reads the PEB. Under what condition is the second call to sub_4010000 (at address 0x0040358F) made? The code block that begins at address 0x403573, also accesses the PEB. Under what conditions is the first call to sub_4010000 (at address 0x0040356E) made? Offset +2 is the first that is checked by the Lab16-01.exe binary. In the class presentation we saw that one of the techniques that malware uses to detect if its being run by the debugger is by reading the Process Environment Block (PEB) at fs. This lab is an adaptation of Lab16-1 from the book. It will not modify or harm your Windows VM. The binary we will be analyzing is from the Practical Malware Analysis book and is available at.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |