3. Analysing Malicious Windows Programs
(a) List three Windows file system functions that are commonly used by malware.
Explain what each does.

(b) Figure 3 shows the code listing for some malware. Explain in detail what it is doing.
Why is it doing this?

(c) Figure 4 shows the first few lines of a piece of malware along with the function
definition for CreateThread. Complete the rest of the code so that the malware can
send all information to a socket in order to communicate seamlessly with a running
application.

[Figure 3: Malware code listing. Only fragments of the disassembly survived extraction. What can be recovered: the code pushes offset Subkey and HKEY_LOCAL_MACHINE, calls RegOpenKeyExW through esi, tests eax and branches with jnz short loc_4026C5 on failure, loads ecx with [esp+424h+Data] and sets bl to 1; at loc_402882 it calls ds:lstrlen on the Data buffer, computes edx from the returned length (lea edx, [eax+eax+2]), then loads hKey, Data and ValueName from the stack frame and calls ds:RegSetValueExW.]

[Figure 4: First few lines of malware code, (a), and syntax for the CreateThread function, (b). Panel (a) shows lea eax, [ebp+58h+Tid]; push eax; followed by further push instructions ending in push offset ThreadFunction1. Panel (b) gives the prototype:

HANDLE WINAPI CreateThread(
    _In_opt_  LPSECURITY_ATTRIBUTES  lpThreadAttributes,
    _In_      SIZE_T                 dwStackSize,
    _In_      LPTHREAD_START_ROUTINE lpStartAddress,
    _In_opt_  LPVOID                 lpParameter,
    _In_      DWORD                  dwCreationFlags,
    _Out_opt_ LPDWORD                lpThreadId
);]
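Questions (a) and (b) both come down to recognising which Win32 APIs a listing calls and what they imply. The following triage helper is an added example for this exercise, not code from the exam or from the malware in the figures: it pulls the call targets out of an IDA-style listing, labels each API by category (file system, registry, threading, networking), and flags the open-key-then-set-value pattern of Figure 3. The listing it runs on is constructed to mirror Figures 3 and 4; its addresses, the Run-key string and the operand comments are invented, and the API table covers only a handful of common functions.

```python
"""Static triage of an IDA-style disassembly listing: which Win32 APIs are
called, what they do, and whether the registry-write pattern of Figure 3
looks like autostart persistence. Teaching example; the listing is constructed."""
import re
from collections import defaultdict

# Constructed listing in the style of Figure 3 (registry write) followed by
# Figure 4 (thread creation). Addresses, the key path and comments are made up.
SAMPLE_LISTING = r"""
00402860 push    offset Subkey          ; "Software\Microsoft\Windows\CurrentVersion\Run"
00402865 push    HKEY_LOCAL_MACHINE
0040286A call    esi                    ; RegOpenKeyExW
0040286C test    eax, eax
0040286E jnz     short loc_4026C5
00402882 lea     eax, [esp+424h+Data]
00402886 push    eax
00402887 call    ds:lstrlenW
004028A0 push    ecx                    ; lpValueName
004028A1 call    ds:RegSetValueExW
004028B0 lea     eax, [ebp+58h+Tid]
004028B3 push    eax                    ; lpThreadId
004028B4 push    0                      ; dwCreationFlags
004028B6 push    0                      ; lpParameter
004028B8 push    offset ThreadFunction1 ; lpStartAddress
004028BD push    0                      ; dwStackSize
004028BF push    0                      ; lpThreadAttributes
004028C1 call    ds:CreateThread
004028C7 call    ds:WriteFile
"""

# Base API name -> (category, what it does). Real Win32 names; the A/W suffix
# is stripped before lookup.
API_INFO = {
    "CreateFile":     ("file",     "opens or creates a file (or device) and returns a handle"),
    "ReadFile":       ("file",     "reads bytes from an open file handle"),
    "WriteFile":      ("file",     "writes bytes to an open file handle"),
    "RegOpenKeyEx":   ("registry", "opens an existing registry key and returns an HKEY"),
    "RegSetValueEx":  ("registry", "writes a named value under an open key"),
    "RegCreateKeyEx": ("registry", "creates (or opens) a registry key"),
    "CreateThread":   ("thread",   "starts a thread at lpStartAddress with lpParameter"),
    "lstrlen":        ("string",   "returns a string's length, typically to size a buffer"),
    "socket":         ("network",  "creates a socket"),
    "connect":        ("network",  "connects a socket to a remote endpoint"),
    "send":           ("network",  "sends data over a connected socket"),
}

# "<addr> call [ds:]<target> [; <comment>]" -- the comment resolves calls
# through a register such as "call esi".
CALL_RE = re.compile(r"^\s*[0-9A-Fa-f]{8}\s+call\s+(?:ds:)?(\w+)(?:\s*;\s*(\w+))?")


def normalise(name):
    """Map RegOpenKeyExW / lstrlenA etc. onto the base name used in API_INFO."""
    if name in API_INFO:
        return name
    if name[-1] in "AW" and name[:-1] in API_INFO:
        return name[:-1]
    return None


def extract_calls(listing):
    """Return the recognised API names called, in program order."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        name = normalise(target) or (normalise(comment) if comment else None)
        if name:
            calls.append(name)
    return calls


def categorise(calls):
    """Group calls as category -> [(api, description)], without duplicates."""
    groups = defaultdict(list)
    for api in calls:
        cat, desc = API_INFO[api]
        if (api, desc) not in groups[cat]:
            groups[cat].append((api, desc))
    return dict(groups)


def persistence_indicator(listing, calls):
    """Flag the Figure 3 pattern: open/create a key, then set a value under it.
    A Run-key path among the string references upgrades it to autostart."""
    opens_key = any(c in ("RegOpenKeyEx", "RegCreateKeyEx") for c in calls)
    sets_value = "RegSetValueEx" in calls
    run_key = re.search(r"CurrentVersion\\Run", listing) is not None
    if opens_key and sets_value and run_key:
        return "writes a value under a Run key: autostart persistence"
    if opens_key and sets_value:
        return "writes a registry value (check which key)"
    return None


def triage(listing=SAMPLE_LISTING):
    calls = extract_calls(listing)
    return {"calls": calls,
            "by_category": categorise(calls),
            "persistence": persistence_indicator(listing, calls)}


if __name__ == "__main__":
    result = triage()
    for cat, apis in result["by_category"].items():
        print(f"[{cat}]")
        for api, desc in apis:
            print(f"  {api:15s} {desc}")
    print("persistence:", result["persistence"])
```

Run on the constructed listing it reports the registry pair as Run-key persistence and lists CreateThread and WriteFile under their categories, which is exactly the reasoning (b) asks for: the key is opened, a string's length is taken to size the data, and a value is written so the program is started again at next logon. Extending API_INFO with more functions (CreateFileMapping, DeleteFile, WSAStartup, recv, ...) is the natural next step for an analyst.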
