June 2018
Beginner
510 pages
13h 7m
English
Content preview from Learning Malware Analysis
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
3.6 Debugging Malware Executables
In this section, we will look at how to use IDA to debug a malware binary. Consider the disassembly listing from a 32-bit malware sample. The malware calls the CreateFileW API to create a file, but, just by looking at the disassembly listing, it is not clear what file the malware creates. From the MSDN documentation for CreateFile, you can tell that the first parameter to CreateFile will contain the name of the file; also, the suffix W in the CreateFile specifies that the name of the file is a UNICODE string (details regarding the API were covered in the previous chapter). To determine the name of the file, we can set a breakpoint at the address where the call to the CreateFileW ➊ is made, and then run the ...