June 2018
Beginner
510 pages
13h 7m
English
Consider the following code excerpt from the 32-bit malware DLL (TDSS rootkit), which checks that it is running under spoolsv.exe. The check is a string comparison at ➊; if the comparison fails, the code jumps to the end of the function ➋ and returns. In other words, this DLL exhibits its malicious behavior only when it is loaded by spoolsv.exe; otherwise, it simply returns from the function:
10001BF2 push    offset aSpoolsv_exe ; "spoolsv.exe"
10001BF7 push    edi                 ; char *
10001BF8 call    _stricmp            ➊
10001BFD test    eax, eax
10001BFF pop     ecx
10001C00 pop     ecx
10001C01 jnz     loc_10001CF9
[REMOVED]
10001CF9 loc_10001CF9:               ➋ ; CODE XREF: DllEntryPoint+10j
10001CF9 xor     eax, eax
10001CFB ...