Learning Malware Analysis by Monnappa K A

3.2 Windows API 32-Bit and 64-Bit Comparison

Let's look at an example of a 32-bit malware sample to understand how malware uses multiple API functions to interact with the operating system, and how to interpret the disassembly to work out the operations the malware performs. In the following disassembly output, the 32-bit malware calls the RegOpenKeyEx API to open a handle to the Run registry key. Since we are dealing with 32-bit malware, all the parameters to the RegOpenKeyEx API are pushed onto the stack (in right-to-left order, so the last parameter is pushed first). As per the documentation at https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897(v=vs.85).aspx, the output parameter phkResult is a pointer variable (output parameter is indicated by the _Out_ ...
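As an added example (an editor's illustration, not code from the book or from the malware it discusses), the following Python script recovers the arguments of a RegOpenKeyEx call from a short IDA-style listing. It goes one step beyond the paragraph: it handles both the 32-bit case, where stdcall pushes the parameters right to left so the pushes in reverse order line up with the parameter list, and the 64-bit case the section title refers to, where the first four arguments travel in rcx, rdx, r8 and r9 and the fifth (phkResult) is stored on the stack above the 32-byte shadow space. The two listings, the string symbol aSoftwareMicro and the local name phkResult are constructed for the demonstration and are not the book's disassembly.

```python
import re

# RegOpenKeyEx(hKey, lpSubKey, ulOptions, samDesired, phkResult), per the Win32 docs.
PARAMS = ["hKey", "lpSubKey", "ulOptions", "samDesired", "phkResult"]
# Predefined root-key handles (winreg.h) and the common REGSAM access masks.
HKEY_NAMES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
SAM_NAMES = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
# Microsoft x64 convention: integer args 1-4 in rcx, rdx, r8, r9 (or their 32-bit
# aliases); arg 5 on the stack just above the 32-byte shadow space, at [rsp+20h].
X64_ARG_REGS = {"rcx": 0, "ecx": 0, "rdx": 1, "edx": 1, "r8": 2, "r8d": 2, "r9": 3, "r9d": 3}

# Constructed listings (not taken from the book): the same RegOpenKeyExA call
# as a 32-bit stdcall push sequence and as a 64-bit register-based sequence.
X86_SAMPLE = """
    lea     eax, [ebp+phkResult]
    push    eax                     ; phkResult (output pointer)
    push    20019h                  ; samDesired
    push    0                       ; ulOptions
    push    offset aSoftwareMicro   ; lpSubKey
    push    80000002h               ; hKey
    call    ds:RegOpenKeyExA
"""
X64_SAMPLE = """
    lea     rax, [rsp+phkResult]
    mov     [rsp+20h], rax          ; phkResult: 5th arg, above the shadow space
    mov     r9d, 20019h             ; samDesired
    xor     r8d, r8d                ; ulOptions = 0
    lea     rdx, aSoftwareMicro     ; lpSubKey
    mov     rcx, 0FFFFFFFF80000002h ; hKey (HKEY_LOCAL_MACHINE, sign-extended)
    call    cs:RegOpenKeyExA
"""

def parse_imm(tok):
    """Parse an assembler immediate ('80000002h', '0x20019', '0'); None if symbolic."""
    tok = tok.strip()
    if re.fullmatch(r"[0-9][0-9A-Fa-f]*h", tok):   # MASM hex must start with a digit
        return int(tok[:-1], 16)
    return int(tok, 0) if re.fullmatch(r"0x[0-9A-Fa-f]+|[1-9][0-9]*|0", tok) else None

def _instructions(disasm):
    """Yield (mnemonic, [operands]) per line, comments stripped."""
    for line in disasm.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
            yield parts[0].lower(), ops

def _value(tok, regs):
    """Immediate as int; else what the register last received; else the symbol itself."""
    imm = parse_imm(tok)
    return imm if imm is not None else regs.get(tok, tok)

def decode_x86_call(disasm):
    """32-bit stdcall: args are pushed right to left, so reversed pushes = parameter list."""
    regs, pushes = {}, []
    for mnem, ops in _instructions(disasm):
        if mnem == "call":
            break
        if mnem == "lea":
            regs[ops[0]] = ops[1]          # remember what a register points at
        elif mnem == "push":
            pushes.append(_value(ops[0], regs))
    if len(pushes) != len(PARAMS):
        raise ValueError(f"expected {len(PARAMS)} pushes, found {len(pushes)}")
    return dict(zip(PARAMS, reversed(pushes)))

def decode_x64_call(disasm):
    """64-bit: rcx/rdx/r8/r9 carry args 1-4, [rsp+20h+8n] carries arg 5+n, xor reg,reg = 0."""
    regs, args = {}, [None] * len(PARAMS)
    for mnem, ops in _instructions(disasm):
        if mnem == "call":
            break
        if mnem == "xor" and len(ops) == 2 and ops[0] == ops[1]:
            dst, val = ops[0], 0
        elif mnem in ("lea", "mov"):
            dst, val = ops[0], ops[1] if mnem == "lea" else _value(ops[1], regs)
        else:
            continue
        slot = re.fullmatch(r"\[rsp\+([0-9][0-9A-Fa-f]*h)\]", dst)
        if dst in X64_ARG_REGS:
            args[X64_ARG_REGS[dst]] = val
        elif slot and 4 <= (idx := 4 + (parse_imm(slot.group(1)) - 0x20) // 8) < len(args):
            args[idx] = val
        else:
            regs[dst] = val                # scratch register or local slot
    if None in args:
        raise ValueError("an argument slot was never written before the call")
    return dict(zip(PARAMS, args))

def describe(args):
    """Name hKey/samDesired; x64 root handles are sign-extended, so mask to 32 bits."""
    out = dict(args)
    if isinstance(out["hKey"], int):
        out["hKey"] = HKEY_NAMES.get(out["hKey"] & 0xFFFFFFFF, out["hKey"])
    if isinstance(out["samDesired"], int):
        out["samDesired"] = SAM_NAMES.get(out["samDesired"], out["samDesired"])
    return out
```

Calling `describe(decode_x86_call(X86_SAMPLE))` resolves hKey to HKEY_LOCAL_MACHINE, samDesired to KEY_READ, ulOptions to 0, lpSubKey to the string symbol, and phkResult to the address of the local that receives the output handle; `describe(decode_x64_call(X64_SAMPLE))` decodes to the same call. The masking in describe is the practical caveat for 64-bit samples: the predefined root-key handles are sign-extended there, so a raw 0FFFFFFFF80000002h immediate in the disassembly is still HKEY_LOCAL_MACHINE.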
