Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Namespace

As usual, a new pattern arises from the need to communicate analysis findings. Most often when analyzing malware we don't have symbol files (No Component Symbols, Volume 1, page 298) for an Unknown Module (Volume 1, page 367). By looking at the IAT (if any is present) we can guess the module's purpose from the namespaces of the functions it imports. Sometimes a module itself is not malicious but is used in a larger malicious context, such as screen grabbing:

[...]
10002000 76376101 gdi32!CreateCompatibleDC
10002004 763793d6 gdi32!StretchBlt
10002008 76377461 gdi32!CreateDIBSection
1000200c 763762a0 gdi32!SelectObject
10002010 00000000
10002024 77429ced user32!ReleaseDC
10002028 77423ba7 user32!NtUserGetWindowDC
1000202c 77430e21 user32!GetWindowRect
10002030 00000000
10002034 744a75e9 GdiPlus!GdiplusStartup
...
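To make the namespace grouping repeatable during triage, the following added example (not from the book) parses WinDbg-style `dps` output of an IAT, groups the imported symbols by module namespace, and applies a hypothetical screen-capture heuristic; the sample listing and the heuristic's import set are constructed assumptions.

```python
"""Group IAT entries from WinDbg `dps` output by module namespace (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the listing above; null entries separate import groups.
SAMPLE_IAT = """\
10002000 76376101 gdi32!CreateCompatibleDC
10002004 763793d6 gdi32!StretchBlt
10002008 76377461 gdi32!CreateDIBSection
1000200c 763762a0 gdi32!SelectObject
10002010 00000000
10002024 77429ced user32!ReleaseDC
10002028 77423ba7 user32!NtUserGetWindowDC
1000202c 77430e21 user32!GetWindowRect
10002030 00000000
10002034 744a75e9 GdiPlus!GdiplusStartup
"""

# address, value, then an optional module!symbol resolved by the debugger
_LINE = re.compile(r"^\s*([0-9a-fA-F]{8,16})\s+([0-9a-fA-F]{8,16})(?:\s+(\S+)!(\S+))?")

def parse_iat(text):
    """Return a dict mapping lower-cased module namespace -> sorted imported symbols."""
    namespaces = defaultdict(set)
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or m.group(3) is None:
            continue  # skip null terminators and lines that are not IAT entries
        namespaces[m.group(3).lower()].add(m.group(4))
    return {ns: sorted(syms) for ns, syms in namespaces.items()}

# Hypothetical triage heuristic (an assumption, not the book's): these GDI/user32
# imports appearing together are consistent with a screen-grabbing component.
SCREEN_GRAB_HINTS = {"gdi32": {"CreateCompatibleDC", "StretchBlt", "CreateDIBSection"},
                     "user32": {"GetWindowRect"}}

def purpose_hints(namespaces):
    """Return the purpose hints whose required imports are all present."""
    hints = []
    if all(SCREEN_GRAB_HINTS[ns] <= set(namespaces.get(ns, [])) for ns in SCREEN_GRAB_HINTS):
        hints.append("screen grabbing")
    return hints

if __name__ == "__main__":
    grouped = parse_iat(SAMPLE_IAT)
    for name, syms in sorted(grouped.items()):
        print(f"{name}: {', '.join(syms)}")
    print("hints:", purpose_hints(grouped))
```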
