Lab 6-3 Solutions

Short Answers

  1. The functions at 0x401000 and 0x401040 are the same as those in Lab 6-2 Solutions. At 0x401271 is printf. The 0x401130 function is new to this lab.

  2. The new function takes two parameters. The first is the command character parsed from the HTML comment, and the second is the program name argv[0], the standard main parameter.

  3. The new function contains a switch statement with a jump table.

  4. The new function can print error messages, delete a file, create a directory, set a registry value, copy a file, or sleep for 100 seconds.

  5. The registry key Software\Microsoft\Windows\CurrentVersion\Run\Malware and the file location C:\Temp\cc.exe can both be host-based indicators.

  6. The program first checks for an active Internet connection. ...

Get Practical Malware Analysis now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.