Lab 12-2 Solutions

Short Answers

  1. The purpose of this program is to covertly launch another program.

  2. The program uses process replacement to hide execution.

  3. The malicious payload is stored in the program’s resource section. The resource has type UNICODE and the name LOCALIZATION.

  4. The malicious payload stored in the program’s resource section is XOR-encoded. This decode routine can be found at sub_40132C. The XOR byte is found at 0x0040141B.

  5. The strings are XOR-encoded using the function at sub_401000.

Detailed Analysis

Since we’ve already analyzed this binary in the labs for Chapter 3, let’s begin by opening the file with IDA Pro and looking at the function imports. Many functions in the list provide little information because they are commonly imported ...

Get Practical Malware Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.