Lab 12-3 Solutions

Short Answers

  1. The program is a keylogger.

  2. The program uses hook injection to steal keystrokes.

  3. The program creates the file practicalmalwareanalysis.log to store the keystrokes.

Detailed Analysis

Since we’ve already analyzed this binary in the labs for Chapter 3, and it was extracted as part of Lab 12-2 Solutions, let’s begin by opening the file with IDA Pro to examine the function imports. The most interesting of the imports is SetWindowsHookExA, an API that allows an application to hook or monitor events within Microsoft Windows.

In Example C-76, we see that SetWindowsHookExA is called from main at . The MSDN documentation shows that the first parameter, 0Dh, corresponds to WH_KEYBOARD_LL, which enables monitoring of keyboard events ...
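A triage helper in the spirit of the analysis above, added here as an example and not part of the book's lab solution: it scans raw x86 code for `call dword ptr [IAT slot]` to SetWindowsHookExA and reads back the idHook argument (the last push before the call under stdcall's right-to-left order), so an analyst can see which hook type a sample installs. The IAT slot address and the byte sequence are constructed for this example; in a real case the slot comes from IDA's import table.

```python
import struct

# Win32 idHook values for SetWindowsHookEx (WinUser.h); 13 (0Dh) is WH_KEYBOARD_LL.
HOOK_IDS = {
    -1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
    2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
    6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 8: "WH_HARDWARE", 9: "WH_DEBUG",
    10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET",
    13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}


def find_hook_installs(code: bytes, iat_slot: int) -> list:
    """Return (offset, idHook, name) for every FF 15 <iat_slot> call in code.

    idHook is the first argument, so it is pushed last: the instruction just
    before the call is either 'push imm8' (6A ib, sign-extended) or
    'push imm32' (68 id). Anything else (register push, etc.) is 'unknown'.
    """
    target = b"\xff\x15" + struct.pack("<I", iat_slot)
    hits = []
    pos = code.find(target)
    while pos != -1:
        hook_id = None
        if pos >= 2 and code[pos - 2] == 0x6A:      # push imm8
            hook_id = struct.unpack("<b", code[pos - 1:pos])[0]
        elif pos >= 5 and code[pos - 5] == 0x68:    # push imm32
            hook_id = struct.unpack("<i", code[pos - 4:pos])[0]
        hits.append((pos, hook_id, HOOK_IDS.get(hook_id, "unknown")))
        pos = code.find(target, pos + 1)
    return hits


# Constructed sample: the IAT slot and code bytes are made up for this example.
IAT_SET_HOOK = 0x004020A0  # assumed slot holding &SetWindowsHookExA
SAMPLE = bytes.fromhex(
    "6A 00"              # push 0            ; dwThreadId (all threads)
    "50"                 # push eax          ; hMod
    "68 10 10 40 00"     # push 401010h      ; lpfn, the hook procedure
    "6A 0D"              # push 0Dh          ; idHook = WH_KEYBOARD_LL
    "FF 15 A0 20 40 00"  # call [SetWindowsHookExA]
    "FF 15 A4 20 40 00"  # call [other import], must be ignored
    "6A 00 50 68 20 10 40 00"
    "68 07 00 00 00"     # push 7            ; idHook = WH_MOUSE (imm32 form)
    "FF 15 A0 20 40 00"  # call [SetWindowsHookExA]
)

if __name__ == "__main__":
    for off, hid, name in find_hook_installs(SAMPLE, IAT_SET_HOOK):
        print(f"offset {off:#06x}: idHook={hid} ({name})")
```

The heuristic only catches direct IAT calls with an immediate idHook; a sample that resolves SetWindowsHookExA through GetProcAddress or passes the id in a register needs the debugger or a breakpoint on the API instead.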
