Lab 12-4 Solutions

Short Answers

  1. The malware checks to see if a given PID is winlogon.exe.

  2. Winlogon.exe is the process injected.

  3. The DLL sfc_os.dll will be used to disable Windows File Protection.

  4. The fourth argument passed to CreateRemoteThread is a function pointer to an unnamed ordinal 2 (SfcTerminateWatcherThread) of sfc_os.dll.

  5. The malware drops a binary from its resource section and overwrites the old Windows Update binary (wupdmgr.exe) with it. Before overwriting the real wupdmgr.exe, the malware copies it to the %TEMP% directory for later usage.

  6. The malware injects a remote thread into winlogon.exe and calls a function exported by sfc_os.dll, ordinal 2 (SfcTerminateWatcherThread), to disable Windows File Protection until the next reboot. The ...

Get Practical Malware Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.