Lab 16-3 Solutions

Short Answers

  1. There aren’t many useful strings in the malware other than import functions and the strings cmd and cmd.exe.

  2. When you run this malware, it appears to do nothing other than terminate.

  3. You must rename the malware to peo.exe for it to run properly.

  4. This malware uses three different anti-debugging timing techniques: rdtsc, GetTickCount, and QueryPerformanceCounter.

  5. If the QueryPerformanceCounter check is successful, the malware modifies the string needed for the program to run properly. If the GetTickCount check is successful, the malware causes an unhandled exception that crashes the program. If the rdtsc check is successful, the malware will attempt to delete itself from disk.

  6. The anti-debugging timing checks are successful ...

Get Practical Malware Analysis now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.