Lab 19-1 Solutions

Short Answers

  1. The shellcode is stored with an alphabetic encoding; each payload byte is stored in the low nibble of two encoded bytes.

  2. The shellcode resolves the following functions:

    • LoadLibraryA

    • GetSystemDirectoryA

    • TerminateProcess

    • GetCurrentProcess

    • WinExec

    • URLDownloadToFileA

  3. The shellcode downloads this URL:

    http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe

  4. The shellcode writes %SystemRoot%\System32\1.exe and executes it.

  5. The shellcode downloads a file from a URL stored within the encoded payload, writes it to disk, and executes it.
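Answer 1 describes the encoding only in words; the following added example (not code from the book or from the lab's shellcode) implements a decoder for it, with a matching encoder to round-trip against and a string scan of the decoded bytes so the embedded URL can be read off statically. The letter alphabet and the high-nibble-first order are assumptions, since nothing on the page fixes them.

```python
# Added example, not the book's or the lab's own code: a decoder for the
# "alphabetic" encoding answer 1 describes, where each payload byte is split
# into two letters and only the low nibble of each letter carries data.
# Assumed alphabet (hypothetical): nibble 1..15 -> the letter whose ASCII low
# nibble equals that value ('A' = 0x41 -> 1 ... 'O' = 0x4F -> 15), nibble 0 -> 'P'
# (0x50). The decoder ignores the high nibble, so any such alphabet decodes alike.
NIBBLE_TO_LETTER = {n: chr(0x40 + n) for n in range(1, 16)}
NIBBLE_TO_LETTER[0] = "P"


def encode_alpha(payload: bytes) -> bytes:
    """Expand each byte into two letters; high nibble first (assumed order)."""
    out = bytearray()
    for b in payload:
        out.append(ord(NIBBLE_TO_LETTER[b >> 4]))
        out.append(ord(NIBBLE_TO_LETTER[b & 0x0F]))
    return bytes(out)


def decode_alpha(encoded: bytes) -> bytes:
    """Rebuild the payload the way a decoder stub would before jumping to it:
    low nibble of byte 2i -> high nibble, low nibble of byte 2i+1 -> low nibble."""
    if len(encoded) % 2:
        raise ValueError("encoded buffer must have an even length")
    return bytes(
        ((encoded[i] & 0x0F) << 4) | (encoded[i + 1] & 0x0F)
        for i in range(0, len(encoded), 2)
    )


def printable_strings(blob: bytes, min_len: int = 8) -> list:
    """List ASCII runs in a decoded payload, so artefacts such as the download
    URL can be read off statically instead of by running the shellcode."""
    found, cur = [], bytearray()
    for b in blob + b"\x00":  # sentinel flushes a trailing run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            found.append(cur.decode("ascii"))
        cur = bytearray()
    return found


# Constructed sample payload: a short NOP sled followed by the lab's URL.
SAMPLE_PAYLOAD = (b"\x90\x90\x90"
                  b"http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe\x00")
ENCODED_SAMPLE = encode_alpha(SAMPLE_PAYLOAD)
```

Running `printable_strings(decode_alpha(ENCODED_SAMPLE))` on the sample recovers the URL from answer 3 without executing anything; on a real capture, feed the encoded blob to `decode_alpha` and read the strings the same way.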

Detailed Analysis

You can perform dynamic analysis with the shellcode_launcher.exe utility with the following command line:

shellcode_launcher.exe -i Lab19-01.bin -bp

The -bp option causes the program ...
