Lab 19-1 Solutions

Short Answers

  1. The shellcode is stored with an alphabetic encoding; each payload byte is stored in the low nibble of two encoded bytes.

  2. The shellcode resolves the following functions:

    • LoadLibraryA

    • GetSystemDirectoryA

    • TerminateProcess

    • GetCurrentProcess

    • WinExec

    • URLDownloadToFileA

  3. The shellcode downloads this URL:

    http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe

  4. The shellcode writes %SystemRoot%\System32\1.exe and executes it.

  5. The shellcode downloads a file from a URL stored within the encoded payload, writes it to disk, and executes it.
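The nibble-per-byte encoding from answer 1 is easy to reverse offline, which is how the URL in answer 3 and the file name in answer 4 can be recovered without running the shellcode. The following is an added example, not code from the book or the lab; the nibble order (high nibble first), the letter set used by the constructed encoder, and the sample payload are assumptions, not values taken from Lab19-01.bin.

```python
"""Decode the alphabetic shellcode encoding described in the short answers.

Each payload byte is spread over two encoded bytes, and only the low nibble
of each encoded byte carries data. Nibble order (high first) and the letter
set below are assumptions for this example, not facts about the lab binary.
"""
import re

# Assumed alphabet: 'P' (0x50) has low nibble 0, 'A'..'O' have low nibbles 1..15.
# Any letter decodes correctly because only the low nibble is used.
NIBBLE_ALPHABET = "PABCDEFGHIJKLMNO"


def encode_alpha(payload: bytes) -> bytes:
    """Constructed encoder: each byte becomes two letters, high nibble first."""
    out = bytearray()
    for b in payload:
        out.append(ord(NIBBLE_ALPHABET[b >> 4]))
        out.append(ord(NIBBLE_ALPHABET[b & 0x0F]))
    return bytes(out)


def decode_alpha(encoded: bytes) -> bytes:
    """Recover the payload: the low nibble of each encoded byte is one hex digit."""
    if len(encoded) % 2:
        raise ValueError("alphabetic payload must have an even length")
    if not encoded.isalpha():
        raise ValueError("encoded payload contains non-alphabetic bytes")
    return bytes(((hi & 0x0F) << 4) | (lo & 0x0F)
                 for hi, lo in zip(encoded[0::2], encoded[1::2]))


def extract_strings(data: bytes, min_len: int = 5) -> list[str]:
    """Pull printable ASCII runs (URLs, file names) out of the decoded bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, data)]


# Constructed sample payload: a few opaque bytes plus the strings the analysis
# above says the shellcode carries (download URL and dropped file name).
SAMPLE_PAYLOAD = (
    b"\x90\x90\xe8\x00\x00\x00\x00"
    + b"http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe\x00"
    + b"1.exe\x00"
)

if __name__ == "__main__":
    encoded = encode_alpha(SAMPLE_PAYLOAD)
    print(encoded[:32].decode())  # letters only, twice the payload length
    for s in extract_strings(decode_alpha(encoded)):
        print(s)
```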

Detailed Analysis

You can perform dynamic analysis of the shellcode using the shellcode_launcher.exe utility with the following command line:

shellcode_launcher.exe -i Lab19-01.bin -bp

The -bp option causes the program ...
