Windows Malware Analysis Essentials by Victor Marak


Post infection

The shutdown function is executed as follows:

0040211F  /. 55    PUSH EBP
00402120  |. 8BEC  MOV EBP,ESP
00402122  |. 83EC >SUB ESP,10
00402125  |. 56    PUSH ESI
00402126  |. 8B75 >MOV ESI,DWORD PTR SS:[EBP+8]
00402129  |. 57    PUSH EDI
0040212A  |. 33FF  XOR EDI,EDI
0040212C  |. 57    PUSH EDI
0040212D  |. 8D86 >LEA EAX,DWORD PTR DS:[ESI+58E]
00402133  |. 50    PUSH EAX
00402134  |. FF96 >CALL DWORD PTR DS:[ESI+394]      ; kernel32.WinExec

With parameters (the stack window at the CALL shows the two WinExec arguments): EDI is zeroed and pushed first, so uCmdShow is 0 (SW_HIDE), and EAX, loaded with the address of the command string at ESI+58E, is pushed as lpCmdLine. The shutdown command therefore runs without a visible window.

Nopping that part out so that it does not execute (select the instructions in the CPU window, press Space to open the Assemble dialog, type nop, and press Enter, leaving "Fill with NOP's" checked so that every byte of the six-byte LEA and CALL is overwritten), we reach the code below. Note that WinExec is stdcall and pops its own two arguments, so the two PUSH instructions must be nopped together with the CALL; nopping only the CALL leaves eight extra bytes on the stack when the function returns.

0040213A  |. 68 10>PUSH 2710                        ; 0x2710 = 10000 decimal
0040213F  |. FF96 >CALL ...
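Patching in the debugger only lasts for the current run. To make the same change permanent on disk, the virtual address has to be mapped to a file offset through the PE section table and the bytes overwritten there. The Python below is an added example, not code from the book or from the sample it analyses: it parses a PE32 section table, checks that the bytes at 0x0040212C are the expected PUSH EDI / LEA / PUSH EAX / CALL sequence before touching anything, and NOPs the whole 14-byte sequence so the stack stays balanced. The opcode bytes of the two six-byte instructions are reconstructed from the mnemonics because the listing truncates its byte column, and the image it patches is a constructed stand-in with one .text section, not the book's sample.

```python
import struct

# Image base and the bytes of the WinExec call sequence at 0x0040212C..0x00402139,
# taken from the disassembly above: PUSH EDI / LEA EAX,[ESI+58E] / PUSH EAX /
# CALL DWORD PTR [ESI+394]. The listing truncates the opcode bytes of the two
# 6-byte instructions, so those are reconstructed from the mnemonics here.
IMAGE_BASE = 0x00400000
WINEXEC_CALL_VA = 0x0040212C
WINEXEC_CALL_BYTES = bytes.fromhex("57" "8D868E050000" "50" "FF9694030000")


def parse_pe32(pe):
    """Return (image_base, sections) from a PE32 file image.

    Each section is (name, virtual_address, virtual_size, raw_pointer, raw_size).
    """
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                          # start of the optional header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40            # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(image_base, sections, va, size):
    """Map a virtual address range to its offset in the file, or raise."""
    rva = va - image_base
    for name, sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta + size > raw_size:
                raise ValueError("0x%08X..+%d in %s is not backed by file data"
                                 % (va, size, name))
            return raw_ptr + delta
    raise ValueError("0x%08X is not inside any section" % va)


def nop_out(pe, va, expected):
    """Overwrite `expected` at `va` with NOPs, but only if the bytes really match.

    Returns (patched_image, file_offset). Refusing to patch on a mismatch guards
    against a wrong image base, a different build of the sample, or patching twice.
    """
    image_base, sections = parse_pe32(pe)
    off = va_to_file_offset(image_base, sections, va, len(expected))
    if pe[off:off + len(expected)] != expected:
        raise ValueError("bytes at 0x%08X do not match; refusing to patch" % va)
    patched = bytearray(pe)
    patched[off:off + len(expected)] = b"\x90" * len(expected)   # 0x90 = NOP
    return bytes(patched), off


def build_sample_image():
    """Constructed minimal PE32 (not the book's sample) with one .text section."""
    text_rva, text_raw, text_size = 0x1000, 0x400, 0x2000
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew
    opt = bytearray(224)                         # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 28, IMAGE_BASE)  # ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", text_size, text_rva,
                                                  text_size, text_raw)
    sec = sec.ljust(40, b"\0")
    img = bytearray(dos + b"PE\0\0" + coff + opt + sec)
    img.extend(b"\0" * (text_raw + text_size - len(img)))
    # Place the call sequence where 0x0040212C lands in this constructed layout.
    off = text_raw + (WINEXEC_CALL_VA - IMAGE_BASE - text_rva)
    img[off:off + len(WINEXEC_CALL_BYTES)] = WINEXEC_CALL_BYTES
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    patched, off = nop_out(image, WINEXEC_CALL_VA, WINEXEC_CALL_BYTES)
    print("patched %d bytes at file offset 0x%X" % (len(WINEXEC_CALL_BYTES), off))
```

Against a real sample you would read the file into `pe`, call `nop_out` with the address from the debugger, and write the returned image to a new file; the byte check makes the script refuse to run on a different build, a relocated image, or an already-patched copy, which is what you want before handing a modified binary to a sandbox.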
