Push offset unk call sub add esp
After successfully changing the data in Listing 15-17L to code, it is displayed as shown in Listing 15-18L.
004014C0 mov esp, [esp+8]
004014C4 mov eax, large fs:0
004014CA mov eax, [eax]
004014CC mov eax, [eax]
004014CE mov large fs:0, eax
004014D4 add esp, 8
004014D7 jmp short near ptr loc_4014D7+1

Listing 15-19L: Downloading a file from a URL
The second and third arguments to URLDownloadToFileA are the URL and filename, respectively. The global memory locations unk_403010 and unk_403040 are pushed as those two arguments. If you examine this memory in IDA Pro, the data does not appear to be ASCII text. The same two locations are also passed to sub_401534, so we should examine that function to see whether it decodes this data. Careful analysis of the function (not shown here) finds that it takes a pointer to a buffer and modifies it in place, XOR'ing each byte with the value 0xFF. XOR'ing the data at unk_403010 with 0xFF yields the string http://www.practicalmalwareanalysis.com/tt.html, and the data at unk_403040 yields spoolsrv.exe.
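The decoding routine is simple enough to reproduce outside the disassembler. The Python below is an added example, not code from the book or from the lab binary: it applies the same XOR-0xFF transform the analysis attributes to sub_401534, and then scans a data blob for every run of bytes that becomes printable ASCII under that key, which is how an analyst would find all of the encoded strings in the .data section rather than only the two passed to URLDownloadToFileA. The blob is constructed here from the two recovered strings, laid out at the offsets that unk_403010 and unk_403040 imply (a base of 0x403000 and NUL terminators are assumptions); it is not a dump of the real sample.

```python
# Added example: reproduce the XOR-0xFF decoding attributed to sub_401534 and
# scan a data blob for every string hidden that way. The blob is constructed
# from the two recovered strings; it is not a dump of the lab sample.

XOR_KEY = 0xFF
URL = b"http://www.practicalmalwareanalysis.com/tt.html"
FILENAME = b"spoolsrv.exe"


def xor_bytes(buf, key=XOR_KEY):
    """XOR every byte with key. XOR is its own inverse, so the same call both
    encodes and decodes (sub_401534 decodes in place on the real buffer)."""
    return bytes(b ^ key for b in buf)


def build_constructed_data(base=0x403000, size=0x50):
    """Constructed stand-in for the .data bytes: the encoded strings at the
    offsets unk_403010 and unk_403040 imply, each followed by an encoded NUL
    (assumed terminator), padded with zeros. Zero decodes to 0xFF, which is
    not printable, so the padding never shows up as a string."""
    blob = bytearray(size)
    for addr, plain in ((0x403010, URL), (0x403040, FILENAME)):
        off = addr - base
        enc = xor_bytes(plain + b"\x00")
        blob[off:off + len(enc)] = enc
    return bytes(blob)


def find_xor_strings(data, base=0, key=XOR_KEY, min_len=6):
    """Like 'strings', but applied after XOR with key: report every run of at
    least min_len printable ASCII bytes as (virtual address, decoded text)."""
    hits, run_start = [], None
    for i in range(len(data) + 1):
        printable = i < len(data) and 0x20 <= (data[i] ^ key) < 0x7F
        if printable and run_start is None:
            run_start = i
        elif not printable and run_start is not None:
            if i - run_start >= min_len:
                text = xor_bytes(data[run_start:i], key).decode("ascii")
                hits.append((base + run_start, text))
            run_start = None
    return hits


if __name__ == "__main__":
    blob = build_constructed_data()
    for va, text in find_xor_strings(blob, base=0x403000):
        print(f"{va:08X}  {text}")
```

The scanner takes the key as a parameter because the analysis already established it as 0xFF; for an unknown single-byte key the same loop can be run over all 256 values, but note that keys differing in only the low bits from the real one will also produce mostly printable output, so the decoded text has to be read, not just counted.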
00401515 jz short near ptr loc_401519+1
00401517 jnz short near ptr loc_401519+1
00401519
00401519 loc_401519: ; CODE XREF: 00401515j
00401519 ; 00401517j
00401519 call near ptr 40A81588h
0040151E xor [eax+0], al
00401521 call ds:WinExec

Listing 15-20L: The final anti-disassembly technique encountered in the malware
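Listing 15-20L shows the jz/jnz pair that the disassembler cannot see through: both conditional jumps target loc_401519+1, so exactly one of them is always taken and the byte at 0x401519 never executes, yet a disassembler that reaches 0x401519 decodes that byte as the first byte of a five-byte call and swallows the real instructions behind it. The Python below is an added example, not from the book or the lab: a toy decoder for a handful of opcodes, a linear sweep that reproduces the bogus call, and a patcher that finds jz/jnz pairs with the same target and overwrites the unreachable gap with NOP (0x90), which is the usual manual fix that makes the listing line up again. The byte buffer is constructed to have the shape of the listing; the instructions after the rogue byte are my own choice, and the sample's real bytes at those addresses are not on this page. The jmp-into-its-own-instruction trick in Listing 15-18L is a different pattern and is not handled here.

```python
# Added example: a toy linear disassembler for the jz/jnz-to-the-same-target
# trick and a patcher that NOPs the unreachable rogue byte. The opcode subset
# and the sample buffer are constructed for illustration, not taken from the lab.

JZ_SHORT, JNZ_SHORT, NOP, CALL_REL32, PUSH_IMM8, PUSH_IMM32, RET = (
    0x74, 0x75, 0x90, 0xE8, 0x6A, 0x68, 0xC3)


def _rel8(buf, off):
    return int.from_bytes(buf[off:off + 1], "little", signed=True)


def _rel32(buf, off):
    return int.from_bytes(buf[off:off + 4], "little", signed=True)


def decode(buf, off, base):
    """Decode one instruction at buf[off]; return (length, text).
    Unknown opcodes become a one-byte 'db', as a disassembler would show."""
    op = buf[off]
    va = base + off
    if op in (JZ_SHORT, JNZ_SHORT) and off + 2 <= len(buf):
        target = va + 2 + _rel8(buf, off + 1)
        return 2, f"{'jz' if op == JZ_SHORT else 'jnz'} short 0x{target:x}"
    if op == NOP:
        return 1, "nop"
    if op == CALL_REL32 and off + 5 <= len(buf):
        target = (va + 5 + _rel32(buf, off + 1)) & 0xFFFFFFFF
        return 5, f"call 0x{target:x}"
    if op == PUSH_IMM8 and off + 2 <= len(buf):
        return 2, f"push 0x{buf[off + 1]:x}"
    if op == PUSH_IMM32 and off + 5 <= len(buf):
        return 5, f"push 0x{int.from_bytes(buf[off + 1:off + 5], 'little'):x}"
    if op == RET:
        return 1, "ret"
    return 1, f"db 0x{op:02x}"


def linear_disasm(buf, base):
    """Linear sweep: decode each instruction where the previous one ended."""
    out, off = [], 0
    while off < len(buf):
        length, text = decode(buf, off, base)
        out.append((base + off, text))
        off += length
    return out


def patch_jz_jnz_pairs(buf, base):
    """Find 'jz X; jnz X' pairs. One of the two jumps is always taken, so the
    bytes between the jnz and X never execute; overwrite them with NOP.
    Assumption: nothing else branches into that gap (true for this trick).
    The scan is byte-wise, so an immediate happening to contain 74/75 could
    false-positive; a real tool would walk instruction boundaries."""
    out, patched, off = bytearray(buf), [], 0
    while off + 4 <= len(out):
        if out[off] == JZ_SHORT and out[off + 2] == JNZ_SHORT:
            t_jz = off + 2 + _rel8(out, off + 1)
            t_jnz = off + 4 + _rel8(out, off + 3)
            if t_jz == t_jnz and off + 4 < t_jz <= len(out):
                for gap in range(off + 4, t_jz):
                    out[gap] = NOP
                    patched.append(base + gap)
                off = t_jz
                continue
        off += 1
    return bytes(out), patched


# Constructed buffer shaped like Listing 15-20L: jz/jnz both skip the rogue
# 0xE8 at 0x401519; the code after it (push 10h; push 403040h; ret) is made up.
BASE = 0x401515
SAMPLE = bytes([
    0x74, 0x03,                    # jz  short 0x40151a
    0x75, 0x01,                    # jnz short 0x40151a
    0xE8,                          # rogue byte: looks like the start of a call
    0x6A, 0x10,                    # push 10h
    0x68, 0x40, 0x30, 0x40, 0x00,  # push 403040h
    0xC3,                          # ret (stands in for the real call ds:WinExec)
])

if __name__ == "__main__":
    for va, text in linear_disasm(SAMPLE, BASE):
        print(f"{va:08X} {text}")
    fixed, where = patch_jz_jnz_pairs(SAMPLE, BASE)
    print("patched:", [hex(w) for w in where])
    for va, text in linear_disasm(fixed, BASE):
        print(f"{va:08X} {text}")
```

The first sweep prints a call to a nonsense address followed by db bytes, the same picture IDA gives in the listing; after the patch, the jz/jnz pair is followed by a nop and the real instructions decode at 0x40151A as the jump targets intended.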
Lab 16-1 Solutions
1.
4. See the detailed analysis for a step-by-step way to dump and modify the structures in OllyDbg.
5. Both the OllyDbg plug-in PhantOm and the ImmDbg PyCommand hidedebug will thwart this malware’s checks.