PMA - CH 9-3
Analysis of Lab09-02.exe / DLL1 / DLL2 / DLL3
Last updated
Analysis of Lab09-02.exe / DLL1 / DLL2 / DLL3
Last updated
This lab consisted of an executable Lab09-03 and three DLLs (DLL1, DLL2, and DLL3). I started my analysis with the DLLs
Starting with DLL1 we see one export named DLL1Print, other than that there isn't much information. Looking at DLL2 we see the same things except it exports DLL2Print and DLL2ReturnJ and also calls CreateFile and WriteFile. Finally, looking at DLL3 we can see it exports DLL3GetStructure and DLL3Print, we also see a string "ping www.malwareanalysisbook.com"
Looking at Lab09-03 we see it imports netapi32.dll, DLL1.dll, and DLL2.dll, we can see LoadLibrary being called which probably means DLL3 will be dynamically loaded in as we can see DLL3 in the strings of the executable.
Again starting with DLL1 and looking at main we see one call to GetCurrentProcessId and stores it within a dword which I have renamed to process_id.
Looking at DLL1Print, we see our dword process_id being stored in EAX before being pushed onto the stack following another push of a string
Looking at DLL2 Main, we see a call to CreateFile with the file name "temp.txt" and the handle to that file is then stored into a dword which has been renamed to create_file_handle
Looking at DLL2Print we see the same setup the handle that was stored into the dword is being pushed onto the stack before a function call
Looking at DLL2ReturnJ, we see our file handle being moved into EAX before returning
Again looking at DLL3 Main we see a call to MultiByteToWideChar which converts a string to wide characters. The string is "ping www.malwareanalysisbook.com" which we saw in the strings. After we can see the offset of the WideCharStr being moved into a dword.
Again DLL3Print takes the offset of WideCharStr and pushes it to the stack
DLL3GetStructure gets the data we stored into 100B0A0 and stores it in a pointer to EAX. We'll have to look at Lab09-03 before we can see where this data will be used.
Looking at Lab09-03 Main we see two calls to DLL1, DLL2, and DLL2ReturnJ. We then call WriteFile and write the string "malwareanalysisbook.com", if we remember DLL2 created a file called temp.txt so this is where the data will be written.
We then call LoadLibrary on DLL3 and get the procedure address of DLL3Print, and then call DLL3Print. We then do the same thing this time for DLL3GetStructure. Finally, we call NetScheduleJobAdd ("submits a job to run at a specified future time and date"), looking at MSDN, we have three parameters: Servername, Buffer which is a pointer to AT_INFO structure, and then the JobId. If we take a look at the AT_INFO structure on MSDN we'll see it holds a few parameters JobTime, DaysOfMonth, DaysOfWeek, Flags, and Command. (If we remember correctly we stored these parameters in DLL3GetStructure)
The program will then sleep and exit
During dynamic analysis after our call to DLL1Print, we see it prints a number which should be the PID of the Lab09-03.exe
Again for DLL2Print, we should see it print the handle to the file it has opened (temp.txt) 0xF4 is 244 in decimal
We can also see the file created in the current directory, which should have written "malwareanalysisbook.com"
We then call DLL2ReturnJ which just puts the file handle into EAX
We then call LoadLibrary and load DLL3Print and DLL3GetStructure.
Calling DLL3Print, we can see it returns the address in memory of the stored string (again we need to convert the hex 57B0C0 into decimal which is 5746880)
We then call DLL3GetStructure and then call NetScheduleJobAdd, if we remember the Buffer parameter will be the second parameter pushed onto the stack. In this case register, ECX will hold our AT_INFO structure so following it in the dump we will find our parameters within AT_INFO.
These parameters were stored during the call to DLL3GetStructure which stored them into a pointer of EAX. So now that we know the parameters passed to NetScheduleJobAdd we can determine that it will execute the command "ping www.malwareanalysisbook.com" when the time is specified.
DLL1Print: Prints the Process ID of Lab09-03.exe
DLL2Print: Prints the file handle to temp.txt
DLL3Print: Prints the location in memory of our wide-character string
This concludes the analysis of Lab09-03 and its associated DLLs
As always I hope you enjoyed it :)
Michael Sikorski and Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software (Kindle Locations 5909-5910). No Starch Press.