Mapviewoffile (: Maps A File Into Memory and Makes The Contents of The File Accessible Via Memory Addresses)
BSE153006
Assignment 1
Malware analysis
Task 1
CloseHandle(closes an open object handle, e.g. to a communications device, event, file, process, socket, thread or token; the object itself is destroyed only when its last handle is closed)
UnmapViewOfFile(unmaps a mapped view of a file from the calling process's address space, making that range available for other allocations)
IsBadReadPtr(takes a pointer and a size and checks that the calling process has read access to that whole range of memory; it does not check for read-only access. Microsoft documents it as obsolete and unreliable, because another thread can change page protections between the check and the use, so its presence in an import list is worth a note of its own)
MapViewOfFile(Maps a file into memory and makes the contents of the file accessible via
memory addresses)
CreateFileA(Creates or opens a file or I/O device. The most commonly used I/O devices are as
follows: file, file stream, directory, physical disk, volume, console buffer, tape drive,
communications resource, mailslot, and pipe. The function returns a handle that can be used to
access the file or device for various types of I/O depending on the file or device and the flags
and attributes specified.)
FindNextFileA(continues a file search from a previous call to FindFirstFile)
FindFirstFileA(searches a directory for a file whose name matches the specified pattern, opens a search handle and returns information about the first match; FindNextFile is then called on that handle for the remaining matches, and FindClose releases the handle when the search is no longer needed)
CopyFileA(copies an existing file to a new file)
Taken together, FindFirstFileA/FindNextFileA with CreateFileA, MapViewOfFile and CopyFileA point to code that walks a directory, reads the matching files and copies them somewhere, so the search pattern and the copy destination are the strings to look for next.
lab01.dll:
CloseHandle(closes an open object handle, as above; the object is destroyed only when its last handle is closed)
Sleep(suspends the calling thread, not the whole process, for the given number of milliseconds; in malware it is usually there to delay execution)
free(releases a block of heap memory previously obtained with malloc back to the process's heap)
Exec(replaces the image of the calling process with a new executable; the new program runs in the context of the existing process and the original code never resumes)
Task 2
The sample is unpacked, so I first pack it at each compression level (-1 to -4) and compare the results.
At level -1 the strings are: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess, exit
At level -2: the same strings
At level -3: the same strings
At level -4: the same strings
That list is the import table of the packer's stub, not of the original program: a stub typically reserves memory with VirtualAlloc, decompresses the real code into it, makes it executable with VirtualProtect, resolves the program's real imports with LoadLibraryA and GetProcAddress, and frees its scratch buffer with VirtualFree. The compression level only changes how the payload is compressed, so the stub, and with it the visible strings, stays the same. The entry point and offset are likewise the same at every level: the two values differ from each other (which is what flags the file as packed), but neither changes from level to level.
Unpacking level by level
After unpacking the -1, -2, -3 and -4 files and opening each in PEiD, the entry point and offset are the same in every one, which means the file is unpacked. The confirming checks are that the entry point now falls in the first (code) section and that the import table again lists the program's own API calls instead of the handful of stub imports above.