This post is part of the series of Practical Malware Analysis Exercises.
Hijacks the import table of every executable on the system so that each one loads a malicious DLL whenever it is run.
- File: `kerne132.dll` (note the digit `1` in place of the letter `l`)
- Mutex: `SADFHUHF`

The payload is a backdoor that runs programs supplied on the command line.
The EXE:
- Copies the DLL to the bogus name `kerne132.dll`.
- Walks the file system looking for `.exe` files.
- Loads each `.exe` file into RAM.
- Parses the PE headers and locates the import table entry for `kernel32.dll`.
- Overwrites `kernel32.dll` with `kerne132.dll` in the import table, so the loader resolves those imports from the malicious DLL the next time the program runs.
The DLL:
- Checks the mutex `SADFHUHF`.
- Creates a socket to `127.26.152.13:80/tcp`.
- Tries to connect to the server and sends the `hello` command.
- Receives a `sleep`, `exec`, or `q` command and acts on it:
  - `sleep`: sleep 6 min
  - `exec`: create process
  - `q`: quit
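To exercise the DLL's command paths in an isolated lab you need something on the other end of that socket. The following fake C2 is an added example written for this write-up, not code from the lab or its author. The page only gives the address, the `hello` greeting and the three command words; everything else here is an assumption: bare ASCII framing, `exec <cmdline>` as the exec syntax, one command per connection, and that you redirect `127.26.152.13` to this host during analysis (host route, hosts-file trick or a fakenet-style tool). `simulated_implant` is a constructed stand-in for the DLL so the exchange can be run offline.

```python
"""Fake C2 responder for the kerne132.dll backdoor (added example, not lab code).

Assumed wire behaviour: the implant connects, sends b"hello", reads one
command (b"sleep", b"exec <cmdline>" or b"q") and disconnects; on b"q" it
stops reconnecting. Redirecting 127.26.152.13:80 to this listener is left
to the lab network setup."""
import socket
import threading

C2_PORT = 80   # port the write-up reports the DLL using


class FakeC2:
    """Hands out scripted commands one per connection and records the
    exchange so you can see which code path the implant took."""

    def __init__(self, commands, host="127.0.0.1", port=C2_PORT):
        self.commands = list(commands)
        self.transcript = []                      # (direction, bytes)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]    # real port when port=0

    def handle_one(self):
        """Serve one connection. Returns False once the script is done."""
        conn, peer = self.sock.accept()
        with conn:
            greeting = conn.recv(1024)
            self.transcript.append(("<-", greeting))
            if not greeting.startswith(b"hello"):
                # Not the known backdoor: log it and do not feed it commands.
                self.transcript.append(("!!", b"unexpected client " + peer[0].encode()))
                return False
            cmd = self.commands.pop(0) if self.commands else b"q"
            conn.sendall(cmd)
            self.transcript.append(("->", cmd))
            return cmd != b"q"

    def serve_forever(self):
        while self.handle_one():
            pass
        self.sock.close()


def simulated_implant(port, host="127.0.0.1"):
    """Constructed stand-in for the DLL's loop (testing only): connect, send
    hello, take one command, reconnect until told q. Returns commands seen."""
    seen = []
    while True:
        with socket.create_connection((host, port)) as s:
            s.sendall(b"hello")
            cmd = s.recv(1024)
        seen.append(cmd)
        if cmd == b"q":
            return seen


def run_demo():
    """Drive the simulated implant against the fake C2 on an ephemeral port."""
    c2 = FakeC2([b"sleep", b"exec calc.exe", b"q"], port=0)
    t = threading.Thread(target=c2.serve_forever, daemon=True)
    t.start()
    seen = simulated_implant(c2.port)
    t.join(5)
    return seen, c2.transcript


if __name__ == "__main__":
    seen, transcript = run_demo()
    for direction, msg in transcript:
        print(direction, msg.decode(errors="replace"))
```

Against the real sample, start `FakeC2([...], host="0.0.0.0")` on the analysis box, route the C2 address to it, and watch the transcript: a `hello` followed by a process launch after `exec` confirms the command path without letting the sample reach the Internet.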
Good luck cleaning this up: wipe and reinstall, or write an "undo" program that rewrites `kerne132.dll` back to `kernel32.dll` in every affected import table and then removes the bogus DLL.
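The "undo" program is tractable because the two names are the same length, so the fix is a one-byte change inside the import name table and no RVAs or sizes move. The following is an added example for this write-up, not the lab's or its author's code: it parses the PE headers by hand (layout from the PE/COFF spec, no `pefile` dependency), walks the import descriptors, and restores the name. `build_sample_pe` fabricates a minimal, non-loadable PE32 image so the repair can be exercised offline on constructed input.

```python
"""Undo the kerne132.dll import hijack (added example, not lab code).

Walks IMAGE_IMPORT_DESCRIPTOR entries, and where the DLL name is
'kerne132.dll' swaps the digit back to the letter in place."""
import struct
import sys

BOGUS = b"kerne132.dll"   # digit 1 in place of the letter l
REAL = b"kernel32.dll"


def _sections(data):
    """Return the section table as [(va, vsize, raw_off, raw_size)] and the
    file offset of the optional header's data-directory array."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    secs, off = [], opt + opt_size
    for _ in range(nsec):
        vsize, va, rsize, roff = struct.unpack_from("<IIII", data, off + 8)
        secs.append((va, vsize, roff, rsize))
        off += 40                                          # sizeof(IMAGE_SECTION_HEADER)
    return secs, dirs


def _rva_to_offset(secs, rva):
    for va, vsize, roff, rsize in secs:
        if va <= rva < va + max(vsize, rsize):
            return roff + (rva - va)
    raise ValueError("RVA %#x falls outside every section" % rva)


def import_dll_names(data):
    """Yield (file_offset, name) for each DLL named in the import directory."""
    secs, dirs = _sections(data)
    imp_rva, _size = struct.unpack_from("<II", data, dirs + 8)  # entry 1 = imports
    if imp_rva == 0:
        return
    off = _rva_to_offset(secs, imp_rva)
    while True:
        name_rva = struct.unpack_from("<I", data, off + 12)[0]  # descriptor.Name
        if name_rva == 0:                                       # null descriptor ends the array
            return
        noff = _rva_to_offset(secs, name_rva)
        yield noff, data[noff:data.index(b"\0", noff)]
        off += 20                                               # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def repair(data):
    """Return (patched_bytes, offsets_fixed). Same-length rename, so only
    byte 5 of the name changes; case of the rest of the name is preserved."""
    buf, fixed = bytearray(data), []
    for off, name in import_dll_names(data):
        if name.lower() == BOGUS:
            buf[off + 5] = ord("L") if name[:5].isupper() else ord("l")
            fixed.append(off)
    return bytes(buf), fixed


def build_sample_pe(dll_name):
    """Constructed test input: a minimal PE32 with one section holding a
    single import descriptor that names dll_name. Not a runnable program."""
    pe_off, opt_size, sec_va, raw_off = 0x40, 0xE0, 0x1000, 0x200
    name_rva = sec_va + 40                       # after descriptor + null descriptor
    body = struct.pack("<IIIII", 0, 0, 0, name_rva, 0) + b"\0" * 20 + dll_name + b"\0"
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sec_va, 40)        # import directory RVA, size
    img += opt
    img += b".idata\0\0" + struct.pack("<IIII", 0x200, sec_va, 0x200, raw_off) + b"\0" * 16
    img += b"\0" * (raw_off - len(img)) + body.ljust(0x200, b"\0")
    return bytes(img)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        patched, fixed = repair(data)
        if fixed:
            with open(path, "wb") as f:
                f.write(patched)
        print("%s: %d import entries fixed" % (path, len(fixed)))
```

Run it over every `.exe` the EXE could have reached (ideally against a mounted copy of the disk, with hashes taken before and after), then delete the planted `kerne132.dll`; if the bogus DLL is removed first, every patched program fails to load. Any executable still naming `kerne132.dll` after the sweep is also a good detection signature for this family.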