Tools Used

  1. IDA Pro


  1. Lab09-03.exe SHA256: 1fc6a471b2a46cd882246d5bdc9d5954bf8efacf68b4e549a9756e6616848884
  2. DLL1.dll SHA256: 5ac89a17fc6225416cde2c3935c277fa9b9db51f5690285e7d565d04719abdce
  3. DLL2.dll SHA256: 9151b583754221ae1bf764d24edfd7c3a4c0377b4118d4d0e13615124059de8c
  4. DLL3.dll SHA256: 2ec8e8f63f298da249268cb6ea347934d200ed75c06886f4f310f4e14d6ebecc


  • Detection Rate: 4/54 (1), 4/54 (2), 4/54 (3), 4/54 (4)
  • Analyzed on 2016-03-05
  • Compilation Date: 2011-05-16 20:43:56(1), 2011-10-01 18:25:55(2), 2011-10-01 18:25:56(3),  2011-10-01 18:26:01(4)
  • View report here(1) & here(2) & here(3) & here(4)

Lab 9-3
Analyze the malware found in the file Lab09-03.exe using OllyDbg and IDA Pro.
This malware loads three included DLLs (DLL1.dll, DLL2.dll, and DLL3.dll)
that are all built to request the same memory load location. Therefore, when
viewing these DLLs in OllyDbg versus IDA Pro, code may appear at different
memory locations. The purpose of this lab is to make you comfortable with
finding the correct location of code within IDA Pro when you are looking at
code in OllyDbg.
1. What DLLs are imported by Lab09-03.exe?

Figure 1. imports

From IDA Pro we can see that DLL1, DLL2, KERNEL32 and NETAPI32 are imported by the malware. During runtime we can see more DLLs being loaded.

Figure 2. DLL3.dll being imported during runtime

2. What is the base address requested by DLL1.dll, DLL2.dll, and DLL3.dll?

Loading each DLL in IDA Pro we can see the base address that it requests. It turns out that all 3 DLLs request the same image base, address 0x10000000.

Figure 3. Imagebase: 0x10000000

3. When you use OllyDbg to debug Lab09-03.exe, what is the assigned based
address for: DLL1.dll, DLL2.dll, and DLL3.dll?

From figure 2, we can observe that the base address for DLL1.dll is 0x10000000, DLL2.dll is 0x330000 and DLL3.dll is 0x390000. Only DLL1.dll got its preferred base; the other two were relocated because that address was already taken.

4. When Lab09-03.exe calls an import function from DLL1.dll, what does
this import function do?

Figure 4. Calling DLL1Print
Figure 5. DLL1Print

From figure 4, we can see that DLL1Print is called. In figure 1, we can see that DLL1Print is imported from DLL1.dll. Opening DLL1.dll in IDA Pro, we can conclude that the string "DLL 1 mystery data %d\n" is printed out. However, %d is filled with the value in dword_1008030, a global variable. An xref check on this global variable shows that it is set at 0x10001009.

Figure 6. Setting global variable with process id

The above figure shows that once the dll is loaded, it will query its own process id and set the global variable dword_1008030 to the retrieved process id. To conclude DLL1Print will print out “DLL 1 mystery data [CurrentProcess ID]“.

5. When Lab09-03.exe calls WriteFile, what is the filename it writes to?

Figure 7. File Handle from DLL2ReturnJ

Analyzing Lab09-03.exe, we can see that the file handle is retrieved from the DLL2ReturnJ subroutine (imported from DLL2.dll).

Figure 8. DLL2ReturnJ

From the above image, DLL2ReturnJ returns a global variable taken from dword_1000B078.

Figure 9. DLL2’s DLLMain

From the above image, things become clear. The returned File Handle points to temp.txt.

6. When Lab09-03.exe creates a job using NetScheduleJobAdd, where does it get
the data for the second parameter?

According to MSDN, NetScheduleJobAdd submits a job to run at a specified future time and date. The second parameter is a pointer to an AT_INFO structure.

NET_API_STATUS NetScheduleJobAdd(
  _In_opt_ LPCWSTR Servername,
  _In_     LPBYTE  Buffer,   // points to an AT_INFO structure
  _Out_    LPDWORD JobId
);


Figure 10. AT_INFO structure

From Lab09-03.exe we can see that it is loading a dll dynamically during runtime by first calling LoadLibraryA(“DLL3.dll”) then GetProcAddress(“DLL3Print”) to get the pointer to the export function. The pointer is then called to get the AT_INFO structure.

Figure 11. Get AT_INFO Structure

7. While running or debugging the program, you will see that it prints out
three pieces of mystery data. What are the following: DLL 1 mystery
data 1, DLL 2 mystery data 2, and DLL 3 mystery data 3?

  • DLL 1 mystery data prints out the current process id
  • DLL 2 mystery data prints out the CreateFileA’s handle
  • DLL 3 mystery data prints out the decimal value of the address to the command string “ping”

8. How can you load DLL2.dll into IDA Pro so that it matches the load
address used by OllyDbg?

Figure 12. Manual Load

Select the Manual Load checkbox when opening DLL2.dll in IDA Pro. You will be prompted to enter a new image base address; enter the base OllyDbg assigned (0x330000) so that the addresses in both tools line up.
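The rebasing arithmetic behind questions 2, 3 and 8, as an added example that is not part of the original write-up: it reads the preferred ImageBase out of a PE optional header and translates an address seen in OllyDbg (where DLL2.dll landed at 0x330000) to the address IDA shows at the preferred base 0x10000000, and back. The PE header bytes are constructed in the script, not taken from the lab files.

```python
import struct

def read_image_base(pe_bytes: bytes) -> int:
    """Return the preferred ImageBase from a PE file's optional header (PE32 or PE32+)."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20            # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic == 0x10B:                 # PE32: 32-bit ImageBase at optional header offset 28
        return struct.unpack_from("<I", pe_bytes, opt + 28)[0]
    if magic == 0x20B:                 # PE32+: 64-bit ImageBase at offset 24 (no BaseOfData)
        return struct.unpack_from("<Q", pe_bytes, opt + 24)[0]
    raise ValueError(f"unknown optional header magic {magic:#x}")

def olly_to_ida(addr: int, actual_base: int, preferred_base: int) -> int:
    """Address seen in the debugger -> address IDA shows when loaded at the preferred base."""
    return addr - actual_base + preferred_base

def ida_to_olly(addr: int, preferred_base: int, actual_base: int) -> int:
    """Address in IDA (preferred base) -> address in the debugger (actual base)."""
    return addr - preferred_base + actual_base

def build_test_dll(image_base: int) -> bytes:
    """Constructed minimal PE32 header (not a real DLL) that requests the given ImageBase."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # COFF header: i386, 1 section, timestamp 0, no symbols, 0xE0-byte optional header, DLL flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    # Optional header up to BaseOfData (28 bytes), then ImageBase, padded to 0xE0 bytes
    opt = struct.pack("<HBBIIIIII", 0x10B, 9, 0, 0, 0, 0, 0x1000, 0x1000, 0)
    opt += struct.pack("<I", image_base)
    return dos + b"PE\0\0" + coff + opt.ljust(0xE0, b"\0")

if __name__ == "__main__":
    preferred = read_image_base(build_test_dll(0x10000000))
    actual = 0x330000                  # where OllyDbg placed DLL2.dll in the lab
    # dword_1000B078 in IDA corresponds to 0x33B078 in OllyDbg
    print(hex(preferred), hex(ida_to_olly(0x1000B078, preferred, actual)))
```

The same translation works for DLL3.dll with 0x390000 as the actual base.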

