A forum for reverse engineering, OS internals and malware analysis 

 #6387  by Xylitol
 Wed May 18, 2011 8:17 am
hi
BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
  char *v3; // eax@2
  char *v4; // eax@2
  BOOL result; // eax@2
  HANDLE v6; // eax@3

  if ( fdwReason == 1 ) // DLL_PROCESS_ATTACH
  {
    v3 = GetCommandLineA();
    v4 = strlwr(v3); // lower-case the host process command line for a case-insensitive match
    result = (BOOL)strstr(v4, "netsvcs"); // only proceed when the host command line contains "netsvcs"
    if ( !result )
      return result;
    strncpy(pszPath, (const char *)lpReserved, 0x104u); // 0x104 == MAX_PATH; lpReserved is treated as a path string
    PathRemoveFileSpecA(pszPath); // strip the file name, leaving the directory part
    sub_100016E4((int)hinstDLL, "cmd");
    v6 = CreateThread(0, 0, StartAddress, 0, 0, 0);
    CloseHandle(v6);
  }
  return 1;
}
I can't understand why the malware uses the lpReserved parameter as a const char*, and how could that work?
Attachments
pwd: infected
 #6396  by r2nwcnydc
 Wed May 18, 2011 1:06 pm
http://j00ru.wordpress.com/2009/07/04/d ... sibilites/

Has some ideas about how the parameter may be used.
• Passing information between two or more static modules
As Gynvael Coldwind suggested, the fact that all the libraries being statically loaded into a new process respectively operate on the same piece of memory could be used in order to let the modules "communicate" with each other; however, "passing information" sounds better to me. In order to do this, one could use the existing main thread stack. I am curious about possible realistic scenarios making use of this idea, waiting for any interesting concepts : P
This suggests it may be part of a larger piece, where the value has been altered to contain other information, which is consumed by this DLL. The parameter is only valid when the DLL is statically linked, so without the rest of the program, I cannot be sure.
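To make the point in the two posts above concrete: per the documented DllMain contract, at DLL_PROCESS_ATTACH lpReserved is NULL for a dynamic load (LoadLibrary) and non-NULL only for a static load, and nothing in the loader makes it a path string. The model below, added here for illustration and not the sample's own code, reproduces the decision order of the posted DllEntryPoint on any C compiler: the Windows types and the strlwr/PathRemoveFileSpecA helpers are local stand-ins (an assumption, not the real SDK), the command lines and paths are constructed sample inputs, and the one change from the decompiled logic is that the unchecked lpReserved dereference is reported as an outcome instead of performed. It shows that under a plain LoadLibrary the entry point would fault on strncpy, so the code can only work if whatever maps the DLL supplies a path in lpReserved, which is what the "injection" hypothesis amounts to.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Windows constants the decompiled entry point relies on,
   so this model builds anywhere (assumption: these are not the real SDK). */
#define DLL_PROCESS_ATTACH 1u
#define MAX_PATH 260

typedef enum {
    ENTRY_SKIPPED_REASON = 0,     /* fdwReason != DLL_PROCESS_ATTACH: body never runs   */
    ENTRY_SKIPPED_NO_NETSVCS = 1, /* host command line lacks "netsvcs": early return     */
    ENTRY_NULL_RESERVED = 2,      /* would strncpy from a NULL lpReserved: access fault  */
    ENTRY_PROCEEDED = 3           /* path copied, directory derived, payload thread next */
} entry_outcome;

/* Emulates strlwr(): lower-cases src into a bounded dst buffer. */
static void lower_copy(char *dst, size_t dst_len, const char *src) {
    size_t i;
    for (i = 0; i + 1 < dst_len && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Emulates PathRemoveFileSpecA(): truncates the path at its last backslash. */
static void remove_file_spec(char *path) {
    char *last = strrchr(path, '\\');
    if (last != NULL)
        *last = '\0';
}

/* Model of the posted DllEntryPoint with the same decision order.
   out_dir receives what the sample would leave in pszPath. */
entry_outcome model_entry(unsigned reason, const char *cmdline,
                          const void *lpReserved, char *out_dir, size_t out_len) {
    char lowered[512];

    if (reason != DLL_PROCESS_ATTACH)
        return ENTRY_SKIPPED_REASON;

    lower_copy(lowered, sizeof lowered, cmdline);   /* GetCommandLineA() + strlwr()   */
    if (strstr(lowered, "netsvcs") == NULL)         /* strstr(v4, "netsvcs")          */
        return ENTRY_SKIPPED_NO_NETSVCS;

    if (lpReserved == NULL)                         /* strncpy(pszPath, NULL, 0x104)  */
        return ENTRY_NULL_RESERVED;                 /* reported here, faults for real */

    /* strncpy(pszPath, lpReserved, 0x104) followed by PathRemoveFileSpecA(pszPath) */
    strncpy(out_dir, (const char *)lpReserved, out_len - 1);
    out_dir[out_len - 1] = '\0';
    remove_file_spec(out_dir);
    return ENTRY_PROCEEDED;
}

int main(void) {
    /* Constructed sample inputs, not values captured from the real sample. */
    const char *svchost_cmd = "C:\\Windows\\System32\\svchost.exe -k NetSvcs";
    const char *plain_cmd   = "C:\\Windows\\System32\\notepad.exe";
    const char *crafted     = "C:\\Windows\\System32\\cmd.dll"; /* hypothetical injector-supplied value */
    char dir[MAX_PATH];

    printf("LoadLibrary-style attach (lpReserved NULL): outcome %d\n",
           model_entry(DLL_PROCESS_ATTACH, svchost_cmd, NULL, dir, sizeof dir));
    printf("path supplied in lpReserved: outcome %d, pszPath -> %s\n",
           model_entry(DLL_PROCESS_ATTACH, svchost_cmd, crafted, dir, sizeof dir), dir);
    printf("host without netsvcs: outcome %d\n",
           model_entry(DLL_PROCESS_ATTACH, plain_cmd, crafted, dir, sizeof dir));
    return 0;
}
```

The mixed-case "NetSvcs" in the first sample command line is there to show why the sample bothers with strlwr before strstr; the third case shows the early return that makes the DLL inert outside its intended host.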
 #6404  by EP_X0FF
 Wed May 18, 2011 2:23 pm
This is cmd.dll from a TDL3 modification that comes from the TDL4 authors.
For the dropper see http://www.kernelmode.info/forum/viewto ... 6364#p6364

Perhaps this lpReserved value is initialized by the rootkit during injection.
Btw, nice link :)