Malware Analysis Tools and Techniques: Windows Malware

Play an AI-generated podcast conversation about this lesson

What does a handle point to in memory?

File content

I/O devices

Arithmetic operations

Location in memory (correct)

Which function is used to create or open files?

CreateWindowEx

WriteFile

ReadFile

CreateFile (correct)

What do ReadFile and WriteFile operate on as a stream?

Memory locations

Files (correct)

Pointers

Handles

What does CreateFileMapping allow for?

Direct file manipulation Signup and view all the answers

What does MapViewOfFile return a pointer to?

Base address of the mapping Signup and view all the answers

Can arithmetic operations be performed on handles?

No Signup and view all the answers

What term is used to refer to the base address in the Windows registry?

Root Key Signup and view all the answers

What is the primary purpose of using the pointer to the base address in the Windows registry?

Jump around the file easily Signup and view all the answers

Which of the following is NOT a common use of the Windows registry according to the text?

Application installation Signup and view all the answers

How many top-level sections are there in the Windows registry referred to as root keys or hives?

Five Signup and view all the answers

What is a Key in the Windows registry analogous to?

Subfolder Signup and view all the answers

How does malware interact with the operating system?

Via Application Programing Interface (API) Signup and view all the answers

Which naming convention does Windows use for API function identifiers?

Hungarian Notation Signup and view all the answers

What is the purpose of Handles in Windows OS?

To represent opened items like windows, processes, files, etc. Signup and view all the answers

Which type does the prefix 'dw' indicate in Hungarian Notation used by Windows?

Double Word (DWORD) variables Signup and view all the answers

What makes it easy to identify the type of a variable in Hungarian Notation?

Using a prefix naming scheme Signup and view all the answers

Which of the following represents 16 bits according to Hungarian Notation in Windows?

WORD Signup and view all the answers

What API call is used to initialise a connection to the internet?

InternetOpen Signup and view all the answers

What function is typically used to download a file from the internet in two steps?

URLDownloadToFile() Signup and view all the answers

Which WIN32 API function is commonly used to create a new process?

CreateProcess Signup and view all the answers

What does the STARTUPINFO parameter in CreateProcess include?

Handle to standard input, output and error messages Signup and view all the answers

How can malicious programs use standard input, output, and error messages?

Set them to a socket for remote shell execution Signup and view all the answers

What type of properties can a parent process specify for its child process?

Window properties Signup and view all the answers

What is the primary purpose of key loggers?

Monitor user key strokes Signup and view all the answers

What are the two most common methods used by key loggers?

Install a hook for keyboard events and poll keyboard state with GetAsyncKeyState() Signup and view all the answers

What is the purpose of a hook procedure in the context of key loggers?

Intercept events like messages, mouse actions, and keystrokes Signup and view all the answers

Which API function is used to intercept keyboard events and relay them to a malicious function?

SetWindowsHookExA with WH_KEYBOARD parameter Signup and view all the answers

What does malware do in the context of polling the keyboard?

Goes into a loop and polls the state of every key Signup and view all the answers

Which function is called to get the state of a specific key during polling?

GetAsyncKeyState Signup and view all the answers