Mar 23, 2024, 04:33 AM
HTB Reversing Challenge - Iterative Virus(Quick writeup)
Flag#
- Use the 'file' command to provide an overview of the file type.
- Open the file in PEBear to find detailed information. Discover a strange section named ivir and Timestamp = deadc0de.
- Open the program in IDA64 for code analysis.
- The function retrieves a pointer to the linked list of modules through NtCurrentTeb() and accesses information about the process and the kernel32_GetProcAddress module.
- The main function copies text strings to memory based on the input value and ensures the strings are terminated with a null character.
- Rename variables to make the program clearer and easier to understand, create a memory-mapped view of the file.
- Check conditions to determine if the file could be malicious or not, and perform necessary operations to create or modify sections in the file.
- Encode data in the victim file and perform various operations to cause harm when the victim file is executed.
- Import important functions from kernel32.dll and user32.dll and execute system API functions like GetUserNameA and MessageBoxA to perform specific tasks.
Flag#
