
I'm studying the source code of malware developed in C++ and I have two questions about the source code below.

This is probably code that loads malicious DLLs into memory.

// Function-pointer type with the same signature as kernel32!VirtualFree
typedef BOOL (WINAPI *VirtualFreeT)(
    __in LPVOID lpAddress, 
    __in SIZE_T dwSize, 
    __in DWORD dwFreeType
    );

// Module and export names built as character arrays instead of string literals
char dllA[] = {'K','E','R','N','E','L','3','2','.','d','l','l','\0'};
char dllB[] = {'V','i','r','t','u','a','l','F','r','e','e','\0'};

// Resolve VirtualFree at run time instead of importing it statically
VirtualFreeT pVirtualFree = (VirtualFreeT)GetProcAddress(LoadLibrary(dllA), dllB);

// A run of single-byte NOP instructions (0x90 on x86)
_asm nop;
_asm nop;
_asm nop;
_asm nop;
_asm nop;
_asm nop;
_asm nop;
...
..
.
  1. Why not declare the name of the DLL as below? Is it just a certain insertion of a null char?

char dllA[] = "KERNEL32.dll";
char dllB[] = "VirtualFree";

  2. It doesn't do anything. Why is this code needed?

_asm nop
nobody
useeffect
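As an added example that is not part of the question or the answer: the following C program places the two forms of declaration from the question side by side, checks that they occupy the same bytes, and then runs a minimal strings(1)-style scan over a constructed stand-in for a compiled binary's data section to show that both spellings leave "KERNEL32.dll" and "VirtualFree" in clear text, which is exactly what an analyst's first triage pass finds. The byte buffer `fake_data_section`, the scanner `scan_strings` and the threshold of four printable characters are assumptions of this example, not taken from any real sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The two declarations from the question, side by side. */
static const char dll_chars[]   = {'K','E','R','N','E','L','3','2','.','d','l','l','\0'};
static const char dll_literal[] = "KERNEL32.dll";

/* 1 if both arrays occupy the same number of bytes and hold identical contents. */
int arrays_identical(void)
{
    return sizeof dll_chars == sizeof dll_literal
        && memcmp(dll_chars, dll_literal, sizeof dll_chars) == 0;
}

/* Constructed stand-in for a .data section: the two names separated by
 * non-printable padding, as a hex viewer would show them. Not a real sample. */
static const unsigned char fake_data_section[] =
    "\x00\x01\x02"
    "KERNEL32.dll\0"
    "\xff\xfe"
    "VirtualFree\0"
    "\x00\x00";

/* Minimal strings(1)-style scanner: copies each run of at least min_len
 * printable ASCII bytes into out[] (truncated to 31 chars) and returns the
 * number of runs found, counting runs beyond max_out as well. */
size_t scan_strings(const unsigned char *buf, size_t len, size_t min_len,
                    char out[][32], size_t max_out)
{
    size_t found = 0, start = 0, i;
    for (i = 0; i <= len; i++) {
        int printable = i < len && buf[i] >= 0x20 && buf[i] <= 0x7e;
        if (printable)
            continue;
        size_t run = i - start;          /* run ended at a non-printable byte or at the end */
        if (run >= min_len) {
            if (found < max_out) {
                size_t n = run < 31 ? run : 31;
                memcpy(out[found], buf + start, n);
                out[found][n] = '\0';
            }
            found++;
        }
        start = i + 1;
    }
    return found;
}

/* 1 if the scan recovers both API-related names from the constructed section. */
int demo_finds_api_names(void)
{
    char found[4][32];
    size_t n = scan_strings(fake_data_section, sizeof fake_data_section, 4, found, 4);
    return n == 2
        && strcmp(found[0], "KERNEL32.dll") == 0
        && strcmp(found[1], "VirtualFree") == 0;
}

int main(void)
{
    printf("declarations identical: %s\n", arrays_identical() ? "yes" : "no");
    printf("strings scan recovers both names: %s\n", demo_finds_api_names() ? "yes" : "no");
    return 0;
}
```

The practical point for a defender is that character-array initialisation changes nothing about the bytes that reach the binary, so the usual triage signals (plain-text API names in the data section, and a missing `VirtualFree` entry in the import table combined with a `GetProcAddress` call) are unaffected by this spelling.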

1 Answer

  1. Why not declare the name of the DLL as below? Is it just a certain insertion of a null char?

No, these two lines of code create identical null-terminated strings in the resultant binary:

char dllA[] = {'K','E','R','N','E','L','3','2','.','d','l','l','\0'};

and

char dllA[] = "KERNEL32.dll";

Perhaps the malware author believed there was a difference, but more likely, it's a style choice only.

  2. It doesn't do anything. Why is this code needed?

It's almost certainly a NOP sled. When placing a buffer overflow, it may be difficult to calculate exactly where the instruction pointer will land. By preceding the meat of the overflow code with a series of no-op instructions (which do nothing), the instruction pointer can slide smoothly along until it reaches the exploit code, as long as it lands anywhere in the NOP sled.

gowenfawr
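The classic way defenders look for the pattern the answer describes is a run-length check for 0x90 bytes in a payload, the heuristic behind the well-known "NOP sled" intrusion-detection signatures. The C program below is an added example, not part of the answer or of any IDS product: it measures the longest run of a given byte in a buffer and flags a buffer whose longest 0x90 run reaches a threshold. The threshold of 32 bytes, the sample `benign_payload` and the constructed 64-NOP sample followed by placeholder 0x41 bytes are all assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define X86_NOP 0x90   /* single-byte x86 NOP, the instruction _asm nop emits */

/* Length of the longest run of consecutive bytes equal to value. */
size_t longest_run_of(const unsigned char *buf, size_t len, unsigned char value)
{
    size_t best = 0, cur = 0, i;
    for (i = 0; i < len; i++) {
        cur = (buf[i] == value) ? cur + 1 : 0;
        if (cur > best)
            best = cur;
    }
    return best;
}

/* Heuristic used by classic IDS rules: flag a buffer whose longest 0x90 run
 * is at least min_run bytes long. */
int nop_sled_suspected(const unsigned char *buf, size_t len, size_t min_run)
{
    return longest_run_of(buf, len, X86_NOP) >= min_run;
}

/* Constructed sample: ordinary request bytes with a few stray 0x90s. */
static const unsigned char benign_payload[] = {
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','1',
    0x90, 'x', 0x90, 0x90, 'y'
};

#define SLED_LEN   64
#define SAMPLE_LEN (SLED_LEN + 16)

/* Constructed sample with the shape the answer describes: a run of NOPs
 * followed by placeholder bytes (0x41). Not real exploit code. */
static void build_sled_sample(unsigned char out[SAMPLE_LEN])
{
    memset(out, X86_NOP, SLED_LEN);
    memset(out + SLED_LEN, 0x41, SAMPLE_LEN - SLED_LEN);
}

/* Assumed detection threshold of 32 consecutive NOPs. */
#define NOP_THRESHOLD 32

int demo_benign_flagged(void)
{
    return nop_sled_suspected(benign_payload, sizeof benign_payload, NOP_THRESHOLD);
}

int demo_sled_flagged(void)
{
    unsigned char sample[SAMPLE_LEN];
    build_sled_sample(sample);
    return nop_sled_suspected(sample, sizeof sample, NOP_THRESHOLD);
}

int main(void)
{
    printf("benign payload flagged: %d\n", demo_benign_flagged());
    printf("sled sample flagged:    %d\n", demo_sled_flagged());
    return 0;
}
```

Two caveats apply to this heuristic in practice: a long run of 0x90 also occurs in legitimate binary content (compiler padding between functions, for example), so the threshold trades false positives against sensitivity, and a sled need not consist of 0x90 at all, since any sequence of harmless instructions serves the same purpose, which is why mature detectors combine this check with other signals rather than relying on it alone.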