I'm studying the source code of a piece of malware written in C++, and I have two questions about the code below.
It is probably part of the code that loads malicious DLLs into memory.
// Function-pointer type whose parameter list mirrors the Win32 VirtualFree
// prototype (address, size, free type), so the API can be called through a
// pointer obtained at run time.
typedef BOOL (WINAPI *VirtualFreeT)(
__in LPVOID lpAddress,
__in SIZE_T dwSize,
__in DWORD dwFreeType
);
// The two names are spelled out one character at a time, with an explicit
// '\0' terminator, instead of being written as string literals.
// NOTE(review): presumably this makes the compiler build the arrays with
// per-character stores rather than copying a contiguous literal, so
// "KERNEL32.dll" and "VirtualFree" do not show up in a plain strings scan of
// the binary. This depends on compiler and optimisation level; confirm
// against the compiled sample. For analysis, stack-string recovery (e.g.
// FLOSS) or a breakpoint on GetProcAddress reveals the names.
// Despite its name, dllB holds an exported function name, not a DLL name.
char dllA[] = {'K','E','R','N','E','L','3','2','.','d','l','l','\0'};
char dllB[] = {'V','i','r','t','u','a','l','F','r','e','e','\0'};
// Resolve VirtualFree at run time instead of calling it directly.
// NOTE(review): a direct call would normally leave an import-table entry for
// the API; resolving it this way likely keeps it out of the import table.
// Neither return value is checked here, so pVirtualFree may be NULL if
// either lookup fails.
VirtualFreeT pVirtualFree=(VirtualFreeT)GetProcAddress(LoadLibrary(dllA),dllB);
// Seven no-op instructions (MSVC inline assembly); they change no program
// state. NOTE(review): their purpose is not visible in this excerpt. Filler
// like this is commonly junk padding that changes the byte pattern of the
// compiled function, or space reserved for later patching. For detection,
// do not key a signature on the exact byte sequence around this point.
_asm nop;
_asm nop;
_asm nop;
_asm nop;
_asm nop;
_asm nop;
_asm nop;
...
..
.
- Why aren't the DLL name and the function name declared as string literals, as below?
Is it done only to insert the null character explicitly?
// String-literal form of the same two names.
// NOTE(review): written this way, the text is normally stored as contiguous
// bytes in the binary, so a plain strings scan would show "KERNEL32.dll" and
// "VirtualFree". This is compiler-dependent; confirm against a build.
char dllA[] = "KERNEL32.dll";
char dllB[] = "VirtualFree";
- This instruction doesn't do anything. Why is this code needed?
_asm nop