[Xylitol]

hi

Code: Select all

BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID
lpReserved)
{
  char *v3; // eax@2
  char *v4; // eax@2
  BOOL result; // eax@2
  HANDLE v6; // eax@3

  if ( fdwReason == 1 )
  {
    v3 = GetCommandLineA();
    v4 = strlwr(v3);
    result = (BOOL)strstr(v4, "netsvcs");
    if ( !result )
      return result;
    strncpy(pszPath, (const char *)lpReserved, 0x104u);
    PathRemoveFileSpecA(pszPath);
    sub_100016E4((int)hinstDLL, "cmd");
    v6 = CreateThread(0, 0, StartAddress, 0, 0, 0);
    CloseHandle(v6);
  }
  return 1;
}

i cant understand why malware use lpreserved parametr as const char* and how it could work?

[r2nwcnydc]

http://j00ru.wordpress.com/2009/07/04/d ... sibilites/

Has some ideas about how the parameter may be used.

•Passing information between two or more static modules
As Gynvael Coldwind suggested, the fact that all the libraries being statically loaded into a new process respectively operate on the same piece of memory, could be used in order to let the modules “communicate” with each other, however “passing information” sounds better for me. In order to do this, one could use the extisting main thread stack. I am curious about possible realistic scenarios making use of this idea, waiting for any interesting concepts : P

This suggests it may be part of a larger piece, where the value has been altered to contain other information, which is consumed by this DLL. The parameter is only valid when the DLL is staticly linked, so without the rest of the program, I cannot be sure.

[EP_X0FF]

This is cmd.dll from TDL3 modification that comes from TDL4 authors.
For dropper see http://www.kernelmode.info/forum/viewto ... 6364#p6364

Perhaps this lpReserved value initialized by rootkit while injection.
Btw, nice link :)