Reverse Engineering Asked by hightower on April 12, 2021
I am rather new to reversing, and currently I am trying to reverse and understand one of the malware samples that seem to be used by DPRK actors to target security researchers.
https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/
https://www.vmray.com/cyber-security-blog/analyzing-dll-in-sandbox-apt-implant/
The sample I am looking at is efscore.dll (SHA256: 4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244). It is called via rundll32.exe with some arguments:
rundll32.exe efscore.dll,CMS_dataFinal Bx9yb37GEcJNK6bt 4901
So, from my understanding, the function CMS_dataFinal is called as the entry point. But the code of the function contains just a return and nothing more. However, there is a wide-character version of the function, CMS_dataFinalW, which does much more and is the real function that is called. (Debugging confirmed this.)
So here is my question, which might be basic, but I can't get it into my head: how does the program know/decide that the wide-character version CMS_dataFinalW has to be called?
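Editor's note, not part of the original question: the decision is made by rundll32.exe itself, not by the DLL. rundll32 parses its command line as `<dll>,<entrypoint> [args]`, and on NT-based Windows it first tries GetProcAddress on the entry-point name with a `W` suffix appended; only if that export does not exist does it fall back to the plain name. The `W` variant is then called with the documented rundll32 prototype, with lpszCmdLine passed as a wide string. The Python below is an added toy model of that lookup order, written for this page; the export table and addresses in it are constructed stand-ins, not values read from efscore.dll, and the command-line parsing is deliberately simplified (it does not handle quoted DLL paths).

```python
"""
Toy model of how rundll32.exe chooses which export to call.

Added illustration, not code from the original post or from the analysed
sample. Models the documented rundll32 behaviour: the command line is
"<dll>,<entrypoint> [args]", and rundll32 first tries
GetProcAddress("<entrypoint>W") and only then "<entrypoint>".
"""

# Constructed export table standing in for what GetProcAddress would see.
# Addresses are made up for the demo; they are not from efscore.dll.
EXPORTS = {
    "CMS_dataFinal": 0x10001000,   # ANSI-named export: in the sample, just "ret"
    "CMS_dataFinalW": 0x10001010,  # wide-character export: the real code
    "OnlyAnsi": 0x10002000,        # hypothetical DLL exporting only a plain name
}


def parse_rundll32_cmdline(cmdline: str):
    """Split 'rundll32.exe <dll>,<entry> <args>' into (dll, entry, args).

    Simplified: the DLL path runs up to the first comma, the entry-point
    name up to the next whitespace, and everything after that is handed to
    the entry point verbatim as lpszCmdLine. Quoted paths are not handled.
    """
    _, _, rest = cmdline.strip().partition(" ")      # drop "rundll32.exe"
    dll, sep, tail = rest.partition(",")
    if not sep:
        raise ValueError("rundll32 expects '<dll>,<entry>' (comma missing)")
    entry, _, args = tail.strip().partition(" ")
    return dll.strip(), entry, args.strip()


def resolve_entry(exports, entry: str):
    """Return (export_name, address) in rundll32's resolution order.

    Order: '<entry>W' first, then the literal '<entry>'. No 'A' suffix is
    tried, and the literal name is never preferred over its W variant,
    which is why a stub CMS_dataFinal is ignored when CMS_dataFinalW exists.
    """
    for candidate in (entry + "W", entry):
        if candidate in exports:
            return candidate, exports[candidate]
    return None, None


def simulate(cmdline: str, exports=EXPORTS):
    """Run the whole decision for one rundll32 command line."""
    dll, entry, args = parse_rundll32_cmdline(cmdline)
    name, addr = resolve_entry(exports, entry)
    return {
        "dll": dll,
        "requested": entry,
        "called": name,          # None if neither variant is exported
        "address": addr,
        "lpszCmdLine": args,     # passed as LPWSTR when the W variant is chosen
    }


if __name__ == "__main__":
    for cl in (
        "rundll32.exe efscore.dll,CMS_dataFinal Bx9yb37GEcJNK6bt 4901",
        "rundll32.exe efscore.dll,OnlyAnsi",
        "rundll32.exe efscore.dll,Missing",
    ):
        print(simulate(cl))
```

In the first case the model picks CMS_dataFinalW even though CMS_dataFinal was named on the command line, which matches what the debugger showed. The practical check on a real sample is to list the DLL's export table (for example with `dumpbin /exports efscore.dll` or any PE viewer) and look for a `W`-suffixed twin of the name that rundll32 is given.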