
Checking Malware Name
Some analysts rename the malware as “malware.exe” or “sample.exe” or even with the file hash. Malware can detect the name before fully executing on the infected machine. If any of the blacklisted names are detected, the sample will run differently or end its process.
Code Snippets
#include <iostream>
#include <cstring>
#include <windows.h>
using namespace std;
int main(int argc, char** argv)
{
TCHAR szExeFileName[MAX_PATH];
GetModuleFileName(NULL, szExeFileName, MAX_PATH);
// full path
cout << "[+] Fulle Path: " << szExeFileName << endl;
//convert tchar to string
std:string filename (szExeFileName);
// Remove directory if present.
const size_t last_slash_idx = filename.find_last_of("\\/");
if (std::string::npos != last_slash_idx)
{
filename.erase(0, last_slash_idx + 1);
}
// Blacklist
LPSTR fname[] = {"sample.exe",
"malware.exe",
// ADD YOUR PROCESS NAME HERE!
};
for (int i = 0; i < (sizeof(fname) / sizeof(LPSTR)); i++)
{
if ((fname[i] == filename ))
{
cout << " [!] Filename is blacklisted: " << (fname[i]) << endl;
exit(0);
}
}
return 0;
}