Tags: assembly, reverse-engineering, malware, shellcode, malware-detection

Shellcode searching for Bytes String: 0C330408Bh


I am learning how malware (Blackhole Exploit) works. I extracted the shellcode from a malicious code. I figured out everything except a search for the Byte String. Can anyone help me with this? Why does this shellcode (most of the malicious shellcodes) search for this particular string? The searching code goes like this:

        mov   eax, 0C330408Bh       ; needle; stored little-endian in memory as 8B 40 30 C3
search:
        inc   esi                   ; advance one byte at a time
        cmp   dword ptr [esi], eax  ; compare the 4 bytes at [esi] with the needle
        jne   search                ; back to top until the sequence is found

Solution

  • If you take the magic bytes, convert them to little-endian format and disassemble, you get the following:

    8B 40 30    mov     eax, [eax+30h]
    C3          retn
    

    So, the shellcode is searching for this sequence of instructions. I'm not 100% sure but I think it's used to find kernel32 image in memory (since this sequence usually occurs there).
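As an added example that is not part of the question or answer above: a Python script that derives the little-endian needle from the immediate in the question, scans a buffer the way the inc esi / cmp / jne loop does, and flags shellcode containing that loop pattern. The function names, the sample shellcode bytes and the sample memory image are constructed for this example; the opcode encoding used is standard 32-bit x86.

```python
import re
import struct

# Immediate from the question's "mov eax, 0C330408Bh".
SEARCHED_DWORD = 0xC330408B


def dword_to_needle(value: int) -> bytes:
    """Little-endian bytes that `cmp dword ptr [esi], eax` compares against."""
    return struct.pack("<I", value)          # 0xC330408B -> 8B 40 30 C3


def find_signature(image: bytes, needle: bytes, start: int = 0) -> int:
    """Byte-by-byte scan mirroring inc esi / cmp [esi],eax / jne.

    Returns the offset of the first match, or -1 if the needle is absent
    (the real loop has no bound and would keep reading until it faults).
    """
    for i in range(start, len(image) - len(needle) + 1):
        if image[i:i + len(needle)] == needle:
            return i
    return -1


# Encoded search loop: B8 imm32 (mov eax,imm32) ; 46 (inc esi) ;
# 39 06 (cmp [esi],eax) ; 75 rel8 with rel8 >= 0x80 (backward jne).
SEARCH_LOOP = re.compile(rb"\xB8(.{4})\x46\x39\x06\x75[\x80-\xFF]", re.DOTALL)


def extract_search_needles(shellcode: bytes) -> list:
    """Return every 4-byte needle a search loop in the shellcode hunts for."""
    return [m.group(1) for m in SEARCH_LOOP.finditer(shellcode)]


# Constructed sample: the question's loop, assembled for 32-bit x86.
SAMPLE_SHELLCODE = b"\xB8\x8B\x40\x30\xC3\x46\x39\x06\x75\xFB"

# Constructed sample "memory image": NOPs with `mov eax,[eax+30h]; ret` at 0x20.
SAMPLE_IMAGE = b"\x90" * 0x20 + b"\x8B\x40\x30\xC3" + b"\x90" * 8


if __name__ == "__main__":
    for needle in extract_search_needles(SAMPLE_SHELLCODE):
        print("shellcode searches for", needle.hex(" "))
        print("found in image at offset", find_signature(SAMPLE_IMAGE, needle))
        # Note: the needle also sits inside the scanner's own `mov eax, imm32`,
        # so a scan that crosses the shellcode itself matches there first.
        print("self-match inside shellcode at", find_signature(SAMPLE_SHELLCODE, needle))
```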