Known issues

1) The disassembly of the files in Chapter 2 does not match the output in the book.

This is because we changed all the entrypoints in the PE headers to ensure that none of the .exe, .dll, and .sys files are executable. This was a precaution, to ensure readers don’t infect themselves. The side effect is that the disassembly output you see in the VM when you do the exercises in the book will differ from the output printed in the book, because a disassembler starts from the entrypoint recorded in the header.
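As an added illustration of why the disassembly differs (this is not code from the book or its VM), the following pure-stdlib Python reads the PE header fields a disassembler uses to pick its starting point: e_lfanew, the COFF header, AddressOfEntryPoint in the optional header, and the section table. It reports which section the entrypoint falls in and flags an entrypoint that points outside every section. The page does not say exactly how the VM's entrypoints were altered, so the "looks tampered" test is an assumption (entrypoint of zero or outside all sections); the minimal PE image it is run against is constructed inline for the example.

```python
import struct


def parse_entry_point(data: bytes) -> dict:
    """Return AddressOfEntryPoint, the section containing it (or None), and all section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset of the PE signature) lives at offset 0x3C of the DOS header
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    # AddressOfEntryPoint is at offset 16 of the optional header for both PE32 and PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]

    sections = []
    table = opt + opt_size
    for i in range(num_sections):
        # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ... (40 bytes)
        name, vsize, va, rawsize, _rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize)))

    containing = None
    for name, va, size in sections:
        if va <= entry < va + size:
            containing = name
    return {
        "magic": magic,
        "entry_point": entry,
        "section": containing,
        "sections": [s[0] for s in sections],
    }


def entry_point_looks_tampered(data: bytes) -> bool:
    """Assumed heuristic: an entrypoint of zero or one outside every section will not disassemble
    as the original code did. The page does not state how the VM's entrypoints were changed."""
    info = parse_entry_point(data)
    return info["entry_point"] == 0 or info["section"] is None


def build_minimal_pe(entry_point: int) -> bytes:
    """Constructed sample: a headers-only PE32 image with .text at RVA 0x1000 and .data at RVA 0x2000."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 opt header
    opt = bytearray(224)
    # Magic, MajorLinker, MinorLinker, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 0, 0, 0x200, 0x100, 0, entry_point)
    table = b""
    for name, vsize, va, rawsize, rawptr in ((b".text", 0x200, 0x1000, 0x200, 0x400),
                                             (b".data", 0x100, 0x2000, 0x200, 0x600)):
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for label, image in (("intact", build_minimal_pe(0x1100)), ("neutered", build_minimal_pe(0))):
        info = parse_entry_point(image)
        print(f"{label}: entry=0x{info['entry_point']:x} section={info['section']} "
              f"tampered={entry_point_looks_tampered(image)}")
```

Running it on a real file is a matter of passing `open(path, "rb").read()` to `parse_entry_point`; if the reported section is None, the disassembler's starting address is not the original code, which is exactly the situation described above.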

2) Listing 1-6 is broken and the command lines need slight modification to work. See the fix below:

Here are the correct commands that you need to extract and view the images in the fakepdfmalware.exe binary:

wrestool -x fakepdfmalware.exe -o images

mkdir output

icotool -x -o output/ images/fakepdfmalware.exe_14_101_2052.ico

eog images/fakepdfmalware.exe_14_101_2052.ico

(wrestool extracts the resources into the images/ directory; icotool needs the extracted .ico file as its input and writes the individual images into output/; eog then opens the icon for viewing.)

This sequence, and the corresponding output, is given below:

3) In Chapter 4, some of the .dot files are missing from the ch4/ directory.

To generate the missing files, run “bash” in the ch4/ directory.