
Thursday, February 16, 2023

CAB files FDICreate FDICopy

 call    ds:__imp__FDICreate      ; creates an FDI context for extracting Microsoft .CAB (Cabinet) files

 ...

 push    offset pszCabPath
 call    ds:__imp__FDICopy


In memory you should see the Cabinet data (the CAB archive file format), recognizable by its first four bytes (the magic number) MSCF.

After FDICopy returns you will see the extracted files (possibly .exe malware) in the file path that was passed in pszCabPath.
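As an added example (not code from the original post, and not the Windows FDI API itself), the following Python script does from the defender's side what the snippet above relies on: it carves MSCF headers out of an arbitrary byte blob such as a process memory dump, parses the CFHEADER, CFFOLDER and CFFILE structures, and lists the file names an FDICopy call would write out. The sample blob, the build_cab helper, and values like the set ID and the file names are constructed for the example; CFDATA checksums are not validated and only uncompressed folders have their contents pulled out, compressed ones (MSZIP, LZX) are listed only.

```python
import struct

CAB_MAGIC = b"MSCF"
CFHEADER_FMT = "<4sIIIIIBBHHHHH"   # 36-byte fixed part of CFHEADER
CFFOLDER_FMT = "<IHH"              # coffCabStart, cCFData, typeCompress (+ abReserve)
CFFILE_FMT = "<IIHHHH"             # cbFile, uoffFolderStart, iFolder, date, time, attribs (+ szName)
CFDATA_FMT = "<IHH"                # csum, cbData, cbUncomp (+ abReserve + data)
cfhdrPREV_CABINET = 0x0001
cfhdrNEXT_CABINET = 0x0002
cfhdrRESERVE_PRESENT = 0x0004
tcompTYPE_MASK = 0x000F
COMPRESSION_NAMES = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


def build_cab(files):
    """Build a minimal single-folder, uncompressed cabinet (constructed test input only)."""
    payload = b"".join(content for _, content in files)
    cffiles, uoff = b"", 0
    for name, content in files:
        # date/time/attribs are arbitrary constructed values
        cffiles += struct.pack(CFFILE_FMT, len(content), uoff, 0, 0x5650, 0x0000, 0x20)
        cffiles += name.encode("ascii") + b"\x00"
        uoff += len(content)
    coff_files = 36 + 8                      # header + one CFFOLDER
    coff_cab_start = coff_files + len(cffiles)
    cfdata = struct.pack(CFDATA_FMT, 0, len(payload), len(payload)) + payload  # csum left as 0
    cb_cabinet = coff_cab_start + len(cfdata)
    header = struct.pack(CFHEADER_FMT, CAB_MAGIC, 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, 1, len(files), 0, 0x1234, 0)   # version 1.3, setID constructed
    folder = struct.pack(CFFOLDER_FMT, coff_cab_start, 1, 0)  # one CFDATA block, tcompTYPE_NONE
    return header + folder + cffiles + cfdata


def _skip_cstr(blob, pos):
    """Return the position just past the NUL-terminated string at pos."""
    return blob.index(b"\x00", pos) + 1


def parse_cab(blob, start):
    """Parse the cabinet whose CFHEADER begins at blob[start]; extract uncompressed folders only."""
    (sig, _, cb_cabinet, _, coff_files, _, vminor, vmajor,
     c_folders, c_files, flags, set_id, _) = struct.unpack_from(CFHEADER_FMT, blob, start)
    if sig != CAB_MAGIC or (vmajor, vminor) != (1, 3):
        raise ValueError("not a CFHEADER")
    pos = start + 36
    cb_cffolder = cb_cfdata = 0
    if flags & cfhdrRESERVE_PRESENT:          # optional reserve sizes follow the fixed header
        cb_cfheader, cb_cffolder, cb_cfdata = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + cb_cfheader
    if flags & cfhdrPREV_CABINET:             # szCabinetPrev, szDiskPrev
        pos = _skip_cstr(blob, _skip_cstr(blob, pos))
    if flags & cfhdrNEXT_CABINET:             # szCabinetNext, szDiskNext
        pos = _skip_cstr(blob, _skip_cstr(blob, pos))
    folders = []
    for _ in range(c_folders):
        coff_cab_start, c_cfdata, tcomp = struct.unpack_from(CFFOLDER_FMT, blob, pos)
        pos += 8 + cb_cffolder
        data = b""
        if tcomp & tcompTYPE_MASK == 0:       # only stored (uncompressed) folders are reassembled
            dpos = start + coff_cab_start
            for _ in range(c_cfdata):
                _csum, cb_data, _cb_uncomp = struct.unpack_from(CFDATA_FMT, blob, dpos)
                dpos += 8 + cb_cfdata
                data += blob[dpos:dpos + cb_data]
                dpos += cb_data
        folders.append({"compression": COMPRESSION_NAMES.get(tcomp & tcompTYPE_MASK, "unknown"),
                        "data": data})
    files, pos = [], start + coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _d, _t, _a = struct.unpack_from(CFFILE_FMT, blob, pos)
        pos += 16
        end = blob.index(b"\x00", pos)
        name = blob[pos:end].decode("ascii", "replace")
        pos = end + 1
        # iFolder values 0xFFFD..0xFFFF mean the file spans cabinets; treat as not extractable here
        folder = folders[i_folder] if i_folder < len(folders) else {"compression": "continued", "data": b""}
        files.append({"name": name, "size": cb_file, "compression": folder["compression"],
                      "data": folder["data"][uoff:uoff + cb_file] if folder["compression"] == "none" else None})
    return {"offset": start, "cb_cabinet": cb_cabinet, "set_id": set_id, "files": files}


def find_cabinets(blob):
    """Carve every cabinet with a parseable CFHEADER out of an arbitrary blob (e.g. a memory dump)."""
    found, i = [], blob.find(CAB_MAGIC)
    while i != -1:
        try:
            found.append(parse_cab(blob, i))
        except (struct.error, ValueError):    # truncated header or a stray "MSCF" string
            pass
        i = blob.find(CAB_MAGIC, i + 1)
    return found


# Constructed stand-in for a memory dump: padding, one cabinet, trailing zeros.
SAMPLE_DUMP = (b"\x90" * 64
               + build_cab([("payload.exe", b"MZ-not-a-real-pe"), ("readme.txt", b"hello")])
               + b"\x00" * 32)

if __name__ == "__main__":
    for cab in find_cabinets(SAMPLE_DUMP):
        print(f"MSCF at offset {cab['offset']:#x}, cbCabinet={cab['cb_cabinet']}, setID={cab['set_id']:#x}")
        for f in cab["files"]:
            print(f"  {f['name']}  {f['size']} bytes  ({f['compression']})")
```

Run against a dump taken after FDICreate but before FDICopy returns, find_cabinets lists the names and sizes FDICopy is about to write without touching disk; a hit whose entries end in .exe or .dll is the kind of thing worth flagging before the sample is allowed to continue.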