
Functions within encrypted TCP stream


I am following an encrypted GET request stream of a downloaded file and found these functions in the body:

GetLocaleInfo SetCurrentDirectory FileTimeToLocalFileTime GetVolumePathName VirtualAllocEx DeleteFile GetStdHandle SetConsoleTitle GetProcessHeap CreateEvent DllUnregisterServer DllRegisterServer DllCanUnloadNow DllGetClassObject

I understand what each function does, i.e. DllRegisterServer will add a registry entry for the preceding DLL, but are these functions being executed on the system by the download, or am I missing something?

Any advice will be appreciated. Thanks

asked 19 Mar '15, 08:07


froggy101


One Answer:


these functions that are being executed on the system by the download or am I missing something?

Most certainly they are not executed by simply downloading the file. Based on your brief description, this could be almost anything, from a text file containing those strings up to a binary with debug symbols showing the strings.

So, (most certainly) no reason to worry.

If you want a more detailed analysis, please upload the capture file somewhere (Google Drive, Dropbox, cloudshark.org) and post the link here. However, as you've mentioned an encrypted connection, I guess the capture file won't help, unless you are able to post the key as well. If that's not possible, you can try to upload whatever you see with "Follow TCP Stream" (ASCII or screenshot), so we can have a look at that.

Regards
Kurt

answered 19 Mar '15, 14:16


Kurt Knochner ♦

edited 19 Mar '15, 14:17
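As an added illustration of the answer's point (this is not code from the question or the answer), the following script takes the raw bytes you would copy out of "Follow TCP Stream" and checks two things: whether the payload starts with a PE ("MZ" ... "PE\0\0") header and, if so, whether the COFF characteristics mark it as a DLL, and which of the API names from the question appear as plain strings in it. Names are only data inside the file; nothing here runs them. The sample payload is constructed inline and is not a real file.

```python
import re
import struct

# API / COM export names quoted in the question (not an exhaustive list).
API_NAMES = {
    "GetLocaleInfo", "SetCurrentDirectory", "FileTimeToLocalFileTime",
    "GetVolumePathName", "VirtualAllocEx", "DeleteFile", "GetStdHandle",
    "SetConsoleTitle", "GetProcessHeap", "CreateEvent", "DllUnregisterServer",
    "DllRegisterServer", "DllCanUnloadNow", "DllGetClassObject",
}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def pe_info(data: bytes):
    """Return (is_pe, is_dll) from the DOS stub, e_lfanew and the COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return True, bool(chars & IMAGE_FILE_DLL)


def find_api_names(data: bytes):
    """Sorted names from API_NAMES seen as ASCII identifiers (A/W suffix folded)."""
    found = set()
    for m in re.finditer(rb"[A-Za-z0-9_]{4,}", data):
        s = m.group().decode("ascii")
        if s in API_NAMES:
            found.add(s)
        elif s[-1] in "AW" and s[:-1] in API_NAMES:   # e.g. DeleteFileW -> DeleteFile
            found.add(s[:-1])
    return sorted(found)


def build_sample() -> bytes:
    """Constructed stand-in for a captured download body: minimal DLL-flagged PE
    header followed by NUL-terminated import/export names. Not a real binary."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS stub
    struct.pack_into("<I", hdr, 0x3C, 0x40)         # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
    names = ["GetProcessHeap", "VirtualAllocEx", "DeleteFileW", "DllRegisterServer"]
    return bytes(hdr) + b"PE\0\0" + coff + b"".join(n.encode() + b"\0" for n in names)


if __name__ == "__main__":
    body = build_sample()
    print("PE/DLL:", pe_info(body), "names:", find_api_names(body))
```

Run it against the bytes saved from "Follow TCP Stream" (after TLS decryption) to see whether the names sit inside a PE file or in plain text.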