Transcript Labs

Setup
Install cygwin with sharutils, binutils, zip/unzip, upx, p7zip, and nc
Install Sysinternals tools (Process Explorer, Process Monitor) (technet.microsoft.com)
Install PEView (wjradburn.com)
Install Resource Hacker (angusj.com)
Install Dependency Walker (dependencywalker.com)
Install IDA Pro 5.0 Freeware (hex-rays.com)
Install Wireshark (wireshark.org)
Install Apate DNS (mandiant.com)
Install OllyDbg 1.10 (ollydbg.de) and its Phant0m plug-in (woodmann.com)
Install WinHex (winhex.com)
Install PEiD (softpedia.com) <= CAUTION: it is a zip file, not an installer
Install Regshot (code.google.com/p/regshot/)
Install labs from textbook (practicalmalwareanalysis.com)
  – Encrypted zipfile (password: malware)
  – Will set off Windows Defender alarms
  – Make two copies, a working one and a read-only one
Lab assignments
Labs are to be completed immediately after lecture
• Create numbered screenshot images or numbered text files corresponding to each bullet in the lab (1.jpg, 2.txt, 3.jpg, etc.)
• Ensure your OdinID appears on each screenshot
• Create a tarball with all your images in it
  – Create directory OdinID-Lab# (mkdir wuchang-1.1)
  – Place all your images in it (mv [0-9]*.jpg wuchang-1.1)
  – Create tarball (tar czpf wuchang-1.1.tar.gz wuchang-1.1)
• Upload tarball to appropriate dropbox on D2L before next class
Chapter 1
Lab 1-1
1. Show the results of virustotal.com
2. In PEView, show the timestamps
3. Show the list of imported system library calls. From these calls, what might this executable be doing?
4. Show the list of imported calls from Lab01-01.dll. From these calls, what might this DLL be doing?
5. Show where the malware is attempting to create its malicious file
Lab 1-2
1. Show the results of virustotal.com
2. In PEView, show the sections that contain the packed executable code
3. Run UPX to unpack the code and load the unpacked executable in PEView
4. Show the functions imported from Wininet.dll. What might this executable be doing?
5. Show the URL the malware connects to in memory
Chapter 3
Lab 3-2
1. Find the functions this DLL exports (Figure 3-5L)
2. Find the imported functions that are used to modify the registry, create services, and make network connections. Which DLLs are they loaded from?
3. Use strings to reconstruct the URL being requested
Lab 3-4
1. Copy binary to Desktop and run it. What happens?
2. Examine the binary's strings using a tool of your choice to find the cmd.exe command used
3. Use Process Monitor (procmon) to monitor events from this binary to generate Figure 3-11L
Chapter 5
Lab 5-1 (Steps 1-17)
1. Use IDA Pro to bring up the code of DllMain
2. Bring up Figures 5-1L, the equivalent of 5-2L, and 5-3L
3. Find the remote shell routine in which memcmp is used to compare command strings received over the network
4. Show the code for the function called if the command robotwork is invoked
5. Show IDA Pro graphs of DllMain and sub_10004E79
6. Explain what the assembly code on p. 499 does
7. Find the socket call referred to in Table 5-1L and change its integer constants to symbolic ones
8. Show the assembly on p. 500. Find the routine that calls this assembly, which shows that it is an anti-VM check.
Chapter 6
Lab 6-1
1. Show the imported network functions in any tool
2. Show the output of executing the binary
3. Load binary in IDA Pro to generate Figure 6-1L
Lab 6-2
1. Generate Listing 6-1L and 6-2L using a tool of your choice. What calls hint at this code's function?
2. Using either Wireshark or netcat with Apate DNS, execute the malware to generate Listing 6-3L
3. In IDA Pro, show the functions called by main. What does each one do?
4. In IDA Pro, show the order that the WinINet calls are used and explain what each one does.
5. Generate Listing 6-5L and explain what each cmp does.
Chapter 7
Lab 7-2
1. Using strings, identify the network resource being used by the malware
2. What imports give away the mechanism this malware uses to launch the browser?
3. Go to the code snippet shown on p. 518. Follow the references to show the values of rclsid and riid in memory.
4. Debug the program and break at the call shown on p. 519. Run the call to show the browser being launched with the embedded URL
Chapter 9
Lab 9-2
1. In OllyDbg, perform the Follow in Dump step to display 1qaz2wsx and ocl.exe
2. Generate Listing 9-6L in IDA Pro. In OllyDbg, set a breakpoint at the strcmp and identify the strings being compared
3. In IDA Pro, show where the network calls are located
4. Change the name of the file to enable the malware to execute
5. Step through and show the DNS name as it is being decoded
6. Within Wireshark, show the connect and its result
Chapter 11
Lab 11-1
1. Use strings to identify potential target of malware
2. Generate Figure 11-1L (show TGAD section)
3. Show Resource Hacker extracting TGAD
4. In IDA Pro, show the routine that performs the extraction
5. Generate Listing 11-2L in the extracted DLL
6. Show Listing 11-3L and explain why a jmp is used
7. Show Listing 11-4L and explain why a call is used
8. Show Listing 11-5L and explain the purpose of msutil32.sys
Chapter 12
Lab 12-1
1. Show the imports and strings
2. Rename the three imports (see Listing 12-1L)
3. Generate Listing 12-2L and explain what its function is
4. Explain how Listing 12-4L uses what is performed in Listing 12-3L
5. Use Process Explorer to show injection for Figure 12-1L
6. Generate Listing 12-5L and explain the parameters
Lab 12-3
1. Show the imports that indicate the program's function
2. Generate Listing 12-14L and explain what "fn" is
3. Navigate fn to generate Listing 12-15L
4. Follow the function called after a "KEYDOWN" event. What does the code in Listing 12-16L do?
Chapter 13
Lab 13-1
1. Show strings output
2. Show web request listed in Listing 13-1L in Wireshark (turn off promiscuous mode)
3. In IDA Pro, search for all xor, then bring up Figure 13-1L, rename xorEncode
4. Bring up xrefs to xorEncode to get to Listing 13-2L
5. Bring up binary in PEView to find resource section with type and name listed in Listing 13-2L
6. Install WinHex (winhex.com), open binary, and perform Figure 13-2L
7. Install PEiD (softpedia.com) with caution (should be a Zip file), open binary, and run KANAL at bottom right arrow to obtain Listing 13-3L
8. Bring up Figure 13-3L in IDA Pro
9. From xref to top-level function, bring up and rename base64index function
10. From xref to base64index, bring up Listing 13-4L
11. What does the string in the URL being requested represent?
Chapter 14
Lab 14-1
1. Run malware and capture the HTTP request it produces shown in Listing 14-1L. Is it different?
2. Find the networking API call this malware uses for its request in IDA Pro
3. Find where the URL string template is stored
4. Generate Figure 14-1L
5. Generate Figure 14-2L by redefining data location where string is stored
6. Locate where the two parts of the URL string are generated (in the %s-%s sprintf)
7. Map out how the character "6" is generated in the encoded URL
8. How could malware break the first Snort rule shown?
Chapter 15
Lab 15-1
1. In IDA Pro, what anti-disassembly technique is used and how many times is it used? Undo the anti-disassembly in IDA Pro
2. What order is the input checked?
Lab 15-2
1. Explain the false conditional at 0x0040115A. Patch it. (cfg/idagui.cfg, ENABLE_PATCH_SUBMENU NO)
2. Explain the false conditional at 0x004011D0. Patch it.
3. Explain the technique being used at 0x00401215. Patch it.
4. Explain the technique being used at 0x00401269. Patch it.
5. Explain the technique being used at 0x004012E6. Which two methods does it combine? Patch it to reveal Listing 15-7L.
6. Step through analysis of the malicious code
   a) What do sub_40130F and sub_401386 do?
   b) Show how the first downloaded file is used to generate the second downloaded file
   c) Show how the second downloaded file is used
Chapter 16
Lab 16-1
1. Load the binary in IDA Pro. Bring up Figure 16-1L and explain what the three jz checks are doing
2. Bring up sub_401000 and Listing 16-1L. What does this code do?
3. Load the binary in OllyDbg. Set a breakpoint at 0x00403554. What is the value of eax? Step over several instructions. What happens?
4. Bring up Figure 16-2L or Figure 16-3L (via the Command Line plug-in or Phant0m plug-in) to reset the flag
5. Re-run the first OllyDbg step. What happens?
6. Explain the second anti-debugging check at 0x00403573 and how to bypass it
7. Explain the third anti-debugging check at 0x00403594 and how to bypass it
8. Set the argument to "-in" and single-step to reach 0x004035D5.
Chapter 17
Lab 17-1
1. In IDA Pro, show and explain the three anti-VM checks being performed
2. Run the code. Break before the first anti-VM check. Does this check succeed? If so, NOP or skip the check and run again.
3. Break before the second anti-VM check. Does this check succeed? If so, NOP or skip the check and run again.
4. Break before the third anti-VM check by setting a breakpoint at 0x004012CB and stepping into sub_401100. Does this check succeed? If so, NOP or skip the check and run again.
5. Reach the beginning of malware code at 0x004012DF and generate Listing 17-5L
Chapter 18
Lab 18-1
1. Load executable in IDA Pro to identify packed code
2. Run PEiD on binary and find section UPX2. Perform a "deep scan". What does PEiD return?
3. In OllyDbg, locate the jump to the unpacking stub by finding the register save instruction
4. Set a breakpoint at this location and execute unpacking code. Single-step to the OEP.
5. Use OllyDump to dump the program into a new executable and load the new executable in IDA Pro
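A static check for the packed sections that Lab 1-2 (step 2) and Lab 18-1 (step 1) ask you to spot by eye in PEView and PEiD, as an added Python example that is not part of the course materials or the textbook. It walks the PE section table by hand and flags UPX-named sections, executable sections that are empty on disk (the UPX0 unpacking destination) and executable sections whose bytes look random by Shannon entropy; the sample image is constructed inline rather than being one of the lab binaries, and the 7.0 bits-per-byte threshold is an assumed heuristic.

```python
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, ~6 for plain x86 code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def pe_sections(image: bytes):
    """Yield (name, virtual_size, raw_size, raw_ptr, characteristics) per section header."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsect = struct.unpack_from("<H", image, coff + 2)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]     # SizeOfOptionalHeader
    for i in range(nsect):
        off = coff + 20 + opt_size + 40 * i                      # 40-byte section headers
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        yield name, vsize, rsize, rptr, chars

def packed_sections(image: bytes, threshold: float = 7.0) -> list:
    """UPX-named, empty-on-disk executable (UPX0 unpack target) or dense executable sections."""
    hits = []
    for name, vsize, rsize, rptr, chars in pe_sections(image):
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        hollow = executable and vsize > 0 and rsize == 0
        dense = executable and shannon_entropy(image[rptr:rptr + rsize]) >= threshold
        if name.upper().startswith("UPX") or hollow or dense:
            hits.append(name)
    return hits

def build_sample_pe() -> bytes:
    """Constructed toy image (not a lab binary): NOP-filled .text plus a UPX1 of uniform bytes."""
    text, packed = b"\x90" * 1024, bytes(range(256)) * 4
    def hdr(name, vaddr, rsize, rptr, chars): return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, vaddr, rsize, rptr, 0, 0, 0, 0, chars)
    img = bytearray(512 + len(text) + len(packed))               # zero-filled: optional header stays zero
    img[0:2], img[0x3C:0x40] = b"MZ", struct.pack("<I", 64)      # e_lfanew -> PE header at offset 64
    img[64:68], img[68:88] = b"PE\0\0", struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    img[312:392] = hdr(b".text", 0x1000, 1024, 512, 0x60000020) + hdr(b"UPX1", 0x2000, 1024, 1536, 0xE0000040)
    img[512:1536], img[1536:] = text, packed
    return bytes(img)
```

Run `packed_sections(open(path, "rb").read())` on a real sample to get the section names to look at next in PEView; an empty result does not prove the file is unpacked, only that neither UPX naming nor high entropy is present.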
Chapter 19
Lab 19-2
1. In IDA, find the code that opens the registry to find the default web browser
2. Find the code that attempts to create a new web browser process
3. Find the place in the code where the browser process is opened and the malicious payload is injected into it and run
4. In OllyDbg, set a breakpoint in main and single step (F8). What happens?
5. View the buffer containing the shellcode to be injected into the browser (address was found in IDA Pro)
6. In OllyDbg code pane, right click to "Go to" address, set origin to above address and run
7. Generate Listing 19-4L
8. Use the remaining time to attempt to complete the shellcode analysis. Where does your analysis get blocked?
Lab 19-3
1. Run strings on the PDF file to generate Listing 19-11L
2. Implement the Python script in Listing 19-12L and generate the shellcode. Does it differ from the included code?
3. Load shellcode_launcher.exe into IDA Pro or Olly, set arguments to match the command line shown below Listing 19-12L. Find where the shellcode has been loaded and will be launched
4. Set a breakpoint just before the launch of the shellcode and single-step *into* the call
5. Where has the code been loaded? Generate Listing 19-13L with these run-time addresses
6. Single-step through to find the loop that populates the kernel32 API calls
Chapter 20
Lab 20-1
1. In IDA Pro, what does the first subroutine called in WinMain do?
2. What does the instruction at 0x0401019 do?
3. What does the instruction at 0x040101C do?
4. Follow the second subroutine call. What does it do?
5. What does the instruction at 0x0401055 do?