Lab 5 - IDA Pro Solutions for Lab 5 within Practical Malware Analysis.

IDA Pro, an Interactive Disassembler, is a disassembler for computer programs that generates assembly language source code from an executable or a program. IDA Pro enables the disassembly of an entire program and performs tasks such as function discovery, stack analysis and local variable identification, in order to understand (or change) its functionality. This lab utilises IDA to explore a malicious .dll and demonstrates various techniques for navigation and analysis. Labs skip from 3 to 5, as there is no Lab 4-x in the book; that chapter covers x86 disassembly, covered here (coming soon). This lab analyses the malware found in the file Lab05-01.dll, and is a longer lab designed to demonstrate features of IDA Pro and give hands-on experience.

2. Use the Imports window to browse to gethostbyname.
3. How many functions call gethostbyname?
4. Focusing on the call to gethostbyname located at 0x10001757, can you figure out which DNS request will be made?
5. How many local variables has IDA Pro recognized for the subroutine at 0x10001656?
6. How many parameters has IDA Pro recognized for the subroutine at 0x10001656?
7. Use the Strings window to locate the string \cmd.exe /c in the disassembly.
8. What is happening in the area of code that references \cmd.exe /c?
9. In the same area, at 0x100101C8, it looks like dword_1008E5C4 is a global variable that helps decide which path to take. How does the malware set dword_1008E5C4? (Hint: Use dword_1008E5C4's cross-references.)
10. A few hundred lines into the subroutine at 0x1000FF58, a series of comparisons use memcmp to compare strings. What happens if the string comparison to robotwork is successful (when memcmp returns 0)?
12. Use the graph mode to graph the cross-references from sub_10004E79. Which API functions could be called by entering this function? Based on the API functions alone, what could you rename this function?
13. How many Windows API functions does DllMain call directly? How many at a depth of 2?
14. At 0x10001358, there is a call to Sleep (an API function that takes one parameter containing the number of milliseconds to sleep). Looking backward through the code, how long will the program sleep if this code executes?
16. Using the MSDN page for socket and the named symbolic constants functionality in IDA Pro, can you make the parameters more meaningful? What are the parameters after you apply changes?
17. Search for usage of the in instruction (opcode 0xED). This instruction is used with a magic string VMXh to perform VMware detection. Is that in use in this malware? Using the cross-references to the function that executes the in instruction, is there further evidence of VMware detection?
19. If you have the IDA Python plug-in installed (included with the commercial version of IDA Pro), run Lab05-01.py, an IDA Pro Python script provided with the malware for this book. (Make sure the cursor is at 0x1001D988.) What happens after you run the script?
20. With the cursor in the same location, how do you turn this data into a single ASCII string?

The biguint-format module is a function (fn(number, format)) which performs number conversion to the required string format.

The number argument represents an arbitrary length unsigned integer number to be converted to string. It can be provided in one of the following formats:
An array of bytes (values from 0x00 to 0xFF), e.g.
A string with a number in a hexadecimal format, e.g.

The format argument represents the output string format and it can be one of the following options:
dec - conversion to decimal format, e.g.
bin - conversion to binary format, e.g.
hex - conversion to hexadecimal format, e.g.
If the format argument is missing, dec format is used as the default option. Note that you will have to specify format if you would like to use the options argument.

The options argument (optional) is an object which provides some additional conversion details:
format - specifies the format of the input number. It can be either BE for Big Endian or LE for Little Endian. Note that this option is not supported by dec conversion.
groupsize - splits the output string into groups of groupsize characters.
delimiter - specifies the delimiter string to be inserted between character groups. It is a quite handy option when dealing with large numbers.
trim - (works only with bin formatting) specifies whether the leading 0's should be trimmed.
padstr - string used for right-padding of the formatted string if its length (including prefix and grouping) is less than the value of the size parameter.
size - determines the formatted string size. That option has effect only together with the padstr option. Note that the formatted string is not trimmed if its length is longer than the value of the size parameter.