CMSC449_A-4
School: University of Maryland, Baltimore County

Course: 449
Subject: Computer Science
Date: Jan 9, 2024
Type: docx
Pages: 6
Uploaded by: ChefOryxMaster925

CMSC 449 Malware Analysis HW 4

Name: Ricky Kapoor
Assigned: 10/17/2023
Due: 10/26/2023 by 11:59pm

Download hw4.7z onto your malware analysis VM and extract it with the password "infected".
hw4.7z link: https://drive.google.com/file/d/1y9aiOP4cc-noET65uO35mZOIeiIIqmzr/view?usp=drive_link

Hint: Chapters 4, 5, and 6 of your Practical Malware Analysis textbook are very useful references!

Part 1: hw4_1 – Ghidra (20 pts)

Part 1 of this homework will familiarize you with navigating Ghidra. Create a new Ghidra project and then import and open hw4_1.

1) Use the Defined Strings window in Ghidra to find the string "Usage: %s [port] [threads]". What address is this string defined at? How many cross-references (XREFS) to this string are there in the malware's code? (6 pts)

Address: 00104107
Number of XREFs: 1

2) Navigate to the address 0x0077EB20 in Ghidra's listing view. Provide a screenshot of the listing view below. (4 pts)

3) Navigate to Ghidra's Data Type Manager window. Search for the AU-Sound data type and right-click it. How many uses of the AU-Sound data type appear in the malware? (4 pts)

4.

4) Investigate the uses of the AU-Sound data from question 3. One of the uses is as an operand to the AU instruction. What address is this AU instruction located at? What is the purpose of this instruction? (6 pts)

Address of AU instruction: 00106040
Purpose: It says it is an "AU representation", and it is cross-referenced "[2,1]" times. Its name is an "AU-sound" data type, so I am going to guess that this instruction is creating the necessary implementation for listening to the computer's microphone.

Part 2: hw4_2.exe – Ghidra or IDA Pro (35 pts)

For the remainder of this assignment, you will investigate hw4_2.exe, which is identical to the malware from HW 2 part 2 (hw2_2.exe). You may use Ghidra and/or IDA Pro during your analysis. The instructions will use the naming conventions from Ghidra (such as FUN instead of SUB for naming of functions).

1) Provide a detailed analysis of what FUN_401428 does. Be specific about how this function interacts with the resources of hw4.exe. (14 pts)

It uses FindResourceA to locate a resource in the specified module (param_1). The resource is identified by the arguments s_#1001_0040309f and s_BINTYPE_004030ab. It checks if the resource was found (local_210 != (HRSRC)0x0) and gets the size of the resource (local_218 = SizeofResource(param_1,local_210)). If the resource was found and its size is non-zero, it loads the resource (pvVar1 = LoadResource(param_1,local_210)), and checks if the resource was loaded successfully (pvVar1 != (HGLOBAL)0x0). If the resource was loaded successfully, it locks the resource (pvVar2 = LockResource(pvVar1)) and checks if the locking operation was successful (pvVar2 != (LPVOID)0x0). It then proceeds to perform file operations, like creating a file using CreateFileA, writing to the file using WriteFile, and closing the file handle with CloseHandle. The function then repeats a similar process with a different resource (s_#1002_004030a5 and s_kjpost.dll_00403074).

5) Provide a detailed analysis of what FUN_4011FA does. How long is the timer set? What is the instruction at 0x401250 doing? (14 pts)

Overall, this code appears to be part of a larger program that loads a DLL, retrieves function addresses from it, calls those functions, and sets a timer on a specified window handle. The exact behavior and purpose of this code would depend on the context in which it is used, and on the definitions of the global variables and strings (s_kjlib.dll_0040306a, s_StartHooking_0040307f, s_UnHook_0040308c, etc.). The instruction at 0x0401250 is calling a function indirectly through a function pointer stored at [EBP - 8]. The exact behavior and purpose of this code would depend on the specific values stored in memory at runtime.

6) Choose a descriptive new name for the first local variable of FUN_4011FA (called var_4 in IDA and pFVar1 in Ghidra). Justify why you chose this name. (7 pts)

A good name for the local variable pFVar1 could be something descriptive of its purpose. Given that it's used to store a function pointer
obtained from GetProcAddress, you could name it something like pfnStartHooking. This name reflects that it's a pointer to a function (pfn) related to starting hooking operations.

Part 3: kjlib.dll and kjpost.dll (45 pts)

Next, you will configure the network settings of your analysis VM so that it is safe to run hw4_2.exe. You should completely disconnect the VM from the network by changing its network adapter to "Not Attached" in the VirtualBox network settings. Once you have done this, run hw4_2.exe with administrator privileges. Then, answer the following questions about kjlib.dll and kjpost.dll, which the malware creates.

1) What is the address of kjlib.dll's StartHooking export? (4 pts)

10001045

2) Choose a new name for the second argument of SetWindowsHookExA when it is called inside of StartHooking. Why did you choose this name? Justify your answer. (6 pts)

I would suggest naming the second argument of `SetWindowsHookExA` as `pfnHookProc`. The name `pfnHookProc` is descriptive and indicates that this argument is expected to be a pointer to a hook procedure. It aligns with common naming conventions used in Windows API programming: in the Windows API, function pointers are often prefixed with "pfn" to indicate that they are pointers to functions. It makes the code more readable and self-explanatory. Anyone reading the code will immediately understand that this argument expects a hook procedure. If someone else, or even you yourself, needs to work with this code in the future, using a descriptive name like `pfnHookProc` will make it easier to understand and modify. Using a generic and descriptive name like `pfnHookProc` makes it clear what type of function is expected as an argument. It helps avoid confusion or ambiguity in the code. So, I recommend naming the second argument of `SetWindowsHookExA` as `pfnHookProc`.

3) Provide a detailed analysis of what FUN_100014CC in kjlib.dll does. (15 pts)

1. `void FUN_100014cc(void)`: This is a function named `FUN_100014cc` that returns nothing (`void`) and takes no arguments.
2. `int iVar1;`: This declares an integer variable named `iVar1`.
3. `_SYSTEMTIME local_224;`: This declares a structure of type `_SYSTEMTIME` named `local_224`. It's used to store the current system time.
4. `CHAR local_210[260];`: This declares an array of characters (`CHAR`) named `local_210` with a size of 260 bytes. This will be used to store a temporary path.
5. `CHAR local_10c[260];`: Similarly, this declares another array of characters named `local_10c` with a size of 260 bytes.
6. `DWORD local_8;`: This declares an unsigned double word (`DWORD`) variable named `local_8`.
7. `GetLocalTime((LPSYSTEMTIME)&local_224);`: This function call retrieves the current local system time and stores it in the structure `local_224`.
8. `GetTempPathA(0x104, local_210);`: This function call retrieves the path of the temporary directory on the system and stores it in the array `local_210`. The `0x104` parameter specifies the maximum length of the path.
9. `wsprintfA(local_10c, ...);`: This function combines formatted strings and stores the result in `local_10c`. It constructs a filename using the temporary path (`local_210`) and the current date (`local_224.wMonth`, `local_224.wDay`, `local_224.wYear`).
10. `iVar1 = lstrcmpA(&DAT_10002008, local_10c);`: This compares the string stored at the memory address `&DAT_10002008` with the string in `local_10c`. The result is stored in `iVar1`.
11. `if (iVar1 != 0) { ... }`: This checks if the strings are not equal. If they are not equal, it means that the filename constructed (`local_10c`) is different from the one stored at `&DAT_10002008`.
12. `lstrcpyA(&DAT_10002008, local_10c);`: If the strings are not equal, this copies the content of `local_10c` to the memory location `&DAT_10002008`.
13. `if (DAT_1000400c != (HANDLE)0x0) { ... }`: This checks if `DAT_1000400c` (which seems to be a file handle) is not null. If it's not null, it means a file handle is already open, so it closes it with `CloseHandle`.
14. `DAT_1000400c = CreateFileA(local_10c, ...);`: This creates a new file or opens an existing file. It uses the filename from `local_10c` and sets some file attributes.
15. `if (DAT_1000400c == (HANDLE)0xffffffff) { ... }`: This checks if `CreateFileA` returned an invalid handle (0xffffffff), which indicates an error. If an error occurred, it retrieves the error code with `GetLastError` and constructs an error message in `local_10c`.
16. The function then returns.

In summary, `FUN_100014cc` is a function that generates a filename based on the current date, checks if it's different from a previously stored filename, and if so, updates the stored filename and opens a new file with that name. If there's an error during file creation, it constructs an error message.

4) After CreateFileA is called inside of FUN_100014CC, its return value is moved into a global variable. How many XREFs are there to this global variable? (4 pts)

9.

5) Investigate the XREFs of the global variable from question 4. Choose a new name for this variable based on your analysis and justify why you chose this name. (6 pts)

Given that this variable is used to store a file handle, a more descriptive name could be `hFile`. Here's why I suggest this name: `hFile` is a commonly used naming convention in Windows programming to indicate a handle to a file. It's clear and directly conveys the purpose of the variable. It makes the code more readable and self-explanatory. Anyone reading the code will immediately understand that this variable is used to hold a file handle. It aligns with common naming conventions used in Windows API programming: in the Windows API, handles to objects like files are often named with a prefix "h" followed by the type of the handle. If someone else, or even you yourself, needs to work with this code in the future, using a descriptive name like `hFile` will make it easier to understand and modify. Given these considerations, I recommend renaming the global variable `DAT_1000400c` to `hFile`.

Open kjpost.dll in IDA Pro or Ghidra and answer the following question:

6) Provide a detailed analysis of what FUN_1000110B in kjpost.dll does. (15 pts)

In summary, FUN_1000110b seems to perform operations related to finding and processing files in a temporary directory, using Windows Sockets API functions, and interacting with profile settings. The specifics of its purpose would depend on the context and the definitions of the global variables and strings (s__kjtmpxxxp_1000402e, FUN_100012f6, etc.).

Extra Credit (Up to 5 points)

In kjpost.dll, the function FUN_100012F6 is called near the end of FUN_1000110B. Provide a detailed analysis of FUN_100012F6.

In summary, FUN_100012f6 is responsible for constructing and sending an HTTP POST request to a remote server. It dynamically generates headers and possibly includes file content. The specifics of what this function does would depend on the context and the definitions of the global variables and strings (s_badguy.com_10004556, FUN_100016da, FUN_10001895, etc.) which are not provided in this snippet.
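A static check that complements the Part 2, question 1 analysis: before detonating the dropper to obtain kjlib.dll and kjpost.dll, an analyst can confirm that the resources FUN_401428 writes out actually contain embedded executables. This is an added example, not part of the submission or the course materials; it scans a constructed byte buffer (not the real hw4 sample) for MZ/PE headers using only the Python standard library, and the header validation is deliberately conservative to avoid false hits on stray "MZ" bytes.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics bit set on DLL images


def _fake_pe(machine: int, dll: bool) -> bytes:
    """Build a minimal, non-functional PE header (constructed test data only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xE0, characteristics)
    optional = struct.pack("<H", 0x10B) + b"\x00" * 0xDE  # PE32 magic + padding
    return dos + b"PE\x00\x00" + coff + optional


# Constructed stand-in for a dropper's resource data: two embedded images
# (one DLL, one EXE) with padding and a decoy "MZ" that is not a real header.
SAMPLE = (b"\x00" * 64 + _fake_pe(0x14C, True)
          + b"MZ garbage" + b"\xff" * 32 + _fake_pe(0x14C, False))


def find_embedded_pe(data: bytes):
    """Return (offset, machine, is_dll) for every plausible PE header in data."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            # e_lfanew must point past the DOS header, stay inside the buffer,
            # and land on a "PE\0\0" signature followed by a COFF header.
            if (0x40 <= e_lfanew < 0x1000 and pe + 26 <= len(data)
                    and data[pe:pe + 4] == b"PE\x00\x00"):
                machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
                (magic,) = struct.unpack_from("<H", data, pe + 24)
                if magic in (0x10B, 0x20B):  # PE32 or PE32+
                    hits.append((pos, machine, bool(chars & IMAGE_FILE_DLL)))
        pos = data.find(b"MZ", pos + 1)
    return hits


def carve(data: bytes):
    """Rough cut of each embedded image: from its MZ to the next hit or EOF."""
    offsets = [h[0] for h in find_embedded_pe(data)]
    bounds = zip(offsets, offsets[1:] + [len(data)])
    return {start: data[start:end] for start, end in bounds}
```

The carved sizes are upper bounds; the exact image length comes from the section table, which this scanner does not parse.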