CMSC449_A-6
School: University of Maryland, Baltimore County
Course: 449
Subject: Computer Science
Date: Jan 9, 2024
Type: docx
Pages: 8
Uploaded by ChefOryxMaster925

CMSC 491/691 Malware Analysis HW 6
Name: Ricky Kapoor
Assigned: 11/15/2023
Due: 11/29/2022 by 5:30pm

Download the OllyDumpEx plugin and ImportREC.7z onto your VM. Place OllyDumpEx_Imm18.dll inside the C:\Program Files (x86)\Immunity Inc\Immunity Debugger\ folder. Unzip ImportREC.7z. The password is “imprec”.
OllyDumpEx_Imm18.dll: https://drive.google.com/file/d/1xCtIC-9qbWZlqg2ct04-xAqeNPuNCMGK/view?usp=share_link
ImportRec.7z: https://drive.google.com/file/d/13rZDfCnv9m9pdrfxDIlVJXvWDmt3NQ1h/view?usp=share_link

Download hw6.7z onto your Flare VM and extract it. The password is “infected”. Set your VM’s network adapter to “not attached”. Take a snapshot of your VM once it is set up, because you will likely need to revert multiple times. You are not required to run Immunity Debugger as administrator.
HW 6.7z: https://drive.google.com/file/d/1MOaC0pgfI05o0iG2igpCJf3n4qZcBK6m/view?usp=share_link

Hint: Chapter 18 of PMA is a great reference for this homework!

Part 1: Unpacking hw6_1.exe (33 pts)

Answer the following questions about hw6_1.exe.

1) What is the relative virtual address (RVA) of the entrypoint? (3 pts)
1d001

2) What section contains the unpacking stub? Justify your answer. (4 pts)
The section “.aspack” or “Section 8” has the unpacking stub. When navigating to the entry point in IDA, this section contains the command “start”.

3) What section contains the packed data? Justify your answer. (4 pts)
The section “CODE” or “Section 1” has the packed data. Its entropy is very high and it contains the largest amount of data.

4) Using one of the methods described in class, find the original entry point (OEP) of hw6_1.exe. What is the address of the OEP? In a few sentences, describe which method you used and how you found the OEP. (8 pts)
Address of OEP: 413C14
Description: I used the second method (“Read Breakpoints on the Stack”). First, I found where the executable was pushed onto the stack, then took the bytes in the ESP’s address register when it was run, and set a hardware access breakpoint. Then, I stepped through the remaining instructions until the executable was loaded into the EIP register and “returned” that address.

5) Provide a screenshot of Immunity Debugger showing execution paused at the OEP. Make sure that your screenshot shows the entire window of your virtual machine. (8 pts)

6) Use OllyDumpEx to dump the unpacked hw6_1.exe and then fix its IAT using ImpRec. Provide a screenshot of ImpRec once you have fixed the IAT. Make sure that your screenshot shows the entire window of your virtual machine, and that the ImpRec log shows how many modules and import functions were detected. (6 pts)
Steps used:
Plugins > OllyDumpEx > Dump process > OEP > Dump > Open in IDA
ImpRec > Run as Administrator > Hw6_1.exe > Adjust OEP > AutoSearch > GetImports > FixDump > Choose OllyDumpEx file > Screenshot # of modules and imported functions > Open in IDA

Part 2: Unpacking hw6_2.exe (33 pts)
Answer the following questions about hw6_2.exe.

7) What is the RVA of the entrypoint? (3 pts)
18000

8) What section contains the unpacking stub? Justify your answer. (4 pts)
The section “sunray” or “Section 4” contains the unpacking stub. It can be determined by finding the “start” command in the disassembly view in IDA. In this case, it was at the same address as the entry point.

9) What section contains the packed data? Justify your answer. (4 pts)
The section “UPX1” or “Section 1” contains the packed data. It can be determined because this section has the largest amount of data and a high entropy.

10) Using one of the methods described in class, find the original entry point (OEP) of hw6_2.exe. What is the address of the OEP? In a few sentences, describe which method you used and how you found the OEP. (8 pts)
Address of OEP: 41801A
Description: This OEP can be found using method 1’s description of “Control Flow Graphs”. It is found in IDA by looking at the end of the unpacking stub section, in this case, “sunray”, and finding the call to the register where the tail jump occurs.

11) Provide a screenshot of Immunity Debugger showing execution paused at the OEP. Make sure that your screenshot shows the entire window of your virtual machine. (8 pts)

12) Use OllyDumpEx to dump the unpacked hw6_2.exe and then fix its IAT using ImpRec. Provide a screenshot of ImpRec once you have fixed the IAT. Make sure that your screenshot shows the entire window of your virtual machine, and that the ImpRec log shows how many modules and import functions were detected. (6 pts)
Part 3: Unpacking hw6_3.exe (34 pts)

Answer the following questions about hw6_3.exe.

13) What is the RVA of the entrypoint? (3 pts)
1018

14) What section contains the unpacking stub? Justify your answer. (4 pts)
Section “PS” or “Section 0” contains the unpacking stub. It contains the “start” command.

15) What section contains the packed data? Justify your answer. (4 pts)
“Section 1” contains the packed data. It can be found by locating the largest data section that has a high entropy.

16) Using one of the methods described in class, find the original entry point (OEP) of hw6_3.exe. What is the address of the OEP? In a few sentences, describe which method you used and how you found the OEP. (8 pts)
LoadLibrary 395D87
KERNEL32.DLL USER32.DLL ADVAPI32.DLL OLEAUT32.DLL KERNEL32.DLL ADVAPI32.DLL KERNEL32.DLL GDI32.DLL USER32.DLL SHELL32.DLL COMCTL32.DLL USER32.DLL ADVAPI32.DLL NETAPI32.DLL USER32.DLL WINMM.DLL
GetProcAddress
I couldn’t find any. I was confused because the malware was importing LoadLibrary functions after one was loaded from a different address than the original. It never ended for me.
Address of OEP:
Description:

17) Provide a screenshot of Immunity Debugger showing execution paused at the OEP. Make sure that your screenshot shows the entire window of your virtual machine. (8 pts)

18) Use OllyDumpEx to dump the unpacked hw6_3.exe and then fix its IAT using ImpRec. Provide a screenshot of ImpRec once you have fixed the IAT. Make sure that your screenshot shows the entire window of your virtual machine, and that the ImpRec log shows how many modules and import functions were detected. (7 pts)
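As an added example (not part of this homework, the course, or the hw6 binaries), the following pure-stdlib Python script automates the static triage behind questions 1-3, 7-9 and 13-15 of all three parts: it reads AddressOfEntryPoint from the optional header, maps that RVA to its section (the unpacking stub), and ranks the other sections by entropy and size to pick the packed-data candidate. The two-section PE it analyses is constructed inline, and the 7 bits/byte entropy threshold is an assumed heuristic.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, plain x86 code sits near 5-6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe: bytes):
    """Walk DOS header -> COFF header -> optional header -> section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]       # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append({"index": i, "name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": max(vsize, rawsize), "rawsize": rawsize,
                         "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return entry_rva, sections

def classify(pe: bytes) -> dict:
    """Entry-point section = unpacking stub; among the rest, the largest section with
    entropy above 7 bits/byte (assumed threshold) is the packed-data candidate."""
    entry_rva, secs = parse_sections(pe)
    stub = next(s for s in secs if s["va"] <= entry_rva < s["va"] + s["vsize"])
    packed = max((s for s in secs if s is not stub), key=lambda s: (s["entropy"] > 7.0, s["rawsize"]))
    return {"entry_rva": entry_rva, "stub": stub["name"], "packed": packed["name"], "sections": secs}

def build_sample_pe() -> bytes:
    """Constructed two-section PE32 (not a hw6 binary): 'UPX1' holds pseudo-random bytes
    standing in for packed data, 'stub' holds a repetitive stub and the entry point."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))   # 2048 bytes
    stub = b"\x60\x90" * 256                                                      # 512 bytes
    opt_size, raw1 = 0xE0, 0x400
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x2010).ljust(opt_size, b"\0")  # entry RVA 0x2010
    fmt = "<8sIIIIIIHHI"
    sec1 = struct.pack(fmt, b"UPX1", len(packed), 0x1000, len(packed), raw1, 0, 0, 0, 0, 0xE0000040)
    sec2 = struct.pack(fmt, b"stub", len(stub), 0x2000, len(stub), raw1 + len(packed), 0, 0, 0, 0, 0xE0000020)
    return (dos + coff + opt + sec1 + sec2).ljust(raw1, b"\0") + packed + stub

if __name__ == "__main__":
    for s in classify(build_sample_pe())["sections"]:
        print(f'{s["name"]:8} va={s["va"]:#06x} raw={s["rawsize"]:5} entropy={s["entropy"]:.2f}')
```

On a real sample the same section-name, size and entropy pattern is what the "largest high-entropy section" justification in the answers above relies on; the script only narrows candidates, and the OEP itself still has to be confirmed dynamically.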