User Account

All Pages

Dynamic analysis using immunity debugger

Assignment Help Assembly Language
Reference no: EM132577487 , Length: 4 pages

Part 1 - Dynamic Analysis Using Immunity Debugger

Perform an in-depth analysis on the sample Lab4.exe using Immunity Debugger. Your analysis should start with documenting the basic static file information (filename, size, MD5, SHA1, file type, and compile time). It is important to always document this information up front for forensic soundness. You must use the debugger to modify execution of the software. The software will not run unless certain conditions are met. You must modify the software at runtime to force it to execute until completion. You know the software has completed successfully when you get a success message.Screenshots accompanied by explanations must be included as evidence of your analysis. You must explain which values you changed, why you changed them, and how you changed them.

The software checks for three things before it will display the success message. Why do you suppose some malware would check for those specific things before installation? Include a concise summary of the sample. You may insert your analysis below, or you may create a separate document.

Part 2 - Kernel Debugging and Rootkits

1) Suppose you are analyzing a sample that is a suspected rootkit or a driver. You initially suspect a rootkit because you observe the following code.

What about this code is indicative that you may be dealing with a rootkit?

2) In the same sample, you see the malware is writing to the Mlwx486.sys file via a call to the WriteFile function. You then see the malware establish a connection to the service control manager by calling the OpenSCManager function. Following, you observe this code:

Explain what is happening in this code.

3) Suppose you executed the malware to verify if the service you suspected was installed and running. You did this through the "sc" utility and observed the following ouput:

As shown, the service is running. Being the motivated analyst you are, you attach a WinDbgkernel debugger to the VM to check if the driver was successfully loaded. The output, shown below, indicates that a driver was loaded because it has the same name as the .sys file that was created.

What is the address range of the loaded module of interest?

4) After analyzing the dropped Mlwx486.sys file in IDA, you observe the DriverEntry routine access theKeServiceDescriptorTable structure. Therefore, you suspect there may by some SSDT hooking. What is SSDT hooking?

5) You want to test your SSDT hooking theory by running the dd command on the SSDT. Here is your output:

Do you observe any evidence of SSDT hooking by the malware?

6) Which function can a rootkit call to register a handler for a particular interupt code in order to specify an ISR? What is the Interrupt Descriptor Table (IDT)?

7) Briefly describe the following rootkit defensive measures: Kernel Patch Protection (KPP, commonly referred to as PatchGuard), and driver signing enforcement.

Attachment:- Dynamic Analysis Using Immunity Debugger.rar

Reference no: EM132577487

Questions Cloud

Define external barriers to health care organization mission : Use the Internet and the Strayer Library to research a health care organization in your community. What are some internal and external barriers to the health.
What exactly does convenience mean and explain : Is it easier to shop online than to drive to the store a half a mile away? Share your thoughts. What exactly does convenience mean? Explain.
Topic - Drop Shipping Amazon Business : Business Plan Assignment - Topic - Drop Shipping Amazon Business. Want you to write a business plan about drop shipping
How has leader incorporated diversity into the new culture : Write a paper in which you assess what a CEO has done to change the culture and direction of a corporation by the application of leadership and strategic.
Dynamic analysis using immunity debugger : What about this code is indicative that you may be dealing with a rootkit - Briefly describe the following rootkit defensive measures: Kernel Patch Protection
Discuss challenges IT divisions face in achieving regulatory : Assess all key business processes and IT compliance factors and link to all business processes (financial and non-IT) to develop an aggregate vision
How can decision be made about what information is accurate : If a supervisor reviews the job analysis information provided by an employee and says the job duties and responsibilities have been inflated, but the employee.
Risk and control self-assessment : Conducting a Risk and Control Self-Assessment(RCSA) will identify 4 key challenges and risks that face an organization
Excel formula or financial calculator inputs : Write down your answer and Show the Excel formula or financial calculator inputs you used to estimate your annual withdrawals.

Reviews

Write a Review

Assembly Language Questions & Answers

  Create a assembly language subroutine

Create a assembly language subroutine MULSUM that takes an array named A containing n bytes of positive numbers, and fills two arrays, array B containing n words and array C containing n long words

  Write a function in linux assembly

Write a function in Linux assembly

  Analog measurements

Prepare an assembly program for the correctly measures the wind direction

  Design a simple digital clock

Design a simple digital clock

  Write an assembly program

Prepare an Assembly program that reads in a number of cents.

  Write an assembly language program

Write an assembly language program for encrypting alphabates of a string

  Greatest common divisor of integers-masm assembly language

Must be done in MASM assembly language: Greatest common divisor of two integers is largest integer which will evenly divide both integers. GCD algorithm involves integer division in a loop.

  Write assembly program-find right admission price to movie

Write the Assembly program to find correct admission price to movie. Price of admission to a movie is $7 for kids (under 12) and $9 for adults.

  Create simple 8-bit alu using add-subtract-shift functions

Create a simple 8-bit ALU. Requirements:The eight functions that you will implement are: add, subtract, and, or, shift left logical, less than, shift right logical.

  Write assembly program print binary representation-integers

Write the assembly program called hw6_ex1, stored in file hw6_ex1.asm. This program must prompt user to enter signed 32-bit integer. Program must print out binary representation of the integer.

  Allot op-codes and add microcode to microprogram

Allot op-codes and add microcode to microprogram of Mic-1 to implement following instructions which are then included with IJVM instruction set.

  Write mips assembly program to read two non-negative numbers

Write MIPS assembly program to repeatedly read two non-negative integers and print integer product and quotient without using multiplication and division instructions.

Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

Submit Assignment

Academics

Major Subjects

Majors

Get In Touch

whatsapp: +1-415-670-9521

Phone: +1-415-670-9521

Email: [email protected]

TERMS & POLICIES

HELP & SUPPORT

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd