Dynamic analysis using immunity debugger

Assignment Help Assembly Language
Reference no: EM132577487 , Length: 4 pages

Part 1 - Dynamic Analysis Using Immunity Debugger

Perform an in-depth analysis on the sample Lab4.exe using Immunity Debugger. Your analysis should start with documenting the basic static file information (filename, size, MD5, SHA1, file type, and compile time). It is important to always document this information up front for forensic soundness. You must use the debugger to modify execution of the software. The software will not run unless certain conditions are met. You must modify the software at runtime to force it to execute until completion. You know the software has completed successfully when you get a success message. Screenshots accompanied by explanations must be included as evidence of your analysis. You must explain which values you changed, why you changed them, and how you changed them.

The software checks for three things before it will display the success message. Why do you suppose some malware would check for those specific things before installation? Include a concise summary of the sample. You may insert your analysis below, or you may create a separate document.
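As an added example (not part of the assignment and not the Lab4.exe sample), a small Python triage script that produces the static record the task asks for up front: filename, size, MD5, SHA1, file type and the compile time read from the PE/COFF header. The embedded byte string is a constructed minimal PE stub so the script runs offline; pass a real path on the command line to triage an actual file.

```python
import hashlib
import struct
from datetime import datetime, timezone

def pe_compile_time(data: bytes):
    """Return the COFF header TimeDateStamp as a UTC datetime, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE signature
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def file_type(data: bytes) -> str:
    if pe_compile_time(data) is not None:
        return "PE (Windows executable)"
    if data[:2] == b"MZ":
        return "MZ executable without a PE header"
    return "unknown"

def basic_static_info(filename: str, data: bytes) -> dict:
    """The up-front triage record: name, size, MD5, SHA1, type and compile time."""
    ct = pe_compile_time(data)
    return {
        "filename": filename,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "file_type": file_type(data),
        "compile_time": ct.isoformat() if ct else None,
    }

# Constructed minimal PE stub so the script runs stand-alone (this is NOT the Lab4.exe sample):
# MZ header with e_lfanew = 0x40, PE signature, then a COFF header whose
# TimeDateStamp is 0x5E0BE100 = 2020-01-01 00:00:00 UTC.
SAMPLE = bytearray(0x40 + 4 + 20)
SAMPLE[0:2] = b"MZ"
struct.pack_into("<I", SAMPLE, 0x3C, 0x40)
SAMPLE[0x40:0x44] = b"PE\0\0"
struct.pack_into("<HHI", SAMPLE, 0x44, 0x14C, 3, 0x5E0BE100)  # Machine, NumberOfSections, TimeDateStamp
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None   # pass a real sample path to triage it
    data = open(path, "rb").read() if path else SAMPLE
    for key, value in basic_static_info(path or "constructed_sample", data).items():
        print(f"{key}: {value}")
```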

Part 2 - Kernel Debugging and Rootkits

1) Suppose you are analyzing a sample that is a suspected rootkit or a driver. You initially suspect a rootkit because you observe the following code.

What about this code is indicative that you may be dealing with a rootkit?

2) In the same sample, you see the malware is writing to the Mlwx486.sys file via a call to the WriteFile function. You then see the malware establish a connection to the service control manager by calling the OpenSCManager function. Following, you observe this code:

Explain what is happening in this code.

3) Suppose you executed the malware to verify if the service you suspected was installed and running. You did this through the "sc" utility and observed the following output:

As shown, the service is running. Being the motivated analyst you are, you attach a WinDbg kernel debugger to the VM to check if the driver was successfully loaded. The output, shown below, indicates that a driver was loaded because it has the same name as the .sys file that was created.

What is the address range of the loaded module of interest?

4) After analyzing the dropped Mlwx486.sys file in IDA, you observe the DriverEntry routine access the KeServiceDescriptorTable structure. Therefore, you suspect there may be some SSDT hooking. What is SSDT hooking?

5) You want to test your SSDT hooking theory by running the dd command on the SSDT. Here is your output:

Do you observe any evidence of SSDT hooking by the malware?
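As an added illustration (not part of the assignment and not its real debugger output), the check behind questions 3 and 5 written out in Python: take the loaded-module address ranges from the kernel debugger and the dd dump of the SSDT, and flag every entry whose target does not fall inside the nt kernel image, naming the module that owns it. The module list and the dd dump below are constructed for the demonstration.

```python
import re

# Constructed illustration data, not the assignment's real WinDbg output.
# 'lm'-style module list: start end name (the nt kernel and the dropped driver)
MODULES = """\
804d7000 806e4000   nt
f8a1b000 f8a1c780   Mlwx486
"""
# 'dd'-style dump of the first SSDT service-table entries: address then four dwords
SSDT_DUMP = """\
80501b8c  805f7e3a 805ef6e6 805f8020 805f8020
80501b9c  f8a1b41a 805f7fd4 805ef780 8061fb22
"""

def parse_modules(text: str):
    """Return [(name, start, end)] from lm-style lines."""
    mods = []
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)", line, re.I)
        if m:
            mods.append((m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
    return mods

def parse_dd(text: str):
    """Return [(slot_address, target)] from dd-style lines, one dword (4 bytes) per entry."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        base = int(parts[0], 16)
        entries.extend((base + 4 * i, int(v, 16)) for i, v in enumerate(parts[1:]))
    return entries

def owner(addr: int, mods):
    """Name of the module whose [start, end) range contains addr, or None."""
    for name, start, end in mods:
        if start <= addr < end:
            return name
    return None

def find_hooks(dump: str, modules: str, kernel: str = "nt"):
    """Every SSDT entry whose target lies outside the kernel image is a hook candidate."""
    mods = parse_modules(modules)
    return [(idx, slot, target, owner(target, mods))
            for idx, (slot, target) in enumerate(parse_dd(dump))
            if owner(target, mods) != kernel]

if __name__ == "__main__":
    for idx, slot, target, mod in find_hooks(SSDT_DUMP, MODULES):
        print(f"SSDT[{idx}] at {slot:08x} -> {target:08x} ({mod or 'unknown module'})")
```

With the constructed data, entry 4 points into the Mlwx486 range and is reported; an unhooked table reports nothing.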

6) Which function can a rootkit call to register a handler for a particular interrupt code in order to specify an ISR? What is the Interrupt Descriptor Table (IDT)?

7) Briefly describe the following rootkit defensive measures: Kernel Patch Protection (KPP, commonly referred to as PatchGuard), and driver signing enforcement.

Attachment:- Dynamic Analysis Using Immunity Debugger.rar
