Perform a more in-depth static code analysis

Assignment Help Assembly Language
Reference no: EM132583606, Length: 2 pages

Part 1 - Credential Stealing

For part 1 of this lab, analyze the file Lab5-1.exe.

Question 1. What kind of malware is Lab5-1.exe (Backdoor, RAT, GINA Interceptor, Keylogger, Rootkit, or Launcher)?

Question 2. What is the name and location of the file that gets created?

Question 3. Does it use a polling technique or a hooking technique?

Question 4. Use IDA to provide an analysis of the code. Discuss how the malware works. You may use any combination of tools at your disposal. Include screenshots of IDA to help explain critical code segments. Execute the malware and observe the contents of the log file. Provide a screenshot of the log file.

Part 2 - Covert Malware Launching and Injection

For part 2 of this lab, analyze the files Lab5-2.exe and Lab5-2.dll.

Question 1) Briefly examine Lab5-2.exe in IDA. What type of covert launching do you initially suspect this malware of performing (direct injection, DLL injection, hook injection, APC injection, or process replacement)? What is the evidence?

Question 2) Which process does this malware target? How can you tell?

Question 3) Examine Lab5-2.dll in IDA. You will observe that the DLL simply invokes a thread that creates a loop of threads that generate a pop-up window every six seconds to show that the DLL was successfully injected. What is the startAddress of the outer thread and what is the startAddress of the inner thread?

Question 4) Execute the target (victim) process norwich.exe. Do not click "OK", since that will terminate the process and it will not be injected. Now execute Lab5-2.exe. What are your observations? You should see the pop-up window that you suspected during your static code analysis of Lab5-2.dll, and you should see it every six seconds. With norwich.exe still running, open Process Hacker. Examining the process list, you should not see any evidence of Lab5-2.exe or Lab5-2.dll; however, the pop-up from Lab5-2.dll keeps coming. Look at the target process, norwich.exe, by double-clicking it in Process Hacker. Check the "Modules" tab and the "Threads" tab. Do you observe evidence of Lab5-2.dll? Look at the import table of norwich.exe via CFF Explorer. Do you see it import Lab5-2.dll? If that DLL is not being imported by norwich.exe, then what is your initial explanation as to why norwich.exe is executing code from a DLL it did not import?

Question 5) Perform a more in-depth static code analysis on Lab5-2.exe. Explain the injection technique. Who calls the code in DllMain of Lab5-2.dll (OS, victim process, or the Lab5-1.exe launcher)? When does DllMain get called? Be sure to clearly indicate the roles of the dll and the exe. Include screenshots of important code sections to augment your discussion.
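A way to script the Modules tab / Threads tab / import-table comparison from Questions 3 and 4 (an added example, not part of the lab or its sample files; the snapshot, addresses, sizes and import list below are constructed): it flags threads whose start address lies in a module that the process neither imported statically nor maps as a core runtime DLL.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Module:
    name: str   # file name as listed in the Modules tab
    base: int   # load address
    size: int   # size of the mapped image

@dataclass
class Thread:
    tid: int
    start: int  # start address as listed in the Threads tab

# Constructed snapshot of norwich.exe after injection (all addresses are made up).
MODULES = [
    Module("norwich.exe", 0x00400000, 0x00020000),
    Module("ntdll.dll", 0x77000000, 0x00180000),
    Module("kernel32.dll", 0x76A00000, 0x00110000),
    Module("user32.dll", 0x75F00000, 0x000C0000),
    Module("Lab5-2.dll", 0x10000000, 0x00008000),
]
THREADS = [Thread(1000, 0x00401200), Thread(1004, 0x77021000), Thread(1008, 0x10001000)]
# DLL names as read from the import table of norwich.exe (constructed).
IMPORTS = ["KERNEL32.dll", "USER32.dll"]
# Core runtime DLLs every process maps without naming them in its import table.
TRUSTED = {"ntdll.dll", "kernelbase.dll"}

def module_for(addr: int, modules) -> Optional[Module]:
    """Return the module whose mapped range contains addr, or None if unmapped."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None

def suspicious_threads(threads, modules, imports, image="norwich.exe"):
    """Threads starting outside the main image, its static imports and TRUSTED."""
    allowed = {n.lower() for n in imports} | TRUSTED | {image.lower()}
    findings = []
    for t in threads:
        m = module_for(t.start, modules)
        if m is None:                       # start address in no module at all
            findings.append((t.tid, hex(t.start), "<unmapped>"))
        elif m.name.lower() not in allowed:  # module the process never imported
            findings.append((t.tid, hex(t.start), m.name))
    return findings

if __name__ == "__main__":
    for tid, start, owner in suspicious_threads(THREADS, MODULES, IMPORTS):
        print(f"thread {tid} starts at {start} in {owner}, which norwich.exe never imported")
```

DLLs a program loads itself at run time (LoadLibrary, delay-loads, shell extensions) show up here too, so treat a hit as a lead to confirm in IDA rather than proof of injection.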


All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd