Assignment title: Information
Malware Investigations – 2017 – Assignment 2
• This assignment contributes 50% of your final mark for the Malware Investigations module.
• Deadline: March 29th at 23:59 GMT
• Coursework submitted after the deadline will attract a penalty as follows:
- Up to 1 calendar week late: 10% of the marks available for the assessment
- Up to 2 calendar weeks late: 20% of the marks available for the assessment
- Anything beyond that requires submission of an Extenuating Circumstances form
• Any evidence of plagiarism will result in 0 marks
• Answers should be submitted in a Word or PDF file and uploaded to the course website.
• Any questions, or if you are really stuck – please contact me at [email protected]
• You will receive marks for several subcomponents of the investigation below, so even if you do not manage to answer 100% of a question you can still get most of the marks.
• Answers do not need to be lengthy essays; simply describing your key findings in bullet points is fine.
Q1: Assembly calling conventions [10 marks]
- The following is a snippet of code taken from a program running on Windows 7. This code is a function that does something with strings of text.
push ebp
mov ebp, esp
mov edi, 0x00520000
mov esi, 0x00520200
push esi
call some_func          ; some_func lives at 0x00610000
push eax
push edi
call some_func          ; some_func lives at 0x00610000
add edi, eax
pop ecx
inc ecx
cld
loop_label:
lodsb
stosb
loop loop_label
mov eax, edi
mov esp, ebp
pop ebp
ret 0
Here is some extra information:
1. Memory addresses 0x00520000 and 0x00520200 each contain a different zero-terminated string of text.
2. Memory address 0x00610000 contains a function that takes one parameter, a memory address, and returns an integer holding the length of the string at that location. Essentially, think of it as strlen().
- With regards to the above code, answer the following questions:
1. What does this code do? (brief explanation)
2. Which calling convention is used by this code – stdcall, cdecl, fastcall or thiscall? Explain your conclusion.
Q2: C Structures [10 marks]
To list all of the modules within a process, an application will normally use a combination of the CreateToolhelp32Snapshot, Module32First and Module32Next APIs. To represent information about each module, these APIs use the following C structure:
typedef struct tagMODULEENTRY32 {
DWORD dwSize;
DWORD th32ModuleID;
DWORD th32ProcessID;
DWORD GlblcntUsage;
DWORD ProccntUsage;
BYTE *modBaseAddr;
DWORD modBaseSize;
HMODULE hModule;
TCHAR szModule[MAX_MODULE_NAME32 + 1];
TCHAR szExePath[MAX_PATH];
} MODULEENTRY32, *PMODULEENTRY32;
More details: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684225(v=vs.85).aspx
The memory dump contained in the file Module_Structure.txt has a MODULEENTRY32 structure at memory address 0x0017FAE8. NOTE: That is 8 bytes into the dump. Answer the following questions:
1. What are the values of the MODULEENTRY32 member variables?
2. There also seems to be a lot of uninitialized "junk" data in szModule and szExePath. Why is this?
3. Does the data stored in memory use little-endian or big-endian convention? What makes you think this?
4. What does this particular module tell you about the executable using it?
Useful Links
MODULEENTRY32: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684225(v=vs.85).aspx
Module32First: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684218(v=vs.85).aspx
Module32Next: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684221(v=vs.85).aspx
CreateToolhelp32Snapshot: http://msdn.microsoft.com/en-us/library/ms682489(VS.85).aspx
HINT: MAX_PATH = 260, MAX_MODULE_NAME32 = 255
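As an added illustration of the kind of decoding Q2 asks for (this is not part of the original assignment and does not use Module_Structure.txt), the following Python script reads a 32-bit ANSI MODULEENTRY32 out of a text hex dump. The dump format (`address: hex bytes`), the base address 0x0017FAE0, the module name and every numeric field value are constructed for the example; the struct is placed 8 bytes into the dump so the offset arithmetic mirrors the note in the question. The script assumes a 32-bit ANSI build, where DWORD, BYTE* and HMODULE are all 4 bytes and TCHAR is one byte.

```python
import struct

# MODULEENTRY32 as laid out by a 32-bit ANSI build (assumption for this
# example): eight 4-byte fields, then two fixed-size char arrays. Every
# field is 4-byte aligned, so the compiler adds no padding.
MAX_MODULE_NAME32 = 255
MAX_PATH = 260
FMT = "<8I%ds%ds" % (MAX_MODULE_NAME32 + 1, MAX_PATH)   # '<' = little-endian (x86)
SIZE = struct.calcsize(FMT)                             # 548 == 0x224
FIELDS = ("dwSize", "th32ModuleID", "th32ProcessID", "GlblcntUsage",
          "ProccntUsage", "modBaseAddr", "modBaseSize", "hModule",
          "szModule", "szExePath")


def parse_hexdump(text):
    """Turn 'ADDRESS: b0 b1 b2 ...' lines into (base_address, bytes)."""
    base = None
    out = bytearray()
    for line in text.strip().splitlines():
        addr, _, rest = line.partition(":")
        if base is None:
            base = int(addr, 16)
        out += bytes.fromhex(rest.replace(" ", ""))
    return base, bytes(out)


def cstr(buf):
    """A TCHAR array is only meaningful up to its first NUL byte."""
    return buf.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_moduleentry32(dump_text, struct_addr):
    base, data = parse_hexdump(dump_text)
    off = struct_addr - base
    if off < 0 or off + SIZE > len(data):
        raise ValueError("structure at 0x%08X does not fit in the dump" % struct_addr)
    entry = dict(zip(FIELDS, struct.unpack_from(FMT, data, off)))
    # dwSize is the first member and must equal sizeof(MODULEENTRY32); a
    # mismatch usually means a wrong offset, wrong endianness or a Unicode build.
    if entry["dwSize"] != SIZE:
        raise ValueError("dwSize 0x%X != expected 0x%X" % (entry["dwSize"], SIZE))
    entry["szModule"] = cstr(entry["szModule"])
    entry["szExePath"] = cstr(entry["szExePath"])
    return entry


def build_sample_dump():
    """Constructed sample dump (hypothetical values, not the assignment's file)."""
    junk = bytes(range(0x41, 0x51)) * 20          # stands in for leftover stack bytes

    def tchar_array(s, n):
        s = s.encode("ascii") + b"\x00"
        return s + junk[: n - len(s)]              # bytes after the NUL are never written by the API

    raw = struct.pack(FMT, SIZE, 1, 0x0E10, 0xFFFF, 0xFFFF,
                      0x77E60000, 0x0011A000, 0x77E60000,
                      tchar_array("ntdll.dll", MAX_MODULE_NAME32 + 1),
                      tchar_array(r"C:\Windows\System32\ntdll.dll", MAX_PATH))
    blob = b"\xDE\xAD\xBE\xEF\x00\x00\x00\x00" + raw   # struct begins 8 bytes into the dump
    base = 0x0017FAE0
    lines = []
    for i in range(0, len(blob), 16):
        chunk = blob[i:i + 16]
        lines.append("%08X: %s" % (base + i, " ".join("%02X" % b for b in chunk)))
    return "\n".join(lines)


if __name__ == "__main__":
    entry = parse_moduleentry32(build_sample_dump(), 0x0017FAE8)
    for name, value in entry.items():
        print("%-14s %s" % (name, hex(value) if isinstance(value, int) else value))
```

Running the script prints each member of the constructed entry; the dwSize check is the first thing to verify against your own dump, because if you are reading at the wrong offset or with the wrong byte order that field will not decode to 0x224.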
Q3: IDA Pro Reverse Engineering [30 marks]
- Analyse the file Ass1_2017.exe.
- Describe in English / Pseudo-code in your answer doc file what the program does. Use screenshots of your IDA markup if helpful to illustrate your point.
- Describe in 2-3 sentences the core purpose of the program
- IDA will be the most useful tool here, as this is primarily a whiteboxing exercise, so you can skip blackboxing (apart from simply running the file from the command line to observe its behaviour).
- NOTE: By default this program will not reveal its full intention on most systems. This is deliberate, to show that by blackboxing malware alone you cannot find out all of its capabilities; only through whiteboxing can this be done fully.
HINT: It is common for programs not to start directly at the real main code written by the programmer; there will be some code added by the compiler at the start. My advice on how to begin is to run the program and note the first thing it prints out. Then open the exe in IDA and find that string in the Strings tab. Following the cross-reference (XREF) will take you to the first REAL part of the code, and you can work on from there.
HINT: Remember the advice from the Reverse Engineering Lab on how to approach the file