Anti-disassembler techniques 2018
Recommendations:
- When you are dealing with assembly that has been handcrafted to confuse the disassembler, it is useful to look at the machine language bytes of each instruction or data item. You can turn this on in IDA via: Options - General - Number of opcode bytes (non-graph), set to 6.
In this lab we will be analyzing an executable that uses some anti-disassembly techniques to hide its true evil nature. It is classified as malware by virustotal.com, so proceed with caution. Perform static analysis on your Linux VM.
This lab is an adaptation of Lab 15-3 from the awesome "Practical Malware Analysis" book.
- Download the executable available at http://rarceresearch.fun/misc/Lab15-03-pr.exe. Perform static analysis using IDA Pro Demo to follow the steps below and answer the questions.
- The code contains some exports that, used in combination, can be used for dubious purposes. For instance, a call to URLDownloadToFileA might be used to download a malware executable file from a website, then WinExec can be called to execute the malware.
- Examine the calling functions to URLDownloadToFileA. Did IDA identify a path from the main function to URLDownloadToFileA?
- Go back to the main function and use your anti-disassembly knowledge to try to understand how the seemingly harmless main ends up calling other malicious subroutines.
- Explain what the malicious code invoked by main does.
- From what URL is a file downloaded? (Hint: the name is encoded using a simple XOR ciphering scheme.)
- What is the name of the file that is downloaded and run by WinExec?
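The XOR hint above is the usual pattern for strings hidden from `strings`-style triage: each byte of the URL is XOR-ed with a fixed key, and since XOR is its own inverse the same operation recovers it. The script below is an added example, not part of the lab or the book's solution; it assumes a single-byte key (the simplest case of the scheme the hint describes) and works on a constructed sample string, not the bytes from Lab15-03-pr.exe. It brute-forces all 256 keys, keeps decodings that are printable ASCII, and then narrows them to ones that look like a URL, which is how you would confirm a candidate key pulled out of the binary.

```python
import string

# Constructed sample: a placeholder URL XOR-ed with the single-byte key 0x5A.
# This is NOT the string from the lab binary; it only illustrates the decode step.
KEY = 0x5A
PLAINTEXT = b"http://example.invalid/payload.exe"
ENCODED = bytes(b ^ KEY for b in PLAINTEXT)

# Printable ASCII minus whitespace control characters.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def is_printable(data: bytes) -> bool:
    """True if every byte is printable ASCII (a cheap filter for plausible text)."""
    return all(b in PRINTABLE for b in data)


def brute_force_xor(data: bytes) -> list:
    """Try all 256 single-byte keys; return (key, decoded) pairs that are printable."""
    candidates = []
    for key in range(256):
        out = xor_decode(data, key)
        if is_printable(out):
            candidates.append((key, out))
    return candidates


def find_url_candidates(data: bytes) -> list:
    """Narrow brute-force results to decodings that start with a URL scheme."""
    return [(k, s) for k, s in brute_force_xor(data)
            if s.startswith((b"http://", b"https://", b"ftp://"))]


if __name__ == "__main__":
    print("encoded bytes:", ENCODED.hex())
    for key, text in find_url_candidates(ENCODED):
        print(f"key=0x{key:02x}: {text.decode()}")
```

In the real binary you would paste the encoded bytes you find in the data section (or pulled out of the decoding loop's operands) into `ENCODED`; if the malware uses a multi-byte key, the same printable-and-URL filter still applies, only the key space to enumerate grows.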