The following lab is an adaptation of Lab 5-1 in the Practical Malware Analysis book by Michael Sikorski and Andrew Honig.

Setting up

We will be performing static analysis on an infected 32-bit Windows DLL file as a way to practice basic commands in IDA. We will be using IDA demo version 7.0, which can analyze 32-bit executables (both PE and ELF).

  1. Download http://rarceresearch.fun/misc/idademo70_linux.tar.
  2. Untar it into your chosen directory (using tar xvf idademo70_linux.tar). The ida executable will be located in the idademo70 directory.
  3. In this lab we will be dealing with malware that was created for the Practical Malware Analysis book. Thus we shall follow the steps recommended when dealing with malware: creating a snapshot of our VM in its uninfected state so that we can restore it later, once the VM might be infected. Do the following:
    1. Shut down the VM.
    2. In VirtualBox, in the Snapshots tab, press the "Take" button. Give it a proper name, e.g. "Pre Malware Analysis".
    3. Now that you have created the snapshot, restart the VM to begin the analysis.
  4. Download http://rarceresearch.fun/misc/labIDA.zip and unzip it. The resulting file, Lab05-01.dll, is the file we will analyze.
  5. Download http://rarceresearch.fun/misc/ida01.IDC.

Questions

  1. What is the address of procedure DllMain? How did you get it?
  2. Using the imports window, determine which DLL the function gethostbyname belongs to.
  3. How many functions call gethostbyname?
  4. Search MSDN (Microsoft Developer Network) to learn about the function gethostbyname.
    1. How many parameters does it take, and what are their types?
    2. What does it return?
  5. Focusing on the call to gethostbyname located in the function that starts at sub_10001656, can you figure out the name of the host passed to the gethostbyname function?
  6. Let's concentrate on the subroutine that begins at address 0x10001656:
    1. How many local variables did IDA recognize for this subroutine?
    2. How many parameters did IDA recognize for this subroutine?
    3. Is this an EBP-based or ESP-based subroutine? That is, are the addresses of the local variables based on ESP or on EBP? Explain.
  7. Open the Strings subview using Views - Open Subviews - Strings. Locate the string \\cmd.exe /c. Finding this string in an executable is another sign that it's up to no good. What is the address of that string?
  8. Go to the instruction that references the cmd.exe string. This instruction is part of a lengthy subroutine that apparently helps create a remote shell for the intruder. For example:
    1. Several instructions after cmd.exe is referenced, this subroutine enters a loop where it compares strings received using recv against strings such as exit, minstall and inject.
  9. In the instruction at 0x100101C8 there is a comparison which decides whether cmd.exe or command.exe is concatenated to a string. The cmp is between dword_1008E5C4 and ebx. How does the malware set the value of dword_1008E5C4? (hint: use the dword_1008E5C4 cross-references)
  10. What does the export PSLIST do? (hint: examine the calls that it makes).
  11. Use one of the graphing options to determine which API calls are made from the function at 0x10004E79. Based on this information, what name would you give this function?
  12. How many Windows API functions does DLLMain call directly? (hint: use the View - Graphs - User xref charts - Recursion depth 1)
  13. At 0x10001358 there is a call to Sleep. Find out on MSDN what this function does and what parameters it expects. Looking backward through the code, how long will the program sleep if this code executes?
  14. At 0x10001701 there is a call to socket. Find out what it does and what its parameters are. Use the named-constants functionality in IDA to rename them and improve code readability.
  15. Go to address 0x1001D988. The content of this address and what follows was interpreted by IDA as characters, but they seem like gibberish. Let's assume that you have magical mental powers and guess that to decrypt these characters all you need to do is XOR each with the byte 0x55. Doing this by hand for each byte would lead you into depression. Luckily, IDA Pro is scriptable both in a dialect of the C language called IDC and in Python. The demo version only understands IDC. Load and run the code from the file ida01.IDC. What is the string that was decoded?
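As an added example (not the lab's ida01.IDC, whose contents are not shown here), the same XOR-0x55 decoding done outside IDA in plain Python, so you can cross-check what the IDC script produces: it maps the virtual address 0x1001D988 to a raw file offset through the PE32 section table and decodes until a byte decodes to NUL. The stop condition, the key constant and the constructed test image are assumptions, not facts taken from Lab05-01.dll.

```python
import struct

XOR_KEY = 0x55          # assumed single-byte key, as stated in the question
TARGET_VA = 0x1001D988  # virtual address of the encoded bytes in the lab DLL

def va_to_file_offset(pe: bytes, va: int) -> int:
    """Translate a virtual address into a file offset via the PE32 section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    rva = va - image_base
    for i in range(num_sections):
        hdr = opt + size_opt + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError("address is not backed by any section")

def xor_decode_cstring(pe: bytes, va: int, key: int = XOR_KEY, max_len: int = 256) -> str:
    """XOR each byte with key, stopping at the first byte that decodes to NUL (assumed terminator)."""
    off = va_to_file_offset(pe, va)
    out = bytearray()
    for b in pe[off:off + max_len]:
        if b ^ key == 0:
            break
        out.append(b ^ key)
    return out.decode("ascii", errors="replace")

def build_test_image(plaintext: bytes, va: int = TARGET_VA, image_base: int = 0x10000000) -> bytes:
    """Constructed minimal PE32 image whose single section holds the XOR-encoded string at va."""
    encoded = bytes(b ^ XOR_KEY for b in plaintext + b"\0")
    rva = va - image_base
    sect_va, rawptr, size_opt = rva & ~0xFFF, 0x200, 96
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x2102)    # i386, one section, DLL
    opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", image_base)
    opt += b"\0" * (size_opt - len(opt))
    raw = b"\0" * (rva - sect_va) + encoded
    section = struct.pack("<8sIIIIIIHHI", b".data", len(raw), sect_va, len(raw), rawptr, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + opt + section
    return headers + b"\0" * (rawptr - len(headers)) + raw

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_image(b"constructed sample")
    print(xor_decode_cstring(data, TARGET_VA))
```

Run it with the path to Lab05-01.dll as the only argument to decode the real bytes; with no argument it decodes the constructed image.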

Deliverables

Submit a report answering all the questions.