LabDOS (Lab 7-01 from PMA)

The "malware" that we will examine today attempts to launch a denial-of-service attack on a certain doom date.

  1. Using IDA, open the binary file you will find at: http://ccom.uprrp.edu/~rarce/ccom4995/misc/LabDOS.exe

  2. The main function invokes a function called StartServiceCtrlDispatcherA. According to the documentation: "It connects the main thread of a service process to the service control manager, which causes the thread to be the service control dispatcher thread for the calling process". In other words, the main thread of the Lab07_01.exe process registers itself as the point of contact for the Service Control Manager. Whenever the SCM wants something from this service process, it will go through this thread.

    1. How many parameters are passed to StartServiceCtrlDispatcherA?

    2. What is the name of the service that is being registered to the Service Control Manager?

    3. What is the address of the function that will act as the ServiceMain function?

  3. Open sub_401040. The first thing that sub_401040 does is try to open an existing mutex.

    1. What is the name of the mutex?

    2. Depending on the result of opening the mutex, the program can exit or continue. Under what condition does the program exit?

    3. According to your answer, the intention of this binary is to allow multiple instances of it to run simultaneously:

  4. This function will exit when OpenMutexA is successful, because this means that another instance of this process is already running (the malware creator just wants one copy of the process running at a time). If the program continues, the next operation performed is the creation of a mutex, followed by a call to OpenSCManagerA to establish a connection to the service control manager. This is needed for creating a service later.

    1. In what register is the handle to the service control manager kept after invoking OpenSCManagerA?

    2. Why is GetModuleFileName called before CreateServiceA?

  5. After CreateService, a sequence of functions (SystemTimeToFileTime, CreateWaitableTimer, SetWaitableTimer, WaitForSingleObject) is called to set a timer that fires on a certain date.

    1. Find what that date is. Analyze the parameters passed to SystemTimeToFileTime. What is the date represented by those parameters?

    2. Notice that the lpDueTime parameter passed to SetWaitableTimer is the FILETIME buffer that the SystemTimeToFileTime call filled in through its output parameter. Thus a timer is set for that date.

  6. The jnz short loc_40113B instruction jumps if the timer has not run its course (i.e., if the date set on the timer has not yet arrived). If it does not jump, the program creates several threads by executing the block at loc_401126 several times.

    1. How many times is the block at loc_401126 executed?

    2. What does each of the threads do? (Hint: one of the parameters to CreateThread is the address of the subroutine to be executed in the thread)

    3. What is the name of the subroutine to be executed by the threads?

    4. What is the name of the website that will receive a lot of requests on the doom date?
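
The following Python script is an added analyst helper for steps 5 and 6 above; it is not part of the lab handout or of the LabDOS binary. Given the 16-byte SYSTEMTIME structure that you read off the stack before the call to SystemTimeToFileTime, it decodes the fields, computes the FILETIME value that the call writes into the buffer later passed as lpDueTime, and interprets that value the way SetWaitableTimer does (a positive value is an absolute UTC time, a negative value is a delay relative to the call, in 100-nanosecond units). The sample bytes are constructed for illustration and are not the values found in LabDOS.exe; substitute the WORDs you see in IDA.

```python
"""
Added example (not from the lab handout or the LabDOS binary): decode a
SYSTEMTIME structure, mirror SystemTimeToFileTime, and interpret the
resulting lpDueTime value as SetWaitableTimer would.
"""
import struct
from datetime import datetime, timedelta

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1)
TICKS_PER_SECOND = 10_000_000

# SYSTEMTIME is eight little-endian WORDs, in this order.
SYSTEMTIME_FIELDS = ("wYear", "wMonth", "wDayOfWeek", "wDay",
                     "wHour", "wMinute", "wSecond", "wMilliseconds")


def parse_systemtime(raw: bytes) -> dict:
    """Unpack the 16-byte SYSTEMTIME structure into a field dictionary."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes")
    return dict(zip(SYSTEMTIME_FIELDS, struct.unpack("<8H", raw)))


def systemtime_to_datetime(st: dict) -> datetime:
    """Build a datetime from the fields (wDayOfWeek is ignored, as the API does)."""
    return datetime(st["wYear"], st["wMonth"], st["wDay"], st["wHour"],
                    st["wMinute"], st["wSecond"], st["wMilliseconds"] * 1000)


def systemtime_to_filetime(st: dict) -> int:
    """Mirror SystemTimeToFileTime: return the 64-bit tick count."""
    delta = systemtime_to_datetime(st) - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)


def filetime_to_datetime(ft: int) -> datetime:
    """Inverse of systemtime_to_filetime (sub-microsecond ticks are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def describe_due_time(ft_signed: int) -> str:
    """Interpret lpDueTime as SetWaitableTimer does (a signed LARGE_INTEGER).

    Positive: absolute FILETIME.  Negative: delay relative to the call,
    in 100 ns units.
    """
    if ft_signed >= 0:
        return "absolute: fires at %s UTC" % filetime_to_datetime(ft_signed).isoformat()
    return "relative: fires %.3f s after the call" % (-ft_signed / TICKS_PER_SECOND)


# Constructed sample: SYSTEMTIME for 1970-01-01 00:00:00.000 (a Thursday, so
# wDayOfWeek = 4), laid out as the eight WORDs would appear in IDA's stack view.
SAMPLE_SYSTEMTIME = struct.pack("<8H", 1970, 1, 4, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    st = parse_systemtime(SAMPLE_SYSTEMTIME)
    ft = systemtime_to_filetime(st)
    print(st)
    print("FILETIME = 0x%016x (%d)" % (ft, ft))
    print(describe_due_time(ft))
    # A negative due time is what a short, relative countdown would look like.
    print(describe_due_time(-30 * TICKS_PER_SECOND))
```

To use this against the lab binary, replace SAMPLE_SYSTEMTIME with the eight WORDs that are stored into the structure before the push of its address to SystemTimeToFileTime; the printed absolute date is the doom date, and the FILETIME value is what WaitForSingleObject will block on until it arrives.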