Practical – Advanced Static Analysis of Windows Malware
Open malware file Lab06-01.exe. Work your way through CSC3059W8L3 lecture to familiarise yourself with IDA.
• Open the different disassembly window modes
• Navigate around IDA
• Use cross-references
• Visualise the different graphing options
Analyse the malware found in the file Lab06-01.exe using IDA.
1. What is the major code construct found in the only subroutine called by main?
The main function calls a single subroutine, with the instruction call sub_401000 at address 0x401044.
In the subroutine starting at 0x401000 the major code construct is an if-statement. At the assembly level an if-statement consists of a comparison (cmp) that sets the flags, followed by a conditional jump (here jz) that selects one of two paths depending on them.
We can see a call to the Windows API function InternetGetConnectedState. Using MSDN we see this function returns TRUE (a non-zero value in the eax register) if there is an active Internet connection, otherwise it returns FALSE (0 in eax). The program then stores the return value on the stack at location [ebp+var_4].
The program compares [ebp+var_4] with 0, using cmp [ebp+var_4], 0.
If [ebp+var_4] == 0 the zero flag (ZF) is set to 1; if [ebp+var_4] is non-zero, ZF is cleared to 0.
If InternetGetConnectedState returned 0 (no connection), ZF is 1 and the jz instruction jumps to loc_40102B, where the program prints “Error 1.1: No Internet”.
If InternetGetConnectedState returned non-zero (TRUE), ZF is 0, the jump is not taken and execution continues at the next instruction, 0x401017, which prints “Success: Internet Connection”.
The function then returns to main. Its return value is in eax: 1 if there is an active Internet connection and 0 if there is not.
2. What is the subroutine located at 0x40105F?
– Use the x-refs feature to find places where this function is called
– Hint: examine the context in which the function is used
If we try to understand the function at 0x40105F by examining its code using IDA it is easy to get lost in the details. Instead we can try to examine the context in which this function is used, which might give us some clues about what it does.
We look for places in the program where the function at 0x40105F is called. We can do this using the x-ref features of IDA.
In the subroutine starting at 0x401000 we can see two calls to the subroutine at 0x40105F. Both calls occur immediately after a pointer to a string has been pushed onto the stack, i.e.:
push offset aSuccessInterne ; "Success: Internet Connection\n"
push offset aError1_1NoInte ; "Error 1.1: No Internet\n"
The strings pushed onto the stack before the function call both end with ‘\n’, which is the newline character.
We can also tell from the context that the program wishes to print a success/failure message at this point.
These clues lead us to suspect the function is printf. This technique, where we look at the parameters passed to a function, and its context, is useful for identifying unknown functions and/or finding clues about what an unknown function might do, but it might not work every time!
We can rename the function at 0x40105F in IDA by right clicking on the function name and selecting ‘Rename’. Enter printf into the Name textbox. This will allow us to understand and analyse the malware program more easily.
3. What is the overall purpose of this program?
The overall purpose of this program is to check for an active internet connection.
It prints the message ‘Success: Internet Connection’ if it does have a connection and the error message ‘Error 1.1: No Internet’ if it does not.
Analyse the malware found in the file Lab06-02.exe
1. What operation does the first subroutine called by main perform?
This is the same subroutine as we analysed in Part 2.
It checks for an active internet connection and returns true or false accordingly.
The value returned from this subroutine is initially in the eax register; the main function then moves it into a local variable on its own stack frame.
2. What is the subroutine located at 0x40117F?
We can again use context to understand what this subroutine does. Look at the parameters passed to this subroutine…
We can look at all the places in the program where it is called
Right click on “call sub_40117F” -> “Jump to xref to operand”
This opens a window listing all the places in the program where this subroutine is called
We can see that each time it is called a pointer to a string is pushed onto the stack immediately beforehand. Moreover the strings pushed contain format specifiers such as %c and %d. This suggests we are looking at a printing function.
This reminds us of the answer to Part 2.2 and we can say this is likely to be the printf subroutine. We can rename this function in IDA to help us understand the overall program better.
Right click on sub_40117F -> Rename -> Name = ‘printf’.
Every time we see this function we will now be reminded of what it does.
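The context-based identification used for sub_40105F (Part 2.2) and again for sub_40117F above can be scripted. The following is an added example, not code from the lab or from the original page: it scans an IDA-style text listing for every call to a target subroutine, collects the arguments pushed just before each call (the last push is the first parameter under cdecl), and reports whether the first argument is consistently a string literal ending in "\n" or carrying printf format specifiers matched by the right number of extra pushes. The listing excerpt is constructed for this example and its addresses, label names and the pairing of all three call sites with one subroutine are illustrative assumptions.

```python
"""Identify an unknown subroutine from its call-site context (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed IDA-style listing modelled on the call sites discussed in the
# lab.  Addresses, label names and the use of a single target subroutine for
# all three calls are illustrative assumptions, not taken from the binaries.
LISTING = r"""
.text:00401012                 push    offset aSuccessInterne ; "Success: Internet Connection\n"
.text:00401017                 call    sub_40105F
.text:0040101C                 add     esp, 4
.text:0040102B loc_40102B:
.text:0040102B                 push    offset aError1_1NoInte ; "Error 1.1: No Internet\n"
.text:00401030                 call    sub_40105F
.text:00401035                 add     esp, 4
.text:004010E0                 movsx   ecx, [ebp+var_8]
.text:004010E4                 push    ecx
.text:004010E5                 push    offset aSuccessParsedC ; "Success: Parsed command is %c\n"
.text:004010EA                 call    sub_40105F
.text:004010EF                 add     esp, 8
"""

LINE_RE = re.compile(r"^\.text:([0-9A-Fa-f]{8})\s+(.*)$")
LABEL_RE = re.compile(r"^\w+:$")
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# printf-style conversion: flags, width, precision, length modifier, conversion
FMT_SPEC_RE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|z)?[cdiouxXeEfgGsp]")


@dataclass
class CallSite:
    address: int
    args: List[str] = field(default_factory=list)   # args[0] is the first parameter (cdecl)
    first_string: Optional[str] = None              # string literal pushed as first parameter


def find_call_sites(listing: str, target: str) -> List[CallSite]:
    """Return every call to `target` together with the pushes preceding it."""
    sites: List[CallSite] = []
    pending: List[tuple] = []   # (operand, string literal or None) in push order
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        addr, body = int(m.group(1), 16), m.group(2)
        body, _, comment = body.partition(";")
        body = body.strip()
        if LABEL_RE.match(body):
            pending = []        # new basic block: earlier pushes belong to another path
            continue
        parts = body.split(None, 1)
        if not parts:
            continue
        mnemonic = parts[0].lower()
        operand = parts[1].strip() if len(parts) > 1 else ""
        if mnemonic == "push":
            s = STRING_RE.search(comment)
            pending.append((operand, s.group(1) if s else None))
        elif mnemonic == "call":
            if operand == target:
                args = [op for op, _ in reversed(pending)]   # last push = first parameter
                first_str = pending[-1][1] if pending else None
                sites.append(CallSite(addr, args, first_str))
            pending = []        # any call consumes the pushed arguments
    return sites


def format_specifiers(s: str) -> List[str]:
    """Conversion specifiers found in a (still escaped) string literal."""
    return FMT_SPEC_RE.findall(s)


def infer_role(sites: List[CallSite]) -> str:
    """Heuristic verdict from the evidence at every call site."""
    if not sites:
        return "unknown (no call sites)"
    for site in sites:
        if site.first_string is None:
            return "unknown (first argument is not a string literal at %#x)" % site.address
        specs = format_specifiers(site.first_string)
        if len(site.args) - 1 != len(specs):
            return "unknown (argument count does not match format at %#x)" % site.address
        if not specs and not site.first_string.endswith("\\n"):
            return "unknown (string is neither a format nor a message line)"
    return "printf-like: format string first, one extra argument per specifier"


if __name__ == "__main__":
    found = find_call_sites(LISTING, "sub_40105F")
    for site in found:
        print("%#x %s" % (site.address, site.args))
    print(infer_role(found))
```

The label reset is a deliberate simplification: the script does not build a control-flow graph, so a label is treated as the start of a new basic block and any pushes before it are discarded. For a real binary the same logic is easier to run inside IDA with IDAPython (CodeRefsTo on the function address and walking the preceding instructions), where the disassembler already knows the basic block boundaries.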
3. What does the second subroutine called by main, located at 0x401040, do?
At the start of the subroutine we can see calls to two Windows API functions. We can look up the documentation for these functions on MSDN to understand what they do:
InternetOpen – Initializes the use of the WinINet library. The first parameter, lpszAgent, is a pointer to a null-terminated string that specifies the name of the application calling WinINet; it is sent as the HTTP User-Agent. “Internet Explorer 7.5/pma” is a fake user agent supplied by the malware. All other parameters passed to this function are zero. Note that this function returns a handle that must be passed into subsequent WinINet function calls.
InternetOpenUrl – Opens the resource specified by the lpszUrl parameter. Returns a valid handle to the URL, or NULL if the function fails. The value ‘http://www.practicalmalwareanalysis.com/cc.htm’ is supplied by the malware.
Both functions return their values in the eax register. The value returned from InternetOpen is stored in the local variable hInternet, while the result from InternetOpenUrl is stored in hFile.
An if-statement then compares the value in hFile with zero, using the instruction cmp [ebp+hFile], 0.
If hFile == 0, ZF = 1, the jnz is not taken and the program continues to the instruction at 0x40107F. If hFile is non-zero (a valid handle), ZF = 0 and jnz jumps to loc_40109D.
If InternetOpenUrl was unsuccessful (which is also what happens if InternetOpen failed, since its NULL handle is passed straight into InternetOpenUrl), the program continues to 0x40107F, prints the error message “Error 2.1: Fail to open URL” and eventually terminates.
Otherwise the program jumps to loc_40109D. Here it calls InternetReadFile to download the web page http://www.practicalmalwareanalysis.com/cc.htm using the hFile handle from above. Use MSDN to understand the parameters of this function; they include dwNumberOfBytesToRead, which specifies the number of bytes to read. The malware passes 0x200, i.e. 512 bytes, and stores what is read in a buffer on the stack.
If the return from InternetReadFile is zero, the cmp instruction sets ZF = 1 and the jnz is not taken; the program continues to 0x4010C0, prints the error message “Error 2.2: Fail to read file”, closes the handle and terminates. Otherwise (a non-zero return) cmp clears ZF and the jnz jumps to 0x4010E5.
At 0x4010E5, with the web page downloaded into the buffer, the program compares the first characters of the buffer with a hard-coded list of numbers. These numbers are ASCII codes: 3Ch, 21h, 2Dh, 2Dh are the codes for <!--, the opening of an HTML comment. Each comparison is a cmp followed by a jnz. If any character does not match, cmp clears ZF and the jnz jumps to 0x40111D, where the program prints an error message and terminates. If all four match, the fifth character of the buffer is moved into the al register and the function returns to main, which prints it with “Success: Parsed command is %c”.
Looking back at the main function we can see that al is stored on the stack in var_8. The program then checks whether the eax register contains zero (test eax, eax). If not, it prints “Success: Parsed command is %c\n”, with the value from al, the character that followed the HTML comment opener, substituted for %c.
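The download-and-parse logic just traced through sub_401040 and main, re-implemented in Python so its branches can be exercised offline on constructed page contents instead of contacting practicalmalwareanalysis.com. This is an added example, not code from the page or the lab binary: it mirrors the 512-byte read, the four cmp/jnz checks for <!-- at the start of the buffer, the fifth byte returned in al, and main's test of that value. The page contents, the treatment of an empty read as a failed InternetReadFile, and the wording of the "no command" error (which the page does not quote) are assumptions.

```python
"""Model of Lab06-02's sub_401040 and main command parsing (added example)."""
from typing import Optional, Tuple

READ_SIZE = 0x200                                  # dwNumberOfBytesToRead used by the malware
COMMENT_OPEN = bytes([0x3C, 0x21, 0x2D, 0x2D])     # the hard-coded compare values: "<!--"

# Network-based indicators noted in the analysis (for reference only).
URL = "http://www.practicalmalwareanalysis.com/cc.htm"
USER_AGENT = "Internet Explorer 7.5/pma"


def parse_command(buffer: bytes) -> int:
    """Model of the comparison chain at 0x4010E5.

    Returns the fifth byte of the buffer (the command character) when the
    first four bytes are "<!--", or 0 when any comparison fails.  A page
    shorter than five bytes is treated as a failure (assumption: a short
    read cannot yield a command).
    """
    data = buffer[:READ_SIZE]          # only the first 0x200 bytes are ever read
    if len(data) < 5:
        return 0
    for i, expected in enumerate(COMMENT_OPEN):
        if data[i] != expected:        # cmp [buffer+i], expected / jnz error
            return 0
    return data[4]                     # mov al, [buffer+4]


def fetch_and_parse(page: Optional[bytes]) -> Tuple[int, str]:
    """Model of sub_401040 plus main's handling of its return value.

    `page` is the body InternetReadFile would fill in.  None models a failed
    InternetOpenUrl (hFile == NULL); an empty page models InternetReadFile
    returning FALSE (assumption).  Returns (command, message), where message
    is what the program would print.
    """
    if page is None:
        return 0, "Error 2.1: Fail to open URL\n"
    if len(page) == 0:
        return 0, "Error 2.2: Fail to read file\n"
    cmd = parse_command(page)
    if cmd == 0:                       # main: test eax, eax -> error path
        return 0, "Error: no command found in HTML comment\n"   # wording assumed
    return cmd, "Success: Parsed command is %c\n" % chr(cmd)


# Constructed sample pages (not real responses from the URL above).
SAMPLE_PAGES = {
    "command":    b"<!--A-->\n<html><body>nothing to see here</body></html>\n",
    "no_comment": b"<html><body>an ordinary page</body></html>\n",
    "truncated":  b"<!-",
    "oversized":  b"<!--Q" + b"x" * 2000,      # still parsed: only 0x200 bytes matter
}


if __name__ == "__main__":
    for name, body in SAMPLE_PAGES.items():
        cmd, msg = fetch_and_parse(body)
        print("%-10s cmd=%-3d %s" % (name, cmd, msg.rstrip()))
    print("hFile NULL  cmd=0   %s" % fetch_and_parse(None)[1].rstrip())
```

A practical consequence worth noting from the model: a comment whose fifth byte is NUL (or a page where the comment opener is not at offset 0) yields 0, which main treats as failure, so the command channel only works for a single non-zero byte placed exactly after <!--.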
4. What is the major type of code construct used in subroutine sub_401040?
A series of if statements. This is indicated by the repeated use of a comparison instruction (cmp) immediately followed by a conditional jump (jnz).
5. Are there any network-based indicators for this program?
From our analysis of this program we can conclude that there are two network-based indicators:
1. The HTML file downloaded over the network from http://www.practicalmalwareanalysis.com/cc.htm
2. The HTTP User-Agent string “Internet Explorer 7.5/pma” supplied to InternetOpen
6. What is the purpose of this malware?
The overall purpose of the program is to download the web page located at: http://www.practicalmalwareanalysis.com/cc.htm.
It then parses the HTML comment.