
Actual combat analysis of malicious code lab05-01

2022-06-13 10:52:00 Wangchenfeng

Lab05-01

This lab analyzes the malicious code in the file Lab05-01.dll using IDA Pro only. The goal of the lab is to give you hands-on experience with IDA Pro. If you have already worked with IDA Pro, you can skip these questions and focus instead on reverse-engineering the malicious code.

More content will be added later.

1. What is the address of DllMain?

After opening the file in IDA, the cursor lands here (see the figure).

Or click the red area in the figure.

The viewB window then appears.

Then you can right-click.

This is the start address of DllMain.


2. Use the Imports window and browse to gethostbyname. At what address is the import located?

Search for the function name directly.

Double-click the function to find its location in the disassembly. It is in the .idata section, at 0x100163CC.

In fact, the figure above already shows the address.


3. How many functions call gethostbyname?

In the viewB window, press Ctrl+X to jump to the cross-references to the operand.

Or right-click.

In the function cross-reference list, p denotes a call (procedure) reference and r denotes a read; the address is read first and then called. gethostbyname is referenced 9 times, from 5 functions.

The list shows 18 rows, but that does not mean 18 functions call gethostbyname.

The number after the + is the offset of the reference within the function.
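To make the counting in question 3 mechanical, here is an added example (not code from the original post) that parses a cross-reference listing in the column order of IDA's "xrefs to" dialog (Direction, Type, Address, Text) and reduces it to distinct call sites and distinct calling functions. The listing is constructed for this example: only the call site sub_10001656+101 (which resolves to 0x10001757, the address question 4 names) comes from the page; the other function names and offsets are hypothetical.

```python
import re
from collections import defaultdict

# One line per cross-reference in IDA's "xrefs to" column order:
# Direction  Type  Address  Text.  Type 'p' is a call reference, 'r' a read.
XREF_LINE = re.compile(
    r"^(?P<dir>Up|Down)\s+(?P<type>[prwo])\s+"
    r"(?P<func>[A-Za-z_]\w*)(?:\+(?P<off>[0-9A-Fa-f]+))?\s+(?P<text>.+)$"
)

# Constructed listing: 18 rows, one 'p' and one 'r' row per call site.
# Only sub_10001656+101 is taken from the lab; the rest are hypothetical.
SAMPLE_XREFS = """\
Down p sub_10001656+101 call ds:gethostbyname
Down r sub_10001656+101 call ds:gethostbyname
Down p sub_10001656+1A6 call ds:gethostbyname
Down r sub_10001656+1A6 call ds:gethostbyname
Down p sub_10001656+211 call ds:gethostbyname
Down r sub_10001656+211 call ds:gethostbyname
Down p sub_1000A000+5C  call ds:gethostbyname
Down r sub_1000A000+5C  call ds:gethostbyname
Down p sub_1000A000+B4  call ds:gethostbyname
Down r sub_1000A000+B4  call ds:gethostbyname
Down p sub_1000B200+33  call ds:gethostbyname
Down r sub_1000B200+33  call ds:gethostbyname
Down p sub_1000B200+E0  call ds:gethostbyname
Down r sub_1000B200+E0  call ds:gethostbyname
Down p sub_1000C400+78  call ds:gethostbyname
Down r sub_1000C400+78  call ds:gethostbyname
Down p sub_1000D600+2F  call ds:gethostbyname
Down r sub_1000D600+2F  call ds:gethostbyname
"""


def parse_xrefs(listing):
    """Turn the textual listing into one dict per row."""
    rows = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = XREF_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised xref line: {line!r}")
        rows.append({
            "dir": m["dir"],
            "type": m["type"],
            "func": m["func"],
            "off": int(m["off"], 16) if m["off"] else 0,
            "text": m["text"],
        })
    return rows


def absolute_address(func, off):
    """Resolve an IDA auto-name such as sub_10001656 plus an offset to a linear address."""
    m = re.fullmatch(r"(?:sub|loc)_([0-9A-Fa-f]+)", func)
    if not m:
        raise ValueError(f"cannot derive an address from {func!r}")
    return int(m.group(1), 16) + off


def summarize(rows):
    """Count rows, reads, distinct call sites and the functions they belong to."""
    call_sites = sorted({(r["func"], r["off"]) for r in rows if r["type"] == "p"})
    callers = defaultdict(list)
    for func, off in call_sites:
        callers[func].append(absolute_address(func, off))
    return {
        "rows": len(rows),
        "reads": sum(r["type"] == "r" for r in rows),
        "call_sites": len(call_sites),
        "callers": dict(callers),
    }


if __name__ == "__main__":
    summary = summarize(parse_xrefs(SAMPLE_XREFS))
    print(f"{summary['rows']} rows, {summary['call_sites']} call sites, "
          f"{len(summary['callers'])} calling functions")
    for func, addrs in summary["callers"].items():
        print(func, [hex(a) for a in addrs])
```

The r rows are dropped when counting because each call site produces both a read and a call reference; only the p rows, deduplicated by function, give the number of calling functions.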


4. Focus on the call to gethostbyname at 0x10001757. Can you figure out which DNS request it will make?

Close the cross-reference window, then press G and enter 0x10001757 to jump straight there.


5. How many local variables has IDA Pro recognized for the subroutine at 0x10001656?


6. How many parameters has IDA Pro recognized for the subroutine at 0x10001656?


7. Use the Strings window to locate the string \cmd.exe /c in the disassembly. Where is it located?


8. What is happening in the area of code that references \cmd.exe /c?
9. In the same area, at 0x100101C8, it looks like dword_1008E5C4 is a global variable that helps decide which path to take. How does the malicious code set dword_1008E5C4? (Hint: use the cross-references to dword_1008E5C4.)
10. A few hundred lines into the subroutine at 0x1000FF58, a series of comparisons uses memcmp to compare strings. What happens if the string comparison with robotwork succeeds (when memcmp returns 0)?
11. What does the export PSLIST do?
12. Use graph mode to graph the cross-references from sub_10004E79. Which API functions could be called by entering this function? Based on those API functions alone, what would you rename this function to?
13. How many Windows API functions does DllMain call directly? How many at a depth of 2?
14. At 0x10001358 there is a call to Sleep (an API function that takes one parameter containing the number of milliseconds to sleep). Looking backward through the code, how long will the program sleep if this code executes?
15. At 0x10001701 there is a call to socket. What are its three parameters?
16. Using the MSDN page for socket and IDA Pro's named symbolic constants, can you make the parameters more meaningful? What are the parameters after you apply the changes?
17. Search for uses of the in instruction (opcode 0xED). This instruction is used together with the magic string VMXh to perform VMware detection. Is it used in this malicious code? Using the cross-references to the function that executes the in instruction, can you find further evidence of VMware detection?
18. Jump your cursor to 0x1001D988. What do you find?
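Question 17 describes the static signature of a VMware check: the magic VMXh (the dword 0x564D5868, which spells V M X h when read as characters) loaded into a register near an in instruction (opcode 0xED). The following added example, not part of the original post and not code from Lab05-01.dll, is the kind of triage heuristic a static scanner or YARA-style rule would use on a code section to flag that pairing. It requires both indicators within a short window, because a lone 0xED byte is far too common to be meaningful on its own. The byte strings it runs on are constructed for this example.

```python
import struct

VMX_MAGIC = 0x564D5868      # the dword that spells 'VMXh' when loaded into a register
IN_EAX_DX = 0xED            # opcode of the one-byte 'in eax, dx'
MOV_EAX_IMM32 = 0xB8        # opcode of 'mov eax, imm32'


def scan_for_vmware_check(blob, window=64):
    """Return one record per place where the VMXh magic appears as a 32-bit
    immediate and an 'in eax, dx' follows within `window` bytes of it."""
    magic_le = struct.pack("<I", VMX_MAGIC)   # how the immediate sits in the instruction stream
    hits = []
    pos = blob.find(magic_le)
    while pos != -1:
        after = blob[pos + 4 : pos + 4 + window]
        in_rel = after.find(bytes([IN_EAX_DX]))
        if in_rel != -1:
            hits.append({
                "magic_at": pos,
                "in_at": pos + 4 + in_rel,
                # stronger signal when the immediate is the operand of 'mov eax'
                "mov_eax": pos > 0 and blob[pos - 1] == MOV_EAX_IMM32,
            })
        pos = blob.find(magic_le, pos + 1)
    return hits


# Constructed samples (not bytes from the lab binary).
# push ebp; mov ebp, esp; mov eax, 564D5868h; three nops; in eax, dx; pop ebp; ret
SUSPICIOUS = (
    bytes.fromhex("558bec")
    + bytes([MOV_EAX_IMM32]) + struct.pack("<I", VMX_MAGIC)
    + bytes.fromhex("909090ed5dc3")
)
# mov eax, 44332211h; in eax, dx; ret  -- an 'in' with no magic, so not a hit
BENIGN_IN_ONLY = bytes.fromhex("b811223344edc3")
# mov eax, 564D5868h; ret  -- the magic with no 'in' nearby, so not a hit
MAGIC_ONLY = bytes([MOV_EAX_IMM32]) + struct.pack("<I", VMX_MAGIC) + b"\xc3"


if __name__ == "__main__":
    for name, blob in [("suspicious", SUSPICIOUS),
                       ("in only", BENIGN_IN_ONLY),
                       ("magic only", MAGIC_ONLY)]:
        print(name, scan_for_vmware_check(blob))
```

In practice you would feed it the raw bytes of the .text section and then confirm each hit in IDA, since the scanner cannot tell an immediate from data bytes that happen to match.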
 


Copyright notice
This article was written by Wangchenfeng. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/164/202206131040246939.html