Reverse engineering is an important skill that requires practice to develop. The course textbook provides a plethora of exercises using a number of tools that, while old, are representative of the techniques one would use in modern reverse engineering.
For each lab, a walkthrough in the textbook's appendix describes the process for completing it. For your lab notebook, however, we require that you
We will now set up the course VM. A video walkthrough is shown below:
There are multiple options for setting up your VM. Choose the one that suits your environment.
General=>Basic, change the name of your VM to your OdinID (to appear in screenshots). In System=>Motherboard, change the Base Memory slider to 2GB (2048 MB)
"Local User and Groups" => "Users". Right-click on Administrator user and click "
The environment on linuxlab allows you to either download the VM onto a local partition (/disk/trump) or onto a partition on a central server (/stash/cs492/class). Only users in the vagrant group can do so. You should have been added to this group if the class is being offered in the linuxlab.
Some differences in installation include:
/disk/trump/cs492/492_WinXP_x86.ova when performing the import.
Files=>Preferences. Specify a "Default Machine Folder" to be /disk/trump/cs492. The initial VM will only be accessible on your current workstation.
If you wish to run this VM on any linuxlab machine, then you will need to put a copy of it on the central MCECS file server. To do so:
/disk/trump/cs492) over to it (Files=>Preferences. Specify a "Default Machine Folder" to be
Lab01-01.dll. From these calls, what might this DLL be doing?
PEview, examine the .data section to find where the malware is attempting to create its malicious file.
Wininet.dll. What might this executable be doing?
strings within cygwin to reconstruct the URL being requested
strings) to find the
procmon) to monitor events from this binary to generate Figure 3-11L
memcmp() is used to compare command strings received over the network
Apate DNS, execute the malware to generate Listing 6-3L (Note that if you wish to use netcat, the version on cygwin does not require the -p option to specify the port)
main. What does each one do?
WinINet calls are used and explain what each one does.
strings in cygwin, identify the network resource being used by the malware (Note that the resource is encoded in Unicode and you will need to pass -e l to the strings command to dump Unicode strings instead of ASCII)
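The `strings` versus `strings -e l` distinction in the note above (and the earlier step that uses `strings` to reconstruct the requested URL) reimplemented in Python, as an added example that is not part of the original lab page or the textbook. The two extractors mirror what the default `strings` scan and the `-e l` (16-bit little-endian) scan match, and run against a constructed byte buffer containing one ASCII URL and one UTF-16LE URL, so you can see why a wide-character resource is invisible to the default scan. The buffer, the example.com URLs and the function names are constructed for illustration.

```python
import re
import sys
from typing import List


def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of plain `strings`: runs of printable ASCII bytes of at least min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings -e l`: printable ASCII characters each followed by a NUL,
    i.e. the UTF-16LE encoding Windows uses for wide strings. Scanning byte by byte
    means a wide string starting at an odd offset is still found."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def find_network_resources(data: bytes) -> List[str]:
    """Collect URL-looking strings from both encodings so a wide-only resource is not
    missed, which is exactly what a default `strings` run would do."""
    found = ascii_strings(data) + utf16le_strings(data)
    return [s for s in found if "://" in s]


# Constructed stand-in for a chunk of a binary: junk bytes, an ASCII URL, a UTF-16LE
# URL, and some filler. Not taken from any real sample.
SAMPLE_BYTES = (
    b"\x00\x01\x02"
    + b"http://www.example.com/narrow.html"
    + b"\x00\xff\xfe"
    + "http://www.example.com/wide.html".encode("utf-16-le")
    + b"\x00\x00\x90\x90"
)


if __name__ == "__main__":
    # Pass a file path to scan a real file; otherwise the constructed buffer is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BYTES
    print("ASCII strings:   ", ascii_strings(blob))
    print("UTF-16LE strings:", utf16le_strings(blob))
    print("Network resources:", find_network_resources(blob))
```

Run on the constructed buffer, the ASCII pass reports only the narrow URL and the UTF-16LE pass only the wide one; the combined scan is what you want before concluding that a sample has no network indicator.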
Wireshark, show the connection and its result
Process Explorer to show injection for Figure 12-1L
Wireshark (turn off promiscuous mode)
xor, then bring up Figure 13-1L, rename xorEncode to get to Listing 13-2L
WinHex (winhex.com), open the binary, and perform Figure 13-2L
PEiD (softpedia.com) with caution (it should be a Zip file), open the binary, and run KANAL from the bottom-right arrow to obtain Listing 13-3L
xref to top-level function, bring up and rename base64index, bring up Listing 13-4L
0x0040115A. Patch it. (
0x004011D0. Patch it.
0x00401215. Patch it.
0x00401269. Patch it.
0x004012E6. Which two methods does it combine? Patch it to reveal Listing 15-7L.
jz checks are doing
sub_401000 and Listing 16-1L. What does this code do?
OllyDbg. Set a breakpoint at 0x00403554. What is the value of eax? Step over several instructions. What happens?
Phant0m plug-in) to reset the flag
OllyDbg step. What happens?
0x00403573 and how to bypass it
0x00403594and how to bypass it
OllyDbg to set the argument to "-in" and single-step to reach
NOP or skip the check and run again.
0x004012CB and stepping into sub_401100. Does this check succeed? If so, NOP or skip the check and run again.
0x004012DF and generate Listing 17-5L
PEiD on the binary and find section UPX2. Perform a "deep scan". What does
OllyDbg, locate the jump to the unpacking stub by finding the register save instruction
OllyDump to dump the program into a new executable and load the new executable in IDA Pro
OllyDbg, set a breakpoint on main() and run to the breakpoint. Perform single stepping from there (F8). What happens?
shellcode_launcher.exe into IDA Pro or Olly, set arguments to match the command line shown below Listing 19-12L. Find where the shellcode has been loaded and will be launched