COMP4101 LAB EXERCISE #5
Introduction
In this COMP4101 assessed lab exercise, you are going to use IDA (or Ghidra) to disassemble the program contained in the file Lab05.zip (this file is encrypted with the password: infected). This .zip file contains a single, simple program, Lab05-01.exe, which has been written using anti-disassembly techniques. This program is perfectly benign, so it is safe to run it.
The aim of this lab exercise is to get you used to analysing programs that have been written using anti-disassembly techniques, and so the questions below are designed to guide your analysis. You will find that the true meaning of the program is obscured in both IDA Pro and Ghidra until you have unpicked the anti-disassembly techniques. You should then be able to see how the program works and answer the questions below.
This lab is part of the continuous assessment for the module, and so you will need to answer the questions below and submit your answers via Moodle when complete. You may well find it helpful to refer to chapters four, six and fifteen of ‘Practical Malware Analysis’ while attempting this exercise.
Note: You will almost certainly need to ‘patch’ (replace) certain instructions to get IDA to disassemble the file correctly. Use the opcode 0x90, the NOP instruction, to replace any bytes that are fouling the disassembler. You may also need to ‘Undefine’ and re-‘Create Function’ in IDA to ensure it properly decodes the code after it has been patched. Similar approaches will be needed in Ghidra.
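The patching step in the note above can also be scripted, so that the same bytes are replaced every time you re-analyse the file and a wrong offset never silently corrupts it. The following is an added example, not part of the handout and not taken from Lab05-01.exe: the sample bytes, the offsets and the expected original byte values are constructed for illustration (a classic "jmp short +1" over a rogue 0xE8 byte). Real offsets must be read from IDA or Ghidra and supplied by you.

```python
"""
Added example (not part of the COMP4101 handout): apply NOP (0x90) patches to a
copy of a binary, the way you would patch rogue bytes by hand in IDA or Ghidra,
but scripted, repeatable, and checked against the bytes you expect to overwrite.

All sample bytes, offsets and expected values below are constructed; they are
NOT taken from Lab05-01.exe.
"""

NOP = 0x90  # single-byte x86 NOP, the opcode the handout tells you to patch with


def nop_patch(data: bytes, patches: dict) -> bytes:
    """Return a patched copy of `data`.

    `patches` maps file offset -> byte you expect to find there. A byte is
    replaced with 0x90 only if it matches the expectation; otherwise we raise,
    so a mistyped offset cannot quietly damage an unrelated instruction.
    """
    buf = bytearray(data)
    for offset, expected in sorted(patches.items()):
        if offset >= len(buf):
            raise IndexError(f"offset {offset:#x} is past end of file ({len(buf):#x} bytes)")
        actual = buf[offset]
        if actual != expected:
            raise ValueError(
                f"offset {offset:#x}: found {actual:#04x}, expected {expected:#04x}; not patching"
            )
        buf[offset] = NOP
    return bytes(buf)


def diff_patched(original: bytes, patched: bytes) -> list:
    """List (offset, old_byte, new_byte) for every byte that changed, for review."""
    return [(i, o, p) for i, (o, p) in enumerate(zip(original, patched)) if o != p]


def patch_file(src_path: str, dst_path: str, patches: dict) -> list:
    """Patch `src_path` into a NEW file `dst_path` (never in place) and return the diff."""
    with open(src_path, "rb") as f:
        data = f.read()
    patched = nop_patch(data, patches)
    with open(dst_path, "wb") as f:
        f.write(patched)
    return diff_patched(data, patched)


# Constructed sample: `EB 01` (jmp short +1) skips the rogue `E8` that follows it.
# A linear-sweep disassembler instead treats `E8` as the start of a 5-byte CALL and
# swallows the real `31 C0` (xor eax, eax) and `C3` (ret). Replacing the jmp and the
# rogue byte with three NOPs leaves execution unchanged and lets the disassembler
# fall straight through to the genuine instructions.
SAMPLE = bytes([0xEB, 0x01, 0xE8, 0x31, 0xC0, 0xC3])
SAMPLE_PATCHES = {0: 0xEB, 1: 0x01, 2: 0xE8}  # placeholder offsets, not real file offsets


if __name__ == "__main__":
    patched = nop_patch(SAMPLE, SAMPLE_PATCHES)
    for off, old, new in diff_patched(SAMPLE, patched):
        print(f"{off:#06x}: {old:02X} -> {new:02X}")
```

After patching a copy of the real file this way, re-open it in IDA or Ghidra and, as the note says, undefine and re-create the affected function so the disassembler re-decodes the bytes from the corrected start.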
Questions
You should use IDA Pro or Ghidra to answer the following questions about the provided sample. The questions should get progressively harder as you progress through them.
1. Which techniques (as described in Chapter 15 of Practical Malware Analysis) are being used in this program to hinder disassembly? Include any variations on the technique… [4 marks]
2. How many times is each technique used in the file? [4 marks]
3. Some of the anti-disassembly techniques use rogue opcodes to cause the disassembler to mis-decode the instructions. Which opcodes are used? [2 marks]
4. Various command line arguments will cause the program to print messages other than “Wrong answer guess again”. List which argument(s), when passed to the program on the command line, cause it to print out a different message, and state what messages are printed. [8 marks]
Please note that the mark values are used to imply weighting as well as amount of detail required.
Assessment Criteria
The questions above will be awarded marks as per the mark scheme listed above, giving a total of 18, which will then be scaled to a final mark out of ten that will be used for the continuous assessment.
2023-03-20