Scribd
Upload
85 views

Lab 9.1 IDA Pro

The document outlines a project using IDA Pro for malware analysis, specifically Lab 5-1 from the textbook 'Practical Malware Analysis'. It provides instructions for downloading necessary files, installing IDA Pro, and completing specific tasks such as finding DLLMain and analyzing local variables. Students are required to capture and submit full-desktop images of their findings for credit.

Uploaded by

baopham16122003
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
85 views

Lab 9.1 IDA Pro

The document outlines a project using IDA Pro for malware analysis, specifically Lab 5-1 from the textbook 'Practical Malware Analysis'. It provides instructions for downloading necessary files, installing IDA Pro, and completing specific tasks such as finding DLLMain and analyzing local variables. Students are required to capture and submit full-desktop images of their findings for credit.

Uploaded by

baopham16122003
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

Proj 6: IDA Pro (Lab 5-1) (20 pts.

, 4 images)
What you need:

A Windows machine, real or virtual, such as the Windows 2008 Server VM we've been using
The textbook: "Practical Malware Analysis"

Purpose
You will practice using IDA Pro.

You should already have the lab files, but if you don't, do this:

Downloading the Lab Files


In a Web browser, go here:

http://practicalmalwareanalysis.com/labs/

Download and unzip the lab files.

Downloading and Installing IDA Pro


In your Windows machine, open a Web browser and go to

https://www.hex-rays.com/products/ida/support/download_freeware.shtml

Download "IDA Freeware" and install it.

If that link is down, use this alternate download link:

https://samsclass.info/126/proj/idafree50.exe

Follow the Textbook


Follow the instructions for Lab 5-1 in the textbook, questions 1-8, to analyze Lab05-01.dll using only IDA Pro. There are more detailed solutions in the back of the book.

Opening Lab05-01.dll in IDA Pro


Launch IDA Pro. Click OK. Click New. Click the "PE Dynamic Library" icon and click OK. Navigate to Lab05-01.dll and open it.

Q 1: Finding the Address of DLLMain


In IDA Pro, click Windows, "Functions window".

Click the "Function name" header to sort by name and scroll to the top.

Your image should show the location of DLLMain, as shown below:

Press the PrntScrn key to capture an image of the whole desktop.

Open Paint and paste the image in with Ctrl+V.

Save this image with the filename "Proj 6a from YOUR NAME".

YOU MUST SUBMIT WHOLE-DESKTOP IMAGES TO GET FULL CREDIT!

Q 2: Find the import for gethostbyname


In IDA Pro, click Windows, Imports. Click the Name header to sort by name. Find "gethostbyname" -- note that capital letters and lowercase letters sort into separate
groups.

Widen the Address column to make the entire address visible.

Your image should show the location of gethostbyname, as shown below:


Save a full-desktop image with the filename "Proj 6b from YOUR NAME".

Q 5: Count Local Variables for the Subroutine at 0x10001656


In IDA Pro, click Windows, "IDA View-A". Press the SPACEBAR to get to text view.

Press g to Go. Enter the address 0x10001656 and click OK.

Scroll up to show the comments IDA added to the start of the function, listing its local variables, as shown below:

Save a full-desktop image with the filename "Proj 6c from YOUR NAME".

Q 8: Finding the Purpose of the Code that References \cmd.exe /c


In IDA Pro, click Windows, Strings. Make the window larger. Sort by String. Find the String "\\cmd.exe /c" and double-click it. The function opens in text view, as
shown below.

In the line containing "\\cmd.exe /c", double-click the address to the right of "XREF", as indicated by the red outline in the image below.

Press the SPACEBAR to get to graph view, as shown below. "\\cmd.exe /c" is used in the little routine on the left.
Drag the graph view down to see the subroutines before it. About three boxes up you should find text beginning with "Hi, Master", as shown below.

Double-click aHiMasterDDDD to find the complete message. The purpose of the malware is clearly stated.

Your image should show what the code is doing, as shown below. The purpose is behind the red rectangle in the image below.

Save a full-desktop image with the filename "Proj 6d from YOUR NAME".

Turning in your Project


Email the images showing to [email protected] with the subject line: Proj 6 from YOUR NAME

Last modified 2-25-16

You might also like