, , , , ,

[SOLVED] Cs6264 lab 2: malware analysis summer 2025

$25

File Name: Cs6264_lab_2__malware_analysis__summer_2025.zip
File Size: 405.06 KB

5/5 - (1 vote)

“Good work on that last assignment!” Your boss seems delightfully cheery today. “The client was very impressed by your skills and has requested that you help them with another engagement.”

This is great news, you are already impressing your boss.

“They recently found some malware on their servers, and want you to provide a report on its behaviors. From what I’ve seen, our team has never encountered some of these  malware before…”

This seems like less great news.

“Anyways, I expect a report on my desk in 2 weeks!”

It seems like its back to reading the documentation for you.

  Assignment

The purpose of this assignment is to evaluate your ability to find certain behaviors of a piece of malware using various static and dynamic malware analysis tools.

You will need to use the malware lab environment we have provided to create a report on all of the trigger commands and behaviors of each command for the provided malware. Please refer to the tutorial presentation to get started!

Feel free to adjust the VM’s memory space after download.

In your report, you will need to answer the following questions:

VM Link:

GoogleDrive:https://drive.google.com/open?id=1a_1U2UQKQ0268NApFnFHfV2HETZZEu4ZLinks to an external site.

OneDrive: https://gtvault-my.sharepoint.com/:u:/g/personal/dzhang377_gatech_edu/EZh748ZHXvBGlenulVmCtQgB9WF16wAL-kOAf-niaVG1YA?e=m2Z3zDLinks to an external site.

MD5hash: 72ff81b5b73b2297c8d64f0c09ecc03d

Supplementary Material:

Lab 2_Supplementary_Material.pdf

  Deliverables

Please submit a .tar.gz file containing the report, Angr scripts and proof of concrete execution. Name this “[username]_lab02.tar.gz”. Please include the following in this .tar.gz file:

Sample Structure after unzip:

  Warning:

Please don’t run the malware on your own computer! We are not responsible if you do. Only execute it inside the Windows VM we are provided. These are real world malware samples.

 

○    View assembly in disassembler

○     Find dispatcher code

○     Symbolic analysis

○     Dynamic analysis

○     In the VM, Ghidra is located at ~/ghidra_9.1.1_PUBLIC/

○  After you cd into that directory, run Ghidra with ./ghidraRun

○   A project has already been created for you, so all you need to do is import the binary to the project by clicking File > Import File > Select binary to import

○      Code will be presented as assembly instructions on the left half of the interface and reconstruction C instructions on the right half of the interface

○      For this project, being able to read assembly is not required, but can be helpful

■      Generally, assembly instructions come in the form of an instruction name followed by 1, 2, or 3 operands

■      For example, the PUSH instruction will push a value onto the stack. Since you can only push 1 item to the stack at a time, the instruction takes 1 operand

■      This operand can be a value or the name of a register: the value will be pushed to the stack if a value is used as the operand while the value inside the register will be pushed to the stack if the register is chosen as the operand instead

■      i.e. “PUSH %eax” means that the computer will push the value inside the EAX register to the top of the stack. Now, if you get the value at %esp (the stack pointer) or pop a value off of the stack, you will get whatever value you just pushed

○      A good reference for x86 assembly can be found here

○      In the folders on the very left of the UI, you can find all the functions within the binary. Explore these to find out more about what the malware will do (not necessary)

~/ghidra_9.1.1_PUBLIC/support/analyze.sh

 

○     We first need to find what we can tweak in our input to this function so that it will behave differently

○     In the binary, we find that the execution of the dispatching logic (not function) is dependent on the value stored at %eax

○     Looking at the C representation of these basic blocks confirms this observation, given the big if-statement being dependent on the “pcVar1” variable

○     In our C representation, we can also see that the “pcVar1” variable is dependent on the 1st parameter of the function, giving us a candidate to symbolically represent!

 

○    The script is found at ~/Desktop/symbolic_execution/sample_inputs.py

○     All we need to do is give it the start of the function (0x804d32) and the address at which we want our program execution to end up

○     In this case, we wish to end up at the function call inside the if-statement at 0x804dde because we believe that it will execute malicious behaviour

○     We can easily find these addresses by clicking specific lines in our C code representation on the right and the address will be highlighted on the left

○     Now, if we execute python sample_inputs.py –start 0x804d32 –end 0x804dde, it will print 1 parameter for the dispatching function that will hit the inside of the if-statement

○        Again, we will use a simulation manager like the one used in Lab 1 with a claripy solver

○     However, we will specify a call state to call the specific dispatching function with the argument that we will inject ourselves

■ target_state = proj.factory.call_state(start, sym_arg_1)

○     Then, the code will symbolically execute dispatching function again and again until an the symbolic argument causes the program to reach the inside of the if-statement, and we now find one such argument of the dispatcher!

Print out the argument that allowed the execution engine to reach the target address

○     Thus, if we want to find all such inputs from the command server that will trigger the dispatcher logic, we must put inverse constraints on the function argument after we find each new command

○    We can do this one of two ways:

■    Adding a constraint before evaluation (i.e. before .explore() is called)

■    Adding a constraint after evaluation

○    This way, we will iteratively find each triggering parameter

 

○     After logging into the Windows sandbox, we can find DynamoRIO already installed

○     This is a dynamic execution engine that not only keeps tracks of the actions being taken by the binary when run inside of the engine, you can customize the actions it takes upon reaching a certain behaviour from the binary

○     These customizations can be found in C:codeconcrete_executor

○     For sample.exe, we would like to change libcall_handler.cpp to change what the engine will do when a function is called

○     First, we would like to specify the function (i.e. the dispatcher function) we want to wrap and start monitoring from

○     Then, we would like to wrap the input before the function is called so we can define the input to a given function

○       Of course, we will need to add these method traces to the .h file to follow C++ convention

Symbolic Analysis (cont.)

○ Once this code has been changed, we first rebuild the scripts with .build.bat

○    Now, we can python run.py to run the dynamic analysis engine

○     Once the execution is complete, we can view the output of the engine in the folder you specified

○     In the below example, our input caused the malware to attempt to read many files

○     Of course, it is never going to be that easy as some functions may require extra logic in order to execute fully

○     If nothing happens after executing with a correct input, you may need to go back to the disassembled code to see if there are any additional requirements to fully analyze the malware behaviour

Introduction to Assembly

x86 Assembly/X86 Instructions – Wikibooks, open books for an open world

Claripy (not as important, but check #claripy-asts if you want to find other constructs you can use to constrain the solver)

Claripy – angr Documentation

Solver Engine (#constraint-solving is helpful for figuring out how to set constraints)

Solver Engine – angr Documentation

System overview https://dynamorio.org/dynamorio_docs/overview.html Existing tools based on DynamoRIO:

https://dynamorio.org Tutorial:

https://dynamorio.org/tutorials/ Library tracing:

https://github.com/mxmssh/drltrace DynamoRIO discussion group:

https://groups.google.com/g/dynamorio-users Code Manipulation API:

drwrap_wrap:(primary function that students need to use in project 2 dynamic analysis) https://dynamorio.org/dynamorio_docs/page_drwrap.html

list of sample use cases for dynamoRIO https://dynamorio.org/dynamorio_docs/API_samples.html

Reviews

There are no reviews yet.

Only logged in customers who have purchased this product may leave a review.

Shopping Cart
[SOLVED] Cs6264 lab 2: malware analysis  summer 2025[SOLVED] Cs6264 lab 2: malware analysis summer 2025
$25