Lab 7 - Disassemblers (IDA)

In this lab, you will familiarize yourself with IDA, the Interactive DisAssembler. (It's also a debugger and decompiler, although those features are not available in the freeware version).

Deliverables

Upload the following items to the Lab 7 Assignment on Canvas when finished.

  • The PDF file containing the required documentation

Part 1 - 32-bit malware

For the 32-bit malware sample, use the IDA 5.0 freeware disassembler.

(Note: If the assembly code display panel "looks funny" or corrupted, try customizing the display font and size in IDA)

Question Answer
In the cdecl calling convention, where are arguments to the function stored?
In the cdecl calling convention, who cleans up the stack?
In the stdcall calling convention, where are arguments to the function stored?
In the stdcall calling convention, who cleans up the stack?
What calling convention is used by the Win32 API?

There is one function in the executable that calls GetTempFileNameW(). Locate this function. Note that you are not locating the code for GetTempFileNameW(), but rather the function in the malware that calls it.
Tip: Use the Imports panel to find the function, double-click it to jump to its entry in the import address table, and cross-reference via the ‘X’ key to see where it is called from

Question Answer
What is the starting address of this function in the .text section?
Tip: Scroll up
What name has IDA given this function?
From how many locations in the code is this function called?
Tip: Use the cross-reference feature in IDA via the ‘X’ key.
What calling convention does IDA think that this function uses?
How many arguments does this function take?
Tip: The base pointer plus a value is generally a function argument.
How many local variables does this function use?
Tip: The base pointer minus a value is generally a local variable.
What instructions in this function are part of the prologue?
Tip: The function prologue is assembly code at the beginning of the function that saves (backs up) registers that will be used in the function body, and allocates space on the stack for local variables. This code is generated by the compiler, and is not part of the malware logic.
What instructions in this function are part of the epilogue?
Tip: The epilogue is assembly code at the end of the function that restores registers and does other cleanup activity. It is also generated by the compiler.
Tip 2: ‘leave’ is equivalent to ‘mov esp, ebp’ followed by ‘pop ebp’
Tip 3: ‘retn’ behaves like a ‘pop eip’ (the return address on top of the stack becomes the next instruction); ‘retn N’ additionally removes N bytes of arguments from the stack
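As an added worked example (not part of the lab handout or of IDA itself), the Python script below applies the rules from the tips above to a constructed IDA-style listing: it counts distinct positive and negative ebp offsets to get argument and local counts, peels the prologue and epilogue off the ends of the function, and reads the calling convention from whether the function ends in a bare ‘retn’ (cdecl, caller cleans up) or ‘retn N’ (stdcall, callee pops N bytes). The listing, addresses and names are made up for illustration; the prologue/epilogue detection is a heuristic, not IDA's own analysis.

```python
import re

# Constructed IDA-style listing of a small 32-bit function (addresses and
# names made up for illustration; this is not the lab's malware sample).
# IDA's stack-variable aliases (arg_0, var_4, ...) are kept at the top.
SAMPLE_LISTING = """
.text:00401000 sub_401000      proc near
.text:00401000 var_8           = dword ptr -8
.text:00401000 var_4           = dword ptr -4
.text:00401000 arg_0           = dword ptr  8
.text:00401000 arg_4           = dword ptr  0Ch
.text:00401000                 push    ebp
.text:00401001                 mov     ebp, esp
.text:00401003                 sub     esp, 8
.text:00401006                 push    esi
.text:00401007                 mov     esi, [ebp+arg_0]
.text:0040100A                 mov     eax, [ebp+arg_4]
.text:0040100D                 mov     [ebp+var_4], eax
.text:00401010                 mov     [ebp+var_8], 0
.text:00401017                 add     eax, esi
.text:00401019                 pop     esi
.text:0040101A                 leave
.text:0040101B                 retn    8
.text:0040101B sub_401000      endp
"""

LINE_RE = re.compile(r"^\.text:([0-9A-Fa-f]{8})\s+(.*)$")
FRAME_RE = re.compile(r"\[ebp([+-])\s*(\w+)\]")   # [ebp+arg_0], [ebp+var_4], [ebp+8], [ebp-4]


def _imm(token):
    """Parse an IDA immediate written as 8, 0Ch, 10h or 0x10."""
    t = token.strip()
    if t.lower().startswith("0x"):
        return int(t, 16)
    return int(t[:-1], 16) if t[-1] in "hH" else int(t, 10)


def parse_listing(text):
    """Return [(addr, mnemonic, operands)] for instruction lines only;
    proc/endp lines and 'name = dword ptr N' alias lines are skipped."""
    insns = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(2).strip()
        if not body or " = " in body or body.endswith(("proc near", "endp")):
            continue
        mnem, _, ops = body.partition(" ")
        insns.append((int(m.group(1), 16), mnem.lower(), ops.strip()))
    return insns


def frame_offset(sign, token):
    """Signed byte offset from ebp. IDA names positive offsets arg_N (arg_0 is
    at ebp+8, above the saved ebp and the return address) and negative ones var_N."""
    if token.startswith("arg_"):
        return 8 + int(token[4:], 16)
    if token.startswith("var_"):
        return -int(token[4:], 16)
    return _imm(token) if sign == "+" else -_imm(token)


def _is_prologue(mnem, ops):
    o = ops.replace(" ", "")
    return (mnem == "push" or (mnem == "mov" and o == "ebp,esp")
            or (mnem in ("sub", "and") and o.startswith("esp,")))


def _is_epilogue(mnem, ops):
    o = ops.replace(" ", "")
    return (mnem in ("retn", "ret", "leave", "pop") or (mnem == "mov" and o == "esp,ebp")
            or (mnem == "add" and o.startswith("esp,")))


def frame_summary(text):
    insns = parse_listing(text)
    args, locs = set(), set()
    for _, _, ops in insns:
        for sign, token in FRAME_RE.findall(ops):
            off = frame_offset(sign, token)
            (args if off > 0 else locs).add(off)

    # Prologue = leading push / mov ebp,esp / sub esp,N; epilogue = trailing
    # pop / leave / retn. Heuristic: a 'push' that sets up a call argument right
    # after the frame setup would also be swallowed, so eyeball the boundary.
    prologue = []
    for addr, mnem, ops in insns:
        if not _is_prologue(mnem, ops):
            break
        prologue.append((addr, f"{mnem} {ops}".strip()))
    epilogue = []
    for addr, mnem, ops in reversed(insns):
        if not _is_epilogue(mnem, ops):
            break
        epilogue.insert(0, (addr, f"{mnem} {ops}".strip()))

    # 'retn N' means the callee pops its own arguments (stdcall); a bare 'retn'
    # leaves them for the caller to remove with 'add esp, N' (cdecl).
    _, last_mnem, last_ops = insns[-1]
    callee_pops = _imm(last_ops) if last_mnem in ("retn", "ret") and last_ops else 0
    return {"args": len(args), "locals": len(locs), "prologue": prologue, "epilogue": epilogue,
            "convention": "stdcall" if callee_pops else "cdecl", "callee_pops": callee_pops,
            "saved_regs": [t.split()[1] for _, t in prologue if t.startswith("push ") and t != "push ebp"]}
```

For a stdcall function the byte count in ‘retn N’ should equal four times the argument count found from the positive ebp offsets; when the two disagree (as the note on the CreateProcessW() caller warns IDA's own prototype can), trust the offsets and check the callers for an ‘add esp, N’.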

There is one function in the executable that calls CreateProcessW(). Locate this function. Note that you are not locating the code for CreateProcessW(), but rather the function in the malware that calls it.

Question Answer
What is the starting address of this function in the .text section?
What name has IDA given this function?
From how many locations in the code is this function called?
What calling convention does IDA think that this function uses?
How many arguments does this function take?
Note: The IDA-generated function prototype is inconsistent here - disregard it and instead look at positive offsets to the base pointer.
How many local variables does this function use?
What instructions in this function are part of the prologue?
What instructions in this function are part of the epilogue?
Tip: You may want to switch to graph view (via SPACEBAR) to examine the control flow of this function and make sure that you locate the correct end (which will have a RETN instruction)

There is a loop that begins at offset 407D84 in the executable - go to that location.
Tip: Use the 'G' key as a shortcut.

Question Answer
What instruction(s) determine when the loop will exit? What address(es) are those instructions stored at?
Tip: Look at the dashed lines at the far left of the IDA code view panel
What instruction updates the loop control variable? What address is that instruction stored at?
What instruction initializes the loop control variable? What address is that instruction stored at?
Tip: You know what register is being used as the loop control variable already. Click on that register, and IDA will highlight where it is used elsewhere in the code.
Write the loop control structure in C pseudocode.
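As an added worked example (not from the lab handout or from IDA), the Python script below does mechanically what the questions above ask you to do by eye: it finds the loop as a conditional jump whose target lies above it (the dashed back-arrow in the IDA listing), takes the ‘cmp’ before that jump as the exit test and its first operand as the loop control register, then finds the instruction that updates that register inside the loop and the last instruction that writes it before the loop, and renders the result as C pseudocode. The listing, its addresses, labels and XOR key are constructed for illustration and are not the lab sample's code.

```python
import re

# Constructed IDA-style listing of a counted loop that XORs up to 16 bytes
# and stops early at a NUL byte. Addresses, labels and the key 5Ah are made
# up for illustration; this is not the lab's malware sample.
SAMPLE_LOOP = """
.text:00401050                 mov     esi, [ebp+arg_0]
.text:00401053                 xor     ecx, ecx
.text:00401055
.text:00401055 loc_401055:
.text:00401055                 mov     al, [esi+ecx]
.text:00401058                 test    al, al
.text:0040105A                 jz      short loc_40106A
.text:0040105C                 xor     al, 5Ah
.text:0040105E                 mov     [esi+ecx], al
.text:00401061                 inc     ecx
.text:00401062                 cmp     ecx, 10h
.text:00401065                 jb      short loc_401055
.text:00401067                 mov     [ebp+var_4], ecx
.text:0040106A
.text:0040106A loc_40106A:
.text:0040106A                 pop     esi
"""

LINE_RE = re.compile(r"^\.text:([0-9A-Fa-f]{8})\s*(.*)$")
# Conditional jump -> C comparison that is true when the jump is taken
COND = {"jz": "==", "je": "==", "jnz": "!=", "jne": "!=", "jb": "<", "jl": "<",
        "jbe": "<=", "jle": "<=", "ja": ">", "jg": ">", "jae": ">=", "jge": ">="}
UPDATES = {"inc": "{r}++", "dec": "{r}--", "add": "{r} += {v}", "sub": "{r} -= {v}"}


def parse_listing(text):
    """Return ([(addr, mnemonic, operands)], {label: addr}); blank address
    lines are skipped and 'loc_xxx:' lines become labels."""
    insns, labels = [], {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group(2).strip():
            continue
        addr, body = int(m.group(1), 16), m.group(2).strip()
        if body.endswith(":"):
            labels[body[:-1]] = addr
            continue
        mnem, _, ops = body.partition(" ")
        insns.append((addr, mnem.lower(), ops.strip()))
    return insns, labels


def _operands(insn):
    lhs, _, rhs = insn[2].partition(",")
    return lhs.strip(), rhs.strip()


def _imm_to_c(tok):
    """IDA writes hex immediates with a trailing h (10h); C wants 0x10."""
    return "0x" + (tok[:-1].lstrip("0") or "0") if tok and tok[-1] in "hH" else tok


def _condition(flag_insn, jcc):
    """cmp/test plus the Jcc after it, as a C comparison true when the jump is taken."""
    lhs, rhs = _operands(flag_insn)
    if flag_insn[1] == "test" and lhs == rhs:   # test reg, reg compares reg with 0
        rhs = "0"
    return f"{lhs} {COND[jcc]} {_imm_to_c(rhs)}"


def _fmt(insn):
    return (insn[0], f"{insn[1]} {insn[2]}".strip())


def analyze_loop(text):
    insns, labels = parse_listing(text)
    index = {insn[0]: n for n, insn in enumerate(insns)}

    def target(ops):
        return labels.get(ops.split()[-1]) if ops else None

    # A loop is a conditional jump whose target lies above it (the dashed
    # arrow in IDA's listing that points back up).
    for n, (addr, mnem, ops) in enumerate(insns):
        tgt = target(ops)
        if mnem in COND and tgt is not None and tgt < addr:
            start, end = index[tgt], n
            break
    else:
        raise ValueError("no backward conditional jump found")
    lo, hi, body = insns[start][0], insns[end][0], insns[start:end + 1]

    # The cmp right before the back edge names the control register and,
    # together with the jump condition, gives the "keep looping while" test.
    control, _ = _operands(insns[end - 1])
    cont = _condition(insns[end - 1], insns[end][1])

    exits, breaks = [], []
    for k, (_, mnem, ops) in enumerate(body):
        tgt = target(ops)
        if k and mnem in COND and tgt is not None and not lo <= tgt <= hi:
            exits += [_fmt(body[k - 1]), _fmt(body[k])]           # early exit out of the loop
            breaks.append(f"if ({_condition(body[k - 1], mnem)}) break;")
    exits += [_fmt(insns[end - 1]), _fmt(insns[end])]             # the back edge itself

    upd = next(i for i in body if i[1] in UPDATES and _operands(i)[0] == control)
    update_c = UPDATES[upd[1]].format(r=control, v=_imm_to_c(_operands(upd)[1]))
    init = next(i for i in reversed(insns[:start])
                if i[1] in ("mov", "xor", "lea") and _operands(i)[0] == control)
    src = _operands(init)[1]
    init_c = f"{control} = {'0' if init[1] == 'xor' and src == control else _imm_to_c(src)}"

    return {"start": lo, "end": hi, "control": control, "init": _fmt(init),
            "update": _fmt(upd), "exits": exits,
            "pseudocode": f"for ({init_c}; {cont}; {update_c}) {{ {' '.join(breaks + ['...'])} }}"}
```

The script assumes the back edge is preceded by a ‘cmp’ or ‘test’; a loop written as ‘dec ecx / jnz loc’ sets the flags in the update instruction itself, so for that shape the update and the exit test are the same instruction and the script's condition string will need fixing by hand. Clicking the control register in IDA, as the tip above suggests, is the quickest way to confirm which instructions it found.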

Part 2 - 64-bit malware

For the 64-bit malware sample, use the IDA 7.0 freeware disassembler.

Question Answer
From what 3 addresses in the program is the function strlen() called?
From what 2 functions in the program is RegOpenKeyExA() called? (Give their IDA-generated names)
For both of those calls to RegOpenKeyExA(), the same hKey argument is used. What is the value in hex?
For the hKey argument, what is the symbolic name that the programmer would have entered?
Tip: Right click->Use standard symbolic constant, and use your knowledge of the Windows API to pick the reasonable choice
From what function in the program is HttpQueryInfoA() called? (Give the IDA-generated name)
For the dwInfoLevel argument, what is the value in hex?
For the dwInfoLevel argument, what is the symbolic name (or combination of names, hint hint) that the programmer likely entered?
For the dwInfoLevel argument, what does that value mean in plain English?