Advanced Static Analysis #3
The third part of the Lab from Chapter 5
15. At 0x10001701 is a call to socket. What are the three parameters?
I jumped to the wrong section 10001071... and spent an hour analyzing something difficult.
16. Using the MSDN page for socket and the named symbolic constants functionality in IDA Pro, can you make the parameters more meaningful? What are the parameters after you apply changes?
I’m going to have to add a plugin for this exercise. I think I’ll need IDA Pro as well. The answer was that these arguments correspond to three symbolic constants: IPPROTO_TCP, SOCK_STREAM, and AF_INET.
17. Search for usage of the in instruction (opcode 0xED). This instruction is used with a magic string VMXh to perform VMware detection. Is that in use in this malware? Using the cross-references to the function that executes the in instruction, is there further evidence of VMware detection?
I had to search for a sequence of bits: “ED”.
Using the cross-references to the function that executes the in instruction, we can see that the virtual machine check is performed again. If the malware finds it is running in a VM, it stops installing.
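To make question 17 concrete outside of IDA, here is an added example (not code from the book, the lab binary, or Lab05-01.py) that scans a raw byte buffer for the in eax, dx opcode and checks whether the VMware backdoor constants are loaded shortly before it. The constants 0x564D5868 ('VMXh', loaded into EAX) and 0x5658 ('VX', the I/O port loaded into DX) are the documented VMware backdoor values; the sample bytes and the 24-byte look-back window are constructed assumptions for this illustration.

```python
"""Offline scanner for the VMware I/O-port backdoor pattern (question 17).

Added example: works on a raw byte buffer so it runs without IDA. A raw
0xED byte match is only a lead, exactly like IDA's "sequence of bytes"
search, so each hit must still be confirmed by disassembly.
"""
import struct

IN_EAX_DX = 0xED           # opcode of `in eax, dx`
VMWARE_MAGIC = 0x564D5868  # 'VMXh', expected in EAX before the `in`
VMWARE_PORT = 0x5658       # 'VX', the backdoor I/O port expected in DX
LOOKBACK = 24              # assumption: bytes to inspect before each 0xED


def find_in_instructions(data: bytes) -> list:
    """Offsets of every 0xED byte (candidate `in eax, dx` instructions)."""
    return [i for i, b in enumerate(data) if b == IN_EAX_DX]


def find_vmware_checks(data: bytes, lookback: int = LOOKBACK) -> list:
    """Offsets of 0xED bytes preceded, within `lookback` bytes, by both the
    little-endian VMXh magic dword and the 0x5658 port word."""
    magic = struct.pack("<I", VMWARE_MAGIC)   # b'hXMV'
    port = struct.pack("<H", VMWARE_PORT)     # b'XV'
    hits = []
    for off in find_in_instructions(data):
        window = data[max(0, off - lookback):off]
        if magic in window and port in window:
            hits.append(off)
    return hits


# Constructed sample (not bytes from Lab05-01.dll): a hand-assembled x86
# VMware check followed by a stray 0xED inside zero padding.
SAMPLE = (
    b"\x55\x8b\xec"                 # push ebp; mov ebp, esp
    b"\xb8\x68\x58\x4d\x56"         # mov eax, 564D5868h ('VMXh')
    b"\xbb\x00\x00\x00\x00"         # mov ebx, 0
    b"\xb9\x0a\x00\x00\x00"         # mov ecx, 0Ah
    b"\xba\x58\x56\x00\x00"         # mov edx, 5658h ('VX')
    b"\xed"                         # in eax, dx          (offset 23)
    b"\x81\xfb\x68\x58\x4d\x56"     # cmp ebx, 564D5868h  (reply check)
    b"\x0f\x94\xc0"                 # sete al
    b"\xc3"                         # ret
    + b"\x00" * 24                  # padding, no constants nearby
    + b"\xed"                       # stray 0xED in data   (offset 58)
)

if __name__ == "__main__":
    print("candidate in instructions:", find_in_instructions(SAMPLE))
    print("likely VMware checks:", find_vmware_checks(SAMPLE))
```

Running the block reports two candidate 0xED bytes but only one VMware check, which mirrors the manual workflow in IDA: search for the byte, then confirm the VMXh magic and the port in the surrounding disassembly before treating it as VM detection.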
18. Jump your cursor to 0x1001D988. What do you find?
Doesn’t seem to mean much. It’s just random data.
19. If you have the IDA Python plug-in installed (included with the commercial version of IDA Pro), run Lab05-01.py, an IDA Pro Python script provided with the malware for this book. (Make sure the cursor is at 0x1001D988.) What happens after you run the script?
20. With the cursor in the same location, how do you turn this data into a single ASCII string?
21. Open the script with a text editor. How does it work?
I don’t think plugins work with IDA Freeware. I might have to let these exercises go. I’ve read up on what each of the questions leads to. They seem to be focused on using features of the plugin by pressing a key. I’ll try to get IDA Pro soon. I want to play around with it more.
Reflections
Finally! I’ve completed the IDA Pro exercises. The final 7 questions seemed to be focused on using plugins, which was unfortunate since I’m using the freeware. It was tedious at times, grinding through functions and assembly trying to work out what’s going on. The work seems to have paid off, as I feel I’ve gotten more familiar with the assortment of tools offered by IDA. I’ll try to get my hands on IDA Pro in the future.