├── README.md
├── lab01
    └── lab01.md
├── lab02
    └── lab02.md
├── lab03
    ├── lab03.md
    └── procmon.txt
├── lab04
    └── lab04.md
├── lab05
    ├── check_platform_and_version.png
    ├── determine_arch.png
    ├── determine_version_info.png
    ├── dll_main_windows_api.png
    ├── dll_main_windows_api_2.png
    ├── dns_request_host.png
    ├── execute_cmd.png
    ├── gethostbyname_graph.png
    ├── ida_imports.png
    ├── lab05.md
    ├── local_vars.png
    ├── print_sys_lang_graph.png
    ├── pslist.png
    ├── set_cmdorcommand.png
    └── sleep_time.png
├── lab06
    └── lab06.md
├── lab07
    └── lab07.md
├── lab08
    └── lab08.md
├── lab09
    ├── dll_base_addresses.png
    ├── dll_mystery_data.png
    ├── hexstring.png
    ├── lab09.md
    └── xor_domainencode.png
├── lab10
    └── lab10.md
├── lab11
    ├── ini_location.png
    ├── lab11.md
    ├── modify_rcpt_to.png
    ├── modify_send.png
    ├── process_name_check.png
    ├── procmon.png
    ├── shellcode.png
    ├── spoolvxx.png
    └── text_decoding.png
├── lab12
    ├── access-resource.png
    ├── lab12.md
    ├── loadlibrary.png
    ├── loadresource.png
    ├── lpstartaddress.png
    └── winlogon.png
├── lab13
    ├── first_attempt.png
    ├── immunity_instrumenting_setup.png
    ├── lab13.md
    ├── likely_decoding.png
    ├── refs_to_b64table.png
    ├── second_attempt.png
    ├── tempfiles.png
    ├── xor_search.png
    └── xor_search2.png
├── lab14
    ├── assemble_guid.png
    ├── fetch_commands.png
    ├── get_request.png
    ├── lab14.md
    ├── noscript_search.png
    └── regex_writer.png
├── lab15
    └── lab15.md
├── lab16
    ├── anti_debugging_checks.png
    ├── find_window.png
    ├── lab16.md
    ├── nop_today.png
    └── tls_entrypoint.png
└── lab19
    ├── find_browser.png
    ├── import_terminateprocess.png
    ├── lab19.md
    ├── manual_import.png
    ├── shellcode_connect.png
    ├── shellcode_decoder.png
    ├── very_sneaky.png
    └── xor_decode_shellcode.png


/README.md:
--------------------------------------------------------------------------------
1 | # practical-malware-analysis
2 | Working through Practical Malware Analysis from No Starch Press
3 | 


--------------------------------------------------------------------------------
/lab01/lab01.md:
--------------------------------------------------------------------------------
  1 | Lab 1-1
  2 | =======
  3 | 
  4 |   1. `Lab01-01.dll` is marked malicious for 24/56 engines; `Lab01-01.exe` is for 29/55 engines.
  5 | 
  6 |   2. `Lab01-01.dll` was compiled on `2010-12-19 16:16:38`; `Lab01-01.exe` on `2010-12-19 16:16:19`.
  7 | 
  8 |   3. VirusTotal indicates that `Lab01-01.dll` uses `Armadillo v1.xx - v2.xx`, while `Lab01-01.exe` uses `Armadillo v1.7.1`.
  9 | 
 10 |   4. `Lab01-01.dll` imports `socket`, `inet_addr`, and other internet functions, suggesting it connects to the internet. `Lab01-01.exe` imports `FindFirstFileA`, `CopyFileA`, `CreateFileA`, and other file handling functions that suggest it manipulates files.
 11 | 
 12 |   5. Each file contains several fairly unique strings that could be used as host-based indicators; `Lab01-01.dll` contains `127.26.152.13` (obviously useful as a network indicator as well), while `Lab01-01.exe` contains `WARNING_THIS_WILL_DESTROY_YOUR_MACHINE`.
 13 | 
 14 |   6. `Lab01-01.dll` contains:
 15 | 
 16 |     ```
 17 |     hello
 18 |     127.26.152.13
 19 |     SADFHUHF
 20 |     ```
 21 | 
 22 |     Which suggests to me that perhaps the message `hello` is sent to `127.26.152.13` - usable as a network indicator.
 23 | 
 24 |   7. `Lab01-01.exe` contains some odd strings:
 25 |     ```
 26 |     kerne132.dll
 27 |     kernel32.dll
 28 |     .exe
 29 |     C:\*
 30 |     C:\windows\system32\kerne132.dll
 31 |     Kernel32.
 32 |     Lab01-01.dll
 33 |     C:\Windows\System32\Kernel32.dll
 34 |     WARNING_THIS_WILL_DESTROY_YOUR_MACHINE
 35 |     ```
 36 | 
 37 |     Along with the file handling functions imported, this suggests to me that this sample will delete at least `kerne132.dll` (interesting typo in several cases?) if not `C:\*` entirely. On the other hand, at least they warn you first.
 38 | 
 39 |     As noted in (6), `Lab01-01.dll` contains:
 40 | 
 41 |     ```
 42 |     hello
 43 |     127.26.152.13
 44 |     SADFHUHF
 45 |     ```
 46 | 
 47 |     Which suggests to me that perhaps the message `hello` is sent to `127.26.152.13`. Given the set of imports shown below, the sample appears to have receive functionality as well, which could possibly implement full command and control (or could be a simple phone home).
 48 | 
 49 |     ```
 50 |     socket
 51 |     closesocket
 52 |     inet_addr
 53 |     send
 54 |     WSACleanup
 55 |     WSAStartup
 56 |     connect
 57 |     shutdown
 58 |     htons
 59 |     recv
 60 |     ```
 61 | 
 62 | 
 63 | Lab 1-2
 64 | =======
 65 | 
 66 |  1. `Lab01-02.exe` matches 36 engines on VirusTotal.
 67 | 
 68 |  2. The file appears to be packed with the UPX packer - as reported by VirusTotal. It's also telling that the PE sections are "UPX0" through "UPX2".
 69 | 
 70 |   3. The file imports `InternetOpenA` from `WININET.dll`, as well as `CreateServiceA` from `ADVAPI32.dll`, which suggests that it spawns a service with Internet access. Since it also imports `GetProcAddress` and `LoadLibraryA`, it could load additional libraries for more functionality. (the text `InternetOpenUrlA` appears in the body of the executable, suggesting it is loaded dynamically)
 71 | 
 72 |   4. The file contains several interesting strings, including `http://www.malwareanalysisbook.com` and `Internet Explorer 8.0`, the latter of which seems likely to be a user agent string used when accessing the earlier domain. The string `MalService` also appears (twice), suggesting (in tandem with the import of `CreateServiceA`) that this file creates a service with that name.
 73 | 
 74 | 
 75 | Lab 1-3
 76 | =======
 77 | 
 78 |   1. VirusTotal matches this sample on a huge variety of malware families; the most common seems to be `Packer.FSG.A`.
 79 | 
 80 |   2. VirusTotal reports that the file appears to be packed with the `FSG` packer. PEiD reports `FSG 1.0 -> dulek/xt`. It cannot be unpacked using simple static analysis.
 81 | 
 82 |   3. `Lab01-03.exe` has a variety of interesting imports, including:
 83 | 
 84 |   ```
 85 |   CreateRemoteThread
 86 |   CreateDirectory
 87 |   CreateFile
 88 |   FindFirstFile
 89 |   LoadLibrary
 90 |   CreateNamedPipe
 91 |   CreatePipe
 92 |   IsDebuggerPresent
 93 |   Beep
 94 |   ```
 95 | 
 96 |   4. Without unpacking, there are very few indicators to find here. Using some of the imports as clues, it may be worthwhile to watch for a process that spawns threads and creates pipes, but that's not a particularly unique signature.
 97 | 
 98 | 
 99 | Lab 1-4
100 | =======
101 | 
102 |   1. 48 VirusTotal engines match (out of 56).
103 | 
104 |   2. VirusTotal reports the file is packed with `Armadilo v1.7`. PEiD, however, reports the file is not packed - bot due to entropy and a deep scan.
105 | 
106 |   3. PEview reports that the file was compiled on `2019/08/30 Fri 22:26:59 UTC` - obviously faked.
107 | 
108 |   4. This file has a huge number of imports, including:
109 | 
110 |   ```
111 |   LoadLibrary
112 |   WriteFile
113 |   DeleteFile
114 |   CreateRemoteThread
115 |   OpenThread
116 |   CreatePipe
117 |   CreateNamedPipe
118 |   ConnectNamedPipe
119 |   GetCommandLine
120 |   ExpandEnvironmentStrings
121 |   GetEnvironmentVariable
122 |   IsDebuggerPresent
123 |   Beep
124 |   OpenProcessToken
125 |   CreateService
126 |   ControlService
127 |   StartService
128 |   RegLoadKey
129 |   RegOpenCurrentUser
130 |   DelayLoadFailureHook
131 |   NsiConnectToServer
132 |   CryptDecrypt
133 |   CryptEncrypt
134 |   WinVerifyTrust
135 |   LogonUser
136 |   CreateBitmap
137 |   GetClipBox
138 |   < various other GUI functions >
139 |   PlaySound
140 |   URLDownloadToCacheFile
141 |   URLDownloadToFile
142 |   OpenProcessToken
143 |   ```
144 | 
145 |   5. Host indicators include the strings `\system32\wupdmgr.exe` (which, paired with some of the imports, suggests that this file calls out to that executable), `<not real>`, `\winup.exe` (again, likely calls out), and several dlls that are likely dynamicall imported - `urlmon.dll` and `psapi.dll` among them.
146 | 
147 |   Network-based indicators include the URL `http://www.practicalmalwareanalysis.com/updater.exe`.
148 | 
149 |   6. The only resource available with ResourceHacker is a binary file containing the text of the program.
150 | 


--------------------------------------------------------------------------------
/lab02/lab02.md:
--------------------------------------------------------------------------------
1 | Lab 2
2 | =====
3 | 
4 | Lab two has no problems, but instead requires setup and configuration of a virtual machine for malware analysis.
5 | 


--------------------------------------------------------------------------------
/lab03/lab03.md:
--------------------------------------------------------------------------------
  1 | Lab 3-1
  2 | =======
  3 | 
  4 | 1. The softare's strings, according to Process Explorer, are: 
  5 |   ```
  6 |   jjjjjj
  7 |   !This program cannot be run in DOS mode.
  8 |   Rich
  9 |   .text
 10 |   `.data
 11 |   ExitProcess
 12 |   kernel32.dll
 13 |   cks=u
 14 |   ttp=
 15 |   cks=
 16 |   CONNECT %s:%i HTTP/1.0
 17 |   QSRW
 18 |   PWW
 19 |   thj@h
 20 |   PWW
 21 |   VSWRQ
 22 |   QVlM
 23 |   ^-m-m<|<|<|M
 24 |   advapi32
 25 |   ntdll
 26 |   user32
 27 |   Jbh
 28 |   QQVP
 29 |   ucj
 30 |   advpack
 31 |   StubPath
 32 |   SOFTWARE\Classes\http\shell\open\commandV
 33 |   Software\Microsoft\Active Setup\Installed Components\
 34 |   test
 35 |   www.practicalmalwareanalysis.com
 36 |   admin
 37 |   VideoDriver
 38 |   WinVMX32-
 39 |   vmx32to64.exe
 40 |   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 41 |   SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
 42 |   PWj
 43 |   AppData
 44 |   VQj
 45 |   ViW
 46 |   ```
 47 |   Of particular interest are `www.practicalmalwareanalysis.com`, `CONNECT %s:%i HTTP/1.0`, and the various file path strings.
 48 | 
 49 |   The file has a number of interesting imports, including many related to threads, mutexes and semaphores, manipulating files, loading libraries, and creating and manipulating named pipes.
 50 | 
 51 | 2. Host-based indicators include the strings seen above. Regshot shows no changed or added registry keys (beyond some noise), and [procmon](./procmon.txt) shows very little interesting activity - loading kernel32.dll, reading some registry keys (none of which seem unusual), then exiting. Curiously, the process exits with status `-1073741819`, which suggests to me that this malware is failing to execute properly.
 52 | 
 53 | 3. ApateDNS seems only to turn up requests to `watson.microsoft.com` and `wpad.olin.edu`. Netcat shows the following, which seems consistent with Apate's findings:
 54 | 
 55 |   ```
 56 |   C:\Users\IEUser\Desktop\nc111nt>nc -l -p 80
 57 |   GET /wpad.dat HTTP/1.1
 58 |   Connection: Keep-Alive
 59 |   Accept: */*
 60 |   Host: 127.0.0.1
 61 |   ```
 62 | 
 63 |   ```
 64 |   C:\Users\IEUser\Desktop\nc111nt>nc -l -p 443
 65 |   ▬♥☺ ⌂☺  {♥☺X┤áP♠/i(ÄGh◄PkP2☼R(▓Ç-♀WNu▀#ö┘¡d  ∟└¶└‼ 9 3 5 /└
 66 |   └        8 2
 67 |   ‼ ♣ ♦☺  6   ↓ ↨  ¶watson.microsoft.com
 68 |   ♠ ♦ ↨ ↑ ♂ ☻☺  ↨   ☺ ☺
 69 |   ```
 70 | 
 71 |   Neither of these seem to be caused by the file being analyzed. In addition, Process Explorer shows no TCP/IP connections, nor does the file seem to import any networking libraries. This is odd, since a domain name and apparent HTML connection string appear in the file's strings.
 72 | 
 73 | Lab 3-2
 74 | =======
 75 | 
 76 | 1. According to PE Explorer, `Lab03-02.dll` exports `Install`, `ServiceMain`, `UninstallService`, `installA`, and `uninstallA`. This implies that the malware could be installed as a service by running `rundll32.exe Lab03-02.dll,install MalService`.
 77 | 
 78 | Unfortunately, doing so (even without any arguments - `rundll32.exe Lab03-02.dll,install`) results in a crash:
 79 | 
 80 |   ```
 81 |   Version=1
 82 |   EventType=APPCRASH
 83 |   EventTime=131327951831980417
 84 |   ReportType=2
 85 |   Consent=1
 86 |   UploadTime=131327951832481137
 87 |   ReportIdentifier=cba757e2-fe06-11e6-8ca2-08002785c5cd
 88 |   IntegratorReportIdentifier=cba757e1-fe06-11e6-8ca2-08002785c5cd
 89 |   Response.type=4
 90 |   Sig[0].Name=Application Name
 91 |   Sig[0].Value=rundll32.exe
 92 |   Sig[1].Name=Application Version
 93 |   Sig[1].Value=6.1.7600.16385
 94 |   Sig[2].Name=Application Timestamp
 95 |   Sig[2].Value=4a5bc637
 96 |   Sig[3].Name=Fault Module Name
 97 |   Sig[3].Value=ntdll.dll
 98 |   Sig[4].Name=Fault Module Version
 99 |   Sig[4].Value=6.1.7601.23572
100 |   Sig[5].Name=Fault Module Timestamp
101 |   Sig[5].Value=57fd0335
102 |   Sig[6].Name=Exception Code
103 |   Sig[6].Value=c0000005
104 |   Sig[7].Name=Exception Offset
105 |   Sig[7].Value=00052a0e
106 |   DynamicSig[1].Name=OS Version
107 |   DynamicSig[1].Value=6.1.7601.2.1.0.256.4
108 |   DynamicSig[2].Name=Locale ID
109 |   DynamicSig[2].Value=1033
110 |   DynamicSig[22].Name=Additional Information 1
111 |   DynamicSig[22].Value=0a9e
112 |   DynamicSig[23].Name=Additional Information 2
113 |   DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
114 |   DynamicSig[24].Name=Additional Information 3
115 |   DynamicSig[24].Value=0a9e
116 |   DynamicSig[25].Name=Additional Information 4
117 |   DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
118 |   UI[2]=C:\Windows\system32\rundll32.exe
119 |   UI[3]=Windows host process (Rundll32) has stopped working
120 |   UI[4]=Windows can check online for a solution to the problem.
121 |   UI[5]=Check online for a solution and close the program
122 |   UI[6]=Check online for a solution later and close the program
123 |   UI[7]=Close the program
124 |   LoadedModule[0]=C:\Windows\system32\rundll32.exe
125 |   LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
126 |   LoadedModule[2]=C:\Windows\system32\kernel32.dll
127 |   LoadedModule[3]=C:\Windows\system32\KERNELBASE.dll
128 |   LoadedModule[4]=C:\Windows\system32\USER32.dll
129 |   LoadedModule[5]=C:\Windows\system32\GDI32.dll
130 |   LoadedModule[6]=C:\Windows\system32\LPK.dll
131 |   LoadedModule[7]=C:\Windows\system32\USP10.dll
132 |   LoadedModule[8]=C:\Windows\system32\msvcrt.dll
133 |   LoadedModule[9]=C:\Windows\system32\imagehlp.dll
134 |   LoadedModule[10]=C:\Windows\system32\ADVAPI32.dll
135 |   LoadedModule[11]=C:\Windows\SYSTEM32\sechost.dll
136 |   LoadedModule[12]=C:\Windows\system32\RPCRT4.dll
137 |   LoadedModule[13]=C:\Windows\system32\apphelp.dll
138 |   LoadedModule[14]=C:\Windows\AppPatch\AcLayers.DLL
139 |   LoadedModule[15]=C:\Windows\system32\SspiCli.dll
140 |   LoadedModule[16]=C:\Windows\system32\SHELL32.dll
141 |   LoadedModule[17]=C:\Windows\system32\SHLWAPI.dll
142 |   LoadedModule[18]=C:\Windows\system32\ole32.dll
143 |   LoadedModule[19]=C:\Windows\system32\OLEAUT32.dll
144 |   LoadedModule[20]=C:\Windows\system32\USERENV.dll
145 |   LoadedModule[21]=C:\Windows\system32\profapi.dll
146 |   LoadedModule[22]=C:\Windows\system32\WINSPOOL.DRV
147 |   LoadedModule[23]=C:\Windows\system32\MPR.dll
148 |   LoadedModule[24]=C:\Windows\system32\IMM32.DLL
149 |   LoadedModule[25]=C:\Windows\system32\MSCTF.dll
150 |   LoadedModule[26]=C:\Users\IEUser\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_3L\Lab03-02.dll
151 |   LoadedModule[27]=C:\Windows\system32\WS2_32.dll
152 |   LoadedModule[28]=C:\Windows\system32\NSI.dll
153 |   LoadedModule[29]=C:\Windows\system32\WININET.dll
154 |   LoadedModule[30]=C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
155 |   LoadedModule[31]=C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
156 |   LoadedModule[32]=C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
157 |   LoadedModule[33]=C:\Windows\system32\version.DLL
158 |   LoadedModule[34]=C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
159 |   LoadedModule[35]=C:\Windows\system32\normaliz.DLL
160 |   LoadedModule[36]=C:\Windows\system32\iertutil.dll
161 |   LoadedModule[37]=C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
162 |   LoadedModule[38]=C:\Windows\system32\uxtheme.dll
163 |   LoadedModule[39]=C:\Windows\system32\dwmapi.dll
164 |   FriendlyEventName=Stopped working
165 |   ConsentKey=APPCRASH
166 |   AppName=Windows host process (Rundll32)
167 |   AppPath=C:\Windows\system32\rundll32.exe
168 |   ```
169 | 
170 | 2. After installation, the above-named `MalService` could theoretically be run with `net start MalService`.
171 | 
172 | 3. In Process Explorer, look for the DLL `Lab03-02.dll` to be loaded into a running process; it should be under a `svchost.exe` process.
173 | 
174 | 4. During the installation process, setting procmon filters for `rundll32.exe` should provide some useful filtering, and afterward once the process is identified in process explorer, either a PID or process name could be used to isolate the service's actions.
175 | 
176 | 5. There are a large number of unique strings which could be used for host-based detection, but the inability to install the DLL above impedes digging deeper into the malware's activity.
177 | 
178 | 6. The malware contains some strings which suggest network activity: `practicalmalwareanalysis.com`, `HTTP/1.1`, etc., and also imports `WinInet.dll`, which strongly suggests that the malware has an internet component; unfortunately, due to being unable to install the service, I'm unable to explore further.
179 | 
180 | Lab 3-3
181 | =======
182 | 
183 | 1. It's odd that `Lab03-03.exe` spawns a process `svchost.exe`.
184 | 
185 | 2. Yes; the `svchost.exe` process has significantly different strings on disc and in memory - and, in addition, has a number of strings in memory such as `[SHIFT]`, `[TAB]`, etc. that seem to indicate it is logging keystrokes. In addition, for some reason the `Lab03-03.exe` process has an `<error opening process>` message in the pane for strings in memory - this perhaps accompanies the popup when the program is executed that says "The application was unable to start correctly", so it may not be an odd indicator.
186 | 
187 | 3. The string `practicalmalwareanalysis.log` present in memory for the `svchost.exe` process suggests to me this program creates a logfile somewhere. As noted in the previous question, the strings that suggest keylogging are also likely present somewhere on disk (presumably in this logfile).
188 | 
189 | 4. I very strongly suspect that this is a keylogger.
190 | 
191 | 
192 | Lab 3-4
193 | =======
194 | 
195 | 1. The executable file for the lab disappears; presumably deleted. In addition, Process Monitor reports that at one point a process was creted executing `cmd.exe`, which is consistent with my observation that a command window briefly appeared and then disappeared. Process Monitor reports that the event's command line value was `"C:\Windows\System32\cmd.exe" /c del C:\Users\IEUser\Desktop\PRACTI~1\BINARY~1\CHD8AF~1\Lab03-04.exe >> NUL`.
196 | 
197 | 2. The incredible speed of the process made catching it in Process Explorer quite difficult. In addition, spawning a command line process causes us to be unable to introspect some of the executable's actions since they take place in a different process.
198 | 
199 | 3. The program can be run from the command line, through `explorer.exe`, or through Process Explorer. It could also be executed with a debugger attached, though we haven't gotten there yet. :)
200 | 


--------------------------------------------------------------------------------
/lab03/procmon.txt:
--------------------------------------------------------------------------------
 1 | 2:14:08.2976661 PM	Lab03-01.exe	4048	Process Start		SUCCESS	Parent PID: 268, Command line: "C:\Users\IEUser\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_3L\Lab03-01.exe" , Current directory: C:\Users\IEUser\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_3L\, Environment: 
 2 | 	=::=::\
 3 | 	ALLUSERSPROFILE=C:\ProgramData
 4 | 	APPDATA=C:\Users\IEUser\AppData\Roaming
 5 | 	CommonProgramFiles=C:\Program Files\Common Files
 6 | 	COMPUTERNAME=IE11WIN7
 7 | 	ComSpec=C:\Windows\system32\cmd.exe
 8 | 	FP_NO_HOST_CHECK=NO
 9 | 	GSTREAMER_PATH=C:\Program Files\Autopsy-4.3.0\gstreamer\bin;C:\Program Files\Autopsy-4.3.0\gstreamer\lib\gstreamer-0.10
10 | 	HOMEDRIVE=C:
11 | 	HOMEPATH=\Users\IEUser
12 | 	LOCALAPPDATA=C:\Users\IEUser\AppData\Local
13 | 	LOGONSERVER=\\IE11WIN7
14 | 	NUMBER_OF_PROCESSORS=1
15 | 	OS=Windows_NT
16 | 	Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Autopsy-4.3.0\gstreamer\bin;C:\Program Files\Autopsy-4.3.0\gstreamer\lib\gstreamer-0.10
17 | 	PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
18 | 	PROCESSOR_ARCHITECTURE=x86
19 | 	PROCESSOR_IDENTIFIER=x86 Family 6 Model 142 Stepping 9, GenuineIntel
20 | 	PROCESSOR_LEVEL=6
21 | 	PROCESSOR_REVISION=8e09
22 | 	ProgramData=C:\ProgramData
23 | 	ProgramFiles=C:\Program Files
24 | 	PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
25 | 	PUBLIC=C:\Users\Public
26 | 	SESSIONNAME=Console
27 | 	SystemDrive=C:
28 | 	SystemRoot=C:\Windows
29 | 	TEMP=C:\Users\IEUser\AppData\Local\Temp
30 | 	TMP=C:\Users\IEUser\AppData\Local\Temp
31 | 	USERDOMAIN=IE11WIN7
32 | 	USERNAME=IEUser
33 | 	USERPROFILE=C:\Users\IEUser
34 | 	windir=C:\Windows
35 | 2:14:08.2976692 PM	Lab03-01.exe	4048	Thread Create		SUCCESS	Thread ID: 3852
36 | 2:14:08.4083838 PM	Lab03-01.exe	4048	Load Image	C:\Users\IEUser\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_3L\Lab03-01.exe	SUCCESS	Image Base: 0x400000, Image Size: 0x1c00
37 | 2:14:08.4110844 PM	Lab03-01.exe	4048	Load Image	C:\Windows\System32\ntdll.dll	SUCCESS	Image Base: 0x777d0000, Image Size: 0x142000
38 | 2:14:08.4111537 PM	Lab03-01.exe	4048	CreateFile	C:\Windows\Prefetch\LAB03-01.EXE-3F02A4FC.pf	NAME NOT FOUND	Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a
39 | 2:14:08.4112311 PM	Lab03-01.exe	4048	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager	REPARSE	Desired Access: Read
40 | 2:14:08.4112437 PM	Lab03-01.exe	4048	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager	SUCCESS	Desired Access: Read
41 | 2:14:08.4112573 PM	Lab03-01.exe	4048	RegQueryValue	HKLM\System\CurrentControlSet\Control\Session Manager\CWDIllegalInDLLSearch	NAME NOT FOUND	Length: 1,024
42 | 2:14:08.4112641 PM	Lab03-01.exe	4048	RegCloseKey	HKLM\System\CurrentControlSet\Control\Session Manager	SUCCESS	
43 | 2:14:08.4114043 PM	Lab03-01.exe	4048	CreateFile	C:\Users\IEUser\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_3L	SUCCESS	Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
44 | 2:14:08.4115082 PM	Lab03-01.exe	4048	Load Image	C:\Windows\System32\kernel32.dll	SUCCESS	Image Base: 0x775a0000, Image Size: 0xd5000
45 | 2:14:08.4116283 PM	Lab03-01.exe	4048	Load Image	C:\Windows\System32\KernelBase.dll	SUCCESS	Image Base: 0x75990000, Image Size: 0x4b000
46 | 2:14:08.4137803 PM	Lab03-01.exe	4048	RegOpenKey	HKLM\System\CurrentControlSet\Control\Terminal Server	REPARSE	Desired Access: Read
47 | 2:14:08.4137940 PM	Lab03-01.exe	4048	RegOpenKey	HKLM\System\CurrentControlSet\Control\Terminal Server	SUCCESS	Desired Access: Read
48 | 2:14:08.4138079 PM	Lab03-01.exe	4048	RegQueryValue	HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat	NAME NOT FOUND	Length: 548
49 | 2:14:08.4138149 PM	Lab03-01.exe	4048	RegQueryValue	HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled	SUCCESS	Type: REG_DWORD, Length: 4, Data: 0
50 | 2:14:08.4138211 PM	Lab03-01.exe	4048	RegCloseKey	HKLM\System\CurrentControlSet\Control\Terminal Server	SUCCESS	
51 | 2:14:08.4138328 PM	Lab03-01.exe	4048	RegOpenKey	HKLM\System\CurrentControlSet\Control\SafeBoot\Option	REPARSE	Desired Access: Query Value, Set Value
52 | 2:14:08.4138401 PM	Lab03-01.exe	4048	RegOpenKey	HKLM\System\CurrentControlSet\Control\SafeBoot\Option	NAME NOT FOUND	Desired Access: Query Value, Set Value
53 | 2:14:08.4138526 PM	Lab03-01.exe	4048	RegOpenKey	HKLM\System\CurrentControlSet\Control\Srp\GP\DLL	REPARSE	Desired Access: Read
54 | 2:14:08.4138585 PM	Lab03-01.exe	4048	RegOpenKey	HKLM\System\CurrentControlSet\Control\Srp\GP\DLL	NAME NOT FOUND	Desired Access: Read
55 | 2:14:08.4138683 PM	Lab03-01.exe	4048	RegOpenKey	HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	SUCCESS	Desired Access: Query Value
56 | 2:14:08.4138848 PM	Lab03-01.exe	4048	RegQueryValue	HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled	NAME NOT FOUND	Length: 80
57 | 2:14:08.4138901 PM	Lab03-01.exe	4048	RegCloseKey	HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers	SUCCESS	
58 | 2:14:08.4139043 PM	Lab03-01.exe	4048	RegOpenKey	HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	NAME NOT FOUND	Desired Access: Query Value
59 | 2:14:10.3877745 PM	Lab03-01.exe	4048	Thread Exit		SUCCESS	Thread ID: 3852, User Time: 0.0000000, Kernel Time: 0.0000000
60 | 2:14:10.3881592 PM	Lab03-01.exe	4048	QueryNameInformationFile	C:\Users\IEUser\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_3L\Lab03-01.exe	SUCCESS	Name: \Users\IEUser\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_3L\Lab03-01.exe
61 | 2:14:10.3881994 PM	Lab03-01.exe	4048	QueryNameInformationFile	C:\Windows\System32\KernelBase.dll	SUCCESS	Name: \Windows\System32\KernelBase.dll
62 | 2:14:10.3882217 PM	Lab03-01.exe	4048	QueryNameInformationFile	C:\Windows\System32\kernel32.dll	SUCCESS	Name: \Windows\System32\kernel32.dll
63 | 2:14:10.3882469 PM	Lab03-01.exe	4048	QueryNameInformationFile	C:\Windows\System32\ntdll.dll	SUCCESS	Name: \Windows\System32\ntdll.dll
64 | 2:14:10.3882762 PM	Lab03-01.exe	4048	QueryNameInformationFile	C:\Windows\System32\apisetschema.dll	SUCCESS	Name: \Windows\System32\apisetschema.dll
65 | 2:14:10.3883393 PM	Lab03-01.exe	4048	Process Exit		SUCCESS	Exit Status: -1073741819, User Time: 0.0000000 seconds, Kernel Time: 0.0000000 seconds, Private Bytes: 151,552, Peak Private Bytes: 241,664, Working Set: 708,608, Peak Working Set: 712,704
66 | 2:14:10.3883623 PM	Lab03-01.exe	4048	CloseFile	C:\Users\IEUser\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_3L	SUCCESS	
67 | 
68 | 


--------------------------------------------------------------------------------
/lab04/lab04.md:
--------------------------------------------------------------------------------
1 | This chapter is a crash course in x86 assembly, and did not include labs. Instead, I did a bunch of other random reading on assembly and read through [some old code](https://github.com/DakotaNelson/stagehand/blob/master/winstage.c) as a refresher.
2 | 


--------------------------------------------------------------------------------
/lab05/check_platform_and_version.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/check_platform_and_version.png


--------------------------------------------------------------------------------
/lab05/determine_arch.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/determine_arch.png


--------------------------------------------------------------------------------
/lab05/determine_version_info.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/determine_version_info.png


--------------------------------------------------------------------------------
/lab05/dll_main_windows_api.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/dll_main_windows_api.png


--------------------------------------------------------------------------------
/lab05/dll_main_windows_api_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/dll_main_windows_api_2.png


--------------------------------------------------------------------------------
/lab05/dns_request_host.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/dns_request_host.png


--------------------------------------------------------------------------------
/lab05/execute_cmd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/execute_cmd.png


--------------------------------------------------------------------------------
/lab05/gethostbyname_graph.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/gethostbyname_graph.png


--------------------------------------------------------------------------------
/lab05/ida_imports.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/ida_imports.png


--------------------------------------------------------------------------------
/lab05/lab05.md:
--------------------------------------------------------------------------------
  1 | Lab 5-1
  2 | =======
  3 | 
  4 |   1. DllMain is at address `1000D02E`.
  5 | 
  6 |   2. As seen in the figure below, `gethostbyname` does not appear in the IDA imports table.
  7 | 
  8 |   ![IDA imports table for malware sample](ida_imports.png)
  9 | 
 10 |   3. Since `gethostbyname` does not appear in the imports table, I determined the number of callers using IDA's Xrefs graph. As seen in the figure below, `gethostbyname` is called by 5 different functions.
 11 | 
 12 |   ![IDA Xrefs graph showing callers of gethostbyname](gethostbyname_graph.png)
 13 | 
 14 |   4. Based on the xefs leading to (specifically a data xref immediately before) that memory address's call to `gethostbyname`, the DNS request will go out for `pics.practicalmalwareanalysis.com`, as seen in the figure below.
 15 | 
 16 |   ![hostname seen in xrefs graph from IDA pro](dns_request_host.png)
 17 | 
 18 |   5. IDA recognizes 22 local variables in that subroutine (prefixed with `var_` or named by IDA). They can be seen in the figure below.
 19 | 
 20 |   ![subroutine local variables identified by IDA](local_vars.png)
 21 | 
 22 |   6. IDA recognizes one argument (prefixed with `arg_`) - it can be seen in the figure above.
 23 | 
 24 |   7. The string `\cmd.exe /c` appears at `xdoors_d:10095B34`.
 25 | 
 26 |   8. In the area of the code that the above string appears at, the program appears to create a pipe, get the system directory, then execute a command using the string `\\command.exe /c` or `\\cmd.exe /c` based on the results of the system directory call. It then zeros out 255 bytes of memory, and receives some data from a socket.
 27 | 
 28 |   ![IDA disassembly showing segment of assembly code](execute_cmd.png)
 29 | 
 30 |   9. The code seen in the figure below determines the platform the code is running on. I named this subprocedure "DetermineVersionInfo".
 31 | 
 32 |   ![disassembly subprocedure to determine Windows version information](determine_version_info.png)
 33 | 
 34 |   This subprocedure is called from the disassembly seen in the figure below, which then sets the variable `dword_1008E5C4` (which I have renamed "cmdOrCommand") for later use.
 35 | 
 36 |   ![disassembly snippet from IDA](set_cmdorcommand.png)
 37 | 
 38 |   10. If `memcmp` returns zero (the bytes are identical), the program pushes the variable `s` (a SOCKET) to the stack, then calls a method which prints (over the socket) the `Robot_WorkTime` of the system (which involves reading the registry key `SOFTWARE\Microsoft\Windows\CurrentVersion`).
 39 | 
 40 |   11. `PSLIST` first calls a procedure which checks `dwPlatformId` and `dwMajorVersion`, as seen in the figure below. The procedure returns 1 if `dwPlatformId == 2` and `dwMajorVersion == 5`, else it returns 0.
 41 | 
 42 |   ![IDA procedure that checks dwPlatformId and dwMajorVersion](check_platform_and_version.png)
 43 | 
 44 |   The PSLIST subroutine then calls `strlen` on an argument, and uses the result to decide between two paths; one of which prints a list of processes locally, another which does so over a socket. PSLIST then returns.
 45 | 
 46 |   ![the PSLIST subroutine displayed in IDA](pslist.png)
 47 | 
 48 |   12. I had already named this function as a part of my analysis, but based entirely on the call graph, I would name this subroutine something along the lines of `sendLangID` - since it calls `GetSystemDefaultLangID` and then a function which uses `send`, `malloc`, and `free` (strongly implying it's a function to send some data over a socket).
 49 | 
 50 |   ![IDA call graph of sub_10004E79](print_sys_lang_graph.png)
 51 | 
 52 |   13. `DllMain` calls 4 Windows API functions directly:
 53 | 
 54 |   ![DllMain's list of called Windows API functions](dll_main_windows_api.png)
 55 | 
 56 |   At a depth of 2, things expand rapidly - at this level, DllMain calls 33 Windows API functions, by my count:
 57 | 
 58 |   ![DllMain's call graph at depth 2](dll_main_windows_api_2.png)
 59 | 
 60 |   14. The variable I have named `sleepTime` is set to `[This is CTI]30`. While I don't understand the prefix, the `30` is obviously converted to an integer, then multiplied by 1000 to convert to milliseconds before being passed to `sleep`, as seen in the function below:
 61 | 
 62 |   ![IDA disassembly around the sleep function](sleep_time.png)
 63 | 
 64 |   15. The three parameters to the `socket` call are 2, 6, and 1 - `af`, `type`, and `protocol`, respectively.
 65 | 
 66 |   16. After applying the symbolic constants, the arguments to the `socket` call are `AF_INET`, `SOCK_STREAM`, and `IPPROTO_TCP`.
 67 | 
 68 |   17. The exported functions `InstallRT`, `InstallSB`, and `InstallSA`, all of which calls the subroutine containing the `in` instruction, have a string "Found Virtual Machine,Install Cancel.", which strikes me as pretty damning evidence of virtual machine detection.
 69 | 
 70 |   18. There's a long, odd procession of ASCII characters.
 71 | 
 72 |   19. I do not have IDA Pro, but this looks like shellcode.
 73 |   
 74 |   20. Highlighting the desired bytes and pressing "A" will convert them to an ASCII string.
 75 | 
 76 |   21. The Python script XORs each byte with `0x55`, which must be a decoding constant discovered some other way and used to obfuscate this shellcode. Since I can't use the IDA script, I instead wrote:
 77 | 
 78 |   ```
 79 |   s = "-1::',27h,'u<&u!=<&u746>1::',27h,'yu&!',27h,'<;2u106:101u3:',27h,'u',5,27h,'46!<649u',18h,'49\"4',27h,'0u',14h,';49,&<&u',19h,'47uo|dgfa"
 80 |   d = [ord(c)^(0x55) for c in (s)]
 81 |   "".join([hex(x) for x in d]).replace("0x", " ")
 82 |   ```
 83 | 
 84 |   Which duly prints:
 85 | 
 86 |   ```
 87 |   ' 78 64 6f 6f 72 79 67 62 3d 79 72 20 69 73 20 74 68 69 73 20 62 61 63 6b 64 6f 6f 72 79 67 62 3d 79 72 2c 20 73 74 72 79 67 62 3d 79 72 69 6e 67 20 64 65 63 6f 64 65 64 20 66 6f 72 79 67 62 3d 79 72 20 72 79 60 79 67 62 3d 79 72 61 63 74 69 63 61 6c 20 72 79 64 6d 3d 79 72 61 6c 77 61 72 79 67 62 3d 79 72 65 20 72 79 64 61 3d 79 72 6e 61 6c 79 73 69 73 20 72 79 64 6c 3d 79 72 61 62 20 3a 29 31 32 33 34'
 88 |   ```
 89 | 
 90 |   In a hex editor, this is:
 91 | 
 92 |   ```
 93 |   xdoorygb=yr is this backdoorygb=yr, strygb=yring decoded forygb=yr ry`ygb=yractical rydm=yralwarygb=yre ryda=yrnalysis rydl=yrab :)1234
 94 |   ```
 95 | 
 96 |   Which doesn't appear quite right, but is pretty close! I'm not sure what all the `ygb=y` strings are, but removing them leaves:
 97 | 
 98 |   ```
 99 |   xdoorr is this backdoorr, strring decoded forr ry`ractical rralwarre rrnalysis rrab :)1234
100 |   ```
101 | 
102 |   Which I'll call good enough for having done it myself.
103 | 


--------------------------------------------------------------------------------
/lab05/local_vars.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/local_vars.png


--------------------------------------------------------------------------------
/lab05/print_sys_lang_graph.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/print_sys_lang_graph.png


--------------------------------------------------------------------------------
/lab05/pslist.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/pslist.png


--------------------------------------------------------------------------------
/lab05/set_cmdorcommand.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/set_cmdorcommand.png


--------------------------------------------------------------------------------
/lab05/sleep_time.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab05/sleep_time.png


--------------------------------------------------------------------------------
/lab06/lab06.md:
--------------------------------------------------------------------------------
 1 | Lab 6-1
 2 | =======
 3 | 
 4 |   1. Main calls the subroutine `sub_401000`, which contains an if statement.
 5 | 
 6 |   2. The subroutine appears to write data out.
 7 | 
 8 |   3. Above all else, this program seems to do a lot of useless math. Other than that, it seems to determine whether or not the internet is connected (using `InternetGetConnectedState`).
 9 | 
10 | 
11 | Lab 6-2
12 | =======
13 | 
14 |   1. The first subroutine called by `main` determines if there is an internet connection.
15 | 
16 |   2. The subroutine appears to write data out (printf?).
17 | 
18 |   3. The second subroutine attempts to open (connect to) `http://www.practicalmalwareanalysis.com/cc.htm".
19 | 
20 |   4. This subroutine appears to use if statements, and perhaps a for loop.
21 | 
22 |   5. The User Agent is set to `Internet Explorer 7.5/pma`, and the program reaches out to a set url (see question 3).
23 | 
24 |   6. This malware attempts to open and read from a specified URL, then expects the URL to contain a string `\<!--` which specifies a command.
25 | 
26 | 
27 | Lab 6-3
28 | =======
29 | 
30 |   1. The new function called from main runs one of several commands.
31 | 
32 |   2. The new function takes `char` and `LPCSTR lpExistingFileName` parameters.
33 | 
34 |   3. This new function contains a jump table.
35 | 
36 |   4. This function can establish persistence by writing an executable into `C:\\Temp\\cc.exe` (or deleting it), add a registry key to run the malware on startup, sleep for a time, or create the `Temp` directory.
37 | 
38 |   5. Host based indicators include the malware file at `C:\\Temp\\cc.exe`, or the registry key `Software\Microsoft\Windows\CurrentVersion\Run` with the data `C:\\Temp\\cc.exe` and the value `Malware`.
39 | 
40 |   6. This malware can connect to a URL, retrieve a command, and then perform one of several actions based on that command.
41 | 
42 | 
43 | Lab 6-4
44 | =======
45 | 
46 |   1. In this lab, the malware sleeps after executing a command, then loops back to fetch another command. Additionally, the malware will only run for 24 hours before exiting.
47 | 
48 |   2. A for loop is now present in main.
49 | 
50 |   3. The function to fetch a command from the internet now varies its User Agent using the index of the main loop. In addition, it actually cleans up after itself by calling `InternetCloseHandle`.
51 | 
52 |   4. This program will run for 24 hours.
53 | 
54 |   5. The new network-based indicators are the varying User Agent string.
55 | 
56 |   6. This malware will do the same as the previous iteration, but in a loop which will operate for 24 hours rather than only executing one time.
57 | 


--------------------------------------------------------------------------------
/lab07/lab07.md:
--------------------------------------------------------------------------------
 1 | Lab 7-1
 2 | =======
 3 | 
 4 |   1. This program runs as a service, which causes it to be restarted when the computer is restarted.
 5 | 
 6 |   2. This program uses a mutex (`HGL345`) to ensure that only one copy of it runs on a machine at a time.
 7 | 
 8 |   3. The aforementioned mutex is a good host-based indicator for this malware.
 9 | 
10 |   4. This program attempts to open `http://www.malwareanalysisbook.com` with a User-Agent of `Internet Explorer 8.0`, both of which are useful network-based indicators.
11 | 
12 |   5. This program creates 20 threads which open `http://www.malwareanalysisbook.com` using `InternetOpenUrl`. This happens at midnight on January 1, 2100.
13 |   
14 |   6. The program doesn't finish executing until killed.
15 | 
16 | 
17 | Lab 7-2
18 | =======
19 | 
20 |   1. This program does not appear to implement persistence.
21 | 
22 |   2. This program opens a url (`http://www.malwareanalysisbook.com/ad.html`) in a browser window.
23 | 
24 |   3. This program finishes executing after it has opened the browser window.
25 | 
26 | 
27 | Lab 7-3
28 | =======
29 | 
30 |   1. This file appears to open a file mapping of both `C:\\Windows\\System32\\Kernel32.dll` and `Lab07-03.dll`, then execute a large number of operations, suggesting it is modifying one or both of the files. Afterward, it creates a file called `C:\\windows\\system32\\kerne132.dll`, which I suspect contains malicious code and is used as a persistence mechanism. It then loops through files (the subroutine `sub_4011E0`), and includes a check to see if they end with `.exe`, calling `sub_4010A0` if they do. That subroutine then maps a view of the tile and modifies it, including the string `kernel32.dll`. All of this together suggests that this malware creates a malicious DLL, then modifies EXE files on the system to call the new malicious DLL.
31 | 
32 |   2. The created file, `kerne132.dll` is a good host-based indicator, as is the string in the file, `WARNING_THIS_WILL_DESTROY_YOUR_MACHINE`. The DLL file also contains a mutex, `SADFHUHF`.
33 | 
34 |   3. `Lab07-03.exe` exists only to establish `Lab07-03.dll` as a persistent backdoor. The DLL file then connects to `127.26.152.13` and can accept two commands, `sleep` and `exec`.
35 | 
36 |   4. This malware could potentially be removed by deleting the persistence DLL it has created, though I suspect you would also have to repair every EXE on your system to no longer call the malicious DLL. Alternately, you could neuter the malicious DLL so that it's still in place and called but no longer contains malicious code.
37 | 


--------------------------------------------------------------------------------
/lab08/lab08.md:
--------------------------------------------------------------------------------
1 | Chapter 8 is an introduction to debugging, and has no lab component.
2 | 


--------------------------------------------------------------------------------
/lab09/dll_base_addresses.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab09/dll_base_addresses.png


--------------------------------------------------------------------------------
/lab09/dll_mystery_data.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab09/dll_mystery_data.png


--------------------------------------------------------------------------------
/lab09/hexstring.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab09/hexstring.png


--------------------------------------------------------------------------------
/lab09/lab09.md:
--------------------------------------------------------------------------------
 1 | Lab 9-1
 2 | =======
 3 | 
 4 |   1. Starting at address `00402510`, the program implements some sort of password-checking functionality. The program will simply delete itself if the correct password is not passed to it on the command line.
 5 | 
 6 |   2. The command line options appear to be `-in`, `-re`, `-c`, and `-cc`. The password is `abcd`.
 7 | 
 8 |   3. The function which checks the password can be modified to always return true using: 
 9 |      ```
10 |         mv eax, 0x1
11 |         retn
12 |      ```
13 | 
14 |   4. The program queries the registry key `SOFTWARE\Microsoft \XPS` and deletes itself depending on the result, suggesting that it uses this as an install or persistence flag, which makes a good host-based indicator. It also installs itself as a service with the name `___ Manager Service`, with the blank filled by a parameter.
15 | 
16 |   5. The malware can execute the commands `NOTHING`, `DOWNLOAD`, `UPLOAD`, `CMD`, or `SLEEP`.
17 |   
18 |   6. The malware reaches out to `http://www.practicalmalwareanalysis.com` over HTTP using a GET request.
19 | 
20 | 
21 | Lab 9-2
22 | =======
23 | 
24 |   1. The only visible string I see statically is `cmd` and some imports.
25 | 
26 |   2. Running this binary results in it exiting with a code of 1. That's about it.
27 | 
28 |   3. A function called early on is used as a conditional for a jump (the first jump in the program). I simply bypassed the jump (by setting the Z flag) and discovered that the payload ran. Using this as justification to dig into the function, I discovered this long hex string:
29 | 
30 |   ![long hex string in immunity debugger](hexstring.png)
31 | 
32 |   The last null terminated part of that hex string, `6f636c2e657865`, converts to ASCII as `ocl.exe`. When renamed as that, the program runs.
33 | 
34 |   4. The location `0x00401133` (the same as seen in the image above), is being used to build a stringon the stack so that it doesn't show up during static analysis.
35 | 
36 |   5. The subroutine at `0x00401089` is being passed the string `1qaz2wsx3edc` and a pointer to a buffer.
37 | 
38 |   6. This malware reaches out to `practicalmalwareanalysis.com`.
39 | 
40 |   7. The loop seen in the figure below using XOR encoding to deobfuscate the domain name:
41 | 
42 |   ![XOR encoding loop seen in immunity debugger](xor_domainencode.png)
43 | 
44 |   8. The `CreateProcessA` call is the one which creates the actual reverse shell (by passing `cmd` to the new process).
45 | 
46 | 
47 | Lab 9-3
48 | =======
49 | 
50 |   1. `Lab09-03.exe` imports `DLL1`, `DLL2`, `KERNEL32`, and `NETAPI32` statically, and `user32.dll` and `DLL3.dll` dynamically.
51 | 
52 |   2. All three DLLs requests base address `0x10000000`.
53 | 
54 |   3. The image below shows the base addresses for the loaded DLLs:
55 | 
56 |   ![imunity debugger's module view showing the base addresses of the loaded DLLs](dll_base_addresses.png)
57 | 
58 |   4. The program calls `DLL1Print`, which then prints `DLL 1 mystery data %d\n` where `%d` is interpolated.
59 | 
60 |   5. The function `DLL2ReturnJ` returns the filename `temp.txt`, which is then written to.
61 | 
62 |   6. After `DLL3` is dynamically loaded, `DLL3GetStructure` is called, and its output is used as the data for the second parameter of `NetScheduleJobAdd`.
63 | 
64 |   7. The three pieces of DLL mystery data can be seen below:
65 | 
66 |   ![DLL mystery data printed in the terminal](dll_mystery_data.png)
67 | 
68 |   8. From IDA, use File > Open, select `DLL3.dll`, then check the "Manual load" box, then enter the offset (determined from OllyDbg) into the resultant "please enter an address" window.
69 | 


--------------------------------------------------------------------------------
/lab09/xor_domainencode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab09/xor_domainencode.png


--------------------------------------------------------------------------------
/lab10/lab10.md:
--------------------------------------------------------------------------------
1 | Lab 10 is an introduction to kernel debugging.
2 | 
3 | After several hours spent grappling with linking two virtual machines together to debug one's kernel, I moved on to the next chapter. I may return, time permitting.
4 | 


--------------------------------------------------------------------------------
/lab11/ini_location.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab11/ini_location.png


--------------------------------------------------------------------------------
/lab11/lab11.md:
--------------------------------------------------------------------------------
 1 | Lab 11-1
 2 | ========
 3 | 
 4 |   1.  This malware creates `msgina32.dll` in the same directory as itself. It also fiddles with the filesystem at `C:\Windows\System32\sechost.dll`, as seen below.
 5 | 
 6 |   ![process monitor window displaying disk activity for malware sample](procmon.png)
 7 | 
 8 |   2. This malware achieves persistence using the `Winlogon` registry key; I suspect this this due to the `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` string , followed soon by `GinaDLL`.
 9 | 
10 |   3. The malware uses GINA interception to steal user credentials. The smoking gun here is the creation of the `msgina32.dll` file. Additionally, a large number of strings in this sample (either imports or exports) begin with `Wlx`.
11 | 
12 |   4. The dropped file, `msgina32.dll`, writes the credentials out to `msutil32.sys` - this can be seen to occur in the export function `WlxLoggedOutSAS`.
13 | 
14 |   5. Simply logging out will capture credentials into the log file. (n.b. after a reboot - the Gina interception DLL won't load until then)
15 | 
16 | 
17 | Lab 11-2
18 | ========
19 | 
20 |   1. This DLL exports `installer` and `DllEntryPoint`.
21 | 
22 |   2. The string `spoolvxx32.dll`, which appears in the `installer` export, also appears in Process Monitor - this DLL appears to be written out by the malware. (or, rather, it attempts to and is unable)
23 | 
24 |   ![procmon window showing creation of spoolvxx.dll](spoolvxx.png)
25 | 
26 |     The sample also appears to attain persistence by setting the `AppInit_DLLs` registry key (under `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows`) with the value of `spoolvxx32.dll` - the same newly-created DLL.
27 | 
28 |   3. The figure below shows the malware sample attempting to find the `Lab11-02.ini` file. It first calls a function which returns the result of `GetSystemDirectoryA`, then appends `\Lab11-02.ini` to the end and creates the resulting path. All told, this path comes out to be `%SystemRoot%\System32\Lab11-02.ini`.
29 | 
30 |   ![section of malware sample shown in IDA attempting to open an ini file](ini_location.png)
31 | 
32 |   4. The malware loads its filename into the `AppInit_DLLs` key in the registry, which causes (according to [this documentation](https://support.microsoft.com/en-us/help/197571/working-with-the-appinit-dlls-registry-value)) the malicious DLL to be loaded every time an executable links to `User32.dll`.
33 | 
34 |   5. This file patches (installs an inline hook) the `send` function in `wsock32.dll`. The very beginning of this process can be seen in the figure below.
35 | 
36 |   ![malware preparing to modify the send function in wsock32.dll](modify_send.png)
37 | 
38 |   6. The hooking code appears to modify the `RCPT TO:` header in any email messages, as seen in the figure below:
39 | 
40 |   ![code hook to add a recipient to sent messages](modify_rcpt_to.png)
41 | 
42 |   7. This process attacks `OUTLOOK.EXE`, `THEBAT.EXE`, and `MSIMN.EXE`, which are the executables for three different Windows email clients. This makes sense, since they'll be the programs sending email (which is what the malware targets). The hook will only be installed if the malware is running inside one of those three processes. This check can be seen in the image below:
43 | 
44 |   ![malware sample in IDA checking its process name against three mail clients](process_name_check.png)
45 | 
46 |   8. The INI file contains an encrypted email address. Its contents are read out (through a decryption process) into a location in memory which is then referenced during the patching of the `RCPT TO:` headers - specifically, interpolated between the open and close of the headers.
47 | 
48 |   The decryption process:
49 | 
50 |   ![text decryption routine shown in IDA](text_decoding.png)
51 | 
52 |   9. Simply sending some email to a dummy address using Outlook (or one of the other patched browsers) while Wireshark is capturing traffic should show the modified email headers.
53 | 
54 | 
55 | Lab 11-3
56 | ========
57 | 
58 |   1. Simply running strings on the `exe` file results in some strings of interest:
59 | 
60 |   ```
61 |   C:\WINDOWS\System32\inet_epar32.dll
62 |   net start cisvc
63 |   C:\WINDOWS\System32\%s
64 |   cisvc.exe
65 |   Lab11-03.dll
66 |   C:\WINDOWS\System32\inet_epar32.dll
67 |   cmd.exe
68 |   command.com
69 |   .com
70 |   .exe
71 |   .bat
72 |   .cmd
73 |   ```
74 | 
75 |   As does the same for the `dll` file:
76 | 
77 |   ```
78 |   <SHIFT>
79 |   C:\WINDOWS\System32\kernel64x.dll
80 |   ```
81 | 
82 |   2. This malware appears to edit `inet_epar32.dll` - I suspect it is replacing that file with the DLL accompanying it, based on the pattern of file opens and closes.
83 | 
84 |   3. `Lab11-03.exe` copies `Lab11-03.dll` to `inet_epar32.dll`, then appears to modify `cisvc.exe`, likely to ensure that it runs the new malicious DLL. After these modifications, the sample runs `net start cisvc` in a spawned command shell.
85 | 
86 |   4. The malware infects `cisvc.exe`. It appears to inject some shellcode into that executable (shown in the figure below), which includes the string `C:\WINDOWS\System32\inet_epar32.dll',zzz69806582` - obviously launching the keylogging functionality.
87 | 
88 | 
89 |   ![shellcode shown in IDA](shellcode.png)
90 | 
91 |   5. `Lab11-03.dll` has one primary export - `zzz69806582`, which creates a thread that then loops writing data to `C:\Windows\System32\kernel64x.dll` using the format `%s: %s\n`. The data in question is generated using a subroutine which calls `GetAsyncKeyState` several times and other such keylogging red flags, including the string `<SHIFT>` seen earlier in the strings output.
92 | 
93 |   6. This malware stores its data in `C:\Windows\System32\kernel64x.dll`.
94 | 


--------------------------------------------------------------------------------
/lab11/modify_rcpt_to.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab11/modify_rcpt_to.png


--------------------------------------------------------------------------------
/lab11/modify_send.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab11/modify_send.png


--------------------------------------------------------------------------------
/lab11/process_name_check.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab11/process_name_check.png


--------------------------------------------------------------------------------
/lab11/procmon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab11/procmon.png


--------------------------------------------------------------------------------
/lab11/shellcode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab11/shellcode.png


--------------------------------------------------------------------------------
/lab11/spoolvxx.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab11/spoolvxx.png


--------------------------------------------------------------------------------
/lab11/text_decoding.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab11/text_decoding.png


--------------------------------------------------------------------------------
/lab12/access-resource.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab12/access-resource.png


--------------------------------------------------------------------------------
/lab12/lab12.md:
--------------------------------------------------------------------------------
 1 | Lab 12-1
 2 | ========
 3 | 
 4 |   1. When executed, a popup appears which says "press OK to reboot" and only has an OK button. The popup periodically reappears.
 5 | 
 6 |   2. The sample appears to inject into `explorer.exe`.
 7 | 
 8 |   3. The malware does not persist in `explorer.exe` so rebooting your computer (or restarting `explorer.exe`) will remove the malware from the process.
 9 | 
10 |   4. This malware's `.exe` component uses DLL injection to insert its `.dll` component into `explorer.exe`. Once the malicious DLL is loaded, once per minute it spawns a thread which opens a text box.
11 | 
12 | 
13 | Lab 12-2
14 | ========
15 | 
16 |   1. This program appears to extract and launch a program from its resources section.
17 | 
18 |   2. The malicious payload replaces `svchost.exe` using process replacement.
19 | 
20 |   3. The malicious payload is stored in the resources section of the launcher program - you can see it being accessed below.
21 | 
22 |   ![accessing the resource section of a malicious launcher](access-resource.png)
23 | 
24 |   4. The payload is XOR encoded.
25 | 
26 |   5. The strings are also XOR encoded.
27 | 
28 | 
29 | Lab 12-3
30 | ========
31 | 
32 |   1. Based on a run of strings against the file, this appears to be a keylogger that outputs its logs to `practicalmalwareanalysis.log`.
33 | 
34 |   2. The program uses a hook (`SetWindowsHookExA`) to capture keystrokes.
35 | 
36 |   3. The captured keystrokes are logged to `practicalmalwareanalysis.log`.
37 | 
38 | 
39 | Lab 12-4
40 | ========
41 | 
42 |   1. The code at `0x401000` compares a PID to the string below - `winlogon.exe`.
43 | 
44 |   ![winlogon string shown in the data section of IDA](winlogon.png)
45 | 
46 |   2. Code is injected into `winlogon.exe`.
47 | 
48 |   3. `LoadLibraryA` loads `sfc_os.dll` - shown below.
49 | 
50 |   ![malicious code loading sfc_os.dll](loadlibrary.png)
51 | 
52 |   4. The fourth argument to `CreateRemoteThread` is `lpStartAddress`, which is the return value of `GetProcAddress` (which is in turn passed the output of the `LoadLibrary` function call which loads `sfc_os.dll`).
53 | 
54 |   ![the arguments to CreateRemoteThread shown in IDA](lpstartaddress.png)
55 | 
56 | 
57 |   5. The main executable opens a resource (see figure below) which is a PE executable. It then copies `wupdmgr.exe` to the tmp directory and replaces it with this malicious binary.
58 | 
59 |   ![malicious program opening a resource](loadresource.png)
60 | 
61 |   6. The dropped malware calls out to `http://www.practicalmalwareanalysis.com/updater.exe` and saves that file to the tmp directory.
62 | 


--------------------------------------------------------------------------------
/lab12/loadlibrary.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab12/loadlibrary.png


--------------------------------------------------------------------------------
/lab12/loadresource.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab12/loadresource.png


--------------------------------------------------------------------------------
/lab12/lpstartaddress.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab12/lpstartaddress.png


--------------------------------------------------------------------------------
/lab12/winlogon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab12/winlogon.png


--------------------------------------------------------------------------------
/lab13/first_attempt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab13/first_attempt.png


--------------------------------------------------------------------------------
/lab13/immunity_instrumenting_setup.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab13/immunity_instrumenting_setup.png


--------------------------------------------------------------------------------
/lab13/lab13.md:
--------------------------------------------------------------------------------
  1 | Lab 13-1
  2 | ========
  3 | 
  4 |   1. ApateDNS indicates that the program reaches out to `www.practicalmalwareanalysis.com`, which is interesting considering that string does not appear in a run of `strings`. Process Explorer shows the following strings in the "memory" strings dump that are not present in the "image" strings dump:
  5 | 
  6 |   ```
  7 |   abcdefghijklmnopqrstuvwxyz
  8 |   ABCDEFGHIJKLMNOPQRSTUVWXYZ
  9 |   www.practicalmalwareanalysis.com
 10 |   ```
 11 | 
 12 |   2. The XOR instruction appears in several places in the code:
 13 | 
 14 |   ![IDA search for occurences of the string "xor"](xor_search.png)
 15 | 
 16 |   The first place where the XOR isn't of a register and itself is of eax and a constant in a small loop - a likely XOR decoding/encoding routine:
 17 | 
 18 |   ![a likely encoding/decoding loop shown in IDA](likely_decoding.png)
 19 | 
 20 |   3. The key is `0x3B` (59). The function that does the en/decoding is called from a function (`sub_401300`) that appears to open a resource before passing it through the en/decoding function. It also contains a string `Could not load exe.` that causes me to suspect the decoded resource is a PE executable.
 21 | 
 22 |   4. There's a Base64 encoding portion as well; KANAL detects it as `BASE64 table :: 000050E8 :: 004050E8`. The string is a classic Base64 string: `ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/`.
 23 | 
 24 |   5. Base64 encoding is used for part of the network traffic sent by the malware.
 25 | 
 26 |   6. The Base64 encoding starts in `sub_401000`:
 27 | 
 28 |   ![references to the Base64 encoding string shown in IDA](refs_to_b64table.png)
 29 | 
 30 |   7. The malware only takes the first 12 characters of the hostname, so with padding that could come out to 16 characters at most.
 31 | 
 32 |   8. If the hostname subset used by the malware isn't divisible by 3 (which would mean the hostname would have to be less than 12 characters long) there would be padding appended.
 33 | 
 34 |   9. This malware periodically sends a GET request with an encoded hostname component to `www.practicalmalwareanalysis.com`. If it receives a specific response, it exits.
 35 | 
 36 | 
 37 | Lab 13-2
 38 | ========
 39 | 
 40 |   1. When run, the malware creates a number of files in its directory:
 41 | 
 42 |   ![files created by running malware](tempfiles.png)
 43 | 
 44 |   The files are continually created as long as the malare is running.
 45 | 
 46 |   2. KANAL finds no results. An XOR search turns up quite a few possibilities:
 47 | 
 48 |   ![IDA search for occurences of the string "xor"](xor_search2.png)
 49 | 
 50 |   3. It's very likely that encoding functions will appear before `WriteFile`, since the written files seem to be encoded.
 51 | 
 52 |   4. The encoding function is at `sub_40181F`.
 53 | 
 54 |   5. The source of the encoded content is `sub_401070`, which appears to create a bitmatp of the desktop.
 55 | 
 56 |   6. Instrumentation!
 57 | 
 58 |   7. Instrumentation is awesome! Essentially, by adding a breakpoint in Immunity Debugger just before the encoding, the data that is about to be encoded can be overwritten with already-encoded data pulled from one of the files written out by the malware. Since XOR is reversible, running the encoding function on something already encoded will decode it.
 59 | 
 60 |   The setup in Immunity is shown here:
 61 | 
 62 |   ![setup for Immunity debugger to do instrumented decoding](immunity_instrumenting_setup.png)
 63 | 
 64 |   The highlighted part of the dump is about to be encoded, but instead is overwritten with the data in one of the encoded files - during my first attempt, I didn't highlight (and thus replace) enough of the bytes to be encoded, and ended up with the following:
 65 | 
 66 |   ![first attempt at instrumented decoding](first_attempt.png)
 67 |   
 68 |   My second attempt, however, was successful:
 69 | 
 70 |   ![second (successful!) attempt at instrumented decoding](second_attempt.png)
 71 | 
 72 |   Awesome!
 73 | 
 74 | 
 75 | Lab 13-3
 76 | ========
 77 | 
 78 |   1. The string `CDEFGHIJKLMNOPQRSTUVWXYZABcdefghijklmnopqrstuvwxyzab0123456789+/` appears in the strings dump, which strongly suggests a non-standard Base64 encoding. That's about it.
 79 | 
 80 |   2. There are 194 occurrences of XOR, which is a shame - potentially intersting XORs appear in about a half-dozen different functions. I haven't done a full check of them all, but XOR encoding doesn't seem particularly likely.
 81 | 
 82 |   3. KANAL finds:
 83 | 
 84 |   ```
 85 |   RIJNDAEL [S] [char] :: 0000C908 :: 0040C908
 86 |   RIJNDAEL [S-inv] [char] :: 0000CA08 :: 0040CA08
 87 |   ```
 88 | 
 89 |   Apparently, "Rijndael is the block cipher algorithm recently chosen by NIST as AES" - so we've got ourselves a symmetrical cipher.
 90 | 
 91 |   4. Based on my analysis so far, the custom Base64 and AES ciphers appear to both be used.
 92 | 
 93 |   5. The key for the AES encryption appears to be `ijklmnopqrstuvwx` - it's the first argument to `sub_00401AC2`, the encryption function. The first thing that function does is check to make sure its `arg_0` is set, and it throws an "empty key" exception if not. The key for the custom Base64 encoding is in question 1.
 94 | 
 95 |   6. The Base64 is fine with just its index string, but AES needs some other configuration information, such as its mode of operation, key length (there's an error in the code if it's set incorrectly at `0x00401B05`), block length (error message in code at `0x00401B38`) and IV ([initialization vector](https://crypto.stackexchange.com/questions/3965/what-is-the-main-difference-between-a-key-an-iv-and-a-nonce)).
 96 | 
 97 |   7. `cmd.exe` appears in the strings, and the malware reaches out to `www.practicalmalwareanalysis.com`, which causes me to think it opens a reverse shell. A cursory analysis in IDA seems to confirm this hypothesis.
 98 | 
 99 |   8. Based on the example code from the reading, decrypting the custom Base64 encoded data can be accomplished with:
100 | 
101 |   ```python
102 |   import string
103 |   import base64
104 | 
105 |   s = ""
106 |   tab = "CDEFGHIJKLMNOPQRSTUVWXYZABcdefghijklmnopqrstuvwxyzab0123456789+/"
107 |   tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
108 | 
109 |   ciphertext = "whatever=="
110 | 
111 |   for ch in ciphertext:
112 |       if (ch in tab):
113 |           s += b64[string.find(tab,str(ch))]
114 |       elif (ch == '='):
115 |           s += '='
116 | 
117 |   print base64.decodestring(s)
118 |   ```
119 | 
120 |   Decoding the AES would use PyCrypto's AES decoding functionality and the key found earlier - roughly:
121 | 
122 |   ```
123 |   from Crypto.Cipher import AES
124 |   AES.new('key', AES.MODE_CBC).decypt(ciphertext)
125 |   ```
126 | 


--------------------------------------------------------------------------------
/lab13/likely_decoding.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab13/likely_decoding.png


--------------------------------------------------------------------------------
/lab13/refs_to_b64table.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab13/refs_to_b64table.png


--------------------------------------------------------------------------------
/lab13/second_attempt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab13/second_attempt.png


--------------------------------------------------------------------------------
/lab13/tempfiles.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab13/tempfiles.png


--------------------------------------------------------------------------------
/lab13/xor_search.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab13/xor_search.png


--------------------------------------------------------------------------------
/lab13/xor_search2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab13/xor_search2.png


--------------------------------------------------------------------------------
/lab14/assemble_guid.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab14/assemble_guid.png


--------------------------------------------------------------------------------
/lab14/fetch_commands.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab14/fetch_commands.png


--------------------------------------------------------------------------------
/lab14/get_request.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab14/get_request.png


--------------------------------------------------------------------------------
/lab14/lab14.md:
--------------------------------------------------------------------------------
  1 | Lab 14-1
  2 | ========
  3 | 
  4 | 1. `URLDownloadToCacheFileA` appears in the malware's strings, which indicates it is using COM. COM actually manipulates the browser rather than relying on API calls, making traffic identical to that issued by a legitimate use of the browser.
  5 | 
  6 | 2. The beacon appears to use the string `http://www.practicalmalwareanalysis.com/%s/%c.png`. Before the function is called, the malware assembles a string out of the machine's GUID, and calls `GetUserNameA`, then calls the function which sends the actual request, suggesting to me that these are the two elements used to construct the beacon.
  7 | 
  8 | ![malware shown in IDA assembling a GUID string](assemble_guid.png)
  9 | 
 10 | The highlighted portion of the GET request shown below, `ODA6NmU6NmY6NmU6Njk6NjMtSUVVc2Vy`, when Base64 decoded, comes out as `80:6e:6f:6e:69:63-IEUser` - which is the GUID of my analysis machine and the correct username.
 11 | 
 12 | ![GET request from the malware shown in Wireshark](get_request.png)
 13 | 
 14 | 3. Due to NAT (or other networking techniques, but largely NAT), the GUID may be necessary to uniquely identify a specific instance of malware running inside a network. As for the username, it's useful for the attacker to be able to target specific people (i.e. if you see the username "admin" as an attacker, you get excited).
 15 | 
 16 | 4. The string `ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/` appears (and is used), indicating standard Base64 encoding, with the only oddity being that the `=` is missing off the end. (Edit: after reading answers, it appears that the malware uses 'a' for padding instead of '='.)
 17 | 
 18 | 5. This sample is a dropper - it downloads arbitrary data and executes it.
 19 | 
 20 | 6. The Base64-encoded portion has a standard format - `xx:xx:xx:xx:xx:xx-xxxxxxx`, which makes the colons and dash quite useful. Having a `.png` on the end is also very useful, as well as knowing that the filename for that PNG is at most one character. (if not static entirely)
 21 | 
 22 | 7. Analysts might try to target something like the User-Agent (or really anything other than the URL) without realizing that since the malware uses COM, the headers will change based on the host machine running the malware.
 23 | 
 24 | 7. A regex on the Base64 decoded data along the lines of `([0-9,a-z]{2}:){5}([0-9,a-z]{2})-[A-z,1-9]{1,}` will match.
 25 | 
 26 | To make this work with encoded data, I used the [exrex library](https://github.com/asciimoo/exrex) and `for i in {1..30}; do exrex -r "([0-9,a-z]{2}:){5}([0-9,a-z]{2})-[A-z,1-9]{1,}" | base64; done` to generate many samples of possible data, then wrote a regex to match them all using [my favorite regex assistant](http://regexr.com/): `[A-Z0-9a-z+\/]{3}6[A-Z0-9a-z+\/]{3}6[A-Z0-9a-z+\/]{3}6[A-Z0-9a-z+\/]{3}6[A-Z0-9a-z+\/]{3}6[A-Z0-9a-z+\/]{3}t([A-Z0-9a-z+\/]{4}){1,}`
 27 | 
 28 | ![regex being written to detect URL patterns used in this malware](regex_writer.png)
 29 | 
 30 | This matches the Base64 component, but we can still trigger on the rest of the URL, skipping the Base64 portion: `[A-Z0-9a-z+\/]{24,}\/[A-Z0-9a-z+\/]\.png`
 31 | 
 32 | In addition to the two regexes above, you could also write a signature to detect `www.practicalmalwareanalysis.com`.
 33 | 
 34 | 
 35 | Lab 14-2
 36 | ========
 37 | 
 38 | 1. Using bare IP addresses means you can't be DNS sinkholed, but also a lot of defenses won't allow bare IPs out, and if you lose control of a machine or an address is compromised/blacklisted, there's no way to switch C2.
 39 | 
 40 | 2. This sample uses WinINet, which has the advantage of being higher level than Winsock, which means things like cookies and some headers are provided by the OS, but it still needs some headers (including User-Agent) to be set by the malware itself, which can make blending more difficult.
 41 | 
 42 | 3. The URL this sample communicated with is stored in the resources section, which is more easily changed than a hardcoded string (no recompiling).
 43 | 
 44 | 4. The malware creates two threads, both of which access the Internet; data is stored in the User-Agent field in one of them, and the other uses the static string `Internet Surf`.
 45 | 
 46 | 5. The initial beacon contains a command prompt.
 47 | 
 48 | 6. Having a static user-agent for even part of the malware makes writing signatures much easier.
 49 | 
 50 | 7. This malware contains the string `WXYZlabcd3fghijko12e456789ABCDEFGHIJKL+/MNOPQRSTUVmn0pqrstuvwxyz`, which strongly suggests nonstandard base64 encoding.
 51 | 
 52 | 8. If the command "exit" is received, the malware deletes itself.
 53 | 
 54 | 9. This malware provides a simple backdoor with a modicum of obfuscation - it's likely a small, simple utility for an attacker.
 55 | 
 56 | 
 57 | Lab 14-3
 58 | ========
 59 | 
 60 | 1. Simply looking at the output of `strings` provides some valuable information for writing signatures:
 61 | 
 62 | ```
 63 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
 64 | Accept: */*
 65 | Accept-Language: en-US
 66 | UA-CPU: x86
 67 | Accept-Encoding: gzip, deflate
 68 | http://www.practicalmalwareanalysis.com/start.htm
 69 | ```
 70 | 
 71 | The user-agent may or may not be useful depending on how common it is, but it's likely to have false positives regardless. UA-CPU, however, is likely to be valuable. According to [MSDN](https://blogs.msdn.microsoft.com/ieinternals/2009/06/30/internet-explorer-and-custom-http-headers/):
 72 | 
 73 | ```
 74 | UA-CPU
 75 | 
 76 | Allows a website to determine what CPU a client is using (“x86” or “AMD64” or “IA64”). IE7 clients emit this header unconditionally on 64bit machines; in IE6 & 8, the header is only sent when using the 64bit browser.
 77 | ```
 78 | 
 79 | This (again, depending on environment) may be unique enough to be a valuable signature, especially since IE7 (what the User-Agent claims to be) appears to only emit this header unconditionally on x64, which the UA-CPU header claims not to be - a rare combination.
 80 | 
 81 | After some simple dynamic analysis, it also turns out that the malware author has made a mistake in the headers that results in duplicating the User-Agent header:
 82 | 
 83 | `User-Agent: User-Agent: Mozilla/4.0 ...`
 84 | 
 85 | This is probably an excellent signature.
 86 | 
 87 | 2. The malware appears to open some sort of configuration file `C:\autobat.exe`, which it then reads to determine the URL to communicate with; something that can be changed with a config file is a poor signature. It can also write to this file, so the URL can probably be changed remotely.
 88 | 
 89 | 3. This malware appears to search for the string `<no` in data it downloads, suggesting that the data is stored in an HTML tag somewhere on an otherwise legitimate-looking site, as demonstrated in this chapter's example. If it finds that string, it then jumps to a subroutine that searches (one character at a time) for the full string `noscript`. Hiding data in HTML like this can make it hard for defenders to tell legitimate from malicious network traffic - "hiding in plain sight".
 90 | 
 91 | 4. Once the malware has found the initial `<no` string, the function which searches for the full `noscript` string does so one character at a time in a scrambled order, such that no string is visible.
 92 | 
 93 | ![malware shown in IDA downloading data from internet and searching for command](fetch_commands.png)
 94 | 
 95 | A full command appears to require the `noscript` tag, then the URL of the page the data was fetched from, and must end in the string "96". Curiously, the command appears to only be a single character, but it ignores further text, so the attacker could send any string starting with the correct character to be interpreted as the same command.
 96 | 
 97 | ![searching for noscript tag](noscript_search.png)
 98 | 
 99 | 5. The author used a custom encoding. Running strings shows the string `/abcdefghijklmnopqrstuvwxyz0123456789:.` in the malware. The arguments to the commands are two-digit indexes into this reference string - so, for example `010203` translates to `abc`. On this upside, this was harder to understand than just Base64 or another standard encoding scheme, but on the downside it still leaves patterns in the URLs used to communicate - it doesn't really prevent writing signatures, just human understanding.
100 | 
101 | 6. `redirect`, `sleep`, `quit`, and `download`, which do what you'd expect them to.
102 | 
103 | 7. This malware is a dropper; the `download` command allows it to fetch and run arbitrary code.
104 | 
105 | 8. An analyst could blacklist the URL/domain, but that will only work for so long. A filter on the construction of the C2 channel, such as its requirement to end in `96`, would be more robust, especially if paired with the hardcoded User-Agent - which is not incredibly unique by itself, but still likely worth including.
106 | 
107 | 9. I would write the following regexes:
108 | 
109 | Match the User-Agent (including accidental double-header):
110 | `User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)`
111 | 
112 | Match the command string:
113 | `<noscript>.{1,}http:\/\/.{1,}?\/[dnrs].{1,}\/[0-9]{0,}?96'`
114 | 
115 | Since two of the commands require a URL for an argument, you could also match on:
116 | `08202016370000`, which is `http://` and will always be present as the beginning of the argument to those two commands.
117 | 


--------------------------------------------------------------------------------
/lab14/noscript_search.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab14/noscript_search.png


--------------------------------------------------------------------------------
/lab14/regex_writer.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab14/regex_writer.png


--------------------------------------------------------------------------------
/lab15/lab15.md:
--------------------------------------------------------------------------------
 1 | Lab 15-1
 2 | ========
 3 | 
 4 | 1. This sample uses jump instructions with constant conditions to obfuscate the disassembly.
 5 | 
 6 | 2. The disassembler is tricked into assemblinhg `call` instructions into strange places.
 7 | 
 8 | 3. The technique is used 5 times.
 9 | 
10 | 4. `pdq` is the code.
11 | 
12 | 
13 | Lab 15-2
14 | ========
15 | 
16 | 1. The program initially requests `http://practicalmalwareanalysis.com/bamboo.html`.
17 | 
18 | 2. The program takes the computer's hostname and increments each character by 1 to create the User-Agent.
19 | 
20 | 3. The program searches for any text between `Bamboo::` and `::` in the page.o
21 | 
22 | 4. The text found (see previous question) is then used as a URL. The program downloads what it finds at that URL, names it `Account Summary.xls.exe`, then launches it.
23 | 
24 | 
25 | Lab 15-3
26 | ========
27 | 
28 | 1. The return pointer from the `main` function is changed, causing IDA to miss the malicious code.
29 | 
30 | 2. The code downloads and executes the data it finds at a set URL.
31 | 
32 | 3. `http://www.practicalmalwareanalysis.com/tt.html`
33 | 
34 | 4. `spoolsrv.exe`
35 | 


--------------------------------------------------------------------------------
/lab16/anti_debugging_checks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab16/anti_debugging_checks.png


--------------------------------------------------------------------------------
/lab16/find_window.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab16/find_window.png


--------------------------------------------------------------------------------
/lab16/lab16.md:
--------------------------------------------------------------------------------
 1 | Lab 16-1
 2 | ========
 3 | 
 4 | 1. The IDA screenshot below shows the three anti-debugging methods the sample uses. First, it checks the `BeingDebugged` flag, then the `ProcessHeap` flag, then the `NTGlobalFlag` flag.
 5 | 
 6 | ![three anti-debugging checks shown in IDA](anti_debugging_checks.png)
 7 | 
 8 | 2. If any of the anti-debugging checks above are successfull (i.e. the program is being debugged), the sample will delete itself.
 9 | 
10 | 3. These techniques can be circumvented by manually setting the flags being checked to zero, or installing a plugin for OllyDbg meant to defend against them.
11 | 
12 | 4. In OllyDbg, the CommandLine plugin can dump the locations being checked (`dump ds:[fs:[30] + 0x18] + 0x10`, for example) and then you can select the flags being checked and right click -> fill with 00s to reset the flags. Repeat for whatever is being checked.
13 | 
14 | 5. OllyDbg's PhantOm plugin will work.
15 | 
16 | 
17 | Lab 16-2
18 | ========
19 | 
20 | 1. The program asks for a 4 character password.
21 | 
22 | 2. The program says "Incorrect password, Try again."
23 | 
24 | 3. The correct password is `byrr`
25 | 
26 | 4. Strncmp is at `00401123A`.
27 | 
28 | 5. When loaded in OllyDbg, the program simply exits.
29 | 
30 | 6. The program contains a `.tls` section, which is super suspicious.
31 | 
32 | 7. The TLS callback can be seen below at `00401060`.
33 | 
34 | ![TLS callback shown in IDA](tls_entrypoint.png)
35 | 
36 | 8. The malware is looking for an OllyDbg window to be open (see below). The code could be NOP'd out to avoid this exit (a plugin like PhantOm would probably also work). I used WinHex to replace the offending function call with NOPs to great effect.
37 | 
38 | ![malware code looking for OllyDbg window, shown in IDA](find_window.png)
39 | 
40 | ![that anti-debugging code may stop me another time, but NOP today](nop_today.png)
41 | 
42 | 9. The password seems to be `bzqr`
43 | 
44 | 10. Nope, that password doesn't work
45 | 
46 | 11. The routine that does the decoding uses some of the debugging flags (`OutputDebugString` and the `BeingDebugged` flag) as inputs. Answer: NOP 'em!
47 | 
48 | 
49 | Lab 16-3
50 | ========
51 | 
52 | 1. Other than the usual imports and garbage, strings outputs:
53 | 
54 | ```
55 | cmd.exe
56 |  >> NUL
57 | /c del
58 | ```
59 | 
60 | 2. It doesn't really look like the malware does anything
61 | 
62 | 3. The file must be named `peo.exe`
63 | 
64 | 4. This sample uses `rdtsc`, `QueryPerformanceCounter`, and `GetTickCount` to detect debugging.
65 | 
66 | 5. In case the `rdtsc` check fails, the malware deletes itself. If the `QueryPerformanceCounter` check fails, the malware does something in a loop - it looks like it's modifying a string? I'm not exactly sure what string, but I assume it's important. If the `GetTickCount` check fails, the program tries to move `edx` to `[eax]` having just run `xor eax, eax`, which triggers an exception and crashes the program.
67 | 
68 | 6. The timing checks set up an SEH handler, with the handler's pointer pointing right back to the timing code. If the exception occurs outside of a debugger, the SEH chain is handled quickly and the timing checks pass, but if it's in a debugger the exception takes a while to handle and the check fails.
69 | 
70 | 7. This sample reaches out to `adg.malwareanalysisbook.com`.
71 | 


--------------------------------------------------------------------------------
/lab16/nop_today.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab16/nop_today.png


--------------------------------------------------------------------------------
/lab16/tls_entrypoint.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab16/tls_entrypoint.png


--------------------------------------------------------------------------------
/lab19/find_browser.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab19/find_browser.png


--------------------------------------------------------------------------------
/lab19/import_terminateprocess.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab19/import_terminateprocess.png


--------------------------------------------------------------------------------
/lab19/lab19.md:
--------------------------------------------------------------------------------
 1 | Lab 19-1
 2 | ========
 3 | 
 4 | 1. The shellcode is stored in the lower 4 bits of a pair of encoded bytes. The decoder function, shown below, removes the letter "A" from a byte (the shellcode is presumably added to this at encode time), then shifts the bits left, then does the same subtraction from the second byte, without a shift, before adding the two encoded bytes, turning them into one decoded byte of shellcode.
 5 | 
 6 | ![shellcode decoder shown in IDA](shellcode_decoder.png)
 7 | 
 8 | 2. The shellcode manually imports the following:
 9 | 
10 | ```
11 | WinExec
12 | GetCurrentProcess
13 | URLDownloadToFileA
14 | TerminateProcess
15 | GetSystemDirectoryA
16 | LoadLibraryA
17 | ```
18 | 
19 | 3. `http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe`
20 | 
21 | 4. The shellcode creates a file at `%SystemRoot%\System32\1.exe`.
22 | 
23 | 5. The shellcode downloads a file from the URL above, writes it to the path above, then executes it.
24 | 
25 | 
26 | Lab 19-2
27 | ========
28 | 
29 | 1. The sample injects its shellcode into the default browser, as found by the registry query shown below.
30 | 
31 | ![malware sample querying the registry to find the default browser](find_browser.png)
32 | 
33 | 2. The shellcode is at `0x00407030`.
34 | 
35 | 3. The snippet of code shown below at `0x40703B` runs in a loop to decode the rest of the shellcode by XORing it with `0xE7`:
36 | 
37 | ![decoding shellcode using XOR](xor_decode_shellcode.png)
38 | 
39 | 4. The malware's manual importing routines are shown below.
40 | 
41 | ![the shellcode's manual import routine shown in IDA](manual_import.png)
42 | 
43 | ![malware sample shown in OllyDbg having just found "TerminateProcess" for import](import_terminateprocess.png)
44 | 
45 | All told, this sample imports:
46 | 
47 | ```
48 | TerminateProcess
49 | GetCurrentProcess
50 | WSAStartup
51 | WSASOcketA
52 | connect
53 | LoadLibraryA
54 | CreateProcessA
55 | ```
56 | 
57 | 5. The shellcode connects to `192.168.200.2` on port 13330.
58 | 
59 | ![shellcode calling the connect function, shown in IDA](shellcode_connect.png)
60 | 
61 | 6. This shellcode runs `cmd.exe` and allows remote access to it.
62 | 
63 | 
64 | Lab 19-3
65 | ========
66 | 
67 | This shellcode is cunningly hidden in a PDF.
68 | 
69 | ![shellcode in a pdf document loaded in IDA](very_sneaky.png)
70 | 
71 | 1. This sample exploits CVE-2008-2992.
72 | 
73 | 2. The shellcode is encoded using standard URL encoding (percent-encoding).
74 | 
75 | 3. The shellcode imports:
76 | 
77 | ```
78 | CloseHandle
79 | TerminateProcess
80 | GetCurrentProcess
81 | GetTempPathA
82 | WriteFile
83 | ShellExecuteA
84 | LoadLibraryA
85 | SetCurrentDirectoryA
86 | ReadFile
87 | SetFilePointer
88 | GetFileSize
89 | CreateFileA
90 | CreateProcessA
91 | GlobalFree
92 | GlobalAlloc
93 | ```
94 | 
95 | 4. The sample creates `foo.exe` and `bar.pdf`, both in the temp directory.
96 | 
97 | 5. The shellcode extracts data stored in the PDF it is packaged in, and writes them (see above). It then executes `foo.exe` and opens `bar.pdf`.
98 | 


--------------------------------------------------------------------------------
/lab19/manual_import.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab19/manual_import.png


--------------------------------------------------------------------------------
/lab19/shellcode_connect.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab19/shellcode_connect.png


--------------------------------------------------------------------------------
/lab19/shellcode_decoder.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab19/shellcode_decoder.png


--------------------------------------------------------------------------------
/lab19/very_sneaky.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab19/very_sneaky.png


--------------------------------------------------------------------------------
/lab19/xor_decode_shellcode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DakotaNelson/practical-malware-analysis/849eb0871b7bfd8a639d7a9c5ecc42e11b7af2d0/lab19/xor_decode_shellcode.png


--------------------------------------------------------------------------------