Module Exam 3
What is a long pointer (LP)? What is a pointer (P)?
A pointer to another type in 32-bit systems. A pointer to another type in 16-bit systems.
What does the FindWindow API function do?
Allows malware code to search for the debugger window handler.
What is user mode?
Debuggers runs on the same system as the code being analyzed. Debugging is a single executable that is separated from other executables by the OS.
What is linear sweep disassembly?
Disassembling one instruction at a time linearly, without deviating. Uses the size of the disassembled instruction to determine which byte to disassemble next, without regard for flow-control instructions.
What is a run trace? What information does it save?
It allows you to execute code and have x32dbg save information. - Register values for executed instructions. - Flag values for executed instructions. - Memory map values for executed instructions.
What is kernel mode?
It requires two computers and if the kernel is at a breakpoint, the system stops. One computer runs the code being debugged while the other computer runs the debugger. The OS must be configured to allow kernel debugging.
What does OutputDebugString do?
It uses SetLastError to detect the presence of a debugger.
What does RegOpenKey do?
Opens a registry key.
What does ZwQuerySystemInformation do?
Returns true if debug object handle exists.
The Windows API is a broad set of functionality that governs the way a Windows application or malware interacts with the Microsoft libraries. (T/F)
True
The Windows registry is used to store OS and program configuration information, such as networking, driver, startup, user account settings and options. (T/F)
True
When you step-into a call instruction, the next instruction you will see in the debugger is the first instruction of the called function. (T/F)
True
What is call stack trace? What does the call stack window display?
You can view the execution path to a given function. It displays a list of functions called at run time from the beginning of a program until the execution of the current statement. It also displays the sequence of calls to reach your current location.
What six techniques can malware use to scan for indication that a debugger is attached?
1. Using Windows API functions. 2. Searching for debugger registry keys. 3. Debug Active Process. 4. Checking debugging flags in PEB, such as "BeingDebugged", "ForecFlags", and NTGlobalFlag". 5. INT 3 scanning. 6. Using exceptions (inserting interrupts).
What does API callback represent?
A function that will be called by the Windows API.
What is tracing? What does it change?
A powerful debugging technique that records detailed execution information for you to examine. There is a change in register values and in memory locations.
What is a Process Environment Block (PEB)? What does it contain?
A user-mode data structure that is maintained by the OS for each running process. It contains all user-mode parameters associated with a process, such as the list of loaded modules, process startup arguments, addresses in memory, and debugger status.
How does malware use the prefix \\.\?
It's used to access physical devices directly to read and write to them like a file.
What are conditional breakpoints?
Software breakpoints that will break only if a certain condition happens (true).
How could the CPU prevent a malware from modifying register values?
The CPU sets a general detect flag in DR7.
What is an operating system?
The kernel plus applications that enable users to accomplish some tasks (text editor, window manager, file system utilities, etc)
What happens when you step-into a call instruction?
The next instruction you will see in the debugger is the first instruction of the called function.
What are the two run trace options?
- Trace Into - Trace Over
What is "CreateFile" API?
A function for creating and opening files. It can open existing files, pipes, streams, I/O devices, and create new files.
What is flow-oriented disassembly?
A more advanced category of disassembly algorithms. It focuses on the control flow and only disassembles instructions if needed.
What does Windows use for API function identifiers? What does it do?
Hungarian notation It uses a prefix naming scheme that makes it easy to identify a variable's type (dwVar1, wVar2, etc.)
What is basic disassembly?
Identifying code by using headers to locate code blocks and entry points.
How does malware interact with a system?
It creates, modifies, or changes existing files/file names.
What are two ways to use a debugger?
- Start (load) the program with the debugger. - Attach a debugger to a program that is already running.
During malware analysis, you should take notes that summarize what two things?
- The location of the anti-debugging techniques. - How you bypassed the anti-debugging techniques.
What two things should a malware analyst know?
- What are the most popular anti-debugging techniques? - How could you bypass anti-bugging techniques?
What two ways can you patch a file?
1 - Change the OP code in memory and save the new binary. 2 - Skip the instruction (by changing the content of the EIP to the next instruction).
What is the difference between a debugger and a disassembler?
A disassembler shows the state of the program just before execution begins. The debugger provides a dynamic view of a program as it runs.
What is "ReadFile" and "WriteFile" APIs?
A function for reading and writing to files. Both APIs operate on files as a stream.
What is "CreateFileMapping" API? What is "MapViewOfFile" API?
A function that loads a file from disk into memory. A function that returns a pointer to the base address of the mapping, then the pointer can be used to access the file in memory.
What is WinINet? How does malware use it?
A higher-level API that implements protocols, such as HTTP and FTP at the application layer. Malware uses it to connect to a remote server and get further instructions for execution.
What is a key? What is a subkey?
A key is a folder in the registry that can contain additional folders (subkeys) or values. A subkey is like a subfolder within a folder.
What is the solution when malware spawns a child process that tries to debug the parent?
Block the creation of the child process.
What does advanced static analysis use? What does it let you do? (6)
It uses IDA Pro or GHIDRA to analyze the code. - Fix the code if it has anti-disassembly techniques. - Explore the code to determine behavior, functions, and tasks. - Focus on the big picture. - Provides good guidance for expected behavior when executing dynamic analysis. - Find the location of the main function. - Find the locations of other important functions.
What does dynamic malware analysis use? What does it let you do? (5)
It uses x32dbg (or another debugger) to perform Dynamic analysis. - Fix the code if it has anti-debugging techniques. - Adjust the base address of GHIDRA to match the base address of the debugger. - Locate the main function. Execute the malware code and confirm behavior, functions, and tasks. - Find out more information, such as effects of malware, what happens after execution, what files are created or downloaded, and what websites the malware contacted.
What does malware do to allow itself to launch automatically?
It will add an entry to the RUN key, which can set up software for automatically operation.
What happens if a disassembler is tricked into disassembling at the wrong offset?
It will display fake instructions and a valid instruction could be hidden from view.
What is the difference with kernel-mode malware?
It's more sophisticated and more destructive. It's also more difficult to detect or remove. Although, it's more difficult to develop.
What is the Windows registry?
It's used to store OS and program configuration information, such as networking, driver, startup, user account settings, and options.
What are handles (H)?
Items that have been opened or created in the OS, such as a window, process, module, menu, file, and so on.
What is kernel malware?
Malicious drivers that interact directly with the main Windows kernel components such as "Ntoslrnl.exe" and "hal.dll".
What is an assembly level debugger?
Operates on the assembly code and is considered low-level, more power. It can step through program one instruction at a time, examine memory locations, and set breakpoints. Most suitable for malware analysts because they don't have the source code.
What is a source-level debugger?
Operates on the source code and is usually built into integrated development platforms. It can set breakpoints or step through programs one line at a time.
What are the three most common registry functions? What do they do?
RegOpenKeyEx - Opens a registry for editing and querying. RegSetValueEx - Adds a new value to the registry and sets its data. RegGetValue - Returns the data for a value entry in the registry.
What does RegQueryValueEx do?
Retrieves its value.
What are the four privileges of x86? What are they?
Ring 0 - Kernel mode for kernel (highest privilege) Ring 1, 2 - Operating Systems Services (drivers) Ring 3 - User mode for applications (lowest privilege)
A _____ allows you to execute code and have x32dbg to save the register values for every executed instruction.
Run Trace
What is single-stepping?
Running a single instruction at a time and seeing everything going on within a program.
What does CheckRemoteDebuggerPresent do?
Takes a process handle as a parameter and checks if that process has a debugger attached. A process can be the malware process or any process in the local machine.
What does NtQueryInformationProcess do?
Takes a process handle as a parameter and checks if that process has a debugger attached. It retrieves the value of ProcessDebugPort. If it equals 0, a program is not attached to the debugger, if it equals 0x7, a program is attached to a debugger.
What is anti-disassembly?
Technique to delay or prevent analysis of malicious code. Malware code authors use special crafted code to cause disassembly analysis tools to produce incorrect program listing.
If IDA Pro produces inaccurate results during disassembly, what can the C key do? What can the D key do?
The C key will turn the cursor location into code. The D key will turn the cursor location into data.
What is a software execution breakpoint?
The default option for most debuggers. The debuggers overwrites the first byte of the instruction with 0xCC.
What is a kernel?
The heart of the operating system that controls and manages access to system resources.
What is a breakpoint?
The section where the run trace option will stop.
What is the difference between the server side and client side?
The server side maintains an open socket that's waiting for incoming connections. The client side connects to a waiting socket at the server side.
What are seven functions of Berkeley Compatible Sockets? What do they do?
socket - creates a socket bind - attaches a socket to a particular port listen - indicates that a socket will be listening for incoming connections accept - accepts the connection from the remote socket connect - opens a connection to a remote socket that is waiting for the connection recv - receives data from the remote socket send - sends data to the remote socket
What are three types of breakpoints?
- Software execution - Hardware execution - Conditional
What are the three types of tracing?
- Standard Back Trace - Call Stack Trace - Run Trace
After writing a malware code, malware code authors use separate tools to implement anti-disassembly techniques to delay or prevent analysis of malicious code. (T/F)
True
Anti-debugging techniques allow the malware code to realize that is running in a debugger. (T/F)
True
Anti-disassembly techniques could cause disassembly analysis tools to produce incorrect program listing. (T/F)
True
Every assembly language instruction has a unique OP code. (T/F)
True
For user mode code, debugger runs on the same system as the code being analyzed. (T/F)
True
If you didn't adjust the base memory address for the disassembler and debugger, you can use the memory offset to map a memory location from the disassembler to the debugger. (T/F)
True
Malware authors use anti-debugging techniques to slow down the analyst as much as possible. (T/F)
True
Malware commonly relies on Windows network functions (APIs) for network communication. (T/F)
True
To implement static patch steps, we could use the disassembler to change the behavior of a binary (or a function). (T/F)
True
You can use a debugger to change the control flags, the instruction pointer, or the code itself to modify the way that a program executes. (T/F)
True
What is single-stepping recommended for?
Understanding the details of a section of code (certain function)
What was the first anti-debugging API implemented by Windows?
ZwSetInformationThread and ZwCreateThreadEx
To change the behavior of binary in static patch, you can use:
- IDA Pro to change OP code - Hex editor to change OP code
How do you overcome the anti-debugging technique of using Windows API functions? (2)
- Manually modify the malware code to not call these functions. - Modify the flag's post call to these functions to ensure that the proper path is taken.
Once the malware code realizes that it's running in a debugger, what might it do? (3)
1. Change its normal code execution path. 2. Modify the code. 3. Cause a crash.
What is Windows API? How is it used?
A broad set of functionality that governs the way that malware or application interacts with the Microsoft libraries. It's used to create Windows applications with little need for third-party libraries.
What is the registry editor (Regedit)?
A built-in Windows tool used to view and edit the registry.
A standard Back Trace allows you to execute code and have x32dbg save the register values for every executed instruction.
False
After creating a window handler (HWND) with "CreateWindowEx" API, you can't use HWND with other APIs. (T/F)
False
For kernel mode code, debugger runs on the same system as the code being analyzed. (T/F)
False
When you step-over a call instruction, the next instruction you will see in the debugger is the first instruction of the called function. (T/F)
False
You may ignore the anti-disassembly techniques and continue the analysis without removing it. (T/F)
False
What does IsDebuggerPresent do?
For the malware process, it searches the Process Environment Block (PEB) structure for the BeingDebugged field. It returns 0 (false) if a program is not attached to a debugger, returns 1 (true) if a debugger is attached.
What are the five root keys? What are they used for?
HKEY_LOCAL_MACHINE (HKLM) - Stores settings that are global to the local machine. HKEY_CURRENT_USER (HKCU) - Stores settings specific to the current user. HKEY_CLASSES_ROOT - Stores information defining types. HKEY_CURRENT_CONFIG - Stores settings about the current hardware configuration, specifically the differences between the current and standard configuration. HKEY_USERS - Defines settings for the default user, new users, and current users.
What WinINet APIs does Wininet.dll include? What do they do?
InternetOpen - Used to initialize a connection to the Internet. InternetOpenUrl - Used to connect to a URL (which can be an HTTP page or an FTP resource). InternetReadFile - Used to allowed the program to read the data from a file downloaded from the Internet.
Why is it useful to attach a debugger to a program that is already running?
It can debug certain processes that are affected by malware.
How does malware use the Windows registry?
It could add entries into the registry that allow it to run automatically when the computer boots up (persistence). It can also add or change entries to modify some OS configuration.
What are breakpoints used for?
To pause execution and allow you to examine a program's state. They're needed because you can't access registers or memory addresses while a programming is running, since the values are changing.
What is a hardware execution breakpoint used for?
To pause on access rather than on execution. This sets a hardware breakpoint to break whenever a certain memory location is read or written from any place in the program.
How do malware authors use anti-debugging techniques?
To slow down the malware analyst as much as possible.
How does trace into interact with the breakpoint? How does trace over interact with the breakpoint?
Trace into will step into and record all executed instructions within functions until a breakpoint is hit. Trace over will record only the instructions that occur before and after executed functions until a breakpoint is hit.
How is the class HideThreadFromDebugger used?
When passed as an argument, it can be used to prevent debuggers from receiving events, such as breakpoints and exiting the program.
What happens when you step-over call instructions?
You bypass them. The debugger completes the calls and returns without pausing. You will see the instruction after the function call returns.
How can debuggers be used to change program execution?
You can change the control flags, the instruction pointer, or the code itself to modify the way that a program executes.
What can you do with a conditional breakpoint?
You can set the debugger to break only if the parameter being passed to "GetProcAddress" is a certain value.
What is standard back trace?
You don't need to choose any options. By default, the debugger is recording your movements. You can move through the debugger the way you like.
