- IDA Pro
- Lab09-03.exe SHA256: 1fc6a471b2a46cd882246d5bdc9d5954bf8efacf68b4e549a9756e6616848884
- DLL1.dll SHA256: 5ac89a17fc6225416cde2c3935c277fa9b9db51f5690285e7d565d04719abdce
- DLL2.dll SHA256: 9151b583754221ae1bf764d24edfd7c3a4c0377b4118d4d0e13615124059de8c
- DLL3.dll SHA256: 2ec8e8f63f298da249268cb6ea347934d200ed75c06886f4f310f4e14d6ebecc
- Detection Rate: 4/54 (1), 4/54 (2), 4/54 (3), 4/54 (4)
- Analyzed on 2016-03-05
- Compilation Date: 2011-05-16 20:43:56(1), 2011-10-01 18:25:55(2), 2011-10-01 18:25:56(3), 2011-10-01 18:26:01(4)
Analyze the malware found in the file Lab09-03.exe using OllyDbg and IDA Pro.
This malware loads three included DLLs (DLL1.dll, DLL2.dll, and DLL3.dll)
that are all built to request the same memory load location. Therefore, when
viewing these DLLs in OllyDbg versus IDA Pro, code may appear at different
memory locations. The purpose of this lab is to make you comfortable with
finding the correct location of code within IDA Pro when you are looking at
code in OllyDbg.
1. What DLLs are imported by Lab09-03.exe?
From IDA Pro we can see that DLL1.dll, DLL2.dll, KERNEL32.dll and NETAPI32.dll are imported by the malware. At runtime we can see additional DLLs being loaded (DLL3.dll is loaded dynamically, see question 6).
2. What is the base address requested by DLL1.dll, DLL2.dll, and DLL3.dll?
Loading each DLL in IDA Pro shows the image base it requests. It turns out that all three DLLs request the same image base, 0x10000000, so only one of them can actually be loaded there and the others must be relocated by the loader.
3. When you use OllyDbg to debug Lab09-03.exe, what is the assigned base address for: DLL1.dll, DLL2.dll, and DLL3.dll?
From figure 2, we can observe that the base address assigned to DLL1.dll is 0x10000000, to DLL2.dll 0x330000 and to DLL3.dll 0x390000. DLL1.dll got its preferred base because it was loaded first; the other two were relocated.
4. When Lab09-03.exe calls an import function from DLL1.dll, what does
this import function do?
From figure 4, we can see that DLL1Print is called, and figure 1 shows that DLL1Print is imported from DLL1.dll. Opening DLL1.dll in IDA Pro, we can conclude that the string "DLL 1 mystery data %d\n" is printed, where %d is filled with the value of the global variable dword_1008030. An xref check on this global variable shows that it is set by the code at 0x10001009.
The above figure shows that once the DLL is loaded, it queries its own process ID and stores it in the global variable dword_1008030. To conclude, DLL1Print prints "DLL 1 mystery data [current process ID]".
5. When Lab09-03.exe calls WriteFile, what is the filename it writes to?
Analyzing Lab09-03.exe, we can see that the file handle passed to WriteFile is retrieved from the DLL2ReturnJ subroutine (imported from DLL2.dll).
From the above image, DLL2ReturnJ simply returns the global variable dword_1000B078.
From the above image, things become clear: dword_1000B078 is the handle returned by CreateFileA, so the file written to is temp.txt.
6. When Lab09-03.exe creates a job using NetScheduleJobAdd, where does it get
the data for the second parameter?
NET_API_STATUS NetScheduleJobAdd( _In_opt_ LPCWSTR Servername, _In_ LPBYTE Buffer, _Out_ LPDWORD JobId );
In Lab09-03.exe we can see that a DLL is loaded dynamically at runtime: it first calls LoadLibraryA("DLL3.dll"), then GetProcAddress("DLL3Print") to get a pointer to the exported function, and finally calls a further DLL3 export through that pointer to obtain the AT_INFO structure that is passed as the Buffer parameter of NetScheduleJobAdd.
7. While running or debugging the program, you will see that it prints out three pieces of mystery data. What are the following: DLL 1 mystery data 1, DLL 2 mystery data 2, and DLL 3 mystery data 3?
- DLL 1 mystery data prints out the current process ID.
- DLL 2 mystery data prints out the file handle returned by CreateFileA.
- DLL 3 mystery data prints out, as a decimal value, the address of the command string "ping http://www.malwareanalysisbook.com".
8. How can you load DLL2.dll into IDA Pro so that it matches the load
address used by OllyDbg?
Select the Manual Load checkbox when opening DLL2.dll in IDA Pro. You will then be prompted to enter a new image base address; enter the base OllyDbg assigned (0x330000) so that the addresses in both tools match.
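As an added example (not part of the lab or the book), the following Python shows the two things this lab is really about: reading the preferred ImageBase out of a PE optional header (which is what IDA displays before a manual load) and translating addresses between the OllyDbg runtime base and the IDA base. The runtime bases are taken from the answer to question 3; the PE header used for testing is constructed in-line and is not one of the lab binaries.

```python
import struct

# Values from the write-up: all three DLLs ask for 0x10000000, but the loader
# could honour that only for the first one (DLL1.dll) and relocated the others.
PREFERRED_BASE = 0x10000000
RUNTIME_BASES = {"DLL1.dll": 0x10000000, "DLL2.dll": 0x330000, "DLL3.dll": 0x390000}


def read_image_base(pe_bytes: bytes) -> int:
    """Return the preferred ImageBase stored in a PE file's optional header."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic == 0x10B:       # PE32: ImageBase is a DWORD at optional header + 28
        return struct.unpack_from("<I", pe_bytes, opt + 28)[0]
    if magic == 0x20B:       # PE32+: ImageBase is a QWORD at optional header + 24
        return struct.unpack_from("<Q", pe_bytes, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)


def olly_to_ida(addr: int, runtime_base: int, preferred_base: int = PREFERRED_BASE) -> int:
    """Map an address seen in OllyDbg to where IDA shows it at the preferred base."""
    return addr - runtime_base + preferred_base


def ida_to_olly(addr: int, runtime_base: int, preferred_base: int = PREFERRED_BASE) -> int:
    """Inverse mapping: IDA address -> address inside the running process."""
    return addr - preferred_base + runtime_base


def make_test_pe(image_base: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a real binary) for exercising read_image_base."""
    hdr = bytearray(0x40 + 4 + 20 + 0x70)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    if pe32plus:
        struct.pack_into("<H", hdr, opt, 0x20B)
        struct.pack_into("<Q", hdr, opt + 24, image_base)
    else:
        struct.pack_into("<H", hdr, opt, 0x10B)
        struct.pack_into("<I", hdr, opt + 28, image_base)
    return bytes(hdr)
```

For example, the DLL2 global dword_1000B078 from question 5 appears at 0x33B078 in OllyDbg, and olly_to_ida(0x33B078, 0x330000) gives back 0x1000B078.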