What is Endianness? Write the following number in Little Endian format (still in Hex)
0x87654321
- Endianness: Byte order in memory or transmission.
- Big Endian: Most Significant Byte stored first.
- Little Endian: Least Significant Byte stored first.
- Affects data interpretation in computer systems.
Give two differences between Software Breakpoints and Hardware Breakpoints
1) Software Breakpoints:
- Debugger modifies instruction (e.g., “INT3”) at location.
- Causes interrupt, caught by software debugger.
- Debugger rewrites original code, slowing execution.
- Can’t read/write memory.
2) Hardware Breakpoints:
- Processor provides registers for breakpoints.
- No code modification needed.
- Monitors execution, even in read-only memory.
- Can monitor firmware, operating system code.
What are each of these Registers commonly used for (1-2 line answer):
o EIP
o EAX
- EIP: Instruction Pointer.
- Stores memory address of next instruction.
- Points to next instruction for CPU to fetch and execute.
- EAX: Accumulator register.
- Used for calculations, function results, system call interactions.
What is wrong with the following assembly instruction:
mov [0x12345678], [0x11111111]
It is trying to move memory directly to memory.
It is necessary to have an intermediate register to facilitate this.
Describe briefly (1-2 lines) what the following assembly functions do
- NOP
- ROR EAX,1
This would perform no operation as it I a do-nothing instruction.
This would perform a bitwise rotation of the EAX register’s value to the right by one bit position. Typically for creating a hash or encryption algorithm.
What is the primary purpose of packing for malware authors?
- Packing compresses code, using less space.
- Makes existing code more efficient.
- Malware becomes harder to analyze and detect.
- Compressed code looks different from the original.
- Difficult for reverse engineering and antivirus detection.
In the most common type of basic packer – the final file will have 2 main PE sections. Describe in 1-2 lines what each of these 2 sections does.
- First section: Compressed executable code, handles decompression at runtime
(UPX0 in UPX packers). - Second section: Original, uncompressed executable code. (UPX1 in UPX packers)
Several tools exist that help identify packers – list 3 different attributes they may use to do this.
- PE section names: Renamed when packed with packers like UPX (e.g., UPX1).
- Imports: May have niche imports indicating UPX when unpacking.
- Strings: Packed content can contain strings referencing the packer (e.g., error messages).
Describe 1-2 signs you may have reached the original Entry point (1-2 lines each)
Detect a point in the assembly where decryption operations conclude, and the code transitions into recognisable or meaningful instructions, indicating the end of obfuscation and the start of program logic.
Malware might use dynamic memory allocation functions like WriteProcessMemory or VirtualAlloc to allocate memory for its payload.
Dumping a process from memory will frequently break what part of the file, which will need to be patched before analysis?
Import Address Table is frequently broken by dumping a process. It must be fixed as it contains the addresses of DLLs required for analysis.
This can be patched using OllyDumpEx which may be temperamental. Failing this use ImpRec to fix it.
Name 3 major file extensions that commonly use the PE File Format
- .exe executable files
- .dll dynamic link library
- .sys windows system files
In a executable file that has some compression or packing, what difference would you expect in the size of a PE Section on disk vs its virtual size.
- Virtual size of a PE section is larger than its size on disk.
- Virtual size: Represents memory when fully decompressed and loaded during runtime.
- Size on disk: Actual storage space the compressed section occupies on disk.
PE Sections have a virtual size, and a size on disk – and the two may be different. In what common malware situation may be size on disk be quite a bit lower than size in memory?
- Size on disk tends to be lower than size in memory due to packing for anti-analysis.
- Malware is packed to avoid detection.
- Upon execution, malware is unpacked/decompressed, its full size is loaded into virtual memory at runtime.
Describe briefly (3-4 lines) why PE Files need to use Relative Virtual Addresses (RVA)
PE files employ Relative Virtual Addresses (RVAs) to achieve flexibility and adaptability during program loading. These RVAs guarantee that the code functions accurately, irrespective of where it’s loaded in memory. This feature ensures seamless operation across various memory locations.
An assembly function in a malware has a RVA of 0x2000 and loaded in memory at 0x63000
o What is its Image Base likely to have been?
o If the PE File instead loaded at 0x400000 where would this function end up?
Base = Load Memory Address - RVA
0x63000 - 0x2000 = 0x61000
New function address - Image Base + RVA
0x400000 + 0x2000 = 0x402000
For mobile worms – name 3 main ways that they can spread from device to device
- Bluetooth Messages to anyone in range
- Email via infected attachments or links
- SMS via sending links or infected multimedia to contacts
Apart from “normal” spyware features that are common between Windows and Mobile malware (infostealing of passwords) – name 3 interception / stealing features that are generally unique to mobile malware
• Intercept call log tracking and listen to live calls
• Geolocation tracking via phone GPS
• Intercepting SMS to bypass 2-factor authentication
Briefly (1-2 lines) explain how a Banking Mobile Trojan tends to work
• Intercepting SMS: Unauthorized access to and interception of text messages.
- only intercepts relevant banking messages to avoid detection
• Malware exploits handset permissions to send/read sms .
• Exploiting sensitive SMS for bypassing 2-factor authentication (2FA).
You have found an Android malware sample that you believe to be exfiltrating data to a number starting with +353.
Give a general overview of how to do Android malware analysis by treating it as Java code (as opposed to Dalvik assembly). In your description list:
- The main tools you would use
- 1-2 lines to describe the major steps you would carry out in order to analyse the sample and identify where the code sending the message is located
Step 0: Upload to Joe’s Sandbox to gauge suspicious behaviour and get VirusTotal analysis
Step 1: Extract contents of malware via WinZip, we now have access to Android manifest file and DEX file. These are components of APK file.
Step 2: Convert DEX to Java Jar file via Dex2Jar
Step 3: Use Java decompiler JD-GUI to analyse source code. From here analyse suspicious strings such as +353.
Name two main tools used to analyse PDF Files – and for each one give a 1-2 line description of what it does
PDF Parser - analyse components of a pdf file, such as metadata streams, images, embedded files, executables. We can interact with objects and see what they contain.
PDF ID - Brief overview of suspicious attributes in a pdf file. The metadata is extracted to give total of Embedded Files, Open Actions, Acro Forms
Which tool would be more useful in analyzing a PDF file – a Hex Editor or a Text Editor?
- Hex editor preferred for data analysis.
- Has advantage of analysing binary data unlike text editor
- Understand compression, encryption.
- Detect obfuscated data.
- Binary data analysis reveals embedded files.
What is STDCALL?
Standard Call
Requires the CALLEE (called function) to clean the stack
Default calling convention for Win32 API
What is CDECL?
C Declaration
Requires the CALLER (calling function) to clean the stack
Default calling convention for C and C++
