Malware Reverse Engineering Final Exam Review Newest 2025-2026. Questions & Correct Answers. Graded A
Typology: Exams
Antivirus vs. Sandbox – ANS: Antivirus tools will look for particular patterns in files that might indicate it is malware. Sandboxes will actually run the malware to see what it does.
Autoruns – ANS: Microsoft SysInternals tool that uses a comprehensive list of Windows auto-start locations to identify programs configured to start automatically. Can be configured to ignore Microsoft-signed executables.
Benefits and drawbacks of sandboxes – ANS: Benefits:
Compilation vs. Interpretation – ANS: Compilation: translation of a program in a higher-level language to an equivalent program in a lower-level language. Translation to assembly language is often one step in this process. Interpretation: direct execution of a program represented in a higher-level language. Most interpreters actually involve translation from source code into some intermediate form, often bytecodes.
Components of a packed program – ANS: 1. Unpacker (executable code to restore the packed program)
SF: Sign flag (last operation yielded a value with MSB set); ZF: Zero flag (set if the result of an arithmetic operation is 0); AF: Adjust flag (carry or borrow to/from the least significant 4 bits); PF: Parity flag (1 if the number of 1 bits in the result is even, 0 if odd); CF: Carry flag (arithmetic carry or borrow occurred in the MSB position)
How to run a DLL file? – ANS: Use the rundll32.exe (or rundll64.exe) file
INetSim – ANS: Provides numerous simulated services to which a piece of malware may connect. By default responds in a way that is consistent with any request to a port it supports. Can be configured to give more specific responses.
Intel register names – ANS: Accumulator (EAX, AX, AH, AL); Count (ECX, CX, CH, CL); Data (EDX, DX, DH, DL); Base (EBX, BX, BH, BL); Stack Pointer (ESP, SP); Base Pointer (EBP, BP); Source (ESI, SI); Destination (EDI, DI)
lea instruction – ANS: Load effective address. Calculates an indirect address using arithmetic like mov, but stores the address, not the memory contents at that address, in the destination. Syntax: lea destination, value
Library functions – ANS: Functions that are called by a program but are not defined within the program
Little-endian vs. Big-endian – ANS: Word: 2 bytes; Double word: 4 bytes; Quad word: 8 bytes. These words must be stored either LSB or MSB (byte, not bit) first.
Microcode/firmware – ANS: The hardware of a CPU may be controlled by a program that causes it to emulate the behavior of a CPU that directly executes the instruction set. This emulation layer is referred to as microcode or firmware.
mov instruction – ANS: Moves data from one location to another without modifying it. Most often used to move data to and from memory, but may exchange register values as well. Syntax: mov destination, source
Multiplication and division instructions in x86 – ANS: mul value: EAX must contain the operand to be multiplied by value. The 64-bit result is stored with the most significant bits in EDX and the least significant bits in EAX. div value: EDX and EAX must contain the 64-bit operand to be divided by value. The result is stored in EAX, and the remainder is stored in EDX.
Rotates value into (and out of) CF, augmenting the destination value by 1 bit
Runtime linking – ANS: Linking happens after program execution has already begun
Static linking – ANS: Linking happens as the object code is generated
TCPDump – ANS: Capture, filter, and manipulate packets
Things monitored by Procmon – ANS: 1. Registry