Malware Reverse Engineering Final Exam Review Newest 2025-2026. Questions & Correct Answers. Graded A (Exams, Software Engineering)

Typology: Exams
Academic year: 2024/2025
Available from 07/05/2025
Uploaded by zaza-maica

Antivirus vs. Sandbox - ANS Antivirus tools look for particular patterns (signatures) in a file that might indicate it is malware, without running it. Sandboxes actually run the malware in an instrumented environment and record what it does.

Autoruns - ANS Microsoft Sysinternals tool that uses a comprehensive list of Windows auto-start locations (Run keys, services, drivers, scheduled tasks and the like) to identify programs configured to start automatically. It can be configured to hide Microsoft-signed executables so that the remaining, third-party entries stand out.
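Worked example, added to this review (not Sysinternals code): a script that applies the card's "ignore Microsoft-signed executables" idea to an Autoruns CSV export and then flags what is left. It assumes the column names follow autorunsc's CSV output (Entry Location, Entry, Signer, Image Path, Launch String, ...) and that Signer reads "(Verified) <name>" or "(Not verified) <name>"; check both against your own export. The sample rows are constructed and the heuristics are illustrative, not an exhaustive list.

```python
"""Triage an Autoruns CSV export the way the card suggests: drop entries whose
Authenticode signature verifies to Microsoft, then flag what remains.
Added example for this review, not Sysinternals code. Assumptions: column
names follow autorunsc's CSV output (Entry Location, Entry, Signer,
Image Path, Launch String, ...), and Signer reads "(Verified) <name>" or
"(Not verified) <name>"; check both against your own export.
"""
import csv
import io

# Constructed sample rows in that layout (real exports carry more columns).
SAMPLE_CSV = "\n".join([
    r"Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String",
    r"20250705-101500,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe",
    r"20250705-101500,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,bob,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\bob\appdata\local\microsoft\onedrive\onedrive.exe,24.1.1,C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"20250705-101500,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,bob,,(Not verified) Acme Soft,Acme Soft,c:\users\bob\appdata\roaming\upd\svchost.exe,1.0.0.0,C:\Users\bob\AppData\Roaming\upd\svchost.exe",
    r'20250705-101500,Task Scheduler,\Microsoft\Windows\Maint,enabled,Tasks,System-wide,,(Not verified),,c:\windows\system32\rundll32.exe,10.0.19041.1,"rundll32.exe C:\ProgramData\mt\m.dll,Start"',
    r"20250705-101500,HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,System-wide,Print Spooler,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\spoolsv.exe,10.0.19041.1,C:\Windows\System32\spoolsv.exe",
    r"20250705-101500,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ContosoAgent,enabled,Logon,System-wide,Contoso Agent,(Verified) Contoso Ltd,Contoso Ltd,c:\program files\contoso\agent.exe,3.2.0.0,C:\Program Files\Contoso\agent.exe",
])

# Illustrative heuristics for what survives the Microsoft filter.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
PROXY_BINARIES = ("rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell", "certutil")
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe", "winlogon.exe")


def is_microsoft_signed(signer):
    """Autoruns reports a validated Authenticode signature as '(Verified) <name>'."""
    return signer.startswith("(Verified)") and "microsoft" in signer.lower()


def reasons_for(row):
    """Why an entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    signer = row.get("Signer", "")
    image = row.get("Image Path", "").lower()
    launch = row.get("Launch String", "").lower()
    if not signer.startswith("(Verified)"):
        reasons.append("signature not verified")
    if any(marker in image for marker in USER_WRITABLE):
        reasons.append("image in user-writable location")
    if image.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in image:
        reasons.append("system binary name outside the Windows directory")
    if any(tool in launch for tool in PROXY_BINARIES) and any(m in launch for m in USER_WRITABLE):
        reasons.append("proxy execution (rundll32/regsvr32/...) of a payload in a user-writable location")
    return reasons


def triage(csv_text):
    """Return (number of Microsoft-signed entries hidden, list of findings)."""
    hidden, findings = 0, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_microsoft_signed(row["Signer"]):
            hidden += 1          # the "Hide Microsoft Entries" option, in script form
            continue
        reasons = reasons_for(row)
        if reasons:
            findings.append({"location": row["Entry Location"], "entry": row["Entry"],
                             "image": row["Image Path"], "reasons": reasons})
    return hidden, findings


if __name__ == "__main__":
    hidden, findings = triage(SAMPLE_CSV)
    print("hidden Microsoft-signed entries:", hidden)
    for f in findings:
        print(f["location"], f["entry"], f["image"], "; ".join(f["reasons"]))
```

On the constructed sample the three Microsoft-signed rows are hidden, the verified Contoso entry passes quietly, and two entries are flagged: a "svchost.exe" living under AppData with an unverified signature, and a scheduled task that uses rundll32.exe to load a DLL from ProgramData. Hiding signed entries is a filter for attention, not a verdict: a stolen or abused certificate still shows as verified, so treat the hidden count as context rather than as a clean bill.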
Benefits and drawbacks of sandboxes - ANS Benefits:
- You will think you don't need a malware analyst
Drawbacks:
- It will not know which command-line options the sample needs; run without them, the sample may do nothing interesting
- It may not record important events
- It may not execute the malicious code because of anti-analysis techniques (sandbox detection, long sleeps, checks for user activity). Some of this is inevitable: by Rice's Theorem there is no general procedure that decides whether a given program will behave maliciously, so a sandbox can never guarantee it has seen the malicious path
- The environment may not trigger the malicious behavior (for example the wrong OS version or a missing target application)
- The report may not capture the actual risks associated with the malware
- Uploading a sample to a public sandbox may let the malware author see that the sample they wrote was uploaded, which indicates to them that their attack was successful. The same applies to antivirus software that submits samples to the vendor

Compilation vs. Interpretation - ANS Compilation: translation of a program in a higher-level language to an equivalent program in a lower-level language. Translation to assembly language is often one step in this process. Interpretation: direct execution of a program represented in a higher-level language. Most interpreters actually involve translation from source code into some intermediate form, often bytecodes, which is then executed.

Components of a packed program - ANS
1. Unpacker (executable code that restores the packed program in memory at run time)
2. Packed (compressed and/or encrypted) representation of the original program

Context-triggered piecewise hashes - ANS The "ssdeep" tool provides a way of hashing files so that similar files get similar hashes. It does this with a rolling hash: the input is cut into pieces wherever the rolling hash hits a trigger value, so piece boundaries depend on the content rather than on fixed offsets, and each piece contributes one character to the signature. The ssdeep hashes of similar files will usually have a small edit distance (the number of editing actions needed to make them identical).

Cryptographic Hash - ANS Maps arbitrary data, called a message, into a fixed-size string of bits called a hash. It also satisfies the following properties (the list is truncated in the preview):
2. The function is relatively easy to compute
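To make the contrast between the two cards concrete, here is a toy context-triggered piecewise hash next to SHA-256. This is an added example written for this review, not code from the exam or from the ssdeep project: the rolling hash follows ssdeep's h1/h2/h3 scheme, but the block size, the FNV-1a piece hash and the scoring are simplified choices of my own, so the signatures are not ssdeep-compatible. The inputs are constructed pseudo-random bytes.

```python
"""Toy context-triggered piecewise hash (CTPH) in the style of ssdeep, plus a
cryptographic hash for contrast. Added example for this review, not code from
the exam or from the ssdeep project. The rolling hash mirrors ssdeep's
h1/h2/h3 scheme; the block size, piece hash (FNV-1a) and scoring are
simplified choices of my own, so signatures are not ssdeep-compatible.
"""
import hashlib
import random

WINDOW = 7        # bytes the rolling hash remembers
BLOCK_SIZE = 64   # a piece ends when rolling_hash % BLOCK_SIZE == BLOCK_SIZE - 1
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193


class RollingHash:
    """Value depends only on the last WINDOW bytes, so a local edit can only
    move the piece boundaries in its own neighbourhood."""

    def __init__(self):
        self.buf = bytearray(WINDOW)
        self.n = 0
        self.h1 = self.h2 = self.h3 = 0

    def update(self, c):
        self.h2 = (self.h2 - self.h1 + WINDOW * c) & 0xFFFFFFFF         # position-weighted sum
        self.h1 = (self.h1 + c - self.buf[self.n % WINDOW]) & 0xFFFFFFFF  # plain sum of the window
        self.buf[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ c) & 0xFFFFFFFF   # shift/xor; old bytes fall off the top
        return (self.h1 + self.h2 + self.h3) & 0xFFFFFFFF


def ctph(data, block_size=BLOCK_SIZE):
    """Signature 'block_size:chars', one character per content-defined piece."""
    roll, piece, out = RollingHash(), FNV_OFFSET, []
    for b in data:
        piece = ((piece ^ b) * FNV_PRIME) & 0xFFFFFFFF   # FNV-1a over the current piece
        if roll.update(b) % block_size == block_size - 1:
            out.append(ALPHABET[piece & 63])
            piece = FNV_OFFSET
    if piece != FNV_OFFSET:                               # flush the trailing partial piece
        out.append(ALPHABET[piece & 63])
    return "%d:%s" % (block_size, "".join(out))


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a, sig_b):
    """0..100 score from the edit distance (simplified; ssdeep scores differently).
    Like ssdeep, signatures with different block sizes are not comparable."""
    bs_a, a = sig_a.split(":", 1)
    bs_b, b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    longest = max(len(a), len(b), 1)
    return max(0, 100 - 100 * edit_distance(a, b) // longest)


# Constructed inputs: pseudo-random "binary", a copy with 16 bytes patched in
# the middle (as a re-configured variant might be), and an unrelated file.
_rng = random.Random(1)
ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(4096))
PATCHED = ORIGINAL[:2048] + b"\x00" * 16 + ORIGINAL[2064:]
UNRELATED = bytes(random.Random(2).getrandbits(8) for _ in range(4096))


def compare_hashes():
    """Cryptographic hash: any change flips everything. CTPH: a small edit
    leaves most of the signature intact."""
    sha_same = hashlib.sha256(ORIGINAL).hexdigest() == hashlib.sha256(PATCHED).hexdigest()
    sig_o, sig_p, sig_u = ctph(ORIGINAL), ctph(PATCHED), ctph(UNRELATED)
    return {
        "sha256_matches_after_patch": sha_same,
        "ctph_distance_patched": edit_distance(sig_o.split(":")[1], sig_p.split(":")[1]),
        "ctph_distance_unrelated": edit_distance(sig_o.split(":")[1], sig_u.split(":")[1]),
        "similarity_patched": similarity(sig_o, sig_p),
        "similarity_unrelated": similarity(sig_o, sig_u),
    }


if __name__ == "__main__":
    for name, value in compare_hashes().items():
        print(name, value)
```

The 16-byte patch changes only the piece that contains it and at most the boundaries within one window of it, so the two signatures differ in a handful of characters while SHA-256 changes entirely; an unrelated file of the same size lands far away. Two caveats a real tool handles and this toy does not: ssdeep picks the block size from the input length (and halves it when too few pieces result), and very low-entropy input may never hit the trigger at all, which is why the block size is part of the signature and only equal block sizes are compared.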

SF: Sign flag (set if the last operation yielded a value with the MSB set, i.e. negative as a signed value)
ZF: Zero flag (set if the result of an arithmetic operation is 0)
AF: Adjust flag (carry or borrow out of the least significant 4 bits, used for BCD arithmetic)
PF: Parity flag (set if the number of 1 bits in the low byte of the result is even, clear if odd)
CF: Carry flag (an unsigned arithmetic carry or borrow occurred out of the MSB position)

How to run a DLL file? - ANS Use rundll32.exe: rundll32.exe <path\to\file.dll>,<ExportedFunction> [arguments]. There is no rundll64.exe; on 64-bit Windows the 64-bit rundll32.exe lives in System32 and the 32-bit one in SysWOW64, and the DLL's bitness must match the loader used. The export is called with the signature rundll32 expects (HWND, HINSTANCE, LPSTR, int), so arbitrary exports may misbehave when invoked this way.

INetSim - ANS Provides numerous simulated services (HTTP, DNS, SMTP, FTP and others) to which a piece of malware may connect. By default it responds in a way that is consistent with any request to a port it supports; it can be configured to give more specific responses.

Intel register names - ANS Accumulator (EAX, AX, AH, AL), Count (ECX, CX, CH, CL), Data (EDX, DX, DH, DL), Base (EBX, BX, BH, BL), Stack Pointer (ESP, SP), Base Pointer (EBP, BP), Source Index (ESI, SI), Destination Index (EDI, DI)

lea instruction - ANS Load effective address. Calculates an address using the same addressing arithmetic as mov, but stores the computed address itself, not the memory contents at that address, in the destination: lea destination, [base + index*scale + displacement]. Because no memory is accessed, compilers also use it for plain arithmetic (for example lea eax, [ecx + ecx*4] computes ecx*5).

Library functions - ANS Functions that are called by a program but are not defined within the program (they come from a statically or dynamically linked library).

Little-endian vs. Big-endian - ANS Word: 2 bytes. Double word: 4 bytes. Quad word: 8 bytes. A multi-byte value must be stored either least-significant byte first (little-endian, used by x86) or most-significant byte first (big-endian, used for network byte order). The unit is the byte, not the bit: 0x12345678 is stored as 78 56 34 12 on a little-endian machine.

Microcode/firmware - ANS The hardware of a CPU may be controlled by a program that causes it to emulate the behavior of a CPU that directly executes the instruction set. This emulation layer is referred to as microcode or firmware.

mov instruction - ANS Copies data from one location to another without modifying it. Most often used to move data to and from memory, but may also copy a value between registers: mov destination, source. (Swapping two registers is xchg, not mov.)

Multiplication and division instructions in x86 - ANS mul value: EAX must contain the operand to be multiplied by the 32-bit value. The 64-bit result is stored with the most significant bits in EDX and the least significant bits in EAX. div value: EDX:EAX must contain the 64-bit operand to be divided by the 32-bit value. The quotient is stored in EAX and the remainder in EDX. With 8- or 16-bit operands the register pairs are AL/AX and DX:AX instead. If the divisor is 0 or the quotient does not fit in EAX, the CPU raises a divide error (#DE), which is why code clears EDX (xor edx, edx) or sign-extends EAX (cdq, for idiv) before dividing.

Process Explorer - ANS
- Properties -> Strings shows the strings in the on-disk image or in memory
- Can launch Dependency Walker from the context menu
- Opening malicious documents may spawn new processes, which show up in the process tree

Process Hacker - ANS
- Open source alternative to Process Explorer
- Extendable through plugins
- Largely similar to Process Explorer in capabilities, but they diverge in some logging capabilities
- Supports more options for stopping hard-to-kill processes
- Both Process Hacker and Process Explorer may be useful

Rice's Theorem - ANS Any nontrivial property of a program's behavior is undecidable. A nontrivial property is one that some programs have and others do not. These are properties of program behavior (semantics) rather than of syntax or structure. A property is undecidable if no decider program can be written that, for any given program, decides whether or not it has the property. This is related to the HALTING PROBLEM, because one cannot decide ahead of time whether an arbitrary program will halt. For malware analysis it means that "does this program behave maliciously?" cannot be decided in general, only approximated.

Rotate instructions in x86 - ANS
ror destination, count and rol destination, count rotate the bits of destination right or left by count positions; CF is set to the bit that was last rotated around the end.
rcl destination, count and rcr destination, count rotate through the carry flag: CF acts as an extra bit of the destination, so each step rotates one bit out into CF and the old CF back into the value.

Runtime linking - ANS Linking happens after program execution has already begun (on Windows via LoadLibrary and GetProcAddress), so the functions resolved this way do not appear in the executable's import table.

Static linking - ANS Linking happens when the executable is built: the library code is copied into the executable, so there is no import for it.

TCPDump - ANS Command-line tool to capture, filter and manipulate packets.

Things monitored by Procmon - ANS
1. Registry

2. File system
3. Network* (not consistent across Windows versions)
4. Processes
5. Threads

Typical opcode register order in Intel - ANS AX, CX, DX, BX, SP, BP, SI, DI (register encodings 0 through 7; the same order holds for EAX through EDI)

Typical program memory layout - ANS From low to high memory addresses:
- Code (.text)
- Data (.data, .bss)
- Heap (grows toward higher addresses)
- Stack (starts at high addresses and grows toward lower ones)

Why is hashing used in malware analysis? - ANS Hashes are used as fingerprints to identify malware file versions and to look samples up in databases. SHA-256 is most common now. MD5 is still common but has known collisions that have been exploited by malware (Flame used an MD5 collision to forge a Microsoft code-signing certificate), so two different files can share an MD5. A cryptographic hash changes completely on a one-byte edit, which is why fuzzy hashes such as ssdeep are used alongside it to relate variants.
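The flag, mul/div, rotate and register-order cards above describe behaviour that is easy to get subtly wrong when reading disassembly by hand, so here is a small Python model of exactly those semantics. This is an added example for this review, not code from the exam or from Intel; the function names are my own and the semantics follow the Intel manual for 32-bit operands, with values held as unsigned Python ints.

```python
"""Small Python model of the x86 behaviour described in the flags, mul/div,
rotate and register-order cards. Added example for this review, not code from
the exam or from Intel; function names are my own, semantics follow the Intel
SDM for 32-bit operands. Values are unsigned Python ints.
"""
MASK32 = 0xFFFFFFFF

# reg-field encoding 0..7 (the "typical opcode register order")
REG_ORDER = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


def parity_even(value):
    """PF looks only at the low byte of the result."""
    return bin(value & 0xFF).count("1") % 2 == 0


def flags_of(result, carry, adjust):
    return {"CF": carry, "ZF": result == 0, "SF": bool(result >> 31),
            "PF": parity_even(result), "AF": adjust}


def add32(a, b):
    """add a, b -> (result, flags). CF = carry out of bit 31, AF = carry out of bit 3."""
    full = a + b
    result = full & MASK32
    return result, flags_of(result, full > MASK32, (a & 0xF) + (b & 0xF) > 0xF)


def sub32(a, b):
    """sub a, b -> (result, flags). CF and AF mean 'borrow' here."""
    result = (a - b) & MASK32
    return result, flags_of(result, a < b, (a & 0xF) < (b & 0xF))


def mul32(eax, value):
    """mul value: EDX:EAX = EAX * value (unsigned 64-bit product)."""
    product = eax * value
    return {"EDX": product >> 32, "EAX": product & MASK32}


def div32(edx, eax, value):
    """div value: EAX = EDX:EAX / value, EDX = remainder; raises where the CPU raises #DE."""
    if value == 0:
        raise ZeroDivisionError("#DE: divide by zero")
    quotient, remainder = divmod((edx << 32) | eax, value)
    if quotient > MASK32:
        # the classic mistake: EDX not cleared (xor edx, edx) before div
        raise OverflowError("#DE: quotient does not fit in EAX")
    return {"EAX": quotient, "EDX": remainder}


def div_faults(edx, eax, value):
    """True if the div would raise #DE instead of producing a result."""
    try:
        div32(edx, eax, value)
    except (ZeroDivisionError, OverflowError):
        return True
    return False


def rol32(x, count, cf):
    """rol x, count -> (result, CF). CF = the bit last rotated out of the top, now at bit 0."""
    count &= 31                       # hardware masks the count to 5 bits
    if count == 0:
        return x, cf                  # a zero count leaves CF unchanged
    result = ((x << count) | (x >> (32 - count))) & MASK32
    return result, result & 1


def ror32(x, count, cf):
    """ror x, count -> (result, CF). CF = the bit last rotated out of the bottom, now at bit 31."""
    count &= 31
    if count == 0:
        return x, cf
    result = ((x >> count) | (x << (32 - count))) & MASK32
    return result, result >> 31


def rcl32(x, count, cf):
    """rcl: rotate the 33-bit value CF:x left, one bit at a time through CF."""
    v = (cf << 32) | x
    for _ in range(count & 31):
        v = ((v << 1) | (v >> 32)) & 0x1FFFFFFFF
    return v & MASK32, v >> 32


def rcr32(x, count, cf):
    """rcr: rotate the 33-bit value CF:x right, one bit at a time through CF."""
    v = (cf << 32) | x
    for _ in range(count & 31):
        v = ((v >> 1) | ((v & 1) << 32)) & 0x1FFFFFFFF
    return v & MASK32, v >> 32


if __name__ == "__main__":
    print("add 0xFFFFFFFF, 1 ->", add32(0xFFFFFFFF, 1))
    print("sub 5, 7 ->", sub32(5, 7))
    print("mul 0x80000000 * 4 ->", mul32(0x80000000, 4))
    print("div with dirty EDX faults:", div_faults(1, 0, 1))
    print("rcl 0x80000000 by 1 with CF=0 ->", rcl32(0x80000000, 1, 0))
```

Two things the model makes visible that the cards only state: rol and ror copy the bit that went around the end into CF (rcl and rcr instead thread it through CF, which is how multi-word shifts are built), and div faults not only on a zero divisor but also when EDX still holds stale data so the quotient exceeds 32 bits, which is the reason for the xor edx, edx or cdq that precedes nearly every div or idiv in compiled code.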