
CEH Lab Manual

Viruses and Worms

Module 07

Module 07 - Viruses and Worms

Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of it onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.

 

Lab Scenario

A computer virus attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, then transmit and also spread an attack. The attacker would normally serve to transport multiple attacks in one payload. The attacker can launch a DoS attack or install a backdoor and maybe even damage a local system or network systems.

Since you are an expert Ethical Hacker and Penetration Tester, the IT director instructs you to test the network for any viruses and worms that damage or steal the organization's information. You need to construct viruses and worms and try to inject them in a dummy network (virtual machine) and check whether they are detected by antivirus programs or are able to bypass the network firewall.

 
Lab Objectives

The objective of this lab is to make students learn how to create viruses and worms. In this lab, you will learn how to:

■ Create viruses using tools
■ Create worms using a worm generator tool

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment

To carry this out, you need:

■ A computer running Windows Server 2012 as host machine
■ Windows Server 2008, Windows 7 and Windows 8 running on virtual machine as guest machine
■ A web browser with Internet access
■ Administrative privileges to run tools

CEH Lab Manual Page 530

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.


Lab Duration

Time: 30 Minutes

 

Overview of Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of it onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.

Computer worms are malicious programs that replicate, execute, and spread across network connections independently without human interaction. Most worms are created only to replicate and spread across a network, consuming available computing resources. However, some worms carry a payload to damage the host system.

TASK 1: Overview

Lab Tasks

Recommended labs to assist you in creating viruses and worms:

■ Creating a virus using the JPS Virus Maker tool
■ Virus analysis using IDA Pro
■ Virus analysis using VirusTotal
■ Scan for viruses using Kaspersky Antivirus 2013
■ Virus analysis using OllyDbg
■ Creating a worm using the Internet Worm Maker Thing

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Creating a Virus Using the JPS Virus Maker Tool

JPS Virus Maker is a tool to create viruses. It also has a feature to convert a virus into a worm.

 

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

 

Lab Scenario

In recent years there has been a large growth in Internet traffic generated by malware, that is, Internet worms and viruses. This traffic usually only impinges on the user when either their machine gets infected or during the epidemic stage of a new worm, when the Internet becomes unusable due to overloaded routers. What is less well-known is that there is a background level of malware traffic at times of non-epidemic growth, and that anyone plugging an unfirewalled machine into the Internet today will see a steady stream of port scans, back-scatter from attempted distributed denial-of-service attacks, and host scans. We need to build better firewalls, protect the Internet router infrastructure, and provide early-warning mechanisms for new attacks.

Since you are an expert ethical hacker and penetration tester, your IT director instructs you to test the network to determine whether any viruses and worms will damage or steal the organization's information. You need to construct viruses and worms, try to inject them into a dummy network (virtual machine), and check their behavior, whether they are detected by an antivirus and if they bypass the firewall.

Lab Objectives

The objective of this lab is to make students learn and understand how to make viruses and worms.

Lab Environment

To carry out the lab, you need:

■ JPS tool located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker


■ A computer running Windows Server 2012 as host machine

■ Windows Server 2008 running on virtual machine as guest machine

■ Run this tool on Windows Server 2008

■ Administrative privileges to run tools

Lab Duration

Time: 15 Minutes

Overview of Viruses and Worms

A virus is a self-replicating program that produces its own code by attaching copies of it onto other executable codes. Some viruses affect computers as soon as their codes are executed; others lie dormant until a predetermined logical circumstance is met.

TASK 1: Make a Virus

Lab Tasks

1. Launch your Windows Server 2008 virtual machine.

2. Navigate to Z:\CEHv8 Module 07 Viruses and Worms\Virus Construction Kits\JPS Virus Maker.

3. Launch the JPS Virus Maker tool. Installation is not required for JPS Virus Maker. Double-click and launch the jps.exe file.

4. The JPS (Virus Maker 3.0) window appears.

Note: Take a snapshot of the virtual machine before launching the JPS Virus Maker tool.

Note: The Auto Startup option is always checked by default and starts the virus whenever the system boots.

FIGURE 1.1: JPS Virus Maker main window

5. JPS lists the Virus Options; check the options that you want to embed in a new virus file.

Note: This creation of a virus is only for knowledge purposes; don't misuse this tool.

Note: A list of names for the virus after install is shown in the Name after Install drop-down list.

FIGURE 1.2: JPS Virus Maker main window with options selected
6. Select one of the radio buttons to specify when the virus should start attacking the system after creation.

FIGURE 1.3: JPS Virus Maker main window with Restart selected
Note: A list of server names is present in the Server Name drop-down list. Select any server name.

7. Select the name of the service you want to make the virus behave like from the Name after Install drop-down list.

FIGURE 1.4: JPS Virus Maker main window with the Name after Install option

8. Select a server name for the virus from the Server Name drop-down list.

Note: Don't forget to change the settings for every new virus creation. Otherwise, by default, it takes the same name as an earlier virus.

TASK 2: Make a Worm

Note: You can select any icon from the Change Icon options. A new icon can be added apart from those on the list.

FIGURE 1.5: JPS Virus Maker main window with Server Name option

9. Now, before clicking Create Virus!, change the settings and virus options by clicking the settings icon.

FIGURE 1.6: JPS Virus Maker main window with Settings option

10. Here you see more options for the virus. Check the options and provide the related information in the respective text field.

FIGURE 1.7: JPS Virus Maker Settings option

11. You can change the Windows XP password, the IE home page, close a custom window, disable a particular custom service, etc.

12. You can even allow the virus to convert to a worm. To do this, check the Enable Convert to Worm check box and provide a Worm Name.


13. For the worm to self-replicate after a particular time period, specify the time (in seconds) in the Copy after field.

14. You can also change the virus icon. Select the type of icon you want to view for the created virus by selecting the radio button under the Change Icon section.

Note: Make sure to check all the options and settings before clicking Create Virus!

Note: Features: Change XP Password, Change Computer Name, Change IE Home Page, Close Custom Windows, Disable Custom Service, Disable Process, Open Custom Website, Run Custom Command, Enable Convert To Worm (Auto Copy Server To Active Path With Custom Name & Time), Change Custom Icon For Your Created Virus (15 Icons).

FIGURE 1.8: JPS Virus Maker main window with Options

15. After completing your selection of options, click Create Virus!

FIGURE 1.9: JPS Virus Maker main window with Create Virus! button

16. A pop-up window with the message Server Created Successfully appears. Click OK.

FIGURE 1.10: JPS Virus Maker Server Created Successfully message

17. The newly created virus (server) is placed automatically in the same folder as jps.exe but with the name Svchost.exe.

18. Now pack this virus with a binder or virus packager and send it to the victim machine. ENJOY!

Lab Analysis

Document all the files, created viruses, and worms in a separate location.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: JPS Virus Maker Tool

Information Collected/Objectives Achieved: To make the virus, the following options are used:

■ Disable Yahoo
■ Disable Internet Explorer
■ Disable Norton Antivirus
■ Disable McAfee Antivirus
■ Disable Taskbar
■ Disable Security Restore
■ Disable Control Panel
■ Hide Windows Clock
■ Hide All Tasks in Taskmgr
■ Change Explorer Caption
■ Destroy Taskbar
■ Destroy Offlines (YIMessenger)
■ Destroy Audio Services
■ Terminate Windows
■ Auto Startup

Questions

1. Infect a virtual machine with the created viruses and evaluate the behavior of the virtual machine.

2. Examine whether the created viruses are detected or blocked by any antivirus programs or antispyware.


Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ iLabs


Virus Analysis Using IDA Pro

Computer worms are malicious programs that replicate, execute, and spread themselves across network connections independently, without human interaction.

 

Lab Scenario

Viruses, worms, or Trojans can erase your disk, send your credit card numbers and passwords to a stranger, or let others use your computer for illegal purposes like denial of service attacks. Hacker mercenaries view Instant Messaging clients as their personal banks because of the ease by which they can access your computer via the publicly open and interpretable standards. They unleash a Trojan horse, virus, or worm, as well as gather your personal and confidential information. Since you are an expert ethical hacker and penetration tester, the IT director instructs you to test the network for any viruses and worms that can damage or steal the organization's information. You need to construct viruses and worms, try to inject them in a dummy network (virtual machine), and check their behavior, whether they are detected by any antivirus programs or bypass the firewall of an organization.

 

Lab Objectives

The objective of this lab is to make students learn and understand how to make viruses and worms to test the organization's firewall and antivirus programs.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms

Lab Environment

To carry out the lab, you need:

■ IDA Pro located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Malware Analysis Tools\IDA Pro
■ A computer running Windows Server 2012 as host machine
■ Windows Server 2008 running on virtual machine as guest machine
■ Run this tool on Windows Server 2008
■ You can also download the latest version of IDA Pro from the link http://www.hex-rays.com/products/ida/index.shtml


■ Administrative privileges to run tools

Lab Duration

Time: 15 Minutes

 

Overview of Viruses and Worms

Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction. Attackers use worm payloads to install backdoors in infected computers, which turn them into zombies and create botnets; these botnets can be used to carry out further cyber-attacks.

TASK 1: IDA Pro

Lab Tasks

1. Go to the Windows Server 2008 virtual machine.

2. Install IDA Pro, which is located at D:\CEH-Tools\CEHv8 Module 07 Viruses and Worms\Malware Analysis Tools\IDA Pro.

3. Open IDA Pro, and click Run in the Open File - Security Warning dialog box.

Note: You have to agree to the License Agreement before proceeding further with this tool.

FIGURE 2.1: IDA Pro About.

4. Click Next to continue the installation.

FIGURE 2.2: IDA Pro Setup

 
5. Select the I accept the agreement radio button for the IDA Pro license agreement.

6. Click Next.

 

Note: Reload the input file. This command reloads the same input file into the database. IDA tries to retain as much information as possible in the database. All the names, comments, segmentation information and similar will be retained.

FIGURE 2.3: IDA Pro license.

7. Keep the destination location default, and click Next.

Note: Add breakpoint. This command adds a breakpoint at the current address. If an instruction exists at this address, an instruction breakpoint is created. Otherwise, IDA offers to create a hardware breakpoint, and allows the user to edit the breakpoint settings.

FIGURE 2.4: IDA Pro destination folder

8. Check the Create a desktop icon check box, and click Next.

Note: Trace window. In this window, you can view some information related to all traced events. The tracing events are the information saved during the execution of a program. Different types of trace events are available: instruction tracing events, function tracing events, and write, read/write or execution tracing events.

FIGURE 2.5: Creating IDA Pro shortcut

9. The Ready to Install window appears; click Install.

Note: Add execution trace. This command adds an execution trace to the current address.

Note: Instruction tracing. This command starts instruction tracing. You can then use all the debugger commands as usual: the debugger will save all the modified register values for each instruction. When you click on an instruction trace event in the Trace window, IDA displays the corresponding register values preceding the execution of this instruction. In the 'Result' column of the Trace window, you can also see which registers were modified by this instruction.

FIGURE 2.6: IDA Pro install

10. Click Finish.

FIGURE 2.7: IDA Pro complete installation

11. The IDA License window appears. Click I Agree.

Note: The configuration files are searched in the IDA.EXE directory. In the configuration files, you can use C, C++ style comments and include files. If no file is found, IDA uses default values.

FIGURE 2.8: IDA Pro License accepts.

Note: Compiling an IDC script.

    // Compile an IDC script.
    // The input should not contain functions that are
    // currently executing - otherwise the behavior of the replaced
    // functions is undefined.
    //      input - if isfile != 0, then this is the name of file to compile
    //              otherwise it holds the text to compile
    // returns: 0 - ok, otherwise it returns an error message.
    string CompileEx(string input, long isfile);

    // Convenience macro:
    #define Compile(file) CompileEx(file, 1)

12. Click the New button in the Welcome window.

FIGURE 2.9: IDA Pro Welcome window.

13. A file browse window appears; select Z:\CEHv8 Module 07 Viruses and Worms\Viruses\Klez Virus Live!\face.exe and click Open.

Note: Function tracing. This command starts function tracing. You can then use all debugger commands as usual: the debugger will save all addresses where a call to a function or a return from a function occurred.

FIGURE 2.10: IDA Pro file browse window.
14. The Load a new file window appears. Keep the default settings and click OK. The dialog identifies face.exe as Portable executable for 80386 (PE) [pe.ldw], with processor type Intel 80x86 processors: metapc, and the analysis, Create segments, Load resources, Rename DLL entries, Make imports segment and Create FLAT group options enabled.

Note: Add/Edit an enum. Action name: AddEnum; Action name: EditEnum. These commands allow you to define and to edit an enum type. You need to specify: the name of the enum, its serial number (1, 2, ...), and the representation of the enum members.

FIGURE 2.11: Load a new file window.
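As an added example (not from the CEH manual and not Hex-Rays code), the following Python parser performs the same identification that the Load a new file dialog reports, reading the DOS header, PE signature, COFF header, optional header and section table of an image held in memory, and adds two pre-analysis checks an analyst wants before opening a sample in IDA (entry point outside every section, writable-and-executable sections). The image it parses is constructed inline (headers plus zero-filled section data, not a program) rather than face.exe from the manual; the names parse_pe, entry_section, triage_flags, is_pe and build_sample_pe are this example's own.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "Intel 80386 (i386)",
    0x8664: "x86-64 (AMD64)",
    0x01C4: "ARM Thumb-2",
    0xAA64: "ARM64",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Parse the headers of a PE image held in memory.  Raises ValueError for
    anything malformed, so a truncated or non-PE sample fails loudly instead
    of being mis-identified."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or opt + opt_size > len(data):   # Subsystem field sits at +68
        raise ValueError("optional header missing or truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    if magic == 0x10B:
        pe_format, image_base = "PE32", struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:
        pe_format, image_base = "PE32+", struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i          # section headers follow the optional header
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return {"format": pe_format, "machine_id": machine,
            "machine": MACHINE_NAMES.get(machine, f"unknown ({machine:#06x})"),
            "subsystem": subsystem, "entry_rva": entry, "image_base": image_base,
            "entry_va": image_base + entry, "sections": sections}


def entry_section(info: dict):
    """Name of the section holding the entry point, or None when it lies outside
    every section (typical of damaged or deliberately mangled samples)."""
    rva = info["entry_rva"]
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def triage_flags(info: dict) -> list:
    """Cheap warnings worth knowing before the sample is loaded into IDA."""
    flags = []
    if entry_section(info) is None:
        flags.append("entry point is outside every section")
    for s in info["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            flags.append(f"section {s['name']} is both writable and executable")
    return flags


def is_pe(data: bytes) -> bool:
    try:
        parse_pe(data)
        return True
    except ValueError:
        return False


def build_sample_pe(wx_text: bool = False) -> bytes:
    """Constructed minimal PE32 image (headers plus zero-filled raw section data,
    not an executable program) used only to exercise the parser offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: PE header right after DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x014C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                  # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    struct.pack_into("<H", opt, 68, 2)                    # Subsystem: Windows GUI
    text_chars = 0xE0000020 if wx_text else 0x60000020    # code | exec | read (| write)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, text_chars)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return (bytes(dos) + coff + bytes(opt) + text + data).ljust(0x800, b"\0")


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"{info['format']} for {info['machine']}, entry {info['entry_va']:#x} in {entry_section(info)}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va={s['va']:#07x} vsize={s['vsize']:#06x} raw={s['raw_size']:#06x}@{s['raw_ptr']:#05x}")
    print("flags:", triage_flags(info) or "none")
```

Machine value 0x014C is what IDA reports as Portable executable for 80386 with the metapc processor type; run on the real face.exe inside the isolated virtual machine, the section table and flags tell you what to expect before analysis starts.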

15. If any warning window prompts appear, click OK.

Note: Select appropriate options as per your requirement.

Note: %TMP% or %TEMP%: Specifies the directory where the temporary files will be created.

Note: Add read/write trace. This command adds a read/write trace to the current address. Each time the given address is accessed in read or write mode, the debugger will add a trace event to the Trace window.

16. The Please confirm window appears; read the instructions carefully and click Yes. The dialog explains that IDA-View now has a new mode, proximity view, which allows you to browse the interrelations between functions and data items; when inside a function, press the indicated key to toggle the proximity viewer and '+' to zoom back into a function. It asks whether you want to switch to proximity view now.

FIGURE 2.12: Confirmation wizard.
17. The final window appears after analysis.

FIGURE 2.13: IDA Pro window after analysis.

18. Click View -> Graphs -> Flow Chart from the menu bar.


Create alignment directive

Action name: Make Alignment

This command allows you to create an alignment directive.

Zoom in to have a better view of the details.

(Screenshot: the IDA Pro View menu opened over the disassembly, with Graphs expanded to show Flow chart (F12), Function calls (Ctrl+F12), Xrefs to, Xrefs from and User xrefs chart; the status bar reads "Display flow chart of the current function".)

FIGURE 2.14: IDA Pro flow chart menu.

19. A Graph window appears with the flow; zoom to view clearly.

FIGURE 2.15: IDA Pro flow chart.


Zoom in to have a better view of the details.

FIGURE 2.16: IDA Pro zoom flow chart.

(Screenshot: the WinGraph32 window showing the flow chart of _WinMain@16 as linked basic blocks, including the branch on byte_4100D4, the setup of the ServiceStartTable structure and the call to StartServiceCtrlDispatcherA; the status bar reads "85.71% (-153,-240) 8 nodes, 28 edge segments, 0 crossings".)

FIGURE 2.17: IDA Pro zoom flow chart.

20. Click View → Graphs → Function Calls from the menu bar.


Empty input file

The input file doesn't contain any instructions or data, i.e. there is nothing to disassemble. Some file formats allow the situation when the file is not empty but it doesn't contain anything to disassemble. For example, COFF/OMF/EXE formats could contain a file header which just declares that there are no executable sections in the file.
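The "nothing to disassemble" case described in this note can be checked before a sample is ever opened in IDA. The following Python is an added example, not code from the lab manual or from IDA Pro: it parses the DOS header, COFF file header and section table of a PE image by hand (no pefile dependency) and reports whether any section is flagged as code or executable and actually has bytes on disk. The three PE images it builds are constructed fixtures, not real samples; the field layout follows the PE/COFF specification.

```python
"""Triage a PE image for executable sections before disassembly.

Added example (not from the CEH lab manual or IDA Pro). A header-only or
data-only PE is exactly the "empty input file" situation IDA reports.
"""
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
EXEC_MASK = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE


def parse_sections(data: bytes) -> list[dict]:
    """Return one dict per section header (name, virtual_size, raw_size, characteristics)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i              # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, _vaddr, raw_size, _raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "characteristics": chars,
        })
    return sections


def has_disassemblable_code(data: bytes) -> bool:
    """True if some section is marked code/executable and has bytes on disk."""
    return any((s["characteristics"] & EXEC_MASK) != 0 and s["raw_size"] > 0
               for s in parse_sections(data))


def triage(data: bytes) -> str:
    """One-line verdict mirroring the disassembler's 'empty input file' warning."""
    secs = parse_sections(data)
    if not secs:
        return "empty input file: header declares no sections"
    if not has_disassemblable_code(data):
        return "no executable sections: nothing to disassemble"
    n_exec = sum(1 for s in secs if s["characteristics"] & EXEC_MASK)
    return f"{n_exec} executable section(s)"


def build_pe(sections: list[tuple[bytes, int, int]]) -> bytes:
    """Construct a minimal PE32 header set with the given (name, raw_size, characteristics).

    Constructed fixture for testing the parser; it is not a loadable executable.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> right after DOS header
    opt_size = 0xE0                                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    table = b""
    raw_ptr = 0x200
    for name, raw_size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, raw_size, 0x1000, raw_size,
                             raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += raw_size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed fixtures: normal code+data, header-only, and data-only images.
CODE_AND_DATA = build_pe([(b".text", 0x200, 0x60000020), (b".data", 0x100, 0xC0000040)])
HEADER_ONLY = build_pe([])
DATA_ONLY = build_pe([(b".rsrc", 0x400, 0x40000040)])

if __name__ == "__main__":
    for label, img in (("code+data", CODE_AND_DATA), ("header-only", HEADER_ONLY),
                       ("data-only", DATA_ONLY)):
        print(f"{label:12s} {triage(img)}")
```

Running the block prints a verdict for each fixture; the data-only case shows why "file is not empty" and "nothing to disassemble" are not contradictory, since the section table can describe only non-executable sections.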

(Screenshot: the IDA Pro View → Graphs menu with Function calls (Ctrl+F12) highlighted; the status bar reads "Display graph of function calls".)

FIGURE 2.18: IDA Pro Function calls menu.
21. A window showing the call flow appears; zoom to have a better view.

FIGURE 2.19: IDA Pro call flow of face.


FIGURE 2.20: IDA Pro call flow of face with zoom.

22. Click Windows → Hex View-A.

(Screenshot: IDA Pro with the Klez Virus Live! sample loaded and the Windows menu open, listing Load desktop, Save desktop, Delete desktop, Reset desktop, Reset hidden messages, Windows list, Next window (F6), Previous window (Shift+F6), Close window (Alt+F3), Focus command line, and the Functions window (Alt+1), IDA View-A (Alt+2), Hex View-A (Alt+3), Structures (Alt+4), Enums (Alt+5), Imports (Alt+6) and Exports (Alt+7) views.)
FIGURE 2.21: IDA Pro Hex View-A menu.

23. The following window shows Hex View-A.

(Screenshot: Hex View-A showing the raw bytes of the loaded sample from address 004073B2 onward, with the Functions window on the left and the Output window below.)

FIGURE 2.22: IDA Pro Hex View-A result.

 
 

24. Click Windows → Structures.

 

(Screenshot: the IDA Pro Windows menu opened over Hex View-A, with Structures (Alt+4) among the entries.)