Title Pre-Lab 3 - Malware - pre lab 3 questions
Course Information Security 1
Institution The University of Texas at Arlington

CSE-4380/5380 InfoSec 1

Pre-Lab 3 (Malware) Worth 40% of your Lab 3 grade

Due Sun, Oct 22, 2017 at 11:59 PM

All questions are worth 1 point unless otherwise stated. Submit your answers as a simple list like: 1) a 2) short answer etc.

Part 1 – Windows Registry

The following questions are generic and can be answered by using any version of Windows (XP, Vista or Windows 7, 8, or 10). Helpful links:
http://support.microsoft.com/kb/256986
http://www.outertech.com/en/windows-registry-faq-and-howto-tutorial

For the security of your machine: Answering the following questions involves making changes to the Windows Registry, which is considered a sensitive operation. Incorrect registry changes might cause serious problems to your machine and you might need to reinstall your Windows system. Fortunately, the operations that you are going to perform in the Windows Registry for this pre-lab are not that critical. However, for the security of your machine, you might want to make a backup of the Windows Registry before you modify any settings. This backup operation is for the security of your own machine and not a part of the pre-lab. Please see the following link for more details:
http://support.microsoft.com/kb/136393

1. What is the function of the Windows Registry?
   a. Register a valid copy of Windows
   b. Perform system restore periodically
   c. Store various configuration settings
   d. Display application and device specific error messages

2. Which Windows command lets you edit the Windows Registry?

3. (2 pts.) Write down the names of the five hives of the Windows Registry. Which hive contains information about the currently logged-in user?

4. (2 pts.) Find the following key in your Windows Registry:
   My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   a. Provide a screenshot of the current setting of the key. What is the function of the key?
   b. Make the necessary changes inside that key so that when you restart your Windows machine, the program Notepad (the simple default text editor of Windows) appears automatically at startup. Test that it works. Copy the modified setting of the key here.

5. (2 pts.) Instead of doing Step 4 (b) manually, it is possible to write a simple C++ program that automatically does the same thing. What C++ functions do you need for this purpose?


Part 2 – Malware Basics and Hooks

See these three references for this section:
http://en.wikipedia.org/wiki/Hooking
http://www.symantec.com/connect/articles/introduction-spyware-keyloggers
http://www.symantec.com/connect/articles/detecting-rootkits-and-kernel-level-compromises-linux

6. Hooking is used for which purpose?
   a. Debugging
   b. Augmenting the behavior of an operating system
   c. Intercepting function calls
   d. All of the above

7. Which of these types of hook is most useful for a rootkit?
   a. A wallhack
   b. One that intercepts keyboard events
   c. One that modifies the Microsoft Word import table
   d. One that intercepts an API call that lists running processes

8. What is the key difference between physical modification and runtime modification?
   a. In physical modification, system files are altered
   b. In physical modification, hardware is altered
   c. In runtime modification, the hooks only take effect at system reboot.
   d. In runtime modification, the memory of other processes is not typically modified.

9. What type of keylogger can you build mainly with Windows functions?
   a. Hardware keylogger
   b. Software using a hook mechanism
   c. Kernel/driver keyloggers
   d. All of the above

10. Which of these methods is capable of detecting a newly developed non-kernel software keylogger?
   a. Signature-based anti-keylogger
   b. Hook based anti-keylogger
   c. Virtual keyboard
   d. All of the above

11. Why are the sys_open and sys_read system calls important to an attacker?
   a. They are the most powerful system calls.
   b. They could be used to evade file integrity checkers.
   c. They are the easiest to be modified.
   d. They could be processed in both kernel and user modes.


12. How can you detect whether an attacker has overwritten the address of the original system call in the system call table?
   a. By checking a trusted copy of the System.map file
   b. By running an intrusion detection system
   c. By invoking the sys_query_module system call
   d. By watching the system call IDs using gdb

13. Why should you be suspicious when you disassemble a system call function and see instructions like jmp and call?
   a. It is an indication that the system call table might have been modified.
   b. It is an indication of a memory dump error.
   c. It is an indication of a possible system call hooking.
   d. It is an indication that a packer is being called.

14. (2 pts.) Assume that you have run the gdb tool with appropriate parameters to print the entries of the system call table. The output appears as below:

   0xc0342a14 0xc011e1d0 0xc8821f21 0xc0302c40 0xc013fcb0 0xc013f0e0
   0xc013f230 0xc011e5b0 0xc0302c50 0xc013f180 0xc014cb10 0xc014c670
   0xc0107940 0xc0302c60 0xc013e620 0xc011f020 0xc014bcd0 0xc013e9a0

   What exactly is suspicious about this? What might the suspicious address indicate?

Part 3 – Win32 API Hooking

You can get a good overview of hooking from MSDN. In particular, the following link will be a useful resource for getting yourself introduced to hook functions, notifications, and structures:
http://msdn.microsoft.com/en-us/library/windows/desktop/ff468841(v=vs.85).aspx
For a basic understanding of the Win32 API, you can have a look at the following link:
http://www.winprog.org/tutorial/

15. Which function in the Win32 API is equivalent to the main() function of C or C++?

16. (2 pts.) Write down the names of the parameters of the function referenced in the previous question.

17. Which of these is true about HINSTANCE? (check all that apply)
   a. It is a file handle to a DLL.
   b. It is passed to the Win32 application entry point at startup.
   c. It is a window handle.
   d. It is a hardware driver instance.

18. Which of these is true about HWND? (check all that apply)
   a. It is a Windows data type.
   b. It is passed to the Win32 application entry point at startup.
   c. It is an OS handle.
   d. It is a window handle.
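Questions 12 and 14 above turn on comparing a gdb dump of the system call table against a trusted System.map. The following Python script is an added example (not part of the pre-lab) that flags any table entry whose address lies outside the static kernel text range; the table addresses are the ones printed in question 14, while the System.map excerpt and its _text/_etext values are constructed assumptions, not taken from any real kernel.

```python
import re

# Constructed gdb-style dump of the first 18 system call table entries; the
# addresses are the ones printed in question 14 of the pre-lab.
SYSCALL_TABLE_DUMP = """
0xc0342a14 0xc011e1d0 0xc8821f21 0xc0302c40 0xc013fcb0 0xc013f0e0
0xc013f230 0xc011e5b0 0xc0302c50 0xc013f180 0xc014cb10 0xc014c670
0xc0107940 0xc0302c60 0xc013e620 0xc011f020 0xc014bcd0 0xc013e9a0
"""

# Constructed excerpt of a trusted System.map (assumed values, not from any
# real kernel). Only the _text/_etext bounds of the static kernel code are
# needed here; a full System.map would also let you match every entry to
# its exact sys_* symbol address.
TRUSTED_SYSTEM_MAP = """\
c0100000 T _text
c0370000 A _etext
"""


def parse_system_map(text):
    """Return {symbol: address} from System.map lines 'addr type symbol'."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            symbols[parts[2]] = int(parts[0], 16)
    return symbols


def parse_gdb_dump(text):
    """Extract the hexadecimal addresses gdb printed, in table order."""
    return [int(tok, 16) for tok in re.findall(r"0x[0-9a-fA-F]+", text)]


def find_suspicious_entries(dump_text, system_map_text):
    """Return (index, address) pairs with an address outside [_text, _etext).

    A genuine sys_* handler is part of the static kernel image, so its
    address must fall in that range; an entry pointing elsewhere (e.g. into
    the area where loadable modules are mapped) suggests the slot was
    overwritten by a hook and should be checked against System.map.
    """
    symbols = parse_system_map(system_map_text)
    lo, hi = symbols["_text"], symbols["_etext"]
    return [(i, addr) for i, addr in enumerate(parse_gdb_dump(dump_text))
            if not lo <= addr < hi]


if __name__ == "__main__":
    for index, addr in find_suspicious_entries(SYSCALL_TABLE_DUMP, TRUSTED_SYSTEM_MAP):
        print(f"entry {index}: {addr:#010x} lies outside the kernel text range")
```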


19. (6 pts.) Write down the functionality of each of the following functions/structures of the Win32 API.
   a. SetWindowsHookEx()
   b. KBDLLHOOKSTRUCT
   c. CallNextHookEx()

20. Which function is used to hide a window in the Win32 API?

21. (2 pts.) How many parameters are there for the CreateWindowEx() function? How many members are there in the WNDCLASSEX structure?

Part 4 – File Access in C++

22. (8 pts.) Write a simple C++ program (which works in Windows) that:
   a. asks the user for her last name and writes the last name inside a file named “name.txt”
   b. opens “name.txt”, reads its content and displays the content as output
   Submit the program code in a .cpp file separate from your answer key. We will compile and test your code in Microsoft Visual Studio and grade the code based on whether it works. You must write your own code.

Special instruction: Microsoft Visual Studio

For Lab 3, you will be asked to modify a C++ program using Microsoft Visual Studio. Be sure that you are familiar with the IDE before you come to the lab. You will not have access to the Internet on the lab machine, so make sure to bring your own device for Internet access.