Sample Paper Flashcards

1
Q

What is Endianness? Write the following number in Little Endian format (still in Hex)

0x87654321

A
  • Endianness: Byte order in memory or transmission.
  • Big Endian: Most Significant Byte stored first.
  • Little Endian: Least Significant Byte stored first.
  • Affects data interpretation in computer systems.
2
Q

Give two differences between Software Breakpoints and Hardware Breakpoints

A

1) Software Breakpoints:
- Debugger modifies instruction (e.g., “INT3”) at location.
- Causes interrupt, caught by software debugger.
- Debugger rewrites original code, slowing execution.
- Can’t read/write memory.

2) Hardware Breakpoints:
- Processor provides registers for breakpoints.
- No code modification needed.
- Monitors execution, even in read-only memory.
- Can monitor firmware, operating system code.

3
Q

What are each of these Registers commonly used for (1-2 line answer):
- EIP
- EAX

A
  • EIP: Instruction Pointer.
  • Stores memory address of next instruction.
  • Points to next instruction for CPU to fetch and execute.
  • EAX: Accumulator register.
  • Used for calculations, function results, system call interactions.
4
Q

What is wrong with the following assembly instruction:

mov [0x12345678], [0x11111111]

A

It is trying to move memory directly to memory.

It is necessary to have an intermediate register to facilitate this.

5
Q

Describe briefly (1-2 lines) what the following assembly functions do
- NOP
- ROR EAX,1

A

This would perform no operation, as it is a do-nothing instruction.

This would perform a bitwise rotation of the EAX register’s value to the right by one bit position. Typically used when creating a hash or encryption algorithm.

6
Q

What is the primary purpose of packing for malware authors?

A
  • Packing compresses code, using less space.
  • Makes existing code more efficient.
  • Malware becomes harder to analyze and detect.
  • Compressed code looks different from the original.
  • Difficult for reverse engineering and antivirus detection.
7
Q

In the most common type of basic packer – the final file will have 2 main PE sections. Describe in 1-2 lines what each of these 2 sections does.

A
  • First section: Compressed executable code, handles decompression at runtime
    (UPX0 in UPX packers).
  • Second section: Original, uncompressed executable code. (UPX1 in UPX packers)
8
Q

Several tools exist that help identify packers – list 3 different attributes they may use to do this.

A
  • PE section names: Renamed when packed with packers like UPX (e.g., UPX1).
  • Imports: May have niche imports indicating UPX when unpacking.
  • Strings: Packed content can contain strings referencing the packer (e.g., error messages).
9
Q

Describe 1-2 signs you may have reached the original Entry point (1-2 lines each)

A

Detect a point in the assembly where decryption operations conclude, and the code transitions into recognisable or meaningful instructions, indicating the end of obfuscation and the start of program logic.

Malware might use dynamic memory allocation functions like WriteProcessMemory or VirtualAlloc to allocate memory for its payload.

10
Q

Dumping a process from memory will frequently break what part of the file, which will need to be patched before analysis?

A

The Import Address Table is frequently broken by dumping a process. It must be fixed, as it contains the addresses of DLLs required for analysis.

This can be patched using OllyDumpEx, which may be temperamental. Failing this, use ImpRec to fix it.

11
Q

Name 3 major file extensions that commonly use the PE File Format

A
  • .exe executable files
  • .dll dynamic link library
  • .sys Windows system files
12
Q

In an executable file that has some compression or packing, what difference would you expect in the size of a PE Section on disk vs its virtual size?

A
  • Virtual size of a PE section is larger than its size on disk.
  • Virtual size: Represents memory when fully decompressed and loaded during runtime.
  • Size on disk: Actual storage space the compressed section occupies on disk.
13
Q

PE Sections have a virtual size, and a size on disk – and the two may be different. In what common malware situation may the size on disk be quite a bit lower than the size in memory?

A
  • Size on disk tends to be lower than size in memory due to packing for anti-analysis.
  • Malware is packed to avoid detection.
  • Upon execution, malware is unpacked/decompressed, its full size is loaded into virtual memory at runtime.
14
Q

Describe briefly (3-4 lines) why PE Files need to use Relative Virtual Addresses (RVA)

A

PE files employ Relative Virtual Addresses (RVAs) to achieve flexibility and adaptability during program loading. These RVAs guarantee that the code functions accurately, irrespective of where it’s loaded in memory. This feature ensures seamless operation across various memory locations.

15
Q

An assembly function in a malware sample has an RVA of 0x2000 and is loaded in memory at 0x63000.
- What is its Image Base likely to have been?
- If the PE File instead loaded at 0x400000, where would this function end up?

A

Base = Load Memory Address - RVA
0x63000 - 0x2000 = 0x61000

New function address = Image Base + RVA
0x400000 + 0x2000 = 0x402000

16
Q

For mobile worms – name 3 main ways that they can spread from device to device

A
  • Bluetooth Messages to anyone in range
  • Email via infected attachments or links
  • SMS via sending links or infected multimedia to contacts
17
Q

Apart from “normal” spyware features that are common between Windows and Mobile malware (infostealing of passwords) – name 3 interception / stealing features that are generally unique to mobile malware

A

  • Intercept call log tracking and listen to live calls
  • Geolocation tracking via phone GPS
  • Intercepting SMS to bypass 2-factor authentication

18
Q

Briefly (1-2 lines) explain how a Banking Mobile Trojan tends to work

A

  • Intercepting SMS: Unauthorized access to and interception of text messages.
    - Only intercepts relevant banking messages to avoid detection.
  • Malware exploits handset permissions to send/read SMS.
  • Exploiting sensitive SMS for bypassing 2-factor authentication (2FA).

19
Q

You have found an Android malware sample that you believe to be exfiltrating data to a number starting with +353.

Give a general overview of how to do Android malware analysis by treating it as Java code (as opposed to Dalvik assembly). In your description list:

  • The main tools you would use
  • 1-2 lines to describe the major steps you would carry out in order to analyse the sample and identify where the code sending the message is located

A

Step 0: Upload to Joe’s Sandbox to gauge suspicious behaviour and get VirusTotal analysis

Step 1: Extract the contents of the malware via WinZip; we now have access to the Android manifest file and the DEX file, which are components of the APK file.

Step 2: Convert DEX to Java Jar file via Dex2Jar

Step 3: Use Java decompiler JD-GUI to analyse source code. From here analyse suspicious strings such as +353.

20
Q

Name two main tools used to analyse PDF Files – and for each one give a 1-2 line description of what it does

A

PDF Parser - Analyse the components of a PDF file, such as metadata streams, images, embedded files and executables. We can interact with objects and see what they contain.

PDF ID - Brief overview of suspicious attributes in a PDF file. The metadata is extracted to give totals of Embedded Files, Open Actions and Acro Forms.

21
Q

Which tool would be more useful in analyzing a PDF file – a Hex Editor or a Text Editor?

A
  • Hex editor preferred for data analysis.
  • Has the advantage of analysing binary data, unlike a text editor.
  • Understand compression, encryption.
  • Detect obfuscated data.
  • Binary data analysis reveals embedded files.
22
Q

What is STDCALL?

A

Standard Call

Requires the CALLEE (called function) to clean the stack

Default calling convention for Win32 API

23
Q

What is CDECL?

A

C Declaration

Requires the CALLER (calling function) to clean the stack

Default calling convention for C and C++