121 Proj X14: Analyzing Running Programs with LordPE (10 pts.)

What you need:

Purpose

Malware is often "packed" or otherwise obfuscated, which confounds static analysis: the strings and code you would normally read out of the disk file are compressed or encrypted until the program runs. To analyze it, you run it, let the packer's stub unpack it in memory, and then dump and examine that RAM image. We'll use the LordPE tool to do that.

This Project is "Safe"

I'm not giving students real malware at this point--we'll use a harmless program I wrote and packed with the MPRESS packer.

Download Strings

If you don't already have Strings on your Windows system, open a browser and go here:

http://technet.microsoft.com/en-us/sysinternals/bb897439

Click the "Download Strings" link.

Save the Strings.zip file on your desktop. Unzip it, and copy strings.exe to the C:\Windows\System32 folder, so it is on the PATH and can be run from any Command Prompt window.

Download the Packed Executable

Open a browser and go here:

http://samsclass.info/121/proj/message.exe

Save the message.exe file on your desktop.

Running message.exe

On your desktop, double-click message.exe. In the "Open File - Security Warning" box, click Run.

A box opens, with the message "Enter the password", as shown below:

If you see a message saying "This application has failed to start because MSVCR100D.dll was not found", download that file here, and put it in the same folder as message.exe:

msvcr100d.dll

If you try a password, you see the message "Fail!".

Your task is to find the correct password. Guessing is impractical, but finding the password should be easy with Strings.

Type Q and press Enter to close the message.exe box.

Running Strings on message.exe

Click Start, Computer. Navigate to C:\Temp, creating that folder if it does not already exist.

On your desktop, right-click message.exe and click Copy.

In the C:\Temp window, right-click and click Paste.

Now you have a copy of message.exe in C:\Temp for analysis.

Open a Command Prompt window. Execute these commands:

cd \Temp

strings message.exe > s.txt

notepad s.txt

The readable strings in the file open in Notepad, as shown below:

Hunt through this file and look for likely candidates for the password. Only fragments are readable: the packer compressed the program's code and data, so the password cannot be seen.

Running message.exe Again

On your desktop, double-click message.exe.

In the "Open File - Security Warning" box, click Run.

A box opens, with the message "Enter the password".

The "Enter the password" message is displayed as readable text, so the running program must have unpacked itself: the image of the program in RAM contains readable strings, even though the disk file message.exe does not.

So to find the password, we'll analyze the RAM image.
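The following Python script is an added illustration of this reasoning, not part of the class materials: it builds a constructed "unpacked" program image containing a prompt and a made-up password (swordfish), "packs" it with zlib compression to stand in for what MPRESS does to the disk file, and runs a small Strings-style extractor over both. Like Sysinternals Strings, the extractor reports both ASCII and UTF-16LE ("Unicode") runs, so a Windows message-box string stored as Unicode is still found. The sample bytes, the password and the helper names are all invented for the example.

```python
import re
import zlib

# Constructed sample standing in for the program as it sits in RAM after the
# packer's stub has run. The header stand-in and every string are made up.
UNPACKED_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 28                  # PE header stand-in, no long text
    + b"Enter the password\x00\x00"               # the prompt the program shows
    + "Fail!".encode("utf-16-le") + b"\x00\x00"   # a Unicode (UTF-16LE) string
    + b"swordfish\x00"                            # the password we are hunting
    + b"The secret message is here\x00"
)

# Constructed stand-in for the packed disk file: a plaintext stub followed by
# the compressed program. MPRESS compresses the code and data sections too,
# which is why Strings sees only fragments in message.exe on disk.
STUB = b"MPRESS-stub\x00"
PACKED_IMAGE = STUB + zlib.compress(UNPACKED_IMAGE, 9)


def strings(data: bytes, min_len: int = 4) -> list[str]:
    """Report printable runs of at least min_len characters, in file order.

    Both plain ASCII runs and UTF-16LE runs (one printable byte followed by a
    null) are reported, as Sysinternals Strings does by default.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return [text for _, text in sorted(hits)]


def unpack(packed: bytes) -> bytes:
    """Do what the packer's stub does at run time: restore the original image.

    This models the state LordPE's "Dump Full" captures from the process.
    """
    return zlib.decompress(packed[len(STUB):])


def candidates_near(found: list[str], anchor: str = "Enter the password",
                    window: int = 3) -> list[str]:
    """Strings listed just after the prompt; a good place to start hunting,
    since the prompt and the password were compiled into the same data."""
    if anchor not in found:
        return []
    start = found.index(anchor) + 1
    return found[start:start + window]


if __name__ == "__main__":
    print("Strings in the packed (disk) image:")
    for s in strings(PACKED_IMAGE):
        print("  ", repr(s))
    print("Strings in the unpacked (RAM) image:")
    dumped = strings(unpack(PACKED_IMAGE))
    for s in dumped:
        print("  ", repr(s))
    print("Candidates near the prompt:", candidates_near(dumped))
```

Run over the packed bytes, the extractor finds the stub's name and random-looking runs from the compressed data, but neither the prompt nor the password; run over the unpacked bytes, every string is visible and the password sits a few entries after the prompt, which is exactly the difference between strings message.exe and strings dumped.exe in this project.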

Download LordPE

On your Windows machine, open a browser and go to http://www.woodmann.com/collaborative/tools/index.php/LordPE

Click the "Locally archived copy" link.

Download the Bin_LordPE_2010-6-29_3.9_LordPE_1.41_Deluxe_b.zip file. Right-click the file and click "Extract All...", Extract. Two more Zip archives appear in a folder, as shown below:

Right-click the LPE-DLX_1.4.zip file and click "Extract All...", Extract.

A folder appears, as shown below. Double-click the LordPE.EXE file.

If an "Open File - Security Warning" box pops up, click Run.

LordPE opens, showing all the currently running processes, as shown below.

Scroll down and find the "message.exe" process, as shown above. The folder path on the left will be different, but it should end in "message.exe".

Right-click the "message.exe" line and click "Dump Full...", as shown below:

A "Save As" box appears. Save the file on your desktop with the name dumped.exe

Analyzing the Dump with Strings

Copy the dumped.exe file from your desktop to C:\Temp, as you did before.

In a Command Prompt window, execute these commands:

cd \Temp

strings dumped.exe > s.txt

notepad s.txt

The readable strings in the file open in Notepad, as shown below:

Now all the strings are visible. Find the "Enter the password" message, as shown above, and look for the password.

When you find it, enter it into the running message.exe box to see the secret message, as shown below:

Saving the Image

Make sure the secret message is visible.

Save this image with the filename Proj X14 from YOUR NAME

Turning in your Project

Email the images to cnit.121@gmail.com with the subject line: Proj X14 from YOUR NAME

Sources

This is based on a class I took at the HoneyNet conference, from Felix Leder.

I made the executable with Visual Studio Express, following these excellent tutorials:

http://msdn.microsoft.com/en-us/library/dd492171.aspx

I packed it with MPRESS:

http://www.matcode.com/mpress.htm


Last modified 5-3-11 3 am