2K19 ISY 11 Assignment2 Hashcode and Packed Executable

The document discusses generating a hashcode and comparing the human readable parts of an executable before and after packing. It describes generating an executable, calculating its hashcode, extracting strings, packing the executable, and extracting strings from the packed file to compare any changes.

Uploaded by

Suresh Babu

DELHI TECHNOLOGICAL UNIVERSITY

ISY 6321 MALWARE ANALYSIS


Assignment 2
Generating HashCode and comparing Human
Readable Part of an executable before and after
Packing.

Submitted To: Prof. Kapil Sharma

Submitted By: Mayank Singhal, M. Tech (ISY), 2K19/ISY/11
Generating HashCode and comparing Human Readable Part of an executable before and after Packing.
Theory:-

This practical uses a client program that connects to a server program on a remote device in a LAN using
its IP address. Since the client program accesses the server program on a remote device, several system
calls are made on either side at kernel level.

The executables of the Server and Client programs are built as Client.exe and Server.exe, and the actions
performed on Client.exe are as follows:-

Step 1:- Generating the executable.

Step 2:- Generating the Hashcode for Client.exe.

Step 3:- Extracting the Human readable part from Client.exe.

Step 4:- Packing Client.exe.

Step 5:- Extracting the Human readable parts from the packed Client.exe.

System Configuration:-

The experiment was run on a Windows environment.

OS:- Windows 10

RAM:- 8GB

HDD:- 1TB

CPU:- i5-6200U

Tools Used:-

1. Code Blocks EP (Portable)
   a. To build the executables Client.exe and Server.exe
2. Strings.exe
   a. To extract the human readable part, i.e. strings, from the .exe files.
3. WinMD5
   a. To generate the MD5 hashcode for Client.exe.
4. UPX 3.96 (64 bit)
   a. To pack Client.exe
Step 1: Generating the executable
Following is a Client - Server application in which a client accesses a remote server on the LAN, given the IP
address of the server.

The Source Code for Server is as:


The source code for client app is as:-
The code was built on Code Blocks EP (portable), which generated statically linked Client.exe and Server.exe
files. These files can run standalone on Windows systems.
Step 2: Calculating the Hashcode of the Client.exe
MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4, and was specified
in 1992 as RFC 1321. The MD5 message-digest algorithm is a widely used hash function producing a 128-
bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has
been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data
integrity, but only against unintentional corruption.

The WinMD5Free v1.20 GUI tool was used to generate the MD5. With the GUI tool we only need to provide the
location of the .exe file and the tool generates the hashcode for us.

HashCode Obtained: - b3dbc0d0d4ad73f7380b0375fd5d26e5


Step 3: Finding the human readable part of the above code.

Introduction

Working on NT and Win2K means that executables and object files will often have embedded
UNICODE strings that you cannot easily see with standard ASCII strings or grep programs. So we
decided to roll our own. Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default
length of 3 or more UNICODE (or ASCII) characters. Note that it works under Windows 95 as well.

Using Strings

usage: strings [-a] [-f offset] [-b bytes] [-n length] [-o] [-q] [-s] [-u] <file or directory>

Strings takes wild-card expressions for file names, and additional command line parameters are defined
as follows:

Parameter   Description
-a          ASCII-only search (Unicode and ASCII is default)
-b          Bytes of file to scan
-f          File offset at which to start scanning
-o          Print the offset in the file at which the string was located
-n          Minimum string length (default is 3)
-s          Recurse subdirectories
-u          Unicode-only search (Unicode and ASCII is default)
-nobanner   Do not display the startup banner and copyright message

Tool used:- strings

Command Used:- strings -u -n 10 Client.exe


Initial lines of the strings output, taken from the screenshots:

<Vt5<rt1<Kt-
~5<Stt<Zu1
\$ 3L$$3t$
l$`+l$l9l$t
T$ t.9|$Lt
9|$ }[+|$ 9
libgcc_s_dw2-1.dll
__register_frame_info
libgcj_s.dll
_Jv_RegisterClasses
__deregister_frame_info
192.168.1.213
Can't start winsock, Err
Can't create socket,Err #
Can't connect to server,Err#
basic_string::_S_create
basic_string::at
basic_string::compare
basic_string::_S_construct NULL not valid
basic_string::basic_string
basic_string::substr
basic_string::copy
basic_string::append
basic_string::assign
basic_string::_M_replace_aux
basic_string::replace
basic_string::insert
basic_string::erase
basic_string::resize
std::exception
std::bad_exception
__gnu_cxx::__concurrence_lock_error
__gnu_cxx::__concurrence_unlock_error
basic_ios::clear
ios_base::_M_grow_words allocation failed
ios_base::_M_grow_words is not valid
__gnu_cxx::__concurrence_lock_error
__gnu_cxx::__concurrence_unlock_error
basic_string::_S_create

The lines "Can't start winsock, Err", "Can't create socket,Err #" and "Can't connect to server,Err#" (shown in bold in the original listing) are the error statements in Client.cpp.
Step 4: Packing Client.exe.
Malware writers often use packing or obfuscation to make their files more difficult to detect or analyze.
Obfuscated programs are ones whose execution the malware author has attempted to hide. Packed
programs are a subset of obfuscated programs in which the malicious program is compressed and
cannot be analyzed. Both techniques will severely limit your attempts to statically analyze the malware.
Legitimate programs almost always include many strings. Malware that is packed or obfuscated contains
very few strings. If upon searching a program with Strings, you find that it has only a few strings, it is
probably either obfuscated or packed, suggesting that it may be malicious.

Tool Used:- UPX packer


Command Used: - upx p Client.exe
Step 5: Checking for human readable part in packed Client.exe
Tool used:- strings

Command Used:- strings -u -n 10 Client.exe


Initial lines of text from the screenshots.

tuvwddddxyz{
tiU_2u`E?_
D:HLLTP\^^^^TdXl\t`|^^^^d
48<@ddddDHLPddddTX\`dddddhlp
DVt5Lt1<Kt-
\G?Aw\4XD<so
a%ER222BBB
JpI %+xPkUU4
h,.=t%[@=M
Slibgcc_s_dw2-1.dll
ster_frame_info
}Jv_RIClassesldeq
wBsock, Err1c
ta faiZdW
+lx_:zth()=
N12_GLOBAL_
cdefABCDEl7
PRINTF_EXP
biv115\o2-0TRd
GNU C++ 4.
9U.7 lga/%,
1;~;5FrUcY^
D/AUR/lgw32/m
TEND_WITDA

We see that the error message lines from Client.cpp are no longer visible in the packed version of Client.exe.
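The procedure of Steps 2, 3 and 5 (MD5 hashcode, `strings -u -n 10`, and comparing the string lists before and after packing), as an added Python example that is not part of this report: UNPACKED and PACKED are constructed stand-ins for Client.exe before and after UPX, not real PE files, and extract_strings only emulates the -n and -u behaviour of the Sysinternals tool.

```python
import hashlib
import re
from typing import Dict, List


def md5_hex(data: bytes) -> str:
    """Step 2: the MD5 hashcode (what WinMD5 displays) of a file's bytes."""
    return hashlib.md5(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 10, unicode_only: bool = False) -> List[str]:
    """Steps 3 and 5: emulate `strings -n <min_len>` (and `-u` when unicode_only).
    Windows UNICODE strings are UTF-16LE, so each printable char is an ASCII byte + 0x00."""
    uni = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("utf-16le") for m in re.finditer(uni, data)]
    if not unicode_only:
        asc = rb"[\x20-\x7e]{%d,}" % min_len
        found += [m.group().decode("ascii") for m in re.finditer(asc, data)]
    return found


def compare_strings(before: bytes, after: bytes, min_len: int = 10) -> Dict[str, object]:
    """Which readable strings of the original file survive in the packed one;
    a sharp drop in the count is the 'probably packed' heuristic from Step 4."""
    b = set(extract_strings(before, min_len))
    a = set(extract_strings(after, min_len))
    return {"before": len(b), "after": len(a), "kept": sorted(b & a), "lost": sorted(b - a)}


# Constructed stand-ins (not real executables): the unpacked blob carries the
# client's messages separated by NULs; the packed blob is non-printable noise in
# which only a DLL name and two garbled fragments remain, as in the second listing.
UNPACKED = b"\x00\x00".join([
    b"libgcc_s_dw2-1.dll", b"__register_frame_info", b"192.168.1.213",
    b"Can't start winsock, Err", b"Can't create socket,Err #",
    b"Can't connect to server,Err#",
    "basic_string::compare".encode("utf-16le"),  # the one UNICODE string
])
NOISE = bytes([0x00, 0x8E, 0x1B, 0xFF, 0x7F, 0x03]) * 20  # contains no printable byte
PACKED = NOISE + b"libgcc_s_dw2-1.dll" + NOISE + b"ster_frame_info" + NOISE + b"wBsock, Err1c" + NOISE

if __name__ == "__main__":
    print("MD5 before:", md5_hex(UNPACKED), "after:", md5_hex(PACKED))
    print("strings -u -n 10 on unpacked:", extract_strings(UNPACKED, 10, unicode_only=True))
    print(compare_strings(UNPACKED, PACKED))
```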
