IT321

Malware Analysis
PRACTICAL FILE

Submitted To: Name: Vansh Vig

Ms. Bhawna Kashyap Roll No: 2K22/EE/293
 INDEX

S.No Aim Date Signature

1. Write a C/C++ program to copy files 22/08/2024
from one directory and paste it in
another.

2. Implement DLL injection, process 12/09/2024

hollowing, or other injection
techniques.

3. Implement DLL ( Dynamic-link 19/09/2024

library ) technique

4. Use the strings program to analyze and 03/10/2024

generate the strings present in the
executable files generated in
experiments 1 & 2.

5. Write an analysis on Wireshark 10/10/2024

Application .
 Experiment-1
Problem1: Write a C/C++ program to copy files from one directory and paste it in
another.

Code:

#include <iostream>

#include <fstream>

#include <cstdlib> // for exit()

#include <string> // for std::string

using namespace std;

int main() { ifstream fs;

ofstream ft; char ch;

string fname1, fname2;

cout << "Enter the source file name: "; cin >> fname1; fs.open(fname1,

ios::binary); // Open in binary mode for copying all file types

if (!fs)

cerr << "Error in opening source file..!!" << endl;

exit(1);

cout << "Enter the target file name: "; cin >> fname2; ft.open(fname2,

ios::binary); // Open in binary mode for copying all file types if (!ft) {

cerr << "Error in opening target file..!!" << endl;

fs.close(); exit(2);
 }

while (fs.get(ch)) { // Read and write until reading fails

ft.put(ch);

cout << "File copied successfully..!!" << endl;

fs.close();

ft.close();

return 0;

}
 Experiment -2

Problem 2: Implement DLL injection, process hollowing, or other injection

techniques.

1. DLL injection definition

DLL injection is a method, frequently referred to as process injection, where
developers and cyber attackers alter a program's functionality by executing
extraneous code within another process's realm. This approach hinges on the
capabilities of Windows' Dynamic Link Library (DLL), a type of file that can be
loaded and executed dynamically by programs.
See also: code injection, PHP injection

DLL injection examples

Debugging and testing: Developers often use DLL injection to detect and fix
bugs, or for stress testing under certain conditions.
Malware: Hackers use DLL injection to insert malicious code into running
processes to avoid detection by security software.

Comparison to other techniques

DLL injection can be compared to techniques such as code injection or
process hollowing. While code injection involves inserting code into a running
process, DLL injection specifically inserts a DLL. Process hollowing, on the
other hand, replaces the content of a running process with a malicious
executable.

Advantages and disadvantages of DLL injection

Pros:
Testing and debugging: DLL injection allows developers to alter the behavior
of a program without changing its source code.
Cons:
Malware: DLL injection can be used maliciously to run code that compromises
system security
Using DLL injection
While DLL injection can be used for legitimate purposes, it's important to be
aware of its potential for misuse. Ensuring security software is up-to-date is
vital to protect against malicious DLL injections.

2. Process Hollowing
Adversaries may inject malicious code into suspended and hollowed
processes in order to evade process-based defenses. Process hollowing is a
method of executing arbitrary code in the address space of a separate live
process.
Process hollowing is commonly performed by creating a process in a
suspended state then unmapping /hollowing its memory, which can then be
replaced with malicious code. A victim process can be created with native
Windows API calls such as CreateProcess, which includes a flag to suspend
the processes primary thread. At this point the process can be unmapped
using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection
before being written to, realigned to the injected code, and resumed via
VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread
respectively.
This is very similar to Thread Local Storage but creates a new process rather
than targeting an existing process. This behavior will likely not result in
elevated privileges since the injected process was spawned from (and this
inherits the security context) of the injecting process. However, execution via
process hollowing may also evade detection from security products since the
execution is masked under a legitimate process.

Example
In easy terms to understand this technique is let us imagine this is a piece of
code that runs the famous calculator.
B8F73405B620443B4325B0943287B9R
This code is the one responsible for executing the calc.exe binary in windows
In process hollowing we are trying to suspend the process, carve out a piece
of code and insert our own and have it execute. Now let's say this code is the
one that runs our payload (Hello World).
AHIUDSGHIODSH
Now we want to insert this code into our calculator process. So the technique
will simply grab:
B8F73405B620443B4325B0943287B9R
Remove some code
B8F7340287B9R
And inject our payload
B8F7340AHIUDSGHIODSH287B9R

3. Reflective DLL Injection

This method allows a DLL to be loaded into a process without using the
standard Windows API functions. The DLL contains the code necessary to
load itself, which avoids detection by security software.

4. Code Injection via Command Execution

This type of injection occurs when an application executes system
commands based on user input without proper validation. For instance, using
functions like eval() in PHP or similar constructs in other languages can lead
to vulnerabilities. Other Code Injection Techniques

5. SQL Injection
This occurs when an attacker is able to execute arbitrary SQL code on a
database through unsanitized user input. This can lead to unauthorized
access to data, data manipulation, or even deletion.
6. Cross-Site Scripting (XSS)
XSS involves injecting malicious scripts into web pages that are viewed by
other users. This can lead to session hijacking, redirecting users to malicious
sites, or stealing cookies.

7. Command Injection
This type of attack allows an attacker to execute arbitrary commands on the
host operating system via a vulnerable application. For example, if an
application uses user input to construct command line calls without proper
validation, it can be exploited.

8. XML Injection
This occurs when an attacker injects malicious XML data into an application
that processes XML. This can lead to unauthorized access or manipulation of
data.

9. Template Injection In web applications

if user input is used to render templates without proper sanitization, an
attacker can inject malicious code that gets executed in the template engine.
Mitigation Strategies
General Best Practices
• Input Validation: Always validate and sanitize user input to prevent injection
attacks.
• Use Parameterized Queries: For database interactions, use parameterized
queries to avoid SQL injection.
• Limit Permissions: Run applications with the least privilege necessary to
limit the impact of successful injections.
• Regular Security Audits: Conduct regular code reviews and security audits to
identify and fix vulnerabilities.
• Utilize Security Tools: Implement static analysis tools and security linters to
catch vulnerabilities during development.

Conclusion
Understanding these injection techniques is crucial for developing secure
applications and defending against potential attacks. Continuous education
and awareness of emerging threats are essential for maintaining robust
security practices.
 Experiment -3

AIM: Implement DLL ( Dynamic-link library ) technique

Steps: 1. MathLibrary.h
//Create a header file named MathLibrary.h:
#pragma once
extern "C" {
__declspec(dllexport) int Add(int a, int b);
__declspec(dllexport) int Subtract(int a, int b);
}

Step 2. MathLibrary.cpp
//Create a source file named MathLibrary.cpp:
#include "MathLibrary.h"
int Add(int a, int b) {
return a + b;
}
int Subtract(int a, int b){
return a - b;
}

Step 3: Create the Client Application

int main() {
int a = 79;
int b = 30;
std::cout << "Add: " << Add(a, b) << std::endl;
std::cout << "Subtract: " << Subtract(a, b) << std::endl;
return 0;
}
 Experiment – 4

AIM: Use the strings program to analyze and generate the strings present in the
executable files generated in experiments 1 & 2.
Steps 1:
Open new terminal and type:

Output:
 Experiment-5
Aim: Write an analysis on Wireshark Application .

1. Overview of Wireshark
Wireshark provides a graphical interface to help users visualize
and analyze network data. It can capture packets traveling across
a network and offers detailed insight into the protocols and
communications occurring on the network. These packets can be
analyzed for a range of purposes, from identifying faulty network
components to investigating malicious activity.
Features:
• Packet Capture: Wireshark captures network packets in
real time and allows users to inspect them in detail.
• Protocol Support: It supports over 1,000 network protocols,
including HTTP, TCP, UDP, DNS, FTP, and others, making it
suitable for analyzing almost any type of network traffic.
• Packet Filtering: Wireshark provides powerful filtering
options that allow users to focus on specific types of traffic
or protocols.
• Deep Packet Inspection: It dissects packet data, allowing
users to see the layers of network communication (from
physical layer to application layer).
• Graphical Analysis: Wireshark includes several graphing
and statistics tools, such as TCP stream graphs, to visually
interpret network traffic trends.

2. Use Cases
Wireshark can be used in various fields, including network
troubleshooting, performance tuning, cybersecurity, and
education.
a. Network Troubleshooting
Network administrators often use Wireshark to diagnose network
issues by capturing traffic and analyzing packet-level information.
For example:
• Latency Diagnosis: By capturing traffic, administrators can
determine which device is causing delays in packet
transmission.
• Protocol Errors: Wireshark can help diagnose incorrect
protocol implementations or misconfigurations.
b. Performance Tuning
Wireshark helps monitor the efficiency of network devices and
protocols, allowing for performance tuning. It assists in:
• Identifying Bottlenecks: By analyzing network traffic
patterns, administrators can find bottlenecks and optimize
bandwidth usage.
• Measuring Latency and Jitter: Wireshark provides precise
timestamping of packets, allowing the measurement of
latency and jitter, which are crucial for applications like VoIP.
c. Cybersecurity
Wireshark plays an essential role in cybersecurity by capturing
suspicious traffic and identifying potential security breaches.
Security professionals use it for:
• Intrusion Detection: Malicious traffic or abnormal patterns
can be identified by inspecting traffic for specific attack
signatures, such as DDoS or man-in-the-middle (MITM)
attacks.
• Forensic Analysis: In case of a network breach, Wireshark
logs can be analyzed to determine the source and method of
attack.
d. Education
Wireshark is commonly used in academic settings to teach
students about networking and protocols. It provides a hands-on
tool for understanding how different protocols operate at different
layers of the OSI model.

3. Architecture
Wireshark is built on a modular architecture that consists of the
following main components:
• Capture Engine: Responsible for capturing live network
traffic from the network interface card (NIC). Wireshark uses
libraries such as libpcap on Unix/Linux or WinPcap on
Windows to capture packets.
• Dissector Modules: Each network protocol is dissected and
parsed by a dissector module. This modularity allows the
addition of new protocols by creating new dissectors.
• Graphical User Interface (GUI): Wireshark’s GUI is built
using GTK or Qt. This interface allows users to interact with
the application, apply filters, and analyze packets.

4. Benefits of Wireshark
• Real-time Analysis: It allows users to capture and analyze
packets in real-time, making it suitable for monitoring live
network events.
• Detailed Visibility: Wireshark provides deep insight into
each layer of communication, which is helpful for
diagnosing complex network issues.
• Cross-platform Support: Wireshark works on multiple
platforms, including Windows, Linux, macOS, and others,
making it versatile across different environments.
• Extensibility: New protocol dissectors can be written and
added to Wireshark, enabling it to adapt to new networking
standards or proprietary protocols.

5. Challenges and Limitations

Despite its powerful capabilities, Wireshark has certain
limitations:
• Volume of Data: Capturing traffic on a busy network
generates massive amounts of data, which can be difficult
to manage and analyze efficiently.
• Encrypted Traffic: Wireshark cannot decrypt encrypted
data (e.g., SSL/TLS traffic) unless provided with the
necessary encryption keys, limiting its ability to analyze such
traffic.
• Resource Intensive: Packet capture and analysis on high
traffic networks can be resource-intensive, leading to high
CPU and memory usage.

6. Security Concerns
Using Wireshark can present certain security risks if not properly
managed:
• Packet Injection: An attacker could potentially inject
malicious traffic onto the network, making Wireshark
capture malicious packets. This could lead to erroneous
analysis or system compromise if the malicious data is
executed.
• Unauthorized Access: If Wireshark is used improperly, an
unauthorized user could capture sensitive network traffic. It
is important to restrict its usage to trusted administrators in
secure environments.

Step-by-Step Process for Downloading and Using Wireshark

Step 1: Downloading and Installing Wireshark
1. Visit the Official Wireshark Website
o Go to https://www.wireshark.org/.
2. Download Wireshark
o On the homepage, click the Download button.
Wireshark is available for Windows, macOS, and Linux.

Choose the Version for Your Operating System

o Select the installer based on your operating system.
For example, if you're using Windows, download the
.exe file.
3. Install Wireshark
o Run the installer and follow the installation steps. For
Windows users, you’ll also be prompted to install
WinPcap or Npcap (for packet capture). These are
required for Wireshark to capture live traffic.
Step 2: Capturing Traffic with Wireshark
1. Open Wireshark
o After installation, launch Wireshark.
2. Choose a Network Interface
o In Wireshark’s main window, you’ll see a list of
available network interfaces. Select the one you want
to capture traffic on. For example, your Wi-Fi or
Ethernet interface.
3. Start Capturing Packets
o Click the shark fin icon (green triangle) at the top left to
start capturing packets.

4. Live Packet Capture

o You’ll see packets being captured in real-time. The
columns will show details such as time, source,
destination, protocol, length, and information about
the packet.

5. Stop Capturing
o After you’ve captured enough packets, click the red
square icon at the top to stop capturing.
Step 3: Analyzing Captured Packets
Filter the Traffic
o Wireshark allows you to filter the traffic to focus on
specific protocols, IP addresses, or ports. Use the filter
bar at the top. For example, type http to filter all HTTP
packets.
2. Inspect Packets
o Click on any packet to see detailed information about it
in the lower panel. You can drill down into various
protocol layers (Ethernet, IP, TCP, etc.).
3. Follow TCP Streams
o If you want to see the full communication between two
devices, you can right-click on a packet and select
Follow > TCP Stream (or HTTP Stream for web traffic).
This will show the entire communication in a readable
format.
Step 4: Exporting and Saving Captured Data
1. Save the Capture
o You can save your captured data to analyze it later. Go
to File > Save As and choose a location and file format
(Wireshark uses .pcap by default).
2. Exporting Data
o If you want to export certain parts of the captured
traffic (like statistics or specific packets), Wireshark
also offers export options under the File menu.