Practice Lab - Reverse Engineering Lab06-03


Practice Lab: Reverse Engineering Lab06-03.exe with Ghidra

This lab will guide you through analyzing a (potentially malicious) program,
Lab06-03.exe, using Ghidra, a free and open-source reverse engineering tool.

Disclaimer: This lab is for educational purposes only. Modifying or executing
suspicious programs can be risky. Perform this lab in a safe isolated environment.

Software Needed:

● Ghidra: Download and install the latest version from https://ghidra-sre.org/
● (Optional) Virtual Machine: Consider using a virtual machine to isolate the
analysis process.

Steps:

1. Download Lab06-03.exe:
○ Warning: Downloading malware can be risky. Obtain Lab06-03.exe
from a trusted source used for educational purposes, such as the
resources accompanying the book "Practical Malware Analysis" by
Michael Sikorski and Andrew Honig.
2. Launch Ghidra: Open Ghidra by running ghidraRun from the command line
or double-clicking the Ghidra icon.
3. Import Lab06-03.exe:
○ Go to Project -> Import -> Import File.
○ Select Lab06-03.exe and choose an appropriate program language
(likely x86-64 or x86 depending on the file).
○ Click Finish to import the file.
4. Analyze the Code:
○ Explore the disassembled code in Ghidra's decompiler view. Look for
suspicious functions or patterns:
■ Strings: Go to Analyze -> Search for Strings. Look for
interesting strings that might indicate functionality (e.g., URLs,
file names).
■ API Calls: Check for calls to suspicious Windows APIs that
could be used for malicious purposes (e.g., file system access,
network communication).
■ Control Flow: Analyze how the code executes, looking for
loops, conditional statements, and function calls that might
reveal the program's behavior.
5. Identify Functionality:
○ Based on your analysis, try to understand what the program might be
doing. Does it:
■ Write or modify files?
■ Communicate with a remote server?
■ Inject code into other processes?
6. Document your Findings:
○ Keep track of your observations and analysis steps. Note down and
take screenshots of interesting functions, strings, and API calls.
