Uploaded by Eddie Peter

Reverse Engineering Malware with Ghidra - Lab

Learning Objectives:

● Understand the basic concepts of reverse engineering.
● Get familiar with the Ghidra user interface.
● Analyze a DLL file to identify functions and data.
● Identify potential indicators of malicious behavior.

Lab Environment:

● Students will need a computer with Ghidra installed. Download Ghidra from
the official website: https://ghidra-sre.org/
● The practicelab5-1.dll file will be provided by the instructor. (Warning:
This file is a safe test sample for educational purposes only. Do not download
or analyze unknown DLLs from the internet.)

Lab Instructions:

1. Opening the Sample:
○ Launch Ghidra.
○ Click on "File" -> "Import" -> "DLL".
○ Select the practicelab5-1.dll file and click "Import".
2. Exploring the Listing:
○ In the Ghidra window, navigate to the "Listing" tab. This displays the
disassembled code of the DLL.
○ Explore the different sections of the listing, such as functions, data, and
strings.
○ Double-click on a function name to see its disassembled code.
3. Identifying Functions:
○ Look for functions with suspicious names (e.g., "Inject",
"OpenProcess", "WriteMemory").
○ Analyze the code of these functions to understand their purpose.
Ghidra can help identify function calls, data types, and potential
references to system calls.
4. Analyzing Data:
○ Navigate to the "Data" tab. This displays the data structures defined in
the DLL.
○ Look for unusual data patterns or strings that might indicate malicious
behavior. Ghidra can display the data in different formats (e.g., ASCII,
hex).
5. Identifying Indicators of Malicious Behavior:
○ Based on your analysis, consider the following:
■ Does the code attempt to inject code into other processes?
■ Does it access system resources in an unexpected way?
■ Does it contain suspicious strings associated with malware?
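Steps 3 to 5 above come down to one triage question: do the function and import names and the defined strings you see in Ghidra's Symbol Tree and Defined Strings windows fit a known malicious pattern? The script below is an added example, not part of the lab hand-out and not tied to practicelab5-1.dll. It takes two plain lists (names you would transcribe from Ghidra, and strings from the listing) and scores them against process-injection API chains, a few noteworthy single APIs, and string patterns. The API chains are real Windows API names; the sample input is constructed for the example; the severity weights are an assumption you should tune for your own reports.

```python
"""Triage helper for the lab's steps 3-5: score function/import names and
defined strings taken from a DLL against known injection and persistence
indicators. All sample input below is constructed for this example."""
import re

# Windows API names that, seen together, form a process-injection chain.
# Each tuple is one technique; every member must be present to count as HIGH.
INJECTION_CHAINS = {
    "remote-thread injection": (
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "thread-context hijack": (
        "OpenThread", "SuspendThread", "SetThreadContext", "ResumeThread"),
}

# Single APIs worth a LOW-severity note on their own.
NOTEWORTHY_APIS = {
    "IsDebuggerPresent": "anti-debugging check",
    "RegSetValueExA": "writes registry values (possible persistence)",
    "URLDownloadToFileA": "downloads a file from a URL",
}

# Regexes applied to each defined string; the first match wins.
STRING_PATTERNS = [
    (re.compile(r"https?://", re.I), "embedded URL"),
    (re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I),
     "Run-key persistence path"),
    (re.compile(r"\.(exe|dll|bat|ps1)$", re.I), "executable file name"),
]

# Severity weights are an assumption for this example, not a standard.
WEIGHTS = {"HIGH": 10, "MEDIUM": 3, "LOW": 1}


def triage(symbols, strings):
    """Return (score, findings) for a list of symbol names (functions and
    imports, as shown in Ghidra's Symbol Tree) and a list of defined strings.
    findings is a list of (severity, description) tuples, HIGH first."""
    names = set(symbols)
    findings = []

    # Step 3: API combinations that implement code injection.
    for technique, chain in INJECTION_CHAINS.items():
        present = [api for api in chain if api in names]
        if len(present) == len(chain):
            findings.append(("HIGH", f"{technique}: {', '.join(chain)}"))
        elif len(present) >= 2:
            findings.append(("MEDIUM", f"partial {technique}: {', '.join(present)}"))

    # Step 3: individual APIs and self-descriptive function names.
    for api, why in NOTEWORTHY_APIS.items():
        if api in names:
            findings.append(("LOW", f"{api}: {why}"))
    for name in sorted(names):
        if "inject" in name.lower():
            findings.append(("LOW", f"function name contains 'inject': {name}"))

    # Step 4: strings that point at network use, persistence or dropped files.
    for s in strings:
        for pattern, label in STRING_PATTERNS:
            if pattern.search(s):
                findings.append(("LOW", f"{label}: {s!r}"))
                break

    score = sum(WEIGHTS[sev] for sev, _ in findings)
    return score, findings


# Constructed sample: what a student might copy out of Ghidra for a DLL
# that injects code into another process and sets a Run key.
SAMPLE_SYMBOLS = [
    "DllMain", "InjectPayload", "OpenProcess", "VirtualAllocEx",
    "WriteProcessMemory", "CreateRemoteThread", "IsDebuggerPresent",
    "GetModuleHandleA", "lstrlenA",
]
SAMPLE_STRINGS = [
    "kernel32.dll",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "http://example.invalid/update.bin",
    "hello world",
]

if __name__ == "__main__":
    total, found = triage(SAMPLE_SYMBOLS, SAMPLE_STRINGS)
    print(f"score: {total}")
    for severity, text in found:
        print(f"  [{severity}] {text}")
```

A full injection chain scores far more than any single string, which mirrors the lab's own question "does the code attempt to inject code into other processes?": one matching name (say, OpenProcess alone) is common in benign software, but the four-call sequence together is what you should screenshot and explain in the report.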

Lab Report:

● Write a report summarizing your findings.
● Include screenshots of interesting sections of the code or data.
● Describe any potential indicators of malicious behavior you identified.
● Explain why these behaviors might be considered malicious (e.g., injecting
code into another process can be used to install malware).
