
Posted 2021-01-21 (Thursday)

Reverse Engineering

IY3840 (2018-2019) – Coursework #1


Reverse Engineering Botnet Domain Generation Algorithms

Daniele Sgandurra

Overview

This assignment is due on Tuesday, March 19th, 2019, 11:59pm (UK Time)

In this assignment, you will practice reverse engineering as a form of manual static analysis. This assignment will count 20% towards your final course mark.


Coursework description

Some families of botnets contact their C&C servers using domain names generated by domain generation algorithms (DGAs). Often, every new version of a bot binary is embedded with a different set of DGA input parameters (e.g., a seed, known only to the attackers, and the date of generation, usually the current date) so as to generate several different C&C domain names. The aim is to make it hard for law enforcement agencies and cyber-security researchers to shut down botnet operations: a domain that is blocked or seized today is simply replaced by the one the algorithm produces tomorrow.
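The following Python program is an added illustration of the seed-plus-date contract described above; it is not the algorithm in the coursework's dga binary, and its seed, date and letter mapping are made up for this example. It also shows the two ideas behind questions 4 and 7: the embedded seed can be overridden from the command line (in an ELF-64 binary the same data reach main as argc and argv), and once seed and algorithm are known a defender can enumerate the future domains in advance.

```python
import hashlib
import sys
from datetime import date, timedelta

# Illustrative parameters for this example only: they are NOT the seed and
# date embedded in the coursework's dga binary, which you recover with IDA.
EMBEDDED_SEED = 0x5EED
EMBEDDED_DATE = date(2019, 3, 19)
TLDS = ("com", "net", "org")


def generate_domain(seed, day, month, year, length=12):
    """Derive one C&C domain from the attackers' seed and the attack date.

    Toy construction: the seed and the date are mixed into a SHA-256 digest
    and the digest bytes are mapped onto lowercase letters. Real families use
    their own arithmetic, but the contract is the same: the same (seed, date)
    always yields the same domain, so whoever knows both can compute it.
    """
    material = f"{seed}:{year:04d}-{month:02d}-{day:02d}".encode()
    digest = hashlib.sha256(material).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
    tld = TLDS[digest[-1] % len(TLDS)]
    return f"{label}.{tld}"


def future_domains(seed, start, days):
    """Domains for `days` consecutive dates from `start`: what a defender
    pre-computes (and can register, sinkhole or block) once seed and
    algorithm are known."""
    out = []
    for n in range(days):
        d = start + timedelta(days=n)
        out.append(generate_domain(seed, d.day, d.month, d.year))
    return out


def main(argv):
    """Mirror of the patch asked for in question 4: the embedded seed is used
    unless one is supplied on the command line. In a native ELF-64 binary the
    equivalent data arrive in main as argc (edi) and argv (rsi)."""
    seed = int(argv[1], 0) if len(argv) > 1 else EMBEDDED_SEED
    d = EMBEDDED_DATE
    domain = generate_domain(seed, d.day, d.month, d.year)
    print(domain)
    return domain


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to get the domain for the embedded parameters, or with a seed (`python3 dga_example.py 42`) to reproduce the "seed from the command line" behaviour; `future_domains` is the piece a takedown relies on.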

For this coursework, you will be provided with a binary implementing a DGA, which you have to reverse engineer (using IDA [1], on any supported platform) and run (on a Linux system) to understand its inner working. In particular, you are interested in discovering the way future domains are generated. The ELF-64 binary file to be analyzed is available on Moodle, and is called dga [2].

Questions

NOTE: Please note that for each answer to each question you need to report the requested values (if any) and justify the answer (e.g., how/why/what) in the submitted answers document. Furthermore, for some questions, some additional files have to be included in the submission (these files do not have to be included in the document as well, e.g. screenshots) – see the "Submission" section below for the submission specification. Full marks will be given for an answer/solution that is complete and does not have inconsistencies.

You should try all questions and submit what you have done, even if you are unable to complete some of the questions. Some marks are given for a correct approach even when the overall solution is incomplete or incorrect. If you have trouble understanding something, please ask a question on the Moodle discussion forum. However, if the question gives away solution details, write a private e-mail instead of a public question. Similarly, if answering questions of others (on Moodle or in person), do not give any form of help that you would not expect the course lecturer to give. In the following, studentSeed has to be computed using the SHA256 of your candidate ID, taking the first four characters of the resulting hash and converting them to their ASCII codes – see the example provided below.
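The studentSeed derivation, written out as an added Python example (not part of the coursework). It assumes the candidate ID is hashed as the ASCII text you would paste into the online tool and that the hex digest is lowercase; the page does not state the case, and it matters, because 'a' encodes as 97 while 'A' encodes as 65.

```python
import hashlib


def ascii_codes(text):
    """Concatenate the decimal ASCII code of every character: '3147' -> '51495255'."""
    return "".join(str(ord(c)) for c in text)


def student_seed(candidate_id):
    """studentSeed as the coursework defines it: SHA-256 of the candidate ID,
    first four characters of the hex digest, each turned into its ASCII code.

    Assumptions made here: the ID is hashed as the ASCII text you would paste
    into the online tool (not as a number), and the digest is lowercase hex.
    Case matters: 'a' encodes as 97 but 'A' as 65, so both online tools must
    be used with the same case or the seed changes.
    """
    digest = hashlib.sha256(candidate_id.encode("ascii")).hexdigest()
    return ascii_codes(digest[:4])


def is_plausible_seed(seed):
    """Sanity check on a computed seed: hex digits encode to 48-57 (0-9),
    97-101 (a-e) or 102 (f), so four of them give 8 to 12 decimal digits."""
    return seed.isdigit() and 8 <= len(seed) <= 12


if __name__ == "__main__":
    # Constructed candidate ID, taken from the submission example below.
    print(student_seed("18001234"))
```

Whatever seed this prints is what every file name in the submission must start with; compute it once and reuse the value rather than re-deriving it by hand for each file.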

[1] A free version of IDA can be obtained here: .

[2] Please note that the provided binary is benign.

1. Using IDA, find the values in dga of (i) the seed and (ii) the attack date (day, month, year) passed to the DGA function. Then, rename these variables in the dga binary with meaningful names using IDA.

Answers document: provide these values and briefly justify how you have found them. Additional files: provide a screenshot of the IDA assembly snippet showing these variables (renamed). The file with the screenshot should be named studentSeed-IY3840-Coursework1-IDA1.png. 10 marks

2. Using IDA, try to understand how to get the domain name generated by the DGA by running dga without modifications, and then run it. Hint: understanding the edi and rsi registers might help [3].

Answers document: provide the generated domain name and briefly justify how you were able to retrieve it. Additional files: provide a screenshot of the relevant IDA assembly snippet and a screenshot of the generated domain. These files should be named, respectively, studentSeed-IY3840-Coursework1-IDA2.png and studentSeed-IY3840-Coursework1-domain1.png. 20 marks

3. Using IDA, patch dga [4] to replace the embedded seed and attack date with, respectively, your studentSeed and the date of the submission (19 March 2019). Then, run the patched dga (on a Linux system) to retrieve the new domain as in the previous step.

Answers document: provide the name of the new generated domain. Additional files: provide the patched dga, which should be named studentSeed-IY3840-Coursework1-dga-patched1, and a screenshot of IDA showing the assembly snippet with the patched variables (with their replaced values), which should be named studentSeed-IY3840-Coursework1-IDA3.png, as well as the screenshot of the new generated domain, which should be named studentSeed-IY3840-Coursework1-domain2.png. 10 marks

4. Using IDA, find a way to patch dga (in two points) so that the seed can be read from the command line and passed to the DGA function. Hint: find an existing variable that can be user-controlled.

Answers document: briefly describe your approach. Additional files: provide the patched dga, which should be named studentSeed-IY3840-Coursework1-dga-patched2. 30 marks

5. Generate 10 domains by running the patched dga with 10 seeds (as in the previous step), from (your studentSeed + 1) to (your studentSeed + 10). For each domain, compute its "frequency value" [5] using the Freq tool [6], and similarly compute the "frequency value" of the top 10 sites [7]. Create a chart with these values composed of two lines with different colours (one for the 10 DGA domains, one for the top 10 Alexa sites).

Answers document: briefly explain the results. Additional files: provide the screenshot of the generated domains, which should be named studentSeed-IY3840-Coursework1-domain3.png, as well as the graph of the frequency values, which should be named studentSeed-IY3840-Coursework1-frequency.png. 20 marks

6. Answers document: briefly explain the flow/logic of the main function in the dga binary (you don't need to describe the inner working of the DGA function). 5 marks

7. Answers document: briefly explain a possible way to disarm the botnet operations once you have retrieved the domain name of a future C&C server from the dga binary. 5 marks

[3] See x86 calling conventions on Linux: https://en.wikipedia.org/wiki/X86_calling_conventions#System_V_AMD64_ABI.

[4] See here: https://www.hex-rays.com/products/ida/support/idadoc/526.shtml.

[5] See https://isc.sans.edu/forums/diary/Detecting+Random+Finding+Algorithmically+chosen+DNS+names+DGA/19893/.

[6] Available at: https://github.com/markbaggett/freq

[7] According to Alexa: https://www.alexa.com/topsites

Submission

You have to submit your work electronically via the Moodle submission link at the course page. You must submit a single zip file named studentSeed-IY3840-Coursework1.zip containing a folder called studentSeed-IY3840-Coursework1 including the following files (and nothing else):

  • Answers document: a 1-page PDF document including the answers, using an 11pt font and 0.5in margins (both like this document's formatting). The PDF should report at the top IY3840, Coursework#1, and your studentSeed. The PDF should be named studentSeed-IY3840-Coursework1-answers.pdf.
  • Additional files: screenshots and patched binaries as specified in the questions.

The files you submit cannot be uploaded/updated/read by anyone else. You can, however, update your submission as often as you like by resubmitting, though only the last version submitted will be kept. Please note that all your submissions will be graded anonymously. Hence, do not include any form of identification in the submission (e.g., student ID, candidate ID, name, surname, etc.). Regardless of anything else, a submission might be given 0 marks in the following cases:

  • Nothing is submitted or the submission cannot be opened/read
  • Submitted after the deadline
  • A submission that does not follow the given specifications (e.g., providing a PDF longer than 1 page, not submitting a zip file, etc.)
  • Plagiarism or similar behaviours

NOTE: All the work you submit should be solely your own work. Coursework submissions are routinely checked for this.

An example of a submission is shown in the following.

Submission example

A student with candidate ID 18001234 wants to submit their coursework. To get the studentSeed, the student computes the SHA256 [8] of 18001234: in this example, the first four characters of the computed SHA256 string are 3147. When encoding 3147 in ASCII [9], the student gets 51495255, which is their studentSeed. This student submits a single zip file, called 51495255-IY3840-Coursework1.zip. This zip file contains a folder, called 51495255-IY3840-Coursework1, which includes the following files:

51495255-IY3840-Coursework1-answers.pdf
51495255-IY3840-Coursework1-dga-patched1
51495255-IY3840-Coursework1-dga-patched2
51495255-IY3840-Coursework1-domain1.png
51495255-IY3840-Coursework1-domain2.png
51495255-IY3840-Coursework1-domain3.png
51495255-IY3840-Coursework1-frequency.png
51495255-IY3840-Coursework1-IDA1.png
51495255-IY3840-Coursework1-IDA2.png
51495255-IY3840-Coursework1-IDA3.png

An example of the answers document submitted by this student (file named 51495255-IY3840-Coursework1-answers.pdf) is shown in the next page.

[8] You can use this online tool: https://passwordsgenerator.net/sha256-hash-generator/

[9] You can use this online tool: https://onlinestringtools.com/convert-string-to-ascii

IY3840, Coursework#1, 51495255 

1. Lorem ipsum dolor sit amet, consectetur adipiscing  Quisque in volutpat mauris. Pellentesque pulvinar dapibus feugiat. Morbi vitae auctor nulla. In hac habitasse platea dictumst. Sed nec diam in purus condimentum consectetur. Praesent rhoncus, nisl non congue placerat, justo libero tincidunt diam, vel laoreet enim lectus sit amet justo. Aenean porttitor nec diam sit amet vestibulum. Vestibulum ac tempus mi, vitae pulvinar metus. Nunc scelerisque magna nec tellus auctor finibus. Praesent semper nisi a gravida mollis. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Mauris convallis porttitor elit, at scelerisque ligula condimentum vitae. Sed vehicula, augue sit amet ornare varius, nulla quam pulvinar nibh, quis faucibus felis odio id odio. Phasellus congue vestibulum auctor.

2. Donec gravida elementum arcu, vitae bibendum mi tempus eu. Etiam scelerisque mi lacus, sit amet tincidunt neque venenatis sit amet. Aliquam facilisis quam a justo condimentum laoreet. Maecenas eleifend scelerisque magna et consequat. Aliquam venenatis venenatis justo, in consectetur mi dictum et. Aliquam ex lacus, auctor quis dignissim id, faucibus sit amet  Phasellus id ante nec felis luctus porta. Donec laoreet purus velit, sit amet ultricies eros rutrum et. Quisque accumsan ipsum non aliquam volutpat. Aenean eu urna maximus diam iaculis rhoncus id ac turpis. Nullam placerat, lacus consectetur fringilla vulputate, metus sapien faucibus mi, eu blandit lacus felis pellentesque neque.

3. Duis dapibus bibendum libero. Etiam ullamcorper finibus metus. Aliquam dignissim diam massa, id congue nisi gravida eget. Cras feugiat ornare feugiat. Morbi tincidunt risus id ex interdum, ut bibendum mi porttitor. Aliquam erat volutpat. Nullam quis nulla imperdiet, congue risus in, fermentum mauris. Suspendisse potenti. Fusce maximus tristique varius. Donec tincidunt est in vulputate ornare. Integer eget vulputate erat, sed ullamcorper  Nam eleifend lorem in mi vehicula, id consectetur tortor lacinia. Duis fringilla commodo vulputate. Proin imperdiet a nisi sit amet molestie. Sed tortor eros, tincidunt sed lorem ac, aliquam vestibulum magna.

4. Donec posuere eget augue nec  Maecenas ac venenatis ante. Nulla placerat quam sed ante malesuada imperdiet. Phasellus euismod tortor ut urna finibus maximus. Nam fermentum iaculis interdum. Donec non sollicitudin lorem. Donec aliquam mollis cursus. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Quisque euismod mattis augue, ac sodales augue vulputate sit amet. Morbi scelerisque placerat neque sit amet iaculis. Donec non ornare magna, a posuere neque. Morbi dictum vulputate diam id vehicula. In iaculis nisl euismod augue finibus tempus. Sed porta ornare scelerisque.

5. Mauris ac diam  Donec commodo hendrerit justo sed condimentum. Aliquam malesuada viverra ipsum et volutpat. Nam ut ullamcorper mauris. In vitae nulla et neque egestas iaculis. Etiam quis enim congue, dictum metus a, posuere mauris. Suspendisse ac vulputate odio, a gravida enim. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Suspendisse potenti. Cras nec urna non risus commodo ullamcorper in mollis magna. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Lorem ipsum dolor sit amet, consectetur adipiscing elit.

6. Quisque malesuada libero libero, et egestas neque cursus a. Cras blandit nec magna id Maecenas quis est nec diam sollicitudin ullamcorper quis nec enim. Integer sed luctus risus, nec vestibulum quam. Vestibulum in volutpat leo. Nullam pulvinar eu leo eget tristique. Duis dignissim nunc nisl, sit amet aliquet orci pulvinar in. Quisque enim nibh, lobortis eu diam vitae, hendrerit convallis dolor. Integer nisl metus, vestibulum in mauris vel, malesuada dapibus odio. Morbi rutrum tincidunt erat eu laoreet. Donec purus dui, aliquet sit amet purus in, lacinia tempor tellus.

7. Nam eget libero commodo, semper justo congue, faucibus dui. Curabitur tempor felis ornare, porttitor eros non, auctor mauris. Nulla in augue in nibh ultrices lobortis hendrerit nec orci. Etiam posuere, justo ac varius tempus, ipsum odio volutpat libero, sed finibus dui nunc a  Phasellus vitae convallis purus, quis condimentum arcu. Quisque accumsan turpis ex, suscipit rhoncus libero ultricies eget. Curabitur semper, nisi ac consequat tempor, tortor nisl ultricies lectus, eget convallis neque ipsum tincidunt nisi. Suspendisse eu lacus quis odio consectetur cursus. Praesent tristique justo arcu, non tempor elit vulputate non. Sed vulputate risus eu odio cursus scelerisque.
