---
title: 'Projects'
tags: cs6501-spring22
---

# Projects

* Please use **Collab** to submit your answers to the homeworks.
* Deadlines are posted in Collab.
* Feedback will be available after grading.

## Project 1: Dissecting Malware via Pin

### Background

You are an administrator of a system. After you find out your system is compromised, you find a **malware binary** left in the system. As you were curious about the malware, you run the program. As usual, **the malware just terminates without doing anything**. Can you figure out **how to run the malware**, so that it performs the malicious activities you want to analyze?

### A toy example

* [Read this page](https://hackmd.io/@yonghwikwon/SykitGBeu) to understand the context of this assignment.

### Full Description

* [Read this description (Required)](https://hackmd.io/@yonghwikwon/rJjCv8s1q)
* [Download the Project 1 Package, including all files (timebomb2, documents, extra credit samples) needed](https://virginia.box.com/s/c0bvwfq279eaenfoyc1okg6dwo60ggq2)

### Supplementary Material for Pin

* [Read this page](https://hackmd.io/@yonghwikwon/HJoOIh9y5)

### Objectives

* Your goal is to **create a Pin tool** that analyzes the **timebomb2** file (the sample file hereafter) to find out
  * (1) **what the hidden suspicious behavior is** and
  * (2) **what the triggering conditions of the sample are**.

### What to submit

1. A Pin tool that can automatically find and answer the above two questions.
2. A report that describes how you implemented your Pin tool to find the answers, including the challenges caused by packed binaries.

## Project 2: Reconstructing Inputs from Memory Buffer

### Background

You are a cyber forensic investigator. You obtain a criminal's computer, and locate **a suspicious program** that the criminal was running when he was arrested. The criminal was **trying to send a secret message** through this program, and that's what we want to know.
Unfortunately, the program **already deleted its input file** after it read **the secret message** from the input file. Luckily, you obtain a **memory dump of the process from the criminal's computer**. Your goal is to **identify the original message** that the criminal wanted to send, from the memory dump. You also have the program's binary.

### A toy example

[Read this document](https://hackmd.io/@yonghwikwon/SywFaXrg_) to understand the context of this assignment.

### Full Description

* [Read this description (Required)](https://hackmd.io/@yonghwikwon/HJLbIDo15)

### Objective

* Your goal is to recover the original secret message from the memory dump files provided ([project2.zip](https://virginia.box.com/s/dj7n6z9e57cohy4zcg736e1digokj4tu)).
* In the [project2.zip](https://virginia.box.com/s/dj7n6z9e57cohy4zcg736e1digokj4tu) file, you will find:
  1. `steg.out` -- a binary program that contained the secret message. You will inject the memory dump files' contents into this application.
     a. `run.sh` -- a shell script to run `steg.out`. Please see the lecture video for how it works.
     b. `run_pin_offset.sh` -- please see the lecture video for how it works.
  2. `str_to_ptr.cpp` -- an example program that shows how the str2ptr function works.
  3. `memory dump` folder: this folder contains the memory dump files. See the description in the PDF file for details.
  4. `Steganography_From_GitHub`: the `steg.out` program uses the source code of this GitHub project. However, it does not use 100% of the code, so if you plan to look at this, understand that the code might be changed in `steg.out`.

### What to submit

1. **Your Pintool code** (submit a single .cpp file, please).
2. **A report** that describes how your Pintool works and explains the **challenges and solutions** you encountered during the memory injection tasks.

### Hints

* How was the memory dump created?
  * To create the memory dump files, I have used the following command.
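An added example, not part of the project2.zip package: the Python below selects the same rw-p regions from `/proc/<pid>/maps` that the `dumpproc.sh` script in this hint selects, reconstructs the dumped address ranges from the dump file names alone, and maps a runtime pointer to the dump file and offset that holds it, which is the lookup needed when injecting dump contents back into the process. The maps text and pid are constructed samples, and the file naming assumes the script's `<pid>-<start>-<stop>.dump` form.

```python
import re
from typing import List, Optional, Tuple

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]".
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ")
# The file names dumpproc.sh produces: <pid>-<start>-<stop>.dump
DUMP_NAME = re.compile(r"^(\d+)-([0-9a-f]+)-([0-9a-f]+)\.dump$")

# Constructed sample of a maps file; only the rw-p rows would be dumped.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /home/u/steg.out
00601000-00602000 rw-p 00001000 08:01 1234 /home/u/steg.out
01a2c000-01a4d000 rw-p 00000000 00:00 0 [heap]
7ffd3b1e0000-7ffd3b201000 rw-p 00000000 00:00 0 [stack]
"""

def writable_regions(maps_text: str) -> List[Tuple[int, int]]:
    """(start, end) of every rw-p mapping, i.e. what the grep/sed pipeline selects
    (checked on the permissions field rather than anywhere in the line)."""
    regions = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(3) == "rw-p":
            regions.append((int(m.group(1), 16), int(m.group(2), 16)))
    return regions

def dump_filename(pid: int, start: int, end: int) -> str:
    """Name gdb's 'dump memory' output as dumpproc.sh does; the kernel prints
    maps addresses with %08lx, so keep the 8-digit minimum."""
    return f"{pid}-{start:08x}-{end:08x}.dump"

def regions_from_dump_names(names) -> List[Tuple[int, int]]:
    """Recover the address ranges from the file names alone, which is all an
    investigator holding only the memory-dump folder has."""
    found = [m for m in map(DUMP_NAME.match, names) if m]
    return sorted((int(m.group(2), 16), int(m.group(3), 16)) for m in found)

def locate(pid: int, regions, addr: int) -> Optional[Tuple[str, int]]:
    """Translate a pointer seen at runtime into (dump file, byte offset in it).
    None means the address was never dumped, e.g. it points into r-xp code."""
    for start, end in regions:
        if start <= addr < end:
            return dump_filename(pid, start, end), addr - start
    return None
```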
```=shell
$ cat dumpproc.sh
#!/bin/bash
# For every writable private (rw-p) mapping of process $1, have gdb dump that
# address range to <pid>-<start>-<stop>.dump in the current directory.
grep rw-p /proc/$1/maps \
  | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \
  | while read start stop; do
      gdb --batch --pid $1 -ex "dump memory $1-$start-$stop.dump 0x$start 0x$stop";
    done
$ sudo ./dumpproc.sh [pid]
```

## Project 3: Emulating Partial Program (Shellcode)

### Background

**Remote exploitation** of a vulnerable program is a common tactic in cyber attacks. Typically, an attacker sends a **maliciously crafted input** to a vulnerable program. Such an input often contains a **malicious payload**, which will be executed after a successful exploitation.

![](https://i.imgur.com/PTTlmbo.png)

The above figure shows an example.

* First, an attacker sends a malicious payload to a vulnerable program.
* Second, when the program processes the input, it triggers a vulnerability, allowing the malicious payload within the input to be injected into the program and executed.
* Third, after the vulnerability is exploited, the program runs the injected malicious payload (in the red box in this figure), which creates a `/bin/sh` process.

Since the malicious payload is essentially the code bytes of a sequence of instructions, it can be anything. In practice, there are two typical forms of malicious payload: shellcode or ROP. In this project, we focus only on shellcode. The following website gives a few examples of popular shellcode: http://shell-storm.org/shellcode/.

### What is this project about?

Assume you identified a few shellcodes and do not know what they are doing. We could run them in the VM (or on our host machine), but if the exploitation is successful, your VM (or machine) will be exploited and compromised. This project asks you to create a tool that **automatically analyzes them** safely **using code emulation techniques**. Specifically, given a sequence of code bytes (i.e., instructions), you **run them** and **report what actions they perform** (e.g., calling a system call, doing a particular computation, etc.).
### Full Description

* [Read this description](https://hackmd.io/@yonghwikwon/rkHm4ArBq)

### Objective

* This assignment asks you to
  1. **improve the given program to handle 5 example shellcodes (2 of them are already supported)**, and
  2. create a summary report including screenshots of the 5 example shellcodes running as expected.