GREM In-Depth Executable Analysis Questions and Answers

Question 1

An analyst is examining a malware sample that does not list any suspicious Windows APIs in its Import Address Table (IAT). During dynamic analysis, the analyst observes the malware loading `kernel32.dll`, enumerating its exported functions, calculating a hash for each function name, and comparing it against a hardcoded list of values. This technique is primarily used for what purpose?

Accepted Answer

To dynamically resolve API function addresses and evade static analysis detection.

Answer

This technique, known as API hashing, is a common method used by malware to conceal its intended functionality from static analysis tools. [1, 5] Instead of directly importing functions and leaving a clear trail in the IAT, the malware computes hashes of required API names at runtime and compares them to pre-calculated hash values stored within its code. [1] When a match is found, it can call the function using its resolved address, thus hiding suspicious imports like `CreateProcessA` or `VirtualAllocEx` from initial inspection. [7]

Question 2

A malware analyst observes a sequence of actions: a legitimate process, such as `svchost.exe`, is created in a suspended state. The memory associated with its main executable module is then unmapped and replaced with malicious code. Finally, the process's primary thread is resumed. Which of the following code injection techniques best describes this scenario?

Accepted Answer

Process Hollowing

Answer

Process Hollowing is a malware technique where a legitimate process is created in a suspended state (`CREATE_SUSPENDED`). [18, 21] The malware then deallocates or 'hollows out' the memory of the legitimate executable and replaces it with its own malicious code. [3, 8] The entry point is updated to point to the new code, and the process is resumed, making the malicious code run under the guise of a trusted process. [8, 21]

Question 3

During static analysis of a PE file, a large amount of seemingly random data is found within the `.rsrc` section. Further investigation reveals that the malware's code at some point reads from this section, performs a decryption routine, and then writes the result into a newly allocated executable memory region. What is the most likely purpose of storing data in the `.rsrc` section in this manner?

Accepted Answer

To conceal a secondary malicious payload or shellcode.

Answer

The `.rsrc` section is intended to store resources like icons, images, and menus. [2, 17] However, malware authors often abuse this section to hide encrypted or obfuscated data, including entire secondary payloads, DLLs, or shellcode. [14] Storing the malicious payload here can help evade security products that may not scrutinize the resource section as heavily as the executable code sections. The malware then contains logic to extract, decrypt, and execute this hidden payload.

Question 4

A sophisticated malware sample will only execute its primary malicious function if it detects a specific corporate domain name and a particular registry key value is present on the system. If these conditions are not met, it remains dormant. This advanced anti-analysis technique is best described as:

Accepted Answer

Environmental Keying

Answer

Environmental Keying is an advanced evasion technique where the malware's execution is tied to specific, unique characteristics of the target environment. [12, 15] Instead of just checking for a sandbox, it actively looks for specific artifacts—like a domain name, file path, username, or registry key—that would only be present on the intended victim's machine. [23] This can be used to derive a decryption key for the payload or as a simple gate to prevent execution, making analysis difficult unless the specific environment can be replicated. [6, 23]

Question 5

While analyzing a 32-bit PE file in a disassembler, a reverse engineer notices that the file lacks a `.reloc` section. What is the primary implication of a missing relocation section for this executable?

Accepted Answer

The executable cannot be loaded if its preferred base address is already in use by another module.

Answer

The `.reloc` section contains a base relocation table, which is necessary for the Windows loader to fix up hardcoded addresses in the code if the executable cannot be loaded at its preferred `ImageBase` address. [14, 31] This is crucial for Address Space Layout Randomization (ASLR). If the `.reloc` section is stripped, the loader cannot adjust these addresses, and the application will fail to load if its preferred base address is unavailable. [31, 33]

(GREM) Giac Reverse Engineering Malware Practice Test

(GREM) Giac Reverse Engineering Malware Practice Test

GREM In-Depth Executable Analysis Questions and Answers