Labs

Lab 16-1

Analyze the malware found in Lab16-01.exe using a debugger. This is the same malware as Lab09-01.exe, with added anti-debugging techniques.

Questions

Q:

1. Which anti-debugging techniques does this malware employ?

Q:

2. What happens when each anti-debugging technique succeeds?

Q:

3. How can you get around these anti-debugging techniques?

Q:

4. How do you manually change the structures checked during runtime?

Q:

5. Which OllyDbg plug-in will protect you from the anti-debugging techniques used by this malware?

Lab 16-2

Analyze the malware found in Lab16-02.exe using a debugger. The goal of this lab is to figure out the correct password. The malware does not drop a malicious payload.

Questions

Q:

1. What happens when you run Lab16-02.exe from the command line?

Q:

2. What happens when you run Lab16-02.exe and guess the command-line parameter?

Q:

3. What is the command-line password?

Q:

4. Load Lab16-02.exe into IDA Pro. Where in the main function is strncmp found?

Q:

5. What happens when you load this malware into OllyDbg using the default settings?

Q:

6. What is unique about the PE structure of Lab16-02.exe?

Q:

7. Where is the callback located? (Hint: Use CTRL-E in IDA Pro.)

Q:

8. Which anti-debugging technique is the program using to terminate immediately in the debugger and how can you avoid this check?

Q:

9. What is the command-line password you see in the debugger after you disable the anti-debugging technique?

Q:

10. Does the password found in the debugger work on the command line?

Q:

11. Which anti-debugging techniques account for the different passwords in the debugger and on the command line, and how can you protect against them?

Lab 16-3

Analyze the malware in Lab16-03.exe using a debugger. This malware is similar to Lab09-02.exe, with certain modifications, including the introduction of anti-debugging techniques. If you get stuck, see Lab 9-2 Solutions.

Questions

Q:

1. Which strings do you see when using static analysis on the binary?

Q:

2. What happens when you run this binary?

Q:

3. How must you rename the sample in order for it to run properly?

Q:

4. Which anti-debugging techniques does this malware employ?

Q:

5. For each technique, what does the malware do if it determines it is running in a debugger?

Q:

6. Why are the anti-debugging techniques successful in this malware?

Q:

7. What domain name does this malware use?
