Lab write up. General Physics Lab writeup guidelines 2022-10-22

A lab write-up is a document that describes the details of a laboratory experiment. It typically includes an introduction, methods, results, and a conclusion section. The purpose of a lab write-up is to communicate the results of an experiment to others, including fellow scientists and researchers, and to provide a detailed record of the experiment for future reference.

The introduction section of a lab write-up should provide background information on the experiment and its purpose. It should also state the research question or hypothesis being tested, and explain the importance of the experiment. The methods section should describe the materials and equipment used in the experiment, as well as the steps taken to conduct the experiment. This section should be written in enough detail that someone else could replicate the experiment based on the information provided.

The results section of a lab write-up should present the data collected during the experiment, including any relevant graphs or tables. It is important to present the data clearly and accurately, and to include any necessary explanations or interpretations of the data. The conclusion section should summarize the key findings of the experiment and discuss their implications. It should also suggest any future directions for research based on the results of the experiment.

Overall, a lab write-up is an important tool for communicating and documenting scientific research. It allows researchers to share their findings with others and to contribute to the advancement of scientific knowledge. It is important to be thorough and accurate when writing a lab write-up, as the document will be used as a reference for future experiments and research.

Biology Lab Write Up

Question 5 Which OllyDbg plug-in will protect you from the anti-debugging techniques used by this malware? The other imports are common among drivers; however, this particular import gives us the impression that the driver will be getting a pointer to the current process it is running from, and in essence will be either getting information about it or modifying it. To determine how this is formed to assist in the event we cannot hook OutputDebugStringA e. If it has a non-zero flag set it will jump, yet our disassembler has trusted the false condition of this statement. As the test was conducted, the study shows no difference between lacking an antibiotic and containing one. Answer 4 By opening WordPad and typing out some content, we can then open up practicalmalwareanalysis. By doing this we see that it is only looking to open the file with read privileges, rather than write to it.

Lab Write

We would expect all the memory addresses to point to a similar location in memory and be from the same module e. Make sure that these files are in the same directory when performing the analysis. Question 15 At 0x10001701 is a call to socket. Based on the response received, we can begin to assume that the response to commands run from the C2 of this malware is encoded. By converting this to code, we find another anti-disassembly attempt at 004014D7. A brief look into Lab07-03.

Lab Write Up

Answer 1 By running strings over Lab13-01. If we run this again in a debugger such as OllyDbg2 and create a breakpoint after the file creation e. We did notice some anomalies during our experiment, however. After this a return occurs and after a few more comparisons we wind up at 0x402410. The labs are divided into four sections: the Pre-lab questions, Background, In the Lab, and Analysis. At first glance we can see a number of different jumps and conditional flows by viewing the graph overview.

Practical Malware Analysis

Lab 16-03 Question 1 Which strings do you see when using static analysis on the binary? Based on this we need to look through other ways of unpacking it. Answer 1 When we run this file it immediately deletes itself. Lab 1-1 This lab uses the files Lab01-01. From this we can infer that the script will de-obfuscate the seemingly random data. Within this we can see what appears to be a non-standard encoding routine. Question 4 What host- or network-based indicators could be used to identify this malware on infected machines? Question 5 What type of encoding is used for command arguments? Question 1 Which networking libraries does the malware use, and what are their advantages? Given these parameters look to be related to post-compromise activity, we need to first ensure the malware is installed using -in. Lab 3-3 Question 1 What do you notice when monitoring this malware with Process Explorer? Jump table: handles a large number of switch statements and avoids the need for so many compares.

General Physics Lab writeup guidelines

Note: These values will likely differ per run-through or system. Question 7 While running or debugging the program, you will see that it prints out three pieces of mystery data. Following the unpacking guidance, we can unpack this executable into a new file. More information on this operation can be found under the Question 2 Once this program is running, how do you stop it? Write a concise statement of the principal result that is described in this report. If we wanted to limit this to one hardcoded element over another it would be trivial to do; however, for the purpose of thoroughly identifying every static element of this beacon for a high-confidence hit, we have added all of them to our Snort rule.

Answer 8 Because the malware leveraged custom, yet simple, encoding mechanisms, static, yet configurable, domain names, User-Agent errors, and a few other static elements such as the commands being sent via the C2, we can use all of this to create specific Snort rules to identify this malware. We also do this by looking for the expected hex. After graphing user-defined xrefs, we can see the relation between these two functions. What example from the chapter used a similar methodology? Jai Minton Information and Cyber Security Professional. The experimental results confirmed my hypothesis by showing the decrease of drops the penny can hold as we increased height. The explicit ' ' declaration is common amongst keyloggers as they need a way of determining if a key pressed is capitalised or not.

This is identified by ntoskrnl. What are the advantages of this technique? We think the lower number is more of the exception than the rule, as we noticed that the next number in the series was closer to the higher number than the lower number. It will then push this as the location for a structured exception handler, which will be called when the divide-by-zero executes. The coyote skull had a much rounder nose than the deer. Can be mitigated by not single-stepping over an icebp (0xF1) instruction. What we can see is that this is some sort of decoding routine, given how it loads bytes, loops and shifts bits. Is that in use in this malware? This leaves three possible entries to examine, of which only one has an inbuilt function with code to examine as part of it.

Question 1 How can you get this malware to install itself? Because this needs to implement the same arguments as the send function, it can be defined by setting the function type. After this, further checks and calculations occur to determine what special key is being pushed, and in the event one is a specific value it is output to the keylog file. Answer 1 Looking at the code at 0x401000 we can see pointers that reference a number of unknown values indicated by dword, byte, and word values. Here we can see it is querying WorkTime, and WorkTime registry keys. This was found in Question 5. This gives us coverage of these interesting events.

Answer 7 We already know what these are from the analysis conducted in previous questions. Question 2 Which networking libraries does this malware use? Looking at the only function calling this, we can see that the argument passed to it is the established socket to the C2. In some experiments an 80% error might be reasonable because of component tolerances. This is shellcode that will be copied directly as assembly into the binary in question and is stored in hex. The salt is the independent variable that I'm comparing to the water. After saving the shellcode to a new file Lab11-3Shellcode. At this point smsw will be used by No Pill instead.