
Practical Malware Analysis by Andrew Honig, Michael Sikorski


Lab 10-1 Solutions

Short Answers

  1. If you run procmon to monitor this program, you will see that the only call to write to the registry is to RegSetValue for the value HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed. Some indirect changes are made by the calls to CreateServiceA, but this program also makes direct changes to the registry from the kernel that go undetected by procmon.

  2. To set a breakpoint to see what happens in the kernel, you must open the executable within an instance of WinDbg running in the virtual machine, while also debugging the kernel with another instance of WinDbg in the host machine. When Lab10-01.exe is stopped in the virtual machine, you first use the !drvobj command to get a handle to the driver object, which contains a pointer ...
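One way to close the gap answer 1 describes, as an added example that is not from the book or its labs: export the registry before and after running the sample (the .reg syntax parsed here is what regedit /e writes) and diff the two exports against the registry paths procmon logged, so that writes procmon never saw still surface. The snapshot text, the procmon path list, the ExampleSvc service name and its ImagePath are constructed placeholders, not values taken from Lab10-01.exe.

```python
# Added example, not from the book: diff two regedit-style .reg exports taken
# before and after running a sample so that registry changes procmon did not
# log still show up. All snapshot text and the procmon path list are constructed.
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, Optional[str]]          # (key path, value name); None = the key itself
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

def parse_reg_export(text: str) -> Dict[Entry, str]:
    """Parse the subset of .reg syntax that 'regedit /e' writes (keys and values)."""
    snap: Dict[Entry, str] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snap[(key, None)] = ""
        elif key and (m := re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            snap[(key, name)] = m.group(2)
    return snap

def procmon_path(entry: Entry) -> str:
    """Render an entry the way procmon prints registry paths (HKLM\\...\\ValueName)."""
    key, name = entry
    hive, _, rest = key.partition("\\")
    path = HIVES.get(hive, hive) + ("\\" + rest if rest else "")
    return path if name is None else path + "\\" + (name or "(Default)")

def unlogged_changes(before: str, after: str, procmon_paths: List[str]) -> List[str]:
    """Entries added or modified between the snapshots that procmon never logged."""
    b, a = parse_reg_export(before), parse_reg_export(after)
    seen = {p.lower() for p in procmon_paths}
    changed = [e for e in a if e not in b or a[e] != b[e]]
    return sorted(procmon_path(e) for e in changed if procmon_path(e).lower() not in seen)

# Constructed snapshots: the Seed write is real-looking, the service is a placeholder.
BEFORE = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed"=hex:11,22,33
"""
AFTER = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed"=hex:44,55,66

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"="C:\\placeholder\\driver.sys"
"""
# Constructed procmon output: only the RegSetValue on Seed was observed.
PROCMON_WRITES = [r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed"]
```

Running `unlogged_changes(BEFORE, AFTER, PROCMON_WRITES)` lists the service key and its ImagePath, the changes procmon's log did not account for.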
