Lab 10-1 Solutions
Short Answers
If you run procmon to monitor this program, you will see that the only call to write to the registry is to RegSetValue for the value HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed. Some indirect changes are made by the calls to CreateServiceA, but this program also makes direct changes to the registry from the kernel that go undetected by procmon.

To set a breakpoint to see what happens in the kernel, you must open the executable within an instance of WinDbg running in the virtual machine, while also debugging the kernel with another instance of WinDbg in the host machine. When Lab10-01.exe is stopped in the virtual machine, you first use the !drvobj command to get a handle to the driver object, which contains a pointer ...
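The first step above is a user-mode check: export the procmon capture and confirm that the only registry write attributed to the sample is the RegSetValue on the RNG Seed value, while the service-related keys are written on its behalf by the Service Control Manager. The following Python script is an added example, not from the book or the lab; it parses a constructed Procmon-style CSV export (same column layout as Procmon's "Save as CSV", but the rows are made up for this illustration) and lists the registry-modifying operations per process. Kernel-side writes of the kind the text describes never appear in such a log, so an empty result for a process is not evidence that it made no registry change.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Procmon CSV export (not a real capture). The
# column names match Procmon's default CSV output; the events are invented
# to mirror what the lab text describes: one RegSetValue by the sample itself
# and service registration performed indirectly by services.exe.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","Lab10-01.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG","SUCCESS","Desired Access: Read/Write"
"10:01:02.1000100","Lab10-01.exe","1234","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed","SUCCESS","Type: REG_BINARY, Length: 80"
"10:01:02.1000200","Lab10-01.exe","1234","RegCloseKey","HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG","SUCCESS",""
"10:01:02.2000000","Lab10-01.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:01:02.3000000","services.exe","600","RegCreateKey","HKLM\\System\\CurrentControlSet\\services\\Lab10-01","SUCCESS","Desired Access: All Access"
"10:01:02.3000100","services.exe","600","RegSetValue","HKLM\\System\\CurrentControlSet\\services\\Lab10-01\\ImagePath","SUCCESS","Type: REG_EXPAND_SZ"
"""

# Procmon operation names that modify the registry (reads and opens are
# deliberately excluded so the output shows only state changes).
REGISTRY_WRITE_OPS = {
    "RegSetValue",
    "RegCreateKey",
    "RegDeleteValue",
    "RegDeleteKey",
    "RegSetInfoKey",
}


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def registry_writes(rows, process_name=None):
    """Return (process, operation, path) for every registry-modifying event.

    If process_name is given, only events attributed to that process are kept.
    Note that procmon attributes service-key creation to services.exe, not to
    the process that called CreateServiceA, which is why filtering on the
    sample alone hides those indirect changes.
    """
    hits = []
    for row in rows:
        if row["Operation"] not in REGISTRY_WRITE_OPS:
            continue
        if process_name and row["Process Name"].lower() != process_name.lower():
            continue
        hits.append((row["Process Name"], row["Operation"], row["Path"]))
    return hits


def summarize_by_process(rows):
    """Count registry-modifying operations per process, e.g.
    {'Lab10-01.exe': {'RegSetValue': 1}, 'services.exe': {...}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for proc, op, _path in registry_writes(rows):
        summary[proc][op] += 1
    return {proc: dict(ops) for proc, ops in summary.items()}


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_PROCMON_CSV)
    for proc, op, path in registry_writes(rows):
        print(f"{proc:14} {op:14} {path}")
    print(summarize_by_process(rows))
```

Running the script against a real export (replace SAMPLE_PROCMON_CSV with the file contents) gives a quick inventory of what user-mode monitoring can see; any change that the driver makes from kernel mode, as the lab text notes, has to be found with the WinDbg kernel-debugging session instead.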