Practical Malware Analysis by Andrew Honig, Michael Sikorski

Lab 17-1 Solutions

Short Answers

  1. This malware uses vulnerable x86 instructions to determine if it is running in a VM.

  2. The script finds three potential anti-VM instructions and highlights them in red: sidt, str, and sldt.

  3. The malware will delete itself if either sidt or str detects VMware. If the sldt instruction detects VMware, the malware will exit without creating its main thread, but it will create the malicious service MalService.

  4. On our machine running VMware Workstation 7 on an Intel Core i7, none of the techniques succeeded. Your results will vary depending on the hardware and software you use.

  5. See the detailed analysis for an explanation of why each technique did or didn’t work.

  6. You can NOP-out the sidt and str instructions or flip the jump ...
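The IDA script in answer 2 locates sidt, str and sldt by walking IDA's disassembly. The following is an added example, not code from the book or the lab, that does a cruder version of the same job on raw code bytes and then applies the NOP-out patch from answer 6. It decodes only the 0F 00 /r and 0F 01 /r opcode families (covering sidt, str, sldt and, going slightly beyond the lab, sgdt), assuming 32-bit ModR/M encoding; because it is a linear byte scan rather than a disassembler, each hit should be confirmed in IDA before patching. The sample bytes are constructed for the demonstration and are not taken from Lab17-01.exe.

```python
"""Heuristic scan of raw x86 code bytes for the anti-VM instructions named
in Lab 17-1 (sidt, str, sldt; sgdt shares the encoding family), plus a
NOP-out patcher in the spirit of the lab's answer 6.

Added example, not the book's IDA script: it is a linear opcode search,
not a disassembler, so it can flag data or the tail of a longer
instruction. Confirm every hit in a disassembler before patching.
"""
import sys

# 0F 00 /r and 0F 01 /r: the ModR/M reg field selects the mnemonic.
# sldt/str accept a register operand (mod == 3); sidt/sgdt need a memory
# operand, and 0F 01 with mod == 3 encodes unrelated instructions
# (monitor/mwait and friends), which must not be reported.
_TABLE = {
    0x00: {0: "sldt", 1: "str"},
    0x01: {0: "sgdt", 1: "sidt"},
}
_MEMORY_ONLY = {"sgdt", "sidt"}


def _modrm_length(data: bytes, i: int) -> int:
    """Byte length of a 32-bit ModR/M operand starting at data[i]:
    ModR/M byte, optional SIB byte, optional displacement."""
    modrm = data[i]
    mod, rm = modrm >> 6, modrm & 7
    length = 1
    if mod != 3 and rm == 4:            # SIB byte follows
        length += 1
        base = data[i + 1] & 7 if i + 1 < len(data) else 0
        if mod == 0 and base == 5:      # [index*scale + disp32]
            length += 4
    if mod == 1:
        length += 1                     # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        length += 4                     # disp32
    return length


def find_anti_vm_instructions(data: bytes):
    """Return a list of (offset, mnemonic, length) for every candidate."""
    hits = []
    i = 0
    while i + 2 < len(data):
        if data[i] == 0x0F and data[i + 1] in _TABLE:
            modrm = data[i + 2]
            mod, reg = modrm >> 6, (modrm >> 3) & 7
            mnemonic = _TABLE[data[i + 1]].get(reg)
            if mnemonic and not (mnemonic in _MEMORY_ONLY and mod == 3):
                length = 2 + _modrm_length(data, i + 2)
                hits.append((i, mnemonic, length))
                i += length
                continue
        i += 1
    return hits


def nop_out(data: bytes, hits) -> bytes:
    """Overwrite each flagged instruction with 0x90 (NOP) so the check's
    result is never computed; the register/memory it would have written
    keeps whatever value it held before."""
    patched = bytearray(data)
    for offset, _, length in hits:
        end = min(offset + length, len(patched))
        patched[offset:end] = b"\x90" * (end - offset)
    return bytes(patched)


# Constructed sample (not from the lab binary): push ebp / mov ebp,esp,
# sidt [ebp-8], nop, str ax, sldt ax, then 0F 01 C8 (monitor, which must
# NOT be reported because mod == 3), then ret.
SAMPLE = bytes.fromhex("558bec" "0f014df8" "90" "0f00c8" "0f00c0" "0f01c8" "c3")


def main(argv):
    # With a path argument, scan that file's raw bytes (e.g. a dumped
    # .text section); otherwise scan the constructed sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for offset, mnemonic, length in find_anti_vm_instructions(data):
        print(f"0x{offset:08x}  {mnemonic:5}  {data[offset:offset + length].hex()}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the three hits in the constructed sample; the monitor encoding at offset 14 is correctly left alone. Feeding it a whole PE file rather than the code section will produce false positives from headers and data, which is why the IDA script's disassembly-driven search is the better tool for the lab itself.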
