Lab 17-1 Solutions
Short Answers
This malware uses vulnerable x86 instructions to determine if it is running in a VM.
The script finds three potential anti-VM instructions and highlights them in red: sidt, str, and sldt.

The malware will delete itself if either sidt or str detects VMware. If the sldt instruction detects VMware, the malware will exit without creating its main thread, but it will create the malicious service MalService. On our machine running VMware Workstation 7 on an Intel Core i7, none of the techniques succeeded. Your results will vary depending on the hardware and software you use.
See the detailed analysis for an explanation of why each technique did or didn’t work.
You can NOP-out the sidt and str instructions or flip the jump ...
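The following is an added example and is not the book's IDAPython script or any code from the lab binary. It shows, in plain Python, the two analyst steps the short answers describe: locating the sidt (0F 01 /1), str (0F 00 /1) and sldt (0F 00 /0) encodings in a buffer of 32-bit code bytes, and NOP-ing out the sidt and str instructions so the self-delete path can never trigger. The byte sequence SAMPLE is constructed for the demo. One caveat an analyst should keep in mind: this scans raw bytes rather than disassembled instructions, so the same byte pattern inside an immediate or a data region would be a false positive, and every hit should be confirmed in a disassembler before patching.

```python
# Added example (not the book's IDAPython script, not code from the lab binary).
# Scans 32-bit x86 code bytes for the three anti-VM instructions the lab's script
# highlights (sidt, str, sldt) and NOPs out the ones the solution says to remove.
# Caveat: a raw-byte scan can false-positive on opcode-like bytes inside immediates
# or data; confirm each hit in a disassembler before patching.

# Opcode map: (second opcode byte, ModRM reg field) -> mnemonic.
#   sidt m     = 0F 01 /1   (memory form only; 0F 01 with mod=11 is not sidt)
#   str  r/m16 = 0F 00 /1
#   sldt r/m16 = 0F 00 /0
ANTI_VM = {
    (0x01, 1): "sidt",
    (0x00, 1): "str",
    (0x00, 0): "sldt",
}

NOP = 0x90


def _modrm_group_len(code, i):
    """Length in bytes of ModRM + optional SIB + displacement at code[i] (32-bit addressing)."""
    modrm = code[i]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod == 3:                      # register operand, nothing else follows
        return n
    if rm == 4:                       # SIB byte present
        sib = code[i + 1] if i + 1 < len(code) else 0
        n += 1
        if mod == 0 and (sib & 7) == 5:
            n += 4                    # [index*scale + disp32], no base register
    if mod == 0 and rm == 5:
        n += 4                        # [disp32]
    elif mod == 1:
        n += 1                        # [base + disp8]
    elif mod == 2:
        n += 4                        # [base + disp32]
    return n


def find_anti_vm(code):
    """Return a list of (offset, mnemonic, length) for every sidt/str/sldt found in code."""
    hits = []
    i = 0
    while i + 2 < len(code):
        if code[i] == 0x0F and code[i + 1] in (0x00, 0x01):
            modrm = code[i + 2]
            reg = (modrm >> 3) & 7
            mod = modrm >> 6
            name = ANTI_VM.get((code[i + 1], reg))
            if name == "sidt" and mod == 3:
                name = None           # 0F 01 /1 with mod=11 encodes other instructions
            if name is not None:
                length = 2 + _modrm_group_len(code, i + 2)
                if i + length > len(code):
                    break             # truncated instruction at end of buffer
                hits.append((i, name, length))
                i += length
                continue
        i += 1
    return hits


def nop_out(code, mnemonics=("sidt", "str")):
    """Replace each listed anti-VM instruction with NOPs of the same length (default: sidt and str)."""
    patched = bytearray(code)
    for off, name, length in find_anti_vm(code):
        if name in mnemonics:
            patched[off:off + length] = bytes([NOP]) * length
    return bytes(patched)


# Constructed demo bytes: a tiny 32-bit function that runs all three checks plus an
# sgdt (0F 01 /0), which is not one of the three the lab's script found and is left alone.
SAMPLE = bytes([
    0x55,                    # push ebp
    0x8B, 0xEC,              # mov ebp, esp
    0x0F, 0x01, 0x4D, 0xF8,  # sidt [ebp-8]
    0x0F, 0x00, 0xC8,        # str eax
    0x0F, 0x00, 0x45, 0xFC,  # sldt [ebp-4]
    0x0F, 0x01, 0x45, 0xF0,  # sgdt [ebp-16]
    0x5D,                    # pop ebp
    0xC3,                    # ret
])

if __name__ == "__main__":
    for off, name, length in find_anti_vm(SAMPLE):
        print(f"{off:#06x}: {name:<5} ({length} bytes)")
    print("patched:", nop_out(SAMPLE).hex(" "))
```

Running it lists the sidt at offset 3, the str at offset 7 and the sldt at offset 10, and the patched buffer has the first two replaced by same-length NOP runs while the sldt and the sgdt are untouched. Patching by instruction length matters: an instruction's ModRM, SIB and displacement bytes all have to become NOPs, or the bytes left behind would be decoded as a new, unintended instruction.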