Practical Malware Analysis by Andrew Honig, Michael Sikorski

Lab 17-2 Solutions

Short Answers

  1. The exports are InstallRT, InstallSA, InstallSB, PSLIST, ServiceMain, StartEXS, UninstallRT, UninstallSA, and UninstallSB.

  2. The DLL is deleted from the system using a .bat file.

  3. A .bat file containing self-deletion code is created, as well as a file named xinstall.log containing the string "Found Virtual Machine, Install Cancel".

  4. This malware queries the VMware backdoor I/O communication port using the magic value VX and the action 0xA, issued with the x86 in instruction.

  5. To get the malware to install, patch the in instruction at 0x100061DB at runtime.

  6. To permanently disable the VM check, use a hex editor to modify the static string in the binary from [This is DVM]5 to [This is DVM]0. Alternatively, NOP-out the check in OllyDbg ...
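The check in answers 4 and 5 is the classic VMware backdoor query: EAX holds the magic 0x564D5868 ("VMXh"), ECX the action (0xA = get version), DX the port 0x5658 ("VX"), followed by an in instruction. As an added example that is not from the book, the following Python scans a byte buffer for that sequence, the way an analyst's detection rule for this anti-VM check would; the opcode patterns and the sample buffer are constructed here, not taken from the lab binary.

```python
# Added example (not from the book): locate VMware backdoor queries in x86 code.
import struct

VMWARE_MAGIC = 0x564D5868   # "VMXh", loaded into EAX before the IN
VMWARE_PORT = 0x5658        # "VX", the backdoor I/O port loaded into DX
IN_EAX_DX = b"\xED"         # opcode of `in eax, dx`


def find_vmware_backdoor_queries(code: bytes, window: int = 32):
    """Return (magic_offset, action_or_None, in_offset) tuples.

    Matches `mov eax, 564D5868h` (B8 68 58 4D 56) followed within `window`
    bytes by `in eax, dx` (ED). If a `mov ecx, imm32` (B9 imm32) sits between
    the two, its immediate is reported as the backdoor action.
    Heuristic: the B9 search does not disassemble, so it may hit an immediate.
    """
    hits = []
    mov_eax_magic = b"\xB8" + struct.pack("<I", VMWARE_MAGIC)
    start = 0
    while True:
        off = code.find(mov_eax_magic, start)
        if off == -1:
            break
        region = code[off + 5 : off + 5 + window]
        in_rel = region.find(IN_EAX_DX)
        if in_rel != -1:
            action = None
            ecx_rel = region.find(b"\xB9")
            if ecx_rel != -1 and ecx_rel + 5 <= in_rel:
                action = struct.unpack_from("<I", region, ecx_rel + 1)[0]
            hits.append((off, action, off + 5 + in_rel))
        start = off + 1
    return hits


# Constructed sample: a small function prologue, the backdoor query, and a
# later compare against the magic that must NOT be reported as a query.
SAMPLE = (
    b"\x55\x8B\xEC"                 # push ebp; mov ebp, esp
    + b"\xB8\x68\x58\x4D\x56"       # mov eax, 564D5868h
    + b"\xB9\x0A\x00\x00\x00"       # mov ecx, 0Ah  (get VMware version)
    + b"\x66\xBA\x58\x56"           # mov dx, 5658h
    + b"\xED"                       # in eax, dx
    + b"\x81\xFB\x68\x58\x4D\x56"   # cmp ebx, 564D5868h
    + b"\x5D\xC3"                   # pop ebp; ret
)

if __name__ == "__main__":
    for magic_off, action, in_off in find_vmware_backdoor_queries(SAMPLE):
        print(f"magic at {magic_off:#x}, action {action}, IN at {in_off:#x}")
```

The offset of the in instruction is what an analyst would patch at runtime (answer 5) or NOP-out with OllyDbg (answer 6) to let the install proceed inside a VM.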
