
Practical Malware Analysis by Andrew Honig, Michael Sikorski


Lab 17-3 Solutions

Short Answers

  1. The malware immediately terminates inside a VM, unlike Lab 12-2 Solutions, which performs process replacement on svchost.exe.

  2. If you force the jumps at 0x4019A1, 0x4019C0, and 0x401467 to be taken, and the jump at 0x401A2F to not be taken, the malware performs process replacement using a keylogger from its resource section.

  3. The malware uses four different anti-VM techniques:

    • It uses the backdoor I/O communication port.

    • It searches the registry key SYSTEM\CurrentControlSet\Control\DeviceClasses for the string vmware.

    • It checks the MAC address to see if it is the default used by VMware.

    • It searches the process list with a string-hashing function for processes starting with the string vmware.

  4. To avoid the anti-VM techniques ...
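
As an added example (not from the book), the following Python audits an analysis VM's inventory for three of the four artifacts listed in answer 3, so an analyst can see what the guest exposes before running a sample; the backdoor I/O port check is not covered. The VMware OUI list, the function names and the sample inventory are assumptions constructed for illustration.

```python
# Added example, not the book's code. Sample inventory below is constructed.

# OUIs registered to VMware (assumption: the lab's "default MAC" check
# matches one of these prefixes).
VMWARE_OUIS = {"00:05:69", "00:0C:29", "00:1C:14", "00:50:56"}

def normalize_mac(mac):
    """Return a MAC as upper-case, colon-separated hex (00:0C:29:AA:BB:CC)."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_vm_artifacts(macs, process_names, device_class_subkeys):
    """List (kind, value) pairs that would reveal a VMware guest.

    macs                 -- adapter MAC addresses, any common separator
    process_names        -- image names from the process list
    device_class_subkeys -- subkey names found under
                            SYSTEM\\CurrentControlSet\\Control\\DeviceClasses
    """
    findings = []
    for mac in macs:
        norm = normalize_mac(mac)
        if norm[:8] in VMWARE_OUIS:          # first three octets = vendor OUI
            findings.append(("mac", norm))
    for name in process_names:
        if name.lower().startswith("vmware"):  # process names starting "vmware"
            findings.append(("process", name))
    for key in device_class_subkeys:
        if "vmware" in key.lower():            # string "vmware" anywhere in key
            findings.append(("registry", key))
    return findings

# Constructed sample inventory of a guest.
SAMPLE_MACS = ["00-0c-29-3e-1f-a2", "08:00:27:12:34:56"]
SAMPLE_PROCESSES = ["vmwaretray.exe", "VMwareUser.exe", "explorer.exe"]
SAMPLE_SUBKEYS = ["##?#IDE#CdRomNECVMWar_VMware_IDE_CDR10", "##?#USB#ROOT_HUB"]

if __name__ == "__main__":
    for kind, value in audit_vm_artifacts(SAMPLE_MACS, SAMPLE_PROCESSES,
                                          SAMPLE_SUBKEYS):
        print("%-8s %s" % (kind, value))
```

An empty result means none of these three checks would find a match in the supplied inventory.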
