Lab 10-1 Solutions

Short Answers

  1. If you run procmon to monitor this program, you will see that the only call to write to the registry is to RegSetValue for the value HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed. Some indirect changes are made by the calls to CreateServiceA, but this program also makes direct changes to the registry from the kernel that go undetected by procmon.

  2. To set a breakpoint to see what happens in the kernel, you must open the executable within an instance of WinDbg running in the virtual machine, while also debugging the kernel with another instance of WinDbg in the host machine. When Lab10-01.exe is stopped in the virtual machine, you first use the !drvobj command to get a handle to the driver object, which contains a pointer ...

Get Practical Malware Analysis now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.