Lab 17-2 Solutions

Short Answers

  1. The exports are InstallRT, InstallSA, InstallSB, PSLIST, ServiceMain, StartEXS, UninstallRT, UninstallSA, and UninstallSB.

  2. The DLL is deleted from the system using a .bat file.

  3. A .bat file containing self-deletion code is created, as well as a file named xinstall.log containing the string "Found Virtual Machine, Install Cancel".

  4. This malware queries the VMware backdoor I/O communication port using the magic value VX and the action 0xA by executing the x86 in instruction.

  5. To get the malware to install, patch the in instruction at 0x100061DB at runtime.

  6. To permanently disable the VM check, use a hex editor to modify the static string in the binary from [This is DVM]5 to [This is DVM]0. Alternatively, NOP-out the check in OllyDbg ...
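Added example for answers 4 to 6 (this is not code from the book or from the lab binary): a small Python script that finds the VMware backdoor I/O check in a file image and applies the two fixes the answers describe, a NOP over the in instruction and a hex edit of the "[This is DVM]5" switch to "[This is DVM]0". It assumes the check uses the standard backdoor encoding (mov edx, 0x5658 followed by in eax, dx; these opcode bytes are general x86 facts, not page content) and that the marker string is stored as plain ASCII. The sample buffer is constructed inline so the script runs offline; the real lab file offsets (0x100061DB) are not reproduced.

```python
"""Locate and neutralise a VMware backdoor VM check in a binary image.

Added example, not the book's or the lab's own code. Assumptions:
  * the check loads port 0x5658 ("VX") into EDX and executes `in eax, dx`
    (BA 58 56 00 00 ... ED), the usual backdoor sequence;
  * the install switch is the ASCII digit following "[This is DVM]".
"""
import re
from typing import List, Tuple

PORT_LOAD = b"\xBA\x58\x56\x00\x00"   # mov edx, 0x5658  ("VX")
IN_EAX_DX = b"\xED"                   # in eax, dx
NOP = b"\x90"
MARKER = b"[This is DVM]"             # switch string from answer 6


def find_backdoor_checks(data: bytes, window: int = 32) -> List[int]:
    """Return offsets of `in eax, dx` opcodes that follow a load of port
    0x5658 within `window` bytes. These are candidate VM-detection sites
    that an analyst would inspect (or patch) instead of single-stepping."""
    hits = []
    for m in re.finditer(re.escape(PORT_LOAD), data):
        limit = min(len(data), m.end() + window)
        idx = data.find(IN_EAX_DX, m.end(), limit)
        if idx != -1:
            hits.append(idx)
    return hits


def nop_out_in(data: bytes, offset: int) -> bytes:
    """Replace the single-byte `in eax, dx` at `offset` with a NOP, the
    static equivalent of the runtime patch from answer 5."""
    if data[offset:offset + 1] != IN_EAX_DX:
        raise ValueError(f"no `in eax, dx` at offset {offset:#x}")
    patched = bytearray(data)
    patched[offset:offset + 1] = NOP
    return bytes(patched)


def patch_marker(data: bytes, old: bytes = b"5", new: bytes = b"0") -> Tuple[bytes, int]:
    """Change "[This is DVM]5" to "[This is DVM]0" (answer 6).
    Refuses to patch unless the marker occurs exactly once, so a stray
    match elsewhere in the file is never silently overwritten."""
    needle = MARKER + old
    offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
    if len(offsets) != 1:
        raise ValueError(f"expected one marker, found {len(offsets)}")
    digit_off = offsets[0] + len(MARKER)
    patched = bytearray(data)
    patched[digit_off:digit_off + len(old)] = new
    return bytes(patched), digit_off


# Constructed sample image (not the lab binary): a fake header, the
# backdoor sequence, padding, then the install switch string.
SAMPLE = (
    b"MZ" + b"\x00" * 14                 # 16-byte fake header
    + b"\xB8\x68\x58\x4D\x56"            # mov eax, 0x564D5868 ("VMXh")
    + b"\xB9\x0A\x00\x00\x00"            # mov ecx, 0xA  (action from answer 4)
    + PORT_LOAD + IN_EAX_DX              # mov edx, 0x5658 ; in eax, dx
    + b"\x00" * 8
    + MARKER + b"5" + b"\x00"            # "[This is DVM]5\0"
)

if __name__ == "__main__":
    checks = find_backdoor_checks(SAMPLE)
    print("backdoor check offsets:", [hex(o) for o in checks])
    image = SAMPLE
    for off in checks:
        image = nop_out_in(image, off)
    image, digit_off = patch_marker(image)
    print("switch patched at:", hex(digit_off))
    print("remaining checks:", find_backdoor_checks(image))
```

Run it on a copy of the sample under analysis (never the only copy); the marker patch is the durable fix from answer 6, while the NOP mirrors what answer 5 does in the debugger.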
