Lab 17-2 Solutions
The exports are
The DLL is deleted from the system using a .bat file.
A .bat file containing self-deletion code is created, as well as a file named xinstall.log containing the string "Found Virtual Machine, Install Cancel".
This malware queries the VMware backdoor I/O communication port using the magic value VX and the action 0xA by using the in instruction.
To get the malware to install, patch the in instruction at 0x100061DB at runtime.
To permanently disable the VM check, use a hex editor to modify the static string in the binary from [This is DVM]5 to [This is DVM]0. Alternatively, NOP-out the check in OllyDbg ...