Tools Used

  1. IDA Pro
  2. OllyDbg


  1. Lab17-03.exe SHA256: b3b4c065849c81d856558e9cf91e8cef5d481648fd8aa88cdda534ab6b75e988


  • Detection Rate: 44/56
  • Analyzed on 2016-03-20
  • Compilation Date: 2011-10-14 19:35:33

Lab 17-3
Analyze the malware Lab17-03.exe inside VMware. This lab is similar to
Lab12-02.exe, with added anti-VMware techniques.
1. What happens when you run this malware in a virtual machine?

The malware terminates.

2. How could you get this malware to run and drop its keylogger?

We can patch the conditional jump instructions at the following addresses:

  1. 0x004019A1
  2. 0x004019C0
  3. 0x00401A2F
  4. 0x00401467

3. Which anti-VM techniques does this malware use?

@00401A80: I/O communication port

Figure 1. Backdoor I/O comm port

@004011C0: checking the registry key SYSTEM\CurrentControlSet\Control\DeviceClasses\vmware

Figure 2. Checking the VMware registry key

@00401670: checking the MAC address

Figure 3. Checking the MAC address

@00401130: checking for a VMware process name (hash of the first 6 characters)

Figure 4. Checking the VMware process name hash


4. What system changes could you make to permanently avoid the anti-VM
techniques used by this malware?

  1. Patch the binary
  2. Change the MAC address
  3. Remove VMware Tools
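As an added example (not part of this write-up or the lab binary), here is a Python pre-flight audit for an analysis VM that reports which of the three host-side artifacts above are visible: the DeviceClasses\vmware registry key, a NIC with a VMware OUI, and process names beginning with "vmware" (the six characters the sample hashes). Running it before and after making the changes from question 4 confirms that the new MAC address and the removal of VMware Tools actually take away what the sample looks for. The OUI list is VMware's registered prefixes (my addition, not something the page states), the function names are my own, and the sample MAC and process list are constructed.

```python
"""Pre-flight audit of an analysis VM for the VMware artifacts Lab17-03.exe checks.

The pure functions take their inputs as arguments so the logic runs offline;
the collectors near the bottom use winreg and tasklist and are Windows-only.
"""
import subprocess
import sys
import uuid

# Registry key the sample tests (from the Lab 17-3 analysis above)
VMWARE_DEVICECLASS_KEY = r"SYSTEM\CurrentControlSet\Control\DeviceClasses\vmware"
# IEEE OUIs registered to VMware, Inc. (well-known values, not taken from the page)
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}
# The sample hashes the first six characters of each process name, i.e. "vmware"
VMWARE_PROCESS_PREFIX = "vmware"


def mac_oui(mac_int: int) -> str:
    """Format the first three octets of a 48-bit MAC as 'xx:xx:xx'."""
    octets = mac_int.to_bytes(6, "big")
    return ":".join(f"{b:02x}" for b in octets[:3])


def is_vmware_mac(mac_int: int) -> bool:
    return mac_oui(mac_int) in VMWARE_OUIS


def vmware_process_names(process_names) -> list:
    """Process names the sample's six-character prefix check would match."""
    return sorted({p for p in process_names if p.lower().startswith(VMWARE_PROCESS_PREFIX)})


def audit(registry_key_present: bool, mac_int: int, process_names) -> dict:
    """Return indicator -> detail for every one of the sample's checks that would fire."""
    findings = {}
    if registry_key_present:
        findings["registry"] = VMWARE_DEVICECLASS_KEY
    if is_vmware_mac(mac_int):
        findings["mac"] = mac_oui(mac_int)
    procs = vmware_process_names(process_names)
    if procs:
        findings["processes"] = procs
    return findings


# --- live collectors (Windows only) ---------------------------------------
def registry_key_exists(subkey: str) -> bool:
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey):
            return True
    except OSError:
        return False


def running_process_names() -> list:
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    return [line.split('","')[0].strip('"') for line in out.splitlines() if line.startswith('"')]


def live_audit() -> dict:
    return audit(registry_key_exists(VMWARE_DEVICECLASS_KEY), uuid.getnode(), running_process_names())


# Constructed sample input standing in for a typical unhardened VMware guest (hypothetical values)
SAMPLE_MAC = 0x000C29A1B2C3
SAMPLE_PROCS = ["explorer.exe", "vmtoolsd.exe", "VMwareUser.exe", "VMwareTray.exe", "procmon.exe"]

if __name__ == "__main__":
    result = live_audit() if sys.platform == "win32" else audit(True, SAMPLE_MAC, SAMPLE_PROCS)
    for indicator, detail in result.items():
        print(f"{indicator}: {detail}")
```

Note that vmtoolsd.exe in the constructed list is not reported: the sample only hashes the first six characters, so it matches VMwareUser.exe and VMwareTray.exe but not vmtoolsd.exe, which is one reason removing VMware Tools entirely, rather than renaming a process, is the dependable fix. The live collectors need winreg and tasklist, so they only run on a Windows guest; elsewhere the script falls back to the constructed input.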

5. How could you patch the binary in OllyDbg to force the anti-VM techniques
to permanently fail?

Change the following in instruction to xor instead

Figure 5. in instruction patch

Change the following instruction to xor instead

Figure 6. Registry check patch

NOP out the call to this subroutine

Figure 7. MAC address patch

Change the hash to AAAAAAAAh so the process name search never matches

Figure 8. Process name hash patch


Tools Used

  1. IDA Pro
  2. Procmon


  1. Lab17-02.dll SHA256: 7f26bcad404867f92ee0f3de9257758132b2ea06884f436e7900e820ddd6646a


  • Detection Rate: 49/56
  • Analyzed on 2016-03-19
  • Compilation Date: 2008-06-09 12:49:29

Lab 17-2
Analyze the malware found in the file Lab17-02.dll inside VMware. After
answering the first question in this lab, try to run the installation exports
using rundll32.exe and monitor them with a tool like procmon. The following
is an example command line for executing the DLL:
rundll32.exe Lab17-02.dll,InstallRT (or InstallSA/InstallSB)
1. What are the exports for this DLL?

Figure 1. Exports

2. What happens after the attempted installation using rundll32.exe?

The DLL gets deleted. A file xinstall.log is dropped, and a file vmselfdel.bat is dropped, executed and subsequently deleted as well. From the log file it appears that the malware detected it was running in a VM and therefore deleted itself.

Figure 2. xinstall.log

3. Which files are created and what do they contain?

Two files are created: xinstall.log and vmselfdel.bat.

vmselfdel.bat can be traced to the subroutine @10005567 using IDA Pro. The purpose of the batch file is to delete the DLL and then itself from the system.

Figure 3. Self delete

4. What method of anti-VM is in use?

Querying the I/O communication port.

VMware uses virtual I/O ports for communication between the virtual
machine and the host operating system to support functionality like copy
and paste between the two systems. The port can be queried and compared
with a magic number to identify the use of VMware.

The success of this technique depends on the x86 in instruction, which
copies data from the I/O port specified by the source operand to a memory
location specified by the destination operand. VMware monitors the use of
the in instruction and captures the I/O destined for the communication
channel port 0x5668 (VX). Therefore, the second operand needs to be loaded
with VX in order to check for VMware, which happens only when the EAX
register is loaded with the magic number 0x564D5868 (VMXh). ECX must be
loaded with a value corresponding to the action you wish to perform on the
port. The value 0xA means “get VMware version type” and 0x14 means “get
the memory size.” Both can be used to detect VMware, but 0xA is more popular
because it may determine the VMware version.

- Referenced from page 375 (Practical Malware Analysis)

Figure 4. Querying I/O comm port

5. How could you force the malware to install during runtime?

  1. Patch the jump condition (3 places need to be patched, since the checkVM subroutine is cross-referenced 3 times)
  2. Patch the in instruction in Figure 4 to nop

Figure 5. Patching

6. How could you permanently disable the anti-VM technique?

Just patch the above and write the changes to disk. Based on Figure 5, we could also patch the string @ offset 10019034 -> 10019248 from [This is DVM]5 to [This is DVM]0 to disable the check.

7. How does each installation export function work?

1. InstallRT

Injects the DLL into either iexplore.exe or a custom process whose name is passed in as an argument.

In brief, the subroutine @1000D847 does the following:

  1. Gets the DLL file name via GetModuleFileNameA
  2. Gets the system directory path via GetSystemDirectoryA
  3. Copies the current DLL into the system directory under the same file name
  4. Gets the PID of a process: either iexplore.exe by default, or a custom process name passed in as an argument
  5. Gains higher privilege by enabling SeDebugPrivilege in its token
  6. Injects the DLL via CreateRemoteThread into the PID retrieved in step 4

Figure 6. InstallRT


2. Install as a service (InstallSA)

In brief, the subroutine @1000D847 does the following:

  1. RegOpenKeyExA – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  2. RegQueryValueExA – netsvcs
  3. Loops through the data to find either Irmon or a custom string passed in as an argument
  4. CreateServiceA – with the service name Irmon or the custom string passed in as an argument
  5. Adds data to HKLM\SYSTEM\ControlSet001\Services\[Irmon | custom]\description
  6. Creates a Parameters key in HKLM\SYSTEM\CurrentControlSet\Services\[Irmon | custom]
  7. Creates a ServiceDll entry in HKLM\SYSTEM\CurrentControlSet\Services\[Irmon | custom] with the path of the DLL as its value
  8. Starts the service
  9. Creates a win.ini file in the Windows directory
  10. Writes a Completed value to SoftWare\MicroSoft\Internet Connection Wizard\ if that key does not exist

Figure 7. InstallSA

3. InstallSB

It first calls subroutine 0x10005A0A to:

  1. Attain higher privileges by adjusting its token to SeDebugPrivilege
  2. Get the Winlogon PID
  3. Get the Windows version to determine which SFC DLL name to use
  4. Use CreateRemoteThread to have the Winlogon process disable file protection via SFC

It then calls the subroutine @0x1000DF22 to:

  1. Query the service configuration of the NtmsSvc service
  2. If the service's dwStartType is > 2, change the service to SERVICE_AUTO_START
  3. Check whether the service is running or paused; if it is, stop the service
  4. Query the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs values
  5. Get the PID of svchost and check whether the malicious module is loaded
  6. Back up c:\windows\system32\ntmssvc.dll to c:\windows\system32\ntmssvc.dll.obak
  7. Copy the current DLL to c:\windows\system32\ntmssvc.dll
  8. If ntmssvc.dll isn't loaded, inject it into svchost
  9. Start the created service
  10. Create a win.ini file in the Windows directory
  11. Write a Completed value to "SoftWare\MicroSoft\Internet Connection Wizard\" if that key does not exist
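Both installation paths above end up in the svchost netsvcs group: InstallSA by adding a new service (Irmon or the custom name) whose ServiceDll points at the dropped DLL, and InstallSB by replacing the file behind the existing NtmsSvc entry. As an added example (my own code, not the write-up's or the sample's), the following Python script records each netsvcs member's expanded ServiceDll path together with the file's SHA-256 and diffs that against a snapshot taken from a clean image, so both an added entry and an in-place replacement show up. The .obak check corresponds to step 6 of InstallSB. The live collector needs winreg and is therefore Windows-only; the baseline and post-install states at the bottom are constructed, with placeholder hashes.

```python
"""Baseline diff of the svchost 'netsvcs' group and each member's ServiceDll.

Records (expanded ServiceDll path, SHA-256 of that file) per group member and
compares a live or saved snapshot against a known-good baseline.
"""
import hashlib
import os
from dataclasses import dataclass

NETSVCS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


@dataclass(frozen=True)
class ServiceDllRecord:
    service: str
    dll_path: str    # ServiceDll with %SystemRoot% and friends expanded
    sha256: str      # hex digest of the file at dll_path, "" if unreadable


def sha256_of(path: str) -> str:
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:
        return ""


def collect_netsvcs_records() -> dict:
    """Live collection from the registry; Windows only (needs winreg)."""
    import winreg
    records = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETSVCS_KEY) as k:
        members, _ = winreg.QueryValueEx(k, "netsvcs")      # REG_MULTI_SZ -> list of str
    for name in members:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                f"{SERVICES_KEY}\\{name}\\Parameters") as p:
                dll, _ = winreg.QueryValueEx(p, "ServiceDll")
        except OSError:
            continue                                          # group member with no service installed
        dll = os.path.expandvars(dll)
        records[name] = ServiceDllRecord(name, dll, sha256_of(dll))
    return records


def diff_against_baseline(baseline: dict, current: dict, existing_files=()) -> list:
    """Return (service, kind, detail) tuples for every deviation from the baseline."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name), current.get(name)
        if before is None:
            findings.append((name, "ADDED", f"new netsvcs member -> {after.dll_path}"))
        elif after is None:
            findings.append((name, "REMOVED", "baseline member no longer present"))
        elif after.dll_path.lower() != before.dll_path.lower():
            findings.append((name, "MOVED", f"{before.dll_path} -> {after.dll_path}"))
        elif after.sha256 != before.sha256:
            findings.append((name, "REPLACED", "ServiceDll file contents changed in place"))
    # InstallSB leaves the original beside the replacement as <dll>.obak
    for name, rec in sorted(current.items()):
        if rec.dll_path + ".obak" in existing_files:
            findings.append((name, "BACKUP", f"{rec.dll_path}.obak present beside ServiceDll"))
    return findings


# Constructed sample states (hashes are placeholders, not real file digests)
BASELINE = {
    "Browser": ServiceDllRecord("Browser", r"C:\WINDOWS\system32\browser.dll", "b" * 64),
    "NtmsSvc": ServiceDllRecord("NtmsSvc", r"C:\WINDOWS\system32\ntmssvc.dll", "a" * 64),
}
AFTER_INSTALL = {
    "Browser": BASELINE["Browser"],
    "NtmsSvc": ServiceDllRecord("NtmsSvc", r"C:\WINDOWS\system32\ntmssvc.dll", "c" * 64),  # InstallSB swap
    "Irmon": ServiceDllRecord("Irmon", r"C:\WINDOWS\system32\Lab17-02.dll", "d" * 64),     # InstallSA add
}
FILES_AFTER = {r"C:\WINDOWS\system32\ntmssvc.dll.obak"}


def demo() -> list:
    return diff_against_baseline(BASELINE, AFTER_INSTALL, FILES_AFTER)


if __name__ == "__main__":
    for service, kind, detail in demo():
        print(f"[{kind:<8}] {service}: {detail}")
```

On a real guest, call collect_netsvcs_records() on the clean snapshot, serialize it, and diff the post-run collection against it; the path comparison catches InstallSA-style additions and the hash comparison catches the ntmssvc.dll swap even though the registry looks unchanged.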


Tools Used

  1. IDA Pro


  1. Lab17-01.exe SHA256: 14c0c9bef6830d139c36c1cea8f0ef1010e49373aad52c55f167e677ce4c6bd5


  • Detection Rate: 19/56
  • Analyzed on 2016-03-19
  • Compilation Date: 2011-10-23 03:37:19

Lab 17-1
Analyze the malware found in Lab17-01.exe inside VMware. This is the same
malware as Lab07-01.exe, with added anti-VMware techniques.
NOTE The anti-VM techniques found in this lab may not work in your environment.
1. What anti-VM techniques does this malware use?

The malware uses the vulnerable instructions sidt, sldt and str.

Figure 1. sidt instruction

The malware issues the sidt instruction as shown above, which stores the contents of the IDTR at the memory location pointed to by var_428. The IDTR is 6 bytes, and the fifth byte offset contains the start of the base memory address. That fifth byte is compared to 0xFF, the VMware signature. We can see that var_428+2 is set to var_420. Later on in the opcodes we can observe that var_420 is shifted right by 3 bytes, so that it points to the 5th byte.

2. If you have the commercial version of IDA Pro, run the IDA Python
script from Listing 17-4 in Chapter 17 (provided here as
What does it find?

Figure 2. Three anti-VM instructions found
  1. 00401121 – sldt
  2. 004011b5 – sidt
  3. 00401204 – str
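The I/O port query described in Lab 17-2 question 4 and in Lab 17-3 above, and the sidt/sldt/str instructions found here, all have fixed encodings, so a static scan can find them in a dropped binary without running it. As an added example, here is a stand-alone Python byte scanner (my own code, not Listing 17-4 from the book and not anything from this write-up) that flags the 0F 01 /r and 0F 00 /r descriptor-table instructions, cpuid, and the mov eax, 564D5868h / mov edx, 5668h / in eax, dx backdoor sequence, reporting in only when one of the VMware constants was loaded just before it. It also decodes the 6-byte IDTR image to show which byte the Lab 17-1 comparison against 0xFF uses. The opcode table is mine, and the sample code and IDTR bytes are constructed, not taken from the lab samples.

```python
"""Byte-level scan of x86 code for the anti-VM instructions covered in these labs.

This is a linear byte sweep, not a disassembler, so treat hits as leads to
confirm in IDA Pro or OllyDbg.
"""
import struct
from dataclasses import dataclass

VMWARE_MAGIC = 0x564D5868   # 'VMXh', loaded into EAX before the port query
VMWARE_PORT = 0x5668        # 'VX', loaded into DX
BACKDOOR_WINDOW = 32        # max bytes between a constant load and the in instruction

# The reg field (bits 3..5) of the ModRM byte selects the instruction in these groups
GROUP_0F01 = {0: "sgdt", 1: "sidt", 4: "smsw"}
GROUP_0F00 = {0: "sldt", 1: "str"}


@dataclass(frozen=True)
class Hit:
    offset: int
    mnemonic: str
    note: str


def scan_anti_vm(code: bytes) -> list:
    """Return Hit records in file order."""
    hits = []
    last_const = None                     # offset of the latest VMware constant load
    i, n = 0, len(code)
    while i < n:
        b = code[i]
        if b == 0x0F and i + 2 < n:
            op2, modrm = code[i + 1], code[i + 2]
            reg, mod = (modrm >> 3) & 7, modrm >> 6
            if op2 == 0x01 and reg in GROUP_0F01 and (mod != 3 or reg == 4):
                hits.append(Hit(i, GROUP_0F01[reg], "descriptor-table register read"))
            elif op2 == 0x00 and reg in GROUP_0F00:
                hits.append(Hit(i, GROUP_0F00[reg], "LDTR/TR read"))
            elif op2 == 0xA2:
                hits.append(Hit(i, "cpuid", "hypervisor bit / vendor string query"))
        elif b in (0xB8, 0xBA) and i + 4 < n:          # mov eax, imm32 / mov edx, imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            if imm in (VMWARE_MAGIC, VMWARE_PORT):
                last_const = i
                hits.append(Hit(i, "mov", f"VMware constant 0x{imm:08X}"))
                i += 5                                  # step over the immediate bytes
                continue
        elif b == 0xED and last_const is not None and i - last_const <= BACKDOOR_WINDOW:
            hits.append(Hit(i, "in", "in eax, dx after a VMware constant (backdoor port query)"))
        i += 1
    return hits


def idtr_base_high_byte(idtr: bytes) -> int:
    """sidt writes a 16-bit limit followed by a 32-bit base; the top byte of the
    base (byte 5 of the image) is what Lab17-01 compares against 0xFF."""
    _limit, base = struct.unpack("<HI", idtr[:6])
    return base >> 24


def scan_file(path: str) -> list:
    with open(path, "rb") as f:
        return scan_anti_vm(f.read())


# Constructed code bytes modelled on the listings in these labs (not bytes from the samples)
SAMPLE_CODE = bytes([
    0x0F, 0x01, 0x8D, 0xD8, 0xFB, 0xFF, 0xFF,   # sidt [ebp-428h]
    0x0F, 0x00, 0x85, 0xE0, 0xFB, 0xFF, 0xFF,   # sldt [ebp-420h]
    0x0F, 0x00, 0x8D, 0xE8, 0xFB, 0xFF, 0xFF,   # str  [ebp-418h]
    0xB8, 0x68, 0x58, 0x4D, 0x56,               # mov eax, 564D5868h ('VMXh')
    0xBB, 0x00, 0x00, 0x00, 0x00,               # mov ebx, 0
    0xB9, 0x0A, 0x00, 0x00, 0x00,               # mov ecx, 0Ah (get VMware version)
    0xBA, 0x68, 0x56, 0x00, 0x00,               # mov edx, 5668h ('VX')
    0xED,                                       # in eax, dx
    0x81, 0xFB, 0x68, 0x58, 0x4D, 0x56,         # cmp ebx, 564D5868h
    0xC3,                                       # retn
])
# Constructed IDTR image with base 0xFFC18000, the kind of value a VMware guest returns
SAMPLE_IDTR = struct.pack("<HI", 0x07FF, 0xFFC18000)

if __name__ == "__main__":
    import sys
    for h in scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_anti_vm(SAMPLE_CODE):
        print(f"0x{h.offset:08x}  {h.mnemonic:<6} {h.note}")
    print(f"IDTR base high byte: 0x{idtr_base_high_byte(SAMPLE_IDTR):02X}")
```

Because it sweeps bytes rather than following instruction boundaries, data or the tail of one instruction can look like an opcode; that is why a bare 0xED is ignored unless a VMware constant precedes it within 32 bytes, and why each hit should be confirmed at that offset in IDA Pro before patching anything.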

3. What happens when each anti-VM technique succeeds?

  1. 00401121 – sldt: the service is created but the thread to open the URL is not, and the program terminates
  2. 004011b5 – sidt: subroutine 0x401000 is invoked and the program is deleted
  3. 00401204 – str: subroutine 0x401000 is invoked and the program is deleted

4. Which of these anti-VM techniques work against your virtual machine?


5. Why does each anti-VM technique work or fail?

It depends on the hardware and the VMware version used.

6. How could you disable these anti-VM techniques and get the malware
to run?

  1. NOP out the instruction
  2. Patch the jmp instruction

Hacky Easter 2016

I've been playing the HackyEaster CTF recently and completed all the challenges. It was fun =). Try it if you have the time =D

Challenge 19 is a binary problem. Try it to test your debugging skills.

Figure 1. Me at the top of the list…

I was not the first to complete all the challenges, but the system decided to put me at the top of the score list. =D
