Analyze the malware Lab17-03.exe inside VMware. This lab is similar to
Lab12-02.exe, with added anti-VMware techniques.
1. What happens when you run this malware in a virtual machine?
The malware terminates.
2. How could you get this malware to run and drop its keylogger?
We can patch the jump instructions at the following address
3. Which anti-VM techniques does this malware use?
Analyze the malware found in the file Lab17-02.dll inside VMware. After
answering the first question in this lab, try to run the installation exports
using rundll32.exe and monitor them with a tool like procmon. The following
is an example command line for executing the DLL:
rundll32.exe Lab17-02.dll,InstallRT (or InstallSA/InstallSB)
1. What are the exports for this DLL?
2. What happens after the attempted installation using rundll32.exe?
The DLL gets deleted. A file xinstall.log was dropped. A vmselfdel.bat file was dropped, executed and subsequently deleted as well. From the log file created, it seems that the malware detected that it is running in a VM and therefore deleted itself.
3. Which files are created and what do they contain?
Two files are created: xinstall.log and vmselfdel.bat.
vmselfdel.bat can be traced to the subroutine @10005567 using IDA Pro. Needless to say, the purpose of the batch file is to delete the DLL and itself from the system.
4. What method of anti-VM is in use?
Querying the I/O communication port.
VMware uses virtual I/O ports for communication between the virtual
machine and the host operating system to support functionality like copy
and paste between the two systems. The port can be queried and compared
with a magic number to identify the use of VMware.
The success of this technique depends on the x86 in instruction, which
copies data from the I/O port specified by the source operand to a memory
location specified by the destination operand. VMware monitors the use of
the in instruction and captures the I/O destined for the communication
channel port 0x5668 (VX). Therefore, the second operand needs to be loaded
with VX in order to check for VMware, which happens only when the EAX
register is loaded with the magic number 0x564D5868 (VMXh). ECX must be
loaded with a value corresponding to the action you wish to perform on the
port. The value 0xA means "get VMware version type" and 0x14 means "get the
memory size." Both can be used to detect VMware, but 0xA is more popular
because it may determine the VMware version.
Referenced from page 375 of Practical Malware Analysis.
5. How could you force the malware to install during runtime?
Patch the jump condition (three places need patching, since the checkVM subroutine is cross-referenced three times).
Patch the in instruction shown in Figure 4 to nop.
6. How could you permanently disable the anti-VM technique?
Just apply the patches above and write the changes to disk. Based on Figure 5, we could also patch the string @ offset 10019034 -> 10019248 from [This is DVM]5 to [This is DVM]0 to disable the check.
7. How does each installation export function work?
It injects the DLL into either iexplore.exe or a custom process whose name is passed in as an argument.
In brief, the subroutine @1000D847 does the following:
Analyze the malware found in Lab17-01.exe inside VMware. This is the same
malware as Lab07-01.exe, with added anti-VMware techniques.
NOTE The anti-VM techniques found in this lab may not work in your environment.
1. What anti-VM techniques does this malware use?
The malware uses the vulnerable instructions sidt, sldt and str.
The malware issues the sidt instruction as shown above, which stores the contents
of IDTR into the memory location pointed to by var_428. The IDTR is 6 bytes,
and the fifth byte offset contains the start of the base memory address. That
fifth byte is compared to 0xFF, the VMware signature. We can see that var_428+2
is set to var_420. Later on in the opcodes we can observe that var_420 is shifted
right by 3 bytes, thus pointing it to the fifth byte.
2. If you have the commercial version of IDA Pro, run the IDA Python
script from Listing 17-4 in Chapter 17 (provided here as findAntiVM.py).
What does it find?
00401121 – sldt
004011b5 – sidt
00401204 – str
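As an added example (not from the lab, the book, or the findAntiVM.py script), the following Python scanner looks for the same byte patterns the Listing 17-4 script reports above (sidt, sgdt, sldt, str, smsw) and for the VMware I/O backdoor described under Lab17-02 question 4: an in eax,dx whose preceding bytes load the 0x564D5868 (VMXh) magic. The input bytes are constructed for this demonstration; on a real sample you would feed it the .text section and confirm each hit in a disassembler, since raw byte matching can fire on data.

```python
"""Byte-pattern scanner for the anti-VM instructions used in the Chapter 17
labs.  Heuristic only: verify every hit in IDA Pro or another disassembler."""
from typing import List, Tuple

# 0x564D5868 ("VMXh") as it is stored inside a mov eax, imm32 instruction
VMX_MAGIC = (0x564D5868).to_bytes(4, "little")

# 0F 01 /reg and 0F 00 /reg families; reg is bits 3..5 of the ModR/M byte
TWO_BYTE = {0x01: {0: "sgdt", 1: "sidt", 4: "smsw"},
            0x00: {0: "sldt", 1: "str"}}

def scan(code: bytes, window: int = 32) -> List[Tuple[int, str]]:
    """Return (offset, mnemonic) pairs for suspicious instructions in code."""
    hits = []
    for i in range(len(code) - 2):
        if code[i] == 0x0F and code[i + 1] in TWO_BYTE:
            modrm = code[i + 2]
            reg, mod = (modrm >> 3) & 7, modrm >> 6
            name = TWO_BYTE[code[i + 1]].get(reg)
            # sidt/sgdt only exist with a memory operand (mod != 3)
            if name and not (code[i + 1] == 0x01 and reg in (0, 1) and mod == 3):
                hits.append((i, name))
    # in al,dx (EC) / in eax,dx (ED) are single bytes, so only report them
    # when the VMware magic was loaded within the preceding window
    for i, b in enumerate(code):
        if b in (0xEC, 0xED) and VMX_MAGIC in code[max(0, i - window):i]:
            hits.append((i, "in (VMware backdoor)"))
    return sorted(hits)

# Constructed sample fragment, not bytes from any lab binary
SAMPLE = bytes.fromhex(
    "ED"              # offset 0: lone in eax,dx with no magic nearby -> ignored
    "9090"
    "0F018DD8FBFFFF"  # offset 3: sidt [ebp-428h]   (Lab17-01 style check)
    "0F0045F8"        # offset 10: sldt [ebp-8]
    "0F004DF0"        # offset 14: str  [ebp-10h]
    "B868584D56"      # offset 18: mov eax, 564D5868h ("VMXh")
    "B90A000000"      # offset 23: mov ecx, 0Ah (get VMware version)
    "ED"              # offset 28: in eax, dx -> VMware backdoor query
)

def report(code: bytes, base: int = 0x401000) -> List[str]:
    """Format hits like the findAntiVM.py output: '00401121 - sldt'."""
    return [f"{base + off:08x} - {name}" for off, name in scan(code)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```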
3. What happens when each anti-VM technique succeeds?
00401121 – sldt: the service is created, but the thread to OpenURL is not created and the program terminates.
004011b5 – sidt: subroutine 0x401000 is invoked and the program is deleted.
00401204 – str: subroutine 0x401000 is invoked and the program is deleted.
4. Which of these anti-VM techniques work against your virtual machine?
5. Why does each anti-VM technique work or fail?
It depends on the hardware and the VMware version used.
6. How could you disable these anti-VM techniques and get the malware