Tools Used

  1. IDA Pro


  1. Lab17-01.exe SHA256: 14c0c9bef6830d139c36c1cea8f0ef1010e49373aad52c55f167e677ce4c6bd5


  • Detection Rate: 19/56
  • Analyzed on 2016-03-19
  • Compilation Date: 2011-10-23 03:37:19
  • View report here

Lab 17-1
Analyze the malware found in Lab17-01.exe inside VMware. This is the same
malware as Lab07-01.exe, with added anti-VMware techniques.
NOTE The anti-VM techniques found in this lab may not work in your environment.
1. What anti-VM techniques does this malware use?

The malware uses the vulnerable instructions sidt, sldt and str.

Figure 1. sidt instruction

The malware issues the sidt instruction as shown above, which stores the contents
of the IDTR into the memory location pointed to by var_428. The IDTR is 6 bytes,
and the fifth byte offset contains the start of the base memory address. That
fifth byte is compared to 0xFF, the VMware signature. We can see that the dword at var_428+2 is copied to var_420. Later in the code, var_420 is shifted right by 3 bytes (24 bits), which leaves that fifth byte in the low byte of the register for the comparison.

2. If you have the commercial version of IDA Pro, run the IDA Python
script from Listing 17-4 in Chapter 17 (provided here as
What does it find?

Figure 2. Three anti-VM instructions found
  1. 00401121 – sldt
  2. 004011b5 – sidt
  3. 00401204 – str
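As an added example (not code from the original write-up, and not the book's Listing 17-4), the following Python reproduces both checks discussed above: the Red Pill test on a 6-byte IDTR image as saved by sidt, and a byte-pattern search for the sidt/sldt/str encodings that the IDA Python script finds through disassembly. The IDTR images, code bytes and the 0x401000 image base are constructed for illustration and are not taken from Lab17-01.exe; the scan is a raw opcode search, so unlike IDA it does not know instruction boundaries and can misfire on data bytes.

```python
import struct
from dataclasses import dataclass
from typing import List

IDTR_SIZE = 6  # 32-bit IDTR image: 2-byte limit followed by a 4-byte linear base


def idt_base_high_byte(idtr: bytes) -> int:
    """Return the most significant byte of the IDT base from a 6-byte sidt image.

    sidt writes the limit (bytes 0-1) and then the base (bytes 2-5, little
    endian), so the top byte of the base is idtr[5]. The lab code loads the
    dword at var_428+2 and shifts it right by 24 bits, which yields the same byte.
    """
    if len(idtr) < IDTR_SIZE:
        raise ValueError("need at least 6 bytes written by sidt")
    _limit, base = struct.unpack_from("<HI", idtr, 0)
    via_shift = base >> 24
    assert via_shift == idtr[5]  # the shift and the direct offset agree
    return via_shift


def redpill_says_vmware(idtr: bytes) -> bool:
    """Red Pill heuristic: an IDT base whose top byte is 0xFF is treated as VMware."""
    return idt_base_high_byte(idtr) == 0xFF


# Constructed IDTR images (not dumped from a real machine). Note that byte 0
# is also 0xFF in both: it is the low byte of the limit, not the byte compared.
IDTR_NATIVE = bytes.fromhex("FF07 00F40380")  # limit 0x07FF, base 0x8003F400
IDTR_VMWARE = bytes.fromhex("FF07 0080C1FF")  # limit 0x07FF, base 0xFFC18000


@dataclass(frozen=True)
class Hit:
    address: int
    mnemonic: str


def scan_anti_vm_opcodes(code: bytes, image_base: int = 0x401000) -> List[Hit]:
    """Find encodings of sldt (0F 00 /0), str (0F 00 /1) and sidt (0F 01 /1).

    The /digit is the reg field of the ModRM byte. sidt must take a memory
    operand: with mod == 11 the 0F 01 opcode group encodes unrelated
    instructions (e.g. xgetbv), so those are skipped.
    """
    hits: List[Hit] = []
    for i in range(len(code) - 2):
        if code[i] != 0x0F or code[i + 1] not in (0x00, 0x01):
            continue
        modrm = code[i + 2]
        mod, reg = modrm >> 6, (modrm >> 3) & 7
        if code[i + 1] == 0x00 and reg == 0:
            hits.append(Hit(image_base + i, "sldt"))
        elif code[i + 1] == 0x00 and reg == 1:
            hits.append(Hit(image_base + i, "str"))
        elif code[i + 1] == 0x01 and reg == 1 and mod != 3:
            hits.append(Hit(image_base + i, "sidt"))
    return hits


# Constructed code bytes laid out like the lab's sidt check; not Lab17-01.exe.
SAMPLE_CODE = bytes.fromhex(
    "55 8BEC 81EC28040000"   # push ebp; mov ebp,esp; sub esp,428h
    "0F018DD8FBFFFF"         # sidt fword ptr [ebp-428h]
    "8B85E0FBFFFF"           # mov eax,[ebp-420h]
    "C1E818"                 # shr eax,18h  (24 bits: top byte of the base)
    "3CFF"                   # cmp al,0FFh
    "0F0045FC"               # sldt word ptr [ebp-4]
    "0F00C8"                 # str ax
    "0F01D0"                 # xgetbv: 0F 01 with mod=11, must not be reported
    "0F0100"                 # sgdt [eax]: /0, must not be reported
    "C3"                     # ret
)

if __name__ == "__main__":
    for name, img in (("native", IDTR_NATIVE), ("vmware", IDTR_VMWARE)):
        print(f"{name}: base high byte 0x{idt_base_high_byte(img):02X}, "
              f"VMware? {redpill_says_vmware(img)}")
    for h in scan_anti_vm_opcodes(SAMPLE_CODE):
        print(f"{h.address:08x} - {h.mnemonic}")
```

Running the script reports the constructed VMware image as flagged and the native one as clean, and lists the sidt, sldt and str hits in the same "address - mnemonic" form as the figure above, while the xgetbv and sgdt decoys are ignored.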

3. What happens when each anti-VM technique succeeds?

  1. 00401121 – sldt; the service is created, but the thread that opens the URL is not, and the program terminates.
  2. 004011b5 – sidt; subroutine 0x401000 is invoked, which deletes the program.
  3. 00401204 – str; subroutine 0x401000 is invoked, which deletes the program.

4. Which of these anti-VM techniques work against your virtual machine?


5. Why does each anti-VM technique work or fail?

It depends on the hardware and the VMware version used.

6. How could you disable these anti-VM techniques and get the malware
to run?

  1. NOP out the instruction
  2. patch the jump instruction that follows the check
