- IDA Pro
- Lab17-01.exe SHA256: 14c0c9bef6830d139c36c1cea8f0ef1010e49373aad52c55f167e677ce4c6bd5
- Detection Rate: 19/56
- Analyzed on 2016-03-19
- Compilation Date: 2011-10-23 03:37:19
Analyze the malware found in Lab17-01.exe inside VMware. This is the same
malware as Lab07-01.exe, with added anti-VMware techniques.
NOTE The anti-VM techniques found in this lab may not work in your environment.
1. What anti-VM techniques does this malware use?
The malware uses the so-called vulnerable instructions sidt, sldt and str, unprivileged instructions that reveal system state the hypervisor must fake.
The malware issues the sidt instruction, which stores the contents of the IDTR into the memory location pointed to by var_428. The IDTR image is 6 bytes, and the byte at offset 5 holds the most significant byte of the IDT base address. That byte is compared to 0xFF, the VMware signature. In the disassembly the dword at var_428+2 is copied into var_420; later var_420 is shifted right by 3 bytes (24 bits), which leaves exactly the byte at offset 5 for the comparison.
2. If you have the commercial version of IDA Pro, run the IDA Python
script from Listing 17-4 in Chapter 17 (provided here as findAntiVM.py).
What does it find?
- 00401121 – sldt
- 004011b5 – sidt
- 00401204 – str
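As an added example (not the lab's code and not the book's findAntiVM.py), a stand-alone Python scan for the opcode patterns of sldt, str, sgdt and sidt, plus the same byte-5 test the malware applies to the SIDT result; the sample code bytes and IDTR values are constructed, and the scan is a raw opcode match rather than a real disassembly.

```python
import struct
from typing import List, Tuple

# Two-byte opcodes 0F 00 / 0F 01; the ModRM reg field selects the mnemonic.
_TABLE = {(0x00, 0): "sldt", (0x00, 1): "str", (0x01, 0): "sgdt", (0x01, 1): "sidt"}


def find_anti_vm(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Return (address, mnemonic) for each candidate sldt/str/sgdt/sidt.

    x86 is variable-length, so a hit may fall inside another instruction's
    operand; confirm each address in a disassembler before patching.
    """
    hits = []
    for i in range(len(code) - 2):
        if code[i] != 0x0F or code[i + 1] not in (0x00, 0x01):
            continue
        modrm = code[i + 2]
        name = _TABLE.get((code[i + 1], (modrm >> 3) & 7))
        # sgdt/sidt have no register form: mod == 3 under 0F 01 is something
        # else (0F 01 C1 is vmcall), so skip it. sldt/str do allow mod == 3.
        if name is None or (code[i + 1] == 0x01 and (modrm >> 6) == 3):
            continue
        hits.append((base + i, name))
    return hits


def idtr_base_high_byte(idtr: bytes) -> int:
    """Mirror the lab's check on a 6-byte SIDT image (2-byte limit, 4-byte base)."""
    if len(idtr) != 6:
        raise ValueError("IDTR image must be 6 bytes")
    base_dword = struct.unpack_from("<I", idtr, 2)[0]  # var_420 = dword at var_428+2
    return base_dword >> 24                             # shr by 3 bytes -> byte at offset 5


def looks_like_vmware_idt(idtr: bytes) -> bool:
    return idtr_base_high_byte(idtr) == 0xFF            # 0xFF is the VMware signature


# Constructed code fragment (not from Lab17-01.exe) for exercising the scan.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,             # push ebp; mov ebp, esp
    0x0F, 0x00, 0x45, 0xF0,       # sldt word ptr [ebp-0x10]   (0F 00 /0)
    0x0F, 0x01, 0x4D, 0xF0,       # sidt fword ptr [ebp-0x10]  (0F 01 /1)
    0x0F, 0x00, 0x4D, 0xF0,       # str  word ptr [ebp-0x10]   (0F 00 /1)
    0x0F, 0x01, 0xC1,             # vmcall: reg=0, mod=3, must not be reported
    0xC3,                         # ret
])
VMWARE_IDTR = bytes.fromhex("ff070080c1ff")   # constructed: base 0xFFC18000
NATIVE_IDTR = bytes.fromhex("ff070054b980")   # constructed: base 0x80B95400
```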
3. What happens when each anti-VM technique succeeds?
- 00401121 – sldt; the service is created, but the thread that opens the URL is not, and the program terminates.
- 004011b5 – sidt; the subroutine at 0x401000 is invoked and the program deletes itself.
- 00401204 – str; the subroutine at 0x401000 is invoked and the program deletes itself.
4. Which of these anti-VM techniques work against your virtual machine?
5. Why does each anti-VM technique work or fail?
It depends on the hardware and the VMware version used.
6. How could you disable these anti-VM techniques and get the malware
- NOP out the instruction
- patch the conditional jmp that follows the comparison