Tools Used

  1. IDA Pro
  2. Procmon

  1. Lab17-02.dll SHA256: 7f26bcad404867f92ee0f3de9257758132b2ea06884f436e7900e820ddd6646a

  • Detection Rate: 49/56
  • Analyzed on 2016-03-19
  • Compilation Date: 2008-06-09 12:49:29

Lab 17-2
Analyze the malware found in the file Lab17-02.dll inside VMware. After
answering the first question in this lab, try to run the installation exports
using rundll32.exe and monitor them with a tool like procmon. The following
is an example command line for executing the DLL:
rundll32.exe Lab17-02.dll,InstallRT (or InstallSA/InstallSB)
1. What are the exports for this DLL?

Figure 1. Exports

2. What happens after the attempted installation using rundll32.exe?

The DLL gets deleted. A file named xinstall.log was dropped. A vmselfdel.bat file was also dropped, executed, and subsequently deleted. From the log file that was created, it appears the malware detected that it was running in a VM and therefore deleted itself.

Figure 2. xinstall.log

3. Which files are created and what do they contain?

Two files are created: xinstall.log and vmselfdel.bat.

vmselfdel.bat can be traced to the subroutine @10005567 using IDA Pro. Needless to say, the purpose of the batch file is to delete the DLL and itself from the system.

Figure 3. self delete

4. What method of anti-VM is in use?

Querying the I/O communication port.

VMware uses virtual I/O ports for communication between the virtual
machine and the host operating system to support functionality like copy
and paste between the two systems. The port can be queried and compared
with a magic number to identify the use of VMware.

The success of this technique depends on the x86 in instruction, which
copies data from the I/O port specified by the source operand to a memory
location specified by the destination operand. VMware monitors the use of
the in instruction and captures the I/O destined for the communication
channel port 0x5668 (VX). Therefore, the second operand needs to be loaded
with VX in order to check for VMware, which happens only when the EAX
register is loaded with the magic number 0x564D5868 (VMXh). ECX must be
loaded with a value corresponding to the action you wish to perform on the
port. The value 0xA means “get VMware version type” and 0x14 means “get
the memory size.” Both can be used to detect VMware, but 0xA is more popular
because it may determine the VMware version.

- Referenced from page 375 of Practical Malware Analysis

Figure 4. Querying I/O comm port

5. How could you force the malware to install during runtime?

  1. Patch the jump condition (three places need patching, since the checkVM subroutine is cross-referenced three times)
  2. Patch the in instruction in Figure 4 to nop

Figure 5. patching

6. How could you permanently disable the anti-VM technique?

Just apply the patches above and write the changes to disk. Based on Figure 5, we could also patch the string @ offset 10019034 -> 10019248 from [This is DVM]5 to [This is DVM]0 to disable the check.
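As an added example (not code from the writeup or from the lab binary), the script below scans a code buffer for the mov eax, VMXh / mov edx, VX / in eax, dx sequence described in question 4, reports the ECX command selector it finds, and applies the in-to-nop patch from question 5 to a copy. The sample bytes it scans are constructed here as a stand-in for a checkVM routine, not extracted from Lab17-02.dll.

```python
import re

# VMware backdoor constants from question 4 of the writeup
VMX_MAGIC = 0x564D5868   # 'VMXh', expected in EAX
VMX_PORT = 0x5668        # 'VX', expected in DX
CMD_GET_VERSION = 0x0A   # ECX: get VMware version type
# x86 encodings: B8 imm32 = mov eax ; B9 imm32 = mov ecx ; BA imm32 = mov edx ; ED = in eax, dx ; 90 = nop
MOV_EAX_MAGIC = b"\xB8" + VMX_MAGIC.to_bytes(4, "little")
MOV_EDX_PORT = b"\xBA" + VMX_PORT.to_bytes(4, "little")
IN_EAX_DX, NOP = 0xED, 0x90

def find_vmware_backdoor(code: bytes, window: int = 32) -> list:
    """Find 'mov eax, VMXh' followed within `window` bytes by 'mov edx, VX' and then 'in eax, dx'.
    Each hit records the magic-load offset, the in-instruction offset and the ECX command
    (heuristic: the first 'mov ecx, imm32' seen in the window, or None)."""
    hits = []
    for m in re.finditer(re.escape(MOV_EAX_MAGIC), code):
        start = m.start()
        region = code[start:start + window]
        port_rel = region.find(MOV_EDX_PORT)
        if port_rel == -1:
            continue
        in_rel = region.find(bytes([IN_EAX_DX]), port_rel + len(MOV_EDX_PORT))
        if in_rel == -1:
            continue
        ecx_rel = region.find(b"\xB9")
        cmd = int.from_bytes(region[ecx_rel + 1:ecx_rel + 5], "little") if 0 <= ecx_rel <= len(region) - 5 else None
        hits.append({"magic_off": start, "in_off": start + in_rel, "cmd": cmd})
    return hits

def neutralize_in(code: bytes, hits: list) -> bytes:
    """Return a copy with each located 'in eax, dx' replaced by nop (the question 5 patch)."""
    buf = bytearray(code)
    for h in hits:
        if buf[h["in_off"]] != IN_EAX_DX:
            raise ValueError(f"no in instruction at offset {h['in_off']:#x}")
        buf[h["in_off"]] = NOP
    return bytes(buf)

# Constructed stand-in for a checkVM routine; these are NOT bytes from Lab17-02.dll.
SAMPLE = (
    b"\x55\x8B\xEC"                                    # push ebp ; mov ebp, esp
    + MOV_EAX_MAGIC                                    # mov eax, 564D5868h
    + b"\xBB\x00\x00\x00\x00"                          # mov ebx, 0
    + b"\xB9" + CMD_GET_VERSION.to_bytes(4, "little")  # mov ecx, 0Ah
    + MOV_EDX_PORT                                     # mov edx, 5668h
    + bytes([IN_EAX_DX])                               # in eax, dx
    + b"\x81\xFB" + VMX_MAGIC.to_bytes(4, "little")    # cmp ebx, 564D5868h
    + b"\x75\x02\xC9\xC3"                              # jnz short ; leave ; ret
)
```

Calling find_vmware_backdoor(SAMPLE) locates the single check in the constructed routine, and scanning neutralize_in(SAMPLE, hits) afterwards returns no hits because the in instruction is gone.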

7. How does each installation export function work?

1. InstallRT

Injects the DLL into either iexplore.exe or a custom process whose name is passed in as an argument.

In brief, the subroutine @1000D847 will do the following:

  1. Get the DLL filename via GetModuleFileNameA
  2. Get the System directory path via GetSystemDirectoryA
  3. Copy the current DLL into the system directory with the same file name
  4. Get the PID of a process: either iexplore.exe by default or a custom process name passed in as an argument
  5. Gain higher privilege by adjusting the token to enable SeDebugPrivilege
  6. Inject the DLL via CreateRemoteThread into the PID retrieved in step 4

Figure 6. InstallRT


2. InstallSA (Install as a Service)

In brief, the subroutine @1000D847 will do the following:

  1. RegOpenKeyExA – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  2. RegQueryValueExA – netsvcs
  3. Loop through the data to find either Irmon or a custom string passed in as an argument
  4. CreateServiceA – with the service name Irmon or a custom string passed in as an argument
  5. Add data to HKLM\SYSTEM\ControlSet001\Services\[Irmon | custom]\description
  6. Create a parameter key in HKLM\SYSTEM\CurrentControlSet\Services\[Irmon | custom]
  7. Create a ServiceDll key in HKLM\SYSTEM\CurrentControlSet\Services\[Irmon | custom] with the path of the DLL as the value
  8. Start the service
  9. Create a win.ini file in the Windows directory
  10. Write a Completed key to SoftWare\MicroSoft\Internet Connection Wizard\ if SoftWare\MicroSoft\Internet Connection Wizard\ does not already exist

Figure 7. InstallSA

3. InstallSB

It first calls subroutine 0x10005A0A to:

  1. Attain higher privileges by adjusting the token to enable SeDebugPrivilege
  2. Get the WinLogon PID
  3. Get the Windows version to determine which sfc DLL name to use
  4. Use CreateRemoteThread to make the Winlogon process disable file protection via sfc

It then calls the subroutine @0x1000DF22 to:

  1. Query the service config of the NtmsSvc service
  2. If the service dwStartType is > 2, change the service to SERVICE_AUTO_START
  3. Check whether the service is running or paused; if it is in either state, stop the service
  4. Query the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\Netsvc values
  5. Get the PID of svchost and check whether the malicious module is loaded
  6. Back up c:\windows\system32\ntmssvc.dll to c:\windows\system32\ntmssvc.dll.obak
  7. Copy the current DLL to c:\windows\system32\ntmssvc.dll
  8. If ntmssvc.dll isn't loaded, inject it into svchost
  9. Start the created service
  10. Create a win.ini file in the Windows directory
  11. Write a Completed key to "SoftWare\MicroSoft\Internet Connection Wizard\" if "SoftWare\MicroSoft\Internet Connection Wizard\" does not already exist
