Книга: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Назад: Conclusion
Дальше: 18. Packers and Unpacking

in (provided here as findAntiVM.py). What does it find?

Q:

3. What happens when each anti-VM technique succeeds?

Q:

4. Which of these anti-VM techniques work against your virtual machine?

Q:

5. Why does each anti-VM technique work or fail?

Q:

6. How could you disable these anti-VM techniques and get the malware to run?

Analyze the malware found in the file Lab17-02.dll inside VMware. After answering the first question in this lab, try to run the installation exports using rundll32.exe and monitor them with a tool like procmon. The following is an example command line for executing the DLL:

rundll32.exe Lab17-02.dll,InstallRT (or InstallSA/InstallSB)

Q:

1. What are the exports for this DLL?

Q:

2. What happens after the attempted installation using rundll32.exe?

Q:

3. Which files are created and what do they contain?

Q:

4. What method of anti-VM is in use?

Q:

5. How could you force the malware to install during runtime?

Q:

6. How could you permanently disable the anti-VM technique?

Q:

7. How does each installation export function work?

Analyze the malware Lab17-03.exe inside VMware. This lab is similar to Lab12-02.exe, with added anti-VMware techniques.

Q:

1. What happens when you run this malware in a virtual machine?

Q:

2. How could you get this malware to run and drop its keylogger?

Q:

3. Which anti-VM techniques does this malware use?

Q:

4. What system changes could you make to permanently avoid the anti-VM techniques used by this malware?

Q:

5. How could you patch the binary in OllyDbg to force the anti-VM techniques to permanently fail?

Назад: Conclusion
Дальше: 18. Packers and Unpacking

sss
sss