Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Back: Lab 16-3 Solutions
Next: Lab 17-2 Solutions

. Scanning the malware for new functions, we find two: sub_401000, a self-deletion method, and sub_401100, which appears to call the sldt instruction. We can run Lab17-01.exe in a VM and see what happens differently from . The dynamic analysis results vary from system to system and might be identical to on your machine.

in , or use the script named findAntiVM.py provided with the labs. To run the script in IDA Pro, select File ▸ Script File and open findAntiVM.py. You should see the following in IDA Pro’s output window:

at . This instruction stores the most significant 4 bytes of the sidt result var_420 at for later use in the code.

004011B5         sidt    fword ptr [ebp+var_428]
004011BC         mov     eax, dword ptr [ebp+var_428+2]
004011C2         mov     [ebp+var_420], eax
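An added scanner in the spirit of findAntiVM.py (this is example code written here, not the lab's script): it flags the sgdt/sidt/sldt/str byte patterns that the red-pill style checks in this lab rely on. The sample bytes are constructed to match the listing above (sidt at 0x4011B5 followed by the two mov instructions), plus an sldt and a non-matching 0F 01 C8 to show the ModR/M filtering; the address 0x4011B5 is the base assumed for the constructed buffer.

```python
# Opcode maps for the x86 system-table store instructions that anti-VM
# checks such as the one in Lab17-01.exe rely on. sgdt/sidt share the
# two-byte opcode 0F 01 and sldt/str share 0F 00; the /reg field of the
# ModR/M byte selects the instruction.
TABLE_STORE = {
    (0x0F, 0x01): {0: "sgdt", 1: "sidt"},
    (0x0F, 0x00): {0: "sldt", 1: "str"},
}


def find_anti_vm_instructions(code: bytes, base: int = 0) -> list:
    """Return (address, mnemonic) for every sgdt/sidt/sldt/str pattern.

    This is a byte scan, not a disassembly: a match inside data or inside
    another instruction's immediate is possible, so treat hits as leads to
    confirm in IDA Pro, as the lab does with findAntiVM.py.
    """
    hits = []
    for i in range(len(code) - 2):
        group = TABLE_STORE.get((code[i], code[i + 1]))
        if group is None:
            continue
        modrm = code[i + 2]
        mod, reg = modrm >> 6, (modrm >> 3) & 7
        if reg not in group:
            continue
        # sidt/sgdt take only a memory operand; with mod == 3 the 0F 01
        # encoding is a different instruction (e.g. 0F 01 C8 is monitor).
        if mod == 3 and group[reg] in ("sidt", "sgdt"):
            continue
        hits.append((base + i, group[reg]))
    return hits


# Constructed bytes modelled on the listing at 0x4011B5:
#   sidt fword ptr [ebp-0x428]  -> 0F 01 8D D8 FB FF FF
#   mov  eax, [ebp-0x428+2]     -> 8B 85 DA FB FF FF
#   mov  [ebp-0x420], eax       -> 89 85 E0 FB FF FF
# followed by sldt ax (0F 00 C0) and monitor (0F 01 C8), which must not hit.
SAMPLE = bytes.fromhex("0F018DD8FBFFFF" "8B85DAFBFFFF" "8985E0FBFFFF" "0F00C0" "0F01C8")


def scan_sample() -> list:
    """Scan the constructed sample as if it were loaded at 0x4011B5."""
    return find_anti_vm_instructions(SAMPLE, base=0x4011B5)


if __name__ == "__main__":
    for addr, mnemonic in scan_sample():
        print(f"{addr:08X}  {mnemonic}")
```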

The malware checks for a VM a few instructions later in the binary, as you can see in .

shows the check against the first 2 bytes, which must equal 0 and 0x40 in order to match the signature for VMware.

shows the sldt usage within sub_401100.

at . If the low-order bytes are not zero, the jump will be taken, and the malware will terminate without creating the thread.

or force the jnz to not jump in a debugger.



© RuTLib.com 2015-2018