Hi all, pretty beginner problem here I suppose.
I've been debugging for a few years and am always looking to learn new things every day. I've RE'd a few postmortem crash dumps regarding rootkits but have never attempted a LiveKD on one. I set up a quick 'isolated lab' using VMware, with the guest OS as Windows 7 x86. I tried executing three droppers, all rootkits:
Code:
Dr.Rustock.PE386 // Access violation appcrash.
Dr.Rustock B huy32 // Access violation appcrash.
Runtime2 // .exe deletes after execution and nothing is dropped.

I figured after the above happened that they're simply noticing they are being executed in a virtual environment, so I did some research and stumbled on making the following additions to the cfg:

Code:
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"

This has done nothing to help.
Is this stemming from virtual environment detection, and if it is, is my best bet just to use an *actual* system to RE malware on? Or am I missing something completely different and really obvious?
Thanks.
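One thing worth ruling out before blaming VM detection is that the .vmx edit never took effect (typo in a key, edit applied to the wrong file, or VM not powered off when editing). The following is an added example, not code from the post: a small Python checker that parses a .vmx file and reports which of the twelve settings listed above are missing or not set to TRUE. It assumes keys and values can be compared case-insensitively; the sample .vmx content is constructed here with one key misspelled and one value flipped.

```python
import re

# The twelve .vmx keys quoted in the post, each expected to be "TRUE".
EXPECTED_VMX_SETTINGS = dict.fromkeys("""
isolation.tools.setPtrLocation.disable isolation.tools.setVersion.disable
isolation.tools.getVersion.disable monitor_control.disable_directexec
monitor_control.disable_chksimd monitor_control.disable_ntreloc
monitor_control.disable_selfmod monitor_control.disable_reloc
monitor_control.disable_btinout monitor_control.disable_btmemspace
monitor_control.disable_btpriv monitor_control.disable_btseg
""".split(), "TRUE")

# Matches `key = "value"` (quotes optional) with an optional trailing # comment.
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_vmx(text):
    """Parse .vmx text into {key: value}; keys lower-cased (case-insensitive match is an assumption)."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LINE.match(stripped)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def check_vmx(text, expected=EXPECTED_VMX_SETTINGS):
    """Return (missing, wrong): expected keys absent from the file, and keys whose value differs."""
    parsed = parse_vmx(text)
    missing, wrong = [], {}
    for key, want in expected.items():
        have = parsed.get(key.lower())
        if have is None:
            missing.append(key)
        elif have.upper() != want.upper():
            wrong[key] = have
    return missing, wrong

# Constructed sample: the expected block with one key misspelled and one value set to FALSE.
SAMPLE_VMX = "# constructed .vmx fragment\n" + "\n".join(f'{k} = "{v}"' for k, v in EXPECTED_VMX_SETTINGS.items())
SAMPLE_VMX = SAMPLE_VMX.replace("disable_btseg", "disable_bt_seg")
SAMPLE_VMX = SAMPLE_VMX.replace('getVersion.disable = "TRUE"', 'getVersion.disable = "FALSE"')

if __name__ == "__main__":
    missing, wrong = check_vmx(SAMPLE_VMX)
    print("missing keys:", missing)
    print("wrong values:", wrong)
```

Run it against the real .vmx with `check_vmx(open(path).read())`; an empty result for both lists means the settings are at least present and spelled as intended.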