VM Detecting in malware

[Pooya]

Hi Guys

As I've been searching through this topic , I've got some interesting picture aside of VM Fingerprints.... like I/O Backdoor in VMware... but my main question is that how to find a way like VMware Method ? I've read that the more reliable technique for detecting is relying on assembly-level code that behaves differently in VM... so how can I observe this behavior ???

Any little tiny clue would be appreciated

Best Regards

[chickenbutt]

sandboxie

• loadlibrarya
  
• virtualprotectex(some other ring3 thread stuff too)
  
• PE struct
  

bufferzone

• same as sandboxie(both also have IOCTL vulnerabilities)
  

virtualbox

• IOCTL exposure, SSDT, GPT etc..
  
• process enumeration structs..
  
• ring3 threads(depending on configuration)
  

vmware

• same as virtualbox plus a DLL interface xD
  

Noob authors usually just detect them and logic bomb out(wait till no detection for decryption and execution of payload). If you can get a driver loaded you can easily detect all through sniffing or table mirror or entry checks. This 'isn't a problem' though to the communities and devs..how productive..

3rd party tools like buster sandbox analyzer make medial efforts to hide them..noobs can still defeat it from ring3

most pros seem to roll their own through FASM vt/amdv lib.

Edited May 13, 2011 by chickenbutt