Tuts 4 You

VM Detecting in malware


Pooya

Hi Guys

As I've been searching through this topic, I've got some interesting pictures aside from VM fingerprints... like the I/O backdoor in VMware... but my main question is how to find a way like the VMware method? I've read that the more reliable technique for detection is relying on assembly-level code that behaves differently in a VM... so how can I observe this behaviour?

Any little tiny clue would be appreciated

Best Regards

chickenbutt

sandboxie

  • LoadLibraryA
  • VirtualProtectEx (some other ring3 thread stuff too)
  • PE struct

bufferzone

  • same as Sandboxie (both also have IOCTL vulnerabilities)

virtualbox

  • IOCTL exposure, SSDT, GPT etc..
  • process enumeration structs..
  • ring3 threads(depending on configuration)

vmware

  • same as VirtualBox plus a DLL interface xD

Noob authors usually just detect them and logic bomb out (wait till no detection for decryption and execution of payload). If you can get a driver loaded you can easily detect all through sniffing or table mirror or entry checks. This 'isn't a problem' though to the communities and devs.. how productive..

3rd party tools like Buster Sandbox Analyzer make medial efforts to hide them.. noobs can still defeat it from ring3.

Most pros seem to roll their own through a FASM VT-x/AMD-V lib.

Edited by chickenbutt
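Added example, not code from either poster: one way to actually observe the "assembly-level behaves differently in a VM" point from the question is to build a small probe, run it on bare metal and then inside the analysis VM, and compare what the CPU reports. The probe below reads the documented CPUID hypervisor-present bit and the hypervisor vendor leaf (0x40000000); it is the kind of check a sandbox maintainer runs to learn what their own VM advertises. It assumes an x86 build with GCC/Clang's <cpuid.h>, and the signature table is the vendors' published strings, not something from this thread.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* CPUID.1:ECX[31] is the documented "hypervisor present" bit. Returns 1 if set,
 * 0 if clear, -1 if this build cannot issue CPUID (non-x86 target). */
int hypervisor_present(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return (int)((ecx >> 31) & 1);
#endif
    return -1;
}
/* Leaf 0x40000000 is reserved for hypervisors; EBX:ECX:EDX carry a 12-byte
 * vendor signature. Copies it NUL-terminated into sig; 0 on success, else -1. */
int hypervisor_signature(char sig[13])
{
    sig[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (hypervisor_present() != 1)      /* leaf is only meaningful when the bit is set */
        return -1;
    __cpuid(0x40000000, eax, ebx, ecx, edx);  /* raw query; __get_cpuid rejects this leaf */
    memcpy(sig, &ebx, 4); memcpy(sig + 4, &ecx, 4); memcpy(sig + 8, &edx, 4);
    sig[12] = '\0';
#endif
    return sig[0] ? 0 : -1;
}
/* Maps the vendors' published signatures to a product name (assumed list). */
const char *classify_signature(const char *sig)
{
    if (strncmp(sig, "VMwareVMware", 12) == 0) return "VMware";
    if (strncmp(sig, "KVMKVMKVM", 9) == 0)     return "KVM";
    if (strncmp(sig, "VBoxVBoxVBox", 12) == 0) return "VirtualBox";
    if (strncmp(sig, "Microsoft Hv", 12) == 0) return "Hyper-V";
    return "unknown";
}
int main(void)
{
    char sig[13];
    int hv = hypervisor_present();
    if (hv == 1 && hypervisor_signature(sig) == 0)
        printf("signature \"%s\" -> %s\n", sig, classify_signature(sig));
    else
        printf("hypervisor bit: %d (0 = bare metal or hidden, -1 = unavailable)\n", hv);
    return 0;
}
```

Run it in both places: a VM that prints a vendor signature is trivially fingerprintable by this one instruction, and a hypervisor configured to clear the bit still shows up in the other vectors chickenbutt lists.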
