ONDragon, Posted August 26, 2017

When I reversed the MALWARE, I realised it was PROTECTED by VM, so I tried to run it so that I could catch its behavior. BUT there are some anti-VMware ways (I tried to run it both in VMware and VirtualBox). The Questions: If I encounter the MALWARE, what should I do? PS: How to unpack the VM and how to hide the VM in both VMware and VirtualBox!!! Please help ME. THANKS!!!
null_endian, Posted October 4, 2017

Have you tried opening it in a debugger? I would do that, and then look for where/when it checks for the virtual machine and then patch it so that it believes you're not in one.
Aesculapius, Posted October 14, 2017

On 26/8/2017 at 4:22 AM, ONDragon said:
When I reversed the MALWARE, I realised it was PROTECTED by VM, so I tried to run it so that I could catch its behavior. BUT there are some anti-VMware ways (I tried to run it both in VMware and VirtualBox). The Questions: If I encounter the MALWARE, what should I do? PS: How to unpack the VM and how to hide the VM in both VMware and VirtualBox!!! Please help ME. THANKS!!!

Do not install VMware Tools, and set your virtual machine configuration file to prevent detection (there's info about that you can google); if it is VMProtect 3 then it uses some more complicated methods to detect a VM. The best approach would be to unpack the sample first, then analyze. Best regards.
zixkhalid, Posted May 6, 2018

On 10/4/2017 at 1:16 AM, null_endian said:
Have you tried opening it in a debugger? I would do that, and then look for where/when it checks for the virtual machine and then patch it so that it believes you're not in one.

OllyDbg and WinDbg crash if you open a sample of malware packed with VMP v3.

On 10/14/2017 at 2:17 PM, Aesculapius said:
Do not install VMware Tools, and set your virtual machine configuration file to prevent detection (there's info about that you can google); if it is VMProtect 3 then it uses some more complicated methods to detect a VM. The best approach would be to unpack the sample first, then analyze. Best regards.

I tried all the stuff I could find on Google, but it's still the same problem. I don't know what to do.
Aesculapius, Posted May 7, 2018

19 hours ago, zixkhalid said:
OllyDbg and WinDbg crash if you open a sample of malware packed with VMP v3. I tried all the stuff I could find on Google, but it's still the same problem. I don't know what to do.

VM detection tricks are limited, although VMP3 uses new methods; here's a compilation that could help narrow the search: https://shasaurabh.blogspot.ca/2017/07/virtual-machine-detection-techniques.html

Several other possible paths come to mind: you can run your malware in a test machine without a VM, you can easily reach the OEP, and at that point you can carefully set your breakpoints to cover all possible malware techniques like process injection or process hollowing, etc., to get the unpacked sample. Once you get the unpacked code, you can kill the process and avoid any unneeded damage to your test Windows installation. Also, most samples are already analyzed by someone else (google it). You can drop your sample here: https://www.hybrid-analysis.com/ and learn as much as possible from it, look for similar uploaded samples, etc. BR.
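A static triage helper for the checks the replies above describe (cpuid, the sidt/sldt/str "red pill" instructions, the VMware I/O backdoor magic, and VMware/VirtualBox artefact names), so an analyst knows where to look before stepping through the sample in a debugger. This is an added example, not code from the thread: the indicator lists and the SAMPLE bytes are constructed, and it scans the raw file bytes without parsing the PE.

```python
import re
import sys
# Artefact names that anti-VM checks look for in device names, service lists,
# registry keys and SMBIOS/ACPI tables. Constructed list; extend as needed.
VM_STRINGS = [b"VMware", b"vmtoolsd", b"vmhgfs", b"vmmouse", b"VBOX", b"VirtualBox",
              b"VBoxService", b"VBoxGuest", b"QEMU", b"Xen", b"Hyper-V"]

# Byte patterns of x86/x64 instructions used by classic VM-detection tricks.
# Raw-byte matching is noisy (data can look like code), so each hit is a lead
# to confirm in a disassembler, not proof.
OPCODE_PATTERNS = {
    "cpuid": re.compile(rb"\x0f\xa2"),                 # hypervisor bit / vendor leaf
    "sidt": re.compile(rb"\x0f\x01[\x08-\x0f\x48-\x4f\x88-\x8f]"),  # 0F 01 /1, memory form
    "sldt": re.compile(rb"\x0f\x00[\x00-\x07\x40-\x47\x80-\x87\xc0-\xc7]"),  # 0F 00 /0
    "str": re.compile(rb"\x0f\x00[\x08-\x0f\x48-\x4f\x88-\x8f\xc8-\xcf]"),   # 0F 00 /1
    "vmware_backdoor_magic": re.compile(rb"\xb8\x68\x58\x4d\x56"),  # mov eax, 'VMXh'
    "vmware_backdoor_port": re.compile(rb"\x66\xba\x58\x56"),       # mov dx, 'VX'
}

def scan(data: bytes) -> dict:
    """Return {indicator: [offsets]} for every anti-VM artefact found in data."""
    hits = {}
    lowered = data.lower()  # lowers ASCII letters only; UTF-16LE null bytes survive
    for s in VM_STRINGS:
        # Search both ASCII and UTF-16LE forms, since Windows APIs take wide strings.
        for needle in (s.lower(), s.decode().lower().encode("utf-16-le")):
            i = lowered.find(needle)
            while i != -1:
                hits.setdefault(s.decode(), []).append(i)
                i = lowered.find(needle, i + 1)
    for name, pat in OPCODE_PATTERNS.items():
        for m in pat.finditer(data):
            hits.setdefault(name, []).append(m.start())
    return {k: sorted(v) for k, v in hits.items()}
# Constructed stand-in for a sample: a fake header followed by the kinds of
# checks described in the thread. Offsets in the comments are from the start.
SAMPLE = (
    b"MZ" + b"\x00" * 14                     # 0   fake header padding
    + b"\x0f\xa2"                             # 16  cpuid
    + b"\x0f\x01\x0c\x24"                     # 18  sidt [esp]  ("red pill")
    + b"\xb8\x68\x58\x4d\x56"                 # 22  mov eax, 564D5868h
    + b"\x66\xba\x58\x56\xed"                 # 27  mov dx, 5658h ; in eax, dx
    + b"\\\\.\\VBoxGuest\x00"                  # 32  VirtualBox device name, ASCII
    + "vmtoolsd.exe".encode("utf-16-le")       # 46  VMware Tools process name, UTF-16LE
)
if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, offsets in sorted(scan(blob).items()):
        print(f"{name:24s} {', '.join(hex(o) for o in offsets)}")
```

Run it with a file path to scan a real sample, or with no argument to scan the constructed SAMPLE; packed samples (VMP included) will usually show nothing until the unpacked image is dumped, which is the point made above about unpacking first.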