ONDragon Posted August 26, 2017: When I reverse the malware, I realise it was protected by VM, so I try to run it so that I can catch its behavior. But there are some anti-VMware checks (I try to run it in both VMware and VirtualBox). The question: if I encounter the malware, what should I do? PS: How to unpack the VM and how to hide the VM in both VMware and VirtualBox? Please help me. Thanks!
xoring Posted August 27, 2017: Can you share the sample? :)
null_endian Posted October 4, 2017: Have you tried opening it in a debugger? I would do that, and then look for where/when it checks for the virtual machine and then patch it so that it believes you're not in one.
Aesculapius Posted October 14, 2017: On 26/8/2017 at 4:22 AM, ONDragon said: "When I reverse the malware, I realise it was protected by VM, so I try to run it so that I can catch its behavior. But there are some anti-VMware checks (I try to run it in both VMware and VirtualBox). The question: if I encounter the malware, what should I do? PS: How to unpack the VM and how to hide the VM in both VMware and VirtualBox? Please help me. Thanks!" Do not install VMware Tools and set your virtual machine configuration file to prevent detection (there's info about that you can google); if it is VMProtect 3 then it uses some more complicated methods to detect a VM. The best approach would be to unpack the sample first, then analyze. Best regards.
zixkhalid Posted May 6, 2018: On 10/4/2017 at 1:16 AM, null_endian said: "Have you tried opening it in a debugger? I would do that, and then look for where/when it checks for the virtual machine and then patch it so that it believes you're not in one." OllyDbg and WinDbg crash if you open a sample of malware packed with VMP v3. On 10/14/2017 at 2:17 PM, Aesculapius said: "Do not install VMware Tools and set your virtual machine configuration file to prevent detection (there's info about that you can google); if it is VMProtect 3 then it uses some more complicated methods to detect a VM. The best approach would be to unpack the sample first, then analyze. Best regards." I try all the stuff that I can find on Google but still the same problem; I don't know what to do.
Aesculapius Posted May 7, 2018: 19 hours ago, zixkhalid said: "OllyDbg and WinDbg crash if you open a sample of malware packed with VMP v3. I try all the stuff that I can find on Google but still the same problem; I don't know what to do." VM detection tricks are limited, although VMP3 uses new methods; here's a compilation that could help narrow the search: https://shasaurabh.blogspot.ca/2017/07/virtual-machine-detection-techniques.html Several other possible paths come to mind: you can run your malware on a test machine without a VM; you can easily reach the OEP, and at that point you can carefully set your breakpoints to cover all possible malware techniques like process injection or process hollowing, etc., to get the unpacked sample. Once you get the unpacked code, you can kill the process and avoid any unneeded damage to your test Windows installation. Also, most samples are already analyzed by someone else (google it). You can drop your sample here: https://www.hybrid-analysis.com/ and learn as much as possible from it, look for similar uploaded samples, etc. BR.
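As an added illustration of the "set your virtual machine configuration file" advice in Aesculapius's first reply, and of the artifact-based detection techniques the compilation linked above catalogues, the following is a VMware .vmx fragment that an analyst appends to a sandbox VM's configuration. It is not taken from this thread or from any of the posters; the keys are the long-published VMware anti-detection settings (the Liston/Skoudis list plus the CPUID and backdoor knobs), and whether each one is honoured on a given VMware release is an assumption the analyst should confirm against a known VM-detection test program before trusting the VM with a sample. Each line is commented with the guest-visible artifact it is meant to suppress.

```ini
; Added example: anti-detection settings for an analysis VM (VMware .vmx).
; Assumption: VM is powered off while editing; VMware Tools is NOT installed
; in the guest (Tools leaves drivers, services and registry keys that no
; .vmx setting can hide).

; Hide the "hypervisor present" bit (CPUID leaf 1, ECX bit 31) and the
; "VMwareVMware" vendor string in leaf 0x40000000, a common first check.
hypervisor.cpuid.v0 = "FALSE"

; Disable the "backdoor" I/O port (0x5658, magic 0x564D5868) that guest code
; probes with IN/OUT to talk to the hypervisor; the classic VMware check.
monitor_control.restrict_backdoor = "TRUE"

; Disable the guest-host isolation channels that the backdoor exposes
; (pointer position and Tools version queries succeed only inside VMware).
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"

; Force the binary-translation monitor off the fast paths that produce
; timing and instruction-behaviour differences (SIDT/SGDT/SLDT, RDTSC
; skew, self-modifying-code handling). Caveat: on some releases these keys
; slow the guest noticeably or prevent it from booting; enable them one at
; a time and re-run your detection test after each.
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
```

What this fragment does not cover is worth stating, because it bounds how much a configuration change can achieve: the virtual hardware still reports VMware vendor identifiers (PCI device IDs, the default 00:0C:29 / 00:50:56 MAC prefixes, SCSI and video adapter names, SMBIOS strings), so a sample that enumerates devices or WMI rather than probing the CPU will still notice unless those are changed as well (ethernet0.address for the MAC, and SMBIOS overrides where the release supports them). That is consistent with the second reply's point that for a VMProtect 3 sample, unpacking first on a bare-metal test box is usually the faster route than chasing every check.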