Jump to content
Tuts 4 You
ONDragon

Malware VMProtect

Recommended Posts

ONDragon

When I reverse the MALWARE , I realise it was PROTECTED by VM , so I try to run it so that catch its behavior .BUT there are some anti'VMware (I try to run it both in VMWare and VirtualBox) ways.

The Questions:

If I encounter the MALWARE , what shound I do?

PS:

How to Unpack the VM and how to hide the VMWare of both VMWare and VirtualBox!!!

Please help ME .

THANKS!!!

Share this post


Link to post
Share on other sites
xoring

Can you share the sample?:)

Share this post


Link to post
Share on other sites
null_endian

Have you tried opening it in a debugger? I would do that, and then look for where/when it checks for the Virtual machine and then patch it so that it believes you're not in one.

Share this post


Link to post
Share on other sites
Aesculapius
On 26/8/2017 at 4:22 AM, ONDragon said:

When I reverse the MALWARE , I realise it was PROTECTED by VM , so I try to run it so that catch its behavior .BUT there are some anti'VMware (I try to run it both in VMWare and VirtualBox) ways.

The Questions:

If I encounter the MALWARE , what shound I do?

PS:

How to Unpack the VM and how to hide the VMWare of both VMWare and VirtualBox!!!

Please help ME .

THANKS!!!

do not install vmware tools and set your virtual machine configuration file to prevent detection (there's info about that you can google); if it is vmprotect 3 then it uses some more complicated methods to detect vm. Best approach would be to unpack the sample first, then analyze. Best regards.

Share this post


Link to post
Share on other sites
zixkhalid
On 10/4/2017 at 1:16 AM, null_endian said:

Have you tried opening it in a debugger? I would do that, and then look for where/when it checks for the Virtual machine and then patch it so that it believes you're not in one.

the ollydbg and windbg crash if you open a sample of malware packed with vmp v3 

 

On 10/14/2017 at 2:17 PM, Aesculapius said:

do not install vmware tools and set your virtual machine configuration file to prevent detection (there's info about that you can google); if it is vmprotect 3 then it uses some more complicated methods to detect vm. Best approach would be to unpack the sample first, then analyze. Best regards.

i try all stuff that i can find in google but still the same problem idk what to do 

Share this post


Link to post
Share on other sites
Aesculapius
19 hours ago, zixkhalid said:

the ollydbg and windbg crash if you open a sample of malware packed with vmp v3 

 

i try all stuff that i can find in google but still the same problem idk what to do 

WM detection tricks are limited, although VMP3 uses new methods, here's a compilation that could help narrow the search:

 

https://shasaurabh.blogspot.ca/2017/07/virtual-machine-detection-techniques.html

 

several other possible paths come to mind, you can run you malware in a test machine without VM, you can easily reach OEP, and at that point you can carefully set your breakpoints to cover all possible malware techniques like process injection or process hollowing, etc, to get the unpacked sample. Once you get the unpacked code, you can kill the process and avoid any unneeded damage to your test windows installation. Also, most samples are already analyzed by someone else (google it). You can drop your sample here: https://www.hybrid-analysis.com/ and learn as much as possible from it, look for similar upload samples, etc.  BR.

  • Like 2

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×