Tuts 4 You

Malware VMProtect


ONDragon

When I reversed the malware, I realised it was protected by VM, so I tried to run it to catch its behaviour. But there are some anti-VMware techniques (I tried to run it both in VMware and VirtualBox).

The Questions:

If I encounter the malware, what should I do?

PS:

How to unpack the VM, and how to hide the VM from it in both VMware and VirtualBox!!!

Please help me.

Thanks!!!

xoring

Can you share the sample?:)

null_endian

Have you tried opening it in a debugger? I would do that, and then look for where/when it checks for the Virtual machine and then patch it so that it believes you're not in one.

Aesculapius
On 26/8/2017 at 4:22 AM, ONDragon said:

When I reversed the malware, I realised it was protected by VM, so I tried to run it to catch its behaviour. But there are some anti-VMware techniques (I tried to run it both in VMware and VirtualBox).

The Questions:

If I encounter the malware, what should I do?

PS:

How to unpack the VM, and how to hide the VM from it in both VMware and VirtualBox!!!

Please help me.

Thanks!!!

Do not install VMware Tools, and set your virtual machine configuration file to prevent detection (there's info about that you can Google); if it is VMProtect 3 then it uses some more complicated methods to detect VMs. The best approach would be to unpack the sample first, then analyze it. Best regards.

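The configuration-file hardening Aesculapius refers to, written out as an added example that is not part of the thread: the commonly published VMware `.vmx` settings that switch off the guest-tools "backdoor" services and the monitor shortcuts that classic anti-VM checks probe. Assumed: the VM is powered off while editing, `#` comment lines are accepted by your VMware build (remove them if not), and each key's effect on a current VMware release is verified by re-running the sample rather than taken for granted, since most of these options date from the binary-translation era.

```ini
# Added example: anti-detection options appended to the analysis VM's
# .vmx file. Edit only with the VM powered off.

# Turn off the backdoor channel services that VMware Tools relies on.
# A guest that can reach them has confirmed it runs inside VMware, and
# the thread's advice is not to install Tools at all in the analysis VM.
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.restrict_backdoor = "TRUE"

# Force the monitor to avoid direct execution and its optimisations.
# The behaviour of privileged/odd instructions then differs from the
# shortcuts that older VM-detection tricks were written to notice.
# Expect a noticeable slowdown; effect depends on the VMware version.
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
```

For VirtualBox the equivalent is done from the host with `VBoxManage setextradata`, which rewrites the DMI/BIOS strings the guest can read. Neither change covers the hardware-level checks the reply attributes to VMProtect 3, which is why it still recommends unpacking the sample first.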
