Anti VMWare Techniques

Dear Guys,

Diving deep into the malware world, I would like to share some common techniques that malware authors usually put into their code to evade sandboxes by detecting the presence of VMware artefacts.

Running Process

During initialisation, malware will usually check for the presence of these running processes in order to detect VMware:

1. VMwareService.exe
2. VMwareTray.exe
3. VMwareUser.exe

VMware Artifacts - Practical Malware Analysis [Book]

Registry

The presence of a virtual machine can also be detected from registry entries that indicate the OS is running on top of VMware.

SCSI Device Map

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0

PS/2 Mouse Port

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96F-E325-11CE-BFC1-08002BE10318}\0000
InfSection = VMMouse

MAC Address

By default, VMware uses the Organizationally Unique Identifier (OUI) 00:50:56 for manually generated addresses, but all unique manually generated addresses are supported.

#include <winsock2.h>
#include <iphlpapi.h>
#include <stdio.h>
#include <Windows.h>
#pragma comment(lib, "IPHLPAPI.lib")

// Print a 6-byte MAC address as zero-padded hex, colon separated
void PrintMACaddress(const BYTE* addr)
{
    for (int i = 0; i < 6; i++)
    {
        printf("%02X%s", addr[i], (i < 5) ? ":" : "\n");
    }
}

static void GetMACaddress(void)
{
    IP_ADAPTER_INFO AdapterInfo[16];       // Allocate information for up to 16 NICs
    DWORD dwBufLen = sizeof(AdapterInfo);  // Save memory size of buffer

    // GetAdaptersInfo returns its error code directly; it does not set GetLastError()
    DWORD dwStatus = GetAdaptersInfo(AdapterInfo, &dwBufLen);
    if (dwStatus != ERROR_SUCCESS)
    {
        printf("GetAdaptersInfo failed. err=%lu\n", dwStatus);
        return;
    }

    PIP_ADAPTER_INFO pAdapterInfo = AdapterInfo; // Pointer to current adapter info
    do
    {
        printf("Adapter %s: ", pAdapterInfo->Description);
        PrintMACaddress(pAdapterInfo->Address); // First three bytes are the OUI
        pAdapterInfo = pAdapterInfo->Next;      // Progress through linked list
    } while (pAdapterInfo);                     // Terminate if last adapter
}

int main()
{
    GetMACaddress();
    return 0;
}

Red Pill Anti-VM

Red Pill is an anti-VM technique that executes the SIDT instruction to grab the value of the IDTR register. To avoid a conflict with the host, the virtualisation software moves the guest's IDTR to a different memory location. That relocation provides another way to check whether the environment is a "physical" one or a "virtual" one. The code is below.

int swallow_redpill () {
    // SIDT stores 6 bytes: 2-byte limit followed by 4-byte base (32-bit x86)
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
    *((unsigned*)&rpill[3]) = (unsigned)m;   // patch the SIDT operand with the address of m
    ((void(*)())&rpill)();                   // run the stub: sidt [m]; ret
    return (m[5]>0xd0) ? 1 : 0;              // high byte of the IDT base above 0xd0 is reported as virtual
}

CPU ID

The CPUID instruction is executed with EAX=0x1 as input, and the return value describes the processor's features. Bit 31 of ECX will be equal to 0 on a physical machine. On a guest VM, it will be equal to 1.

#include <iostream>

using namespace std;

int main()
{
	bool IsUnderVM = false;
	// MSVC 32-bit inline assembly.
	// Bit 31 of ECX is the generic hypervisor-present bit, so this test
	// fires under any hypervisor that sets it, not only VMware.
	__asm {
		xor    eax, eax
		inc    eax              ; EAX = 1 selects the feature leaf
		cpuid
		bt     ecx, 0x1f        ; copy bit 31 of ECX into the carry flag
		jc     UnderVM
	NotUnderVM:
		jmp    NopInstr
	UnderVM:
		mov    IsUnderVM, 0x1
	NopInstr:
		nop
	}

	if (IsUnderVM) {
		cout << "Running Under VMWare";
	}
	else {
		cout << "Running Under Physical";
	}
	return 0;
}

Malware authors will usually not execute their malicious code when they find the above artefacts; instead, they will either sleep or directly exit their process.
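
From the analyst's side, the same artefacts can be searched for statically in a suspect file before it ever reaches the sandbox. The Python below is an added example, not code from the original post; the function name scan_anti_vm, the category labels and the sample bytes are assumptions made for illustration, and the instruction patterns cover only the 32-bit encodings of the Red Pill and CPUID listings above.

```python
import re

# Artefacts named on this page. The category labels are this example's own.
STRINGS = {
    "process": ["VMwareService.exe", "VMwareTray.exe", "VMwareUser.exe"],
    "registry": [r"HARDWARE\DEVICEMAP\Scsi", "VMMouse",
                 "{4D36E96F-E325-11CE-BFC1-08002BE10318}"],
    "mac_oui": ["00:50:56", "00-50-56"],
}

# Instruction byte patterns matching the two code listings (32-bit x86).
CODE = {
    # sidt [disp32] ; ret  -- the 8-byte Red Pill stub
    "red_pill_sidt": re.compile(rb"\x0f\x01\x0d.{4}\xc3", re.S),
    # cpuid, then bt ecx, 0x1f within a few bytes (hypervisor bit test)
    "cpuid_hv_bit": re.compile(rb"\x0f\xa2.{0,16}?\x0f\xba\xe1\x1f", re.S),
}


def scan_anti_vm(data: bytes) -> dict:
    """Return {category: sorted list of indicators found} for a sample's bytes."""
    hits = {}
    lowered = data.lower()
    for category, needles in STRINGS.items():
        for needle in needles:
            # Windows binaries store strings as ASCII or UTF-16LE; check both,
            # case-insensitively, since process-name compares usually ignore case.
            for enc in ("ascii", "utf-16-le"):
                if needle.lower().encode(enc) in lowered:
                    hits.setdefault(category, set()).add(needle)
    for name, pattern in CODE.items():
        if pattern.search(data):
            hits.setdefault("code", set()).add(name)
    return {k: sorted(v) for k, v in hits.items()}


# Constructed sample: not a real binary, just bytes that embed some artefacts.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "vmwaretray.exe".encode("utf-16-le") + b"\x00\x00"
    + b"InfSection\x00VMMouse\x00"
    + b"\x33\xc0\x40\x0f\xa2\x0f\xba\xe1\x1f\x72\x02"   # xor/inc/cpuid/bt/jc
    + b"\x0f\x01\x0d\x00\x00\x00\x00\xc3"               # Red Pill stub
)

if __name__ == "__main__":
    for category, found in scan_anti_vm(SAMPLE).items():
        print(f"{category}: {', '.join(found)}")
```

String hits on their own are weak evidence, since VMware's own guest tools contain the same names; a sample that combines them with one of the instruction patterns deserves a closer look.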
