@dumpmycode
Last active November 1, 2018 01:02
VMAwareMalware
Ways that malware can check for a virtual environment
• Checking the MAC address of the virtual network adaptor to try and reveal the virtual machine vendor.
• Checking the BIOS brand and version to reveal the virtual machine vendor.
• Checking certain registry keys that are unique to virtual machines.
Virtual machines often leave traces in various registry keys.
For example, the existence of “HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__” reveals the presence of VirtualBox.
• Checking if helper tools, such as VMware tools, are installed.
• Checking for the presence of certain process and service names.
• Checking for the presence of specific files, like drivers specific to virtualization.
• Checking for communication ports for guest-to-host communication.
• Executing special assembler instructions and comparing the results.
Some instructions are not implemented, or behave differently than on a physical computer.
Other instructions take longer to execute, so a timing difference can reveal the hypervisor.
• Checking the location of system structures, such as the interrupt descriptor table (IDT).
Virtual machines typically place the IDT at a higher memory address than a physical computer does.
• Checking for static OS license keys.
• Checking dmesg output or dmidecode data for entries from virtual devices.
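The checks above are also what an analyst should audit on their own sandbox: if the MAC address, registry keys or DMI strings give the VM away, a sample will behave differently than on a victim machine. The following script is an added example, not part of the original gist; it runs the MAC, registry key and DMI checks from the list over constructed sample data (the MAC prefixes are the commonly published VMware and VirtualBox OUIs, the registry key is the one named above, and the DMI vendor strings are the usual ones). Nothing here touches the live system; a real audit would feed it the output of `ipconfig /all`, `reg query` and `dmidecode` instead.

```python
"""Audit constructed sandbox artifacts for common virtualization fingerprints.

Added example, not code from the original gist. All sample inputs below are
constructed for illustration, not captured from a real machine.
"""

# MAC OUI prefixes commonly assigned to virtual network adapters (published IEEE OUIs).
VM_MAC_OUIS = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
}

# Registry keys whose mere existence reveals the hypervisor (the VirtualBox key from the list above).
VM_REGISTRY_KEYS = {
    r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__".upper(): "VirtualBox",
}

# Vendor strings that appear in BIOS/DMI data (dmidecode) and in dmesg on virtual hardware.
VM_DMI_PATTERNS = {
    "VirtualBox": "VirtualBox",
    "innotek": "VirtualBox",
    "VMware": "VMware",
    "QEMU": "QEMU",
}


def mac_vendor(mac):
    """Return the VM vendor for a MAC address's OUI, or None if it is not a known VM prefix."""
    oui = mac.lower().replace("-", ":")[:8]
    return VM_MAC_OUIS.get(oui)


def audit(macs, registry_keys, dmi_lines):
    """Return a list of (check, evidence, vendor) tuples for every artifact that leaks the VM."""
    findings = []
    for mac in macs:
        vendor = mac_vendor(mac)
        if vendor:
            findings.append(("mac", mac, vendor))
    for key in registry_keys:
        vendor = VM_REGISTRY_KEYS.get(key.upper())  # registry paths are case-insensitive
        if vendor:
            findings.append(("registry", key, vendor))
    for line in dmi_lines:
        for pattern, vendor in VM_DMI_PATTERNS.items():
            if pattern.lower() in line.lower():
                findings.append(("dmi", line.strip(), vendor))
    return findings


def exposed_vendors(findings):
    """Collapse findings to the set of hypervisor vendors the sandbox reveals."""
    return {vendor for _, _, vendor in findings}


# Constructed sample data standing in for real command output.
SAMPLE_MACS = ["08:00:27:3a:1f:9c", "00:1a:2b:3c:4d:5e"]
SAMPLE_REGISTRY = [
    r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows",
]
SAMPLE_DMI = [
    "Manufacturer: innotek GmbH",
    "Product Name: VirtualBox",
    "Version: 1.2",
]

if __name__ == "__main__":
    results = audit(SAMPLE_MACS, SAMPLE_REGISTRY, SAMPLE_DMI)
    for check, evidence, vendor in results:
        print(f"[{check}] {evidence!r} -> {vendor}")
    print("Sandbox exposes:", ", ".join(sorted(exposed_vendors(results))) or "nothing")
```

Each finding names the check that fired, so an analyst knows which artifact (adapter MAC, ACPI table key, DMI string) to change or mask on the sandbox image.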
Precautions before debugging malware:
- Do it in a VM with no network access (host-only adapter) and create a clean snapshot first.
- Hash the files beforehand and compare the hashes afterwards to make sure nothing has changed.
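The second precaution is a baseline-and-compare step: hash every file of interest before the run, hash again afterwards, and report what was added, removed or modified. The script below is an added example rather than code from the gist. It builds a small constructed directory tree, takes a SHA-256 baseline, simulates the kinds of changes a run might cause, and diffs the two baselines; the `save_baseline`/`load_baseline` helpers are assumptions about how you would persist the baseline between the two passes.

```python
"""Hash a directory tree before and after a run and report the differences.

Added example, not code from the original gist. The demo() tree and its
changes are constructed; point hash_tree() at a real directory to use it.
"""
import hashlib
import json
import os
import pathlib
import tempfile


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (as a forward-slash relative path) to its SHA-256."""
    root = pathlib.Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baselines(before, after):
    """Compare two hash maps and return the added, removed and modified paths."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def save_baseline(baseline, path):
    """Persist a baseline as JSON (assumed storage format) so it survives a VM snapshot revert."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a constructed tree, baseline it, apply sample changes, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        (root / "config").mkdir()
        (root / "sample.exe").write_bytes(b"MZ constructed sample bytes")
        (root / "config" / "settings.ini").write_text("debug=0\n")
        (root / "notes.txt").write_text("untouched\n")

        before = hash_tree(root)
        save_baseline(before, root / "baseline.json")  # persisted copy, excluded from the tree below
        (root / "baseline.json").unlink()

        # Constructed changes standing in for what a run might do.
        (root / "config" / "settings.ini").write_text("debug=1\n")   # modified
        (root / "dropped.dll").write_bytes(b"constructed dropped file")  # added
        (root / "sample.exe").unlink()                                   # removed

        after = hash_tree(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is written before the clean snapshot is taken and read back after the run, so the comparison does not depend on anything the sample could have altered inside the guest.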