Last active
November 1, 2018 01:02
VMAwareMalware
Ways that malware can check for a virtual environment:

• Checking the MAC address of the virtual network adapter to try to reveal the virtual machine vendor.
• Checking the BIOS brand and version to reveal the virtual machine vendor.
• Checking certain registry keys that are unique to virtual machines. Often, virtual machines leave traces in different registry keys. For example, the existence of “HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__” reveals the presence of VirtualBox.
• Checking if helper tools, such as VMware Tools, are installed.
• Checking for the presence of certain process and service names.
• Checking for the presence of specific files, like drivers specific to virtualization.
• Checking for communication ports used for guest-to-host communication.
• Executing special assembler code and comparing the results. Some instructions are not implemented or behave differently than on physical computers. Others take longer to execute and can show a timing difference.
• Checking the location of system structures, such as the interrupt descriptor table (IDT). Virtual systems typically store the IDT at a higher register than a physical computer does.
• Checking for static OS licenses.
• Checking dmesg or dmidecode logs for entries from virtual devices.

Precautions before debugging malware:

- Do it in a VM with no network (host-only), and create a clean snapshot.
- Hash files beforehand and compare afterwards, making sure there is no change.
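The second precaution (hash the analysis directory before detonation, compare afterwards) is worth automating so that added, removed and modified files are reported rather than eyeballed. The script below is an added example, not part of the gist; the directory layout and file contents it works on are constructed inside a temporary directory purely for illustration, and the file names are placeholders.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Paths are stored relative to root and in POSIX form so that two snapshots
    of the same tree compare cleanly even if the root moves.
    """
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            # Read in 1 MiB chunks so large samples do not have to fit in memory
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_baselines(before, after):
    """Classify the differences between two snapshots produced by hash_tree."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
        "unchanged": sorted(p for p in common if before[p] == after[p]),
    }


def demo():
    """Constructed scenario: snapshot a fake analysis directory, then disturb it.

    Everything written here is made up for the example; no real sample is used.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sample.bin").write_bytes(b"MZ constructed sample")       # placeholder
        (root / "notes.txt").write_text("analyst notes\n")
        (root / "tools").mkdir()
        (root / "tools" / "helper.exe").write_bytes(b"constructed helper")  # placeholder

        baseline = hash_tree(root)

        # Simulate what a detonation might leave behind: one file changed,
        # one file dropped, one file deleted. Each should show up in the diff.
        (root / "sample.bin").write_bytes(b"MZ constructed sample, tampered")
        (root / "dropped.dll").write_bytes(b"constructed dropped payload")
        (root / "tools" / "helper.exe").unlink()

        return compare_baselines(baseline, hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run hash_tree over the analysis share once after restoring the clean snapshot, store the result (for example as JSON) outside the VM, and run compare_baselines against a fresh snapshot after the session; any entry outside "unchanged" is something the sample touched and needs explaining.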