
Mapping potential usage of Virtual Machine Environment (VME) detection

To evade detection and analysis by security researchers, malware may check whether it is running inside a virtualized environment, such as a VirtualBox or VMware virtual machine. If these checks indicate that it is running in a VM, the malware simply does not run and, in some cases, deletes itself to prevent analysis.

A common approach to analysing potentially malicious software is dynamic analysis: the binary is executed in an analysis environment, usually a Virtual Machine (VM), and its behaviour on the system is inspected.

Many Virtual Machine Environments (VMEs) are easily detectable through:

  • File System
  • Services
  • Hardware Information
  • Registry Keys
  • Specific processor instructions and capabilities

A really nice way is to use Python to map the functions that use instructions which allow, or make it possible, to identify whether the code is running in a VME. The following Python script scans the assembly code in IDA Pro and highlights instructions corresponding to potential anti-VM techniques:

The instructions above can be used to identify a VME. For example, according to Intel's instruction documentation, the IMUL instruction only defines the carry flag (CF) and overflow flag (OF) after execution; the state of all other flags is undefined. These undefined flag values change (set or reset) according to the execution environment: on a real machine the undefined flags are not affected, but in a virtual machine their values change, as shown below:

Snap after IMUL instruction execution in a normal system
Snap before IMUL instruction execution in a VM
Snap after IMUL instruction execution in a VM

Malware exploits this behaviour to detect the virtual environment, although the most common check is CPUID:

Result in IDA Pro

A program can use CPUID to determine the processor type and whether features such as MMX/SSE are implemented. One way to identify a virtual environment is to execute the CPUID instruction with EAX equal to 0x40000000. CPUID returns processor identification and feature information in EBX, ECX and EDX; in a virtual environment, the values placed in these registers identify the hypervisor vendor. See an example below, written by SWaNk:
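As an added example (not the script from the post or SWaNk's code), the following Python mirrors the idea of the IDA scan described above outside of IDA: it walks an IDA-style disassembly listing (constructed here), flags instructions commonly associated with VME detection, recognises a CPUID preceded by `mov eax, 40000000h` as the hypervisor-vendor query, and decodes the 12-byte vendor string that leaf 0x40000000 leaves in EBX, ECX and EDX. The instruction set and vendor table are this example's own assumptions, and the sample listing is constructed, not taken from real malware.

```python
import re
import struct

# Instructions an analyst commonly flags as potential VME checks
# (this set is an assumption of this example, not the script from the post).
VME_INSTRUCTIONS = {
    "cpuid": "CPUID leaf 0x40000000 returns the hypervisor vendor string",
    "sidt": "IDT base differs under some hypervisors",
    "sgdt": "GDT base differs under some hypervisors",
    "sldt": "LDT selector differs under some hypervisors",
    "str": "task register differs under some hypervisors",
    "smsw": "machine status word may differ under virtualization",
    "in": "I/O port access used to talk to a hypervisor",
    "rdtsc": "timing differences caused by virtualization overhead",
    "imul": "undefined flag behaviour differs between real and virtual CPUs",
}

# CPUID leaf 0x40000000 vendor signatures: EBX, ECX, EDX as 12 ASCII bytes.
HYPERVISOR_VENDORS = {
    "VMwareVMware": "VMware",
    "KVMKVMKVM\0\0\0": "KVM",
    "Microsoft Hv": "Hyper-V",
    "VBoxVBoxVBox": "VirtualBox",
    "XenVMMXenVMM": "Xen",
}

# ".text:00401000 mov     eax, 40000000h"  ->  addr, mnemonic, operands
LINE_RE = re.compile(r"^\s*(?:\.?\w+:)?(?P<addr>[0-9A-Fa-f]+)\s+(?P<mnem>[A-Za-z]+)\b(?P<ops>.*)$")

def scan_listing(listing):
    """Return (address, mnemonic, reason) for each potential VME-detection instruction."""
    hits, last_eax = [], None
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = m.group("addr"), m.group("mnem").lower(), m.group("ops").lower()
        if mnem == "mov" and ops.strip().startswith("eax,"):
            last_eax = ops.split(",", 1)[1].strip()   # remember the most recent CPUID leaf
        if mnem in VME_INSTRUCTIONS:
            reason = VME_INSTRUCTIONS[mnem]
            if mnem == "cpuid" and last_eax == "40000000h":
                reason = "CPUID hypervisor leaf 0x40000000 (vendor query)"
                last_eax = None                        # leaf consumed by this CPUID
            hits.append((addr, mnem, reason))
    return hits

def decode_hypervisor_vendor(ebx, ecx, edx):
    """Rebuild the 12-byte vendor string CPUID leaf 0x40000000 leaves in EBX, ECX, EDX."""
    raw = struct.pack("<III", ebx, ecx, edx).decode("ascii", errors="replace")
    return HYPERVISOR_VENDORS.get(raw, "unknown (" + raw.rstrip("\0") + ")")

# Constructed IDA-style listing used to exercise the scanner.
SAMPLE_LISTING = """
.text:00401000 push    ebp
.text:00401001 mov     ebp, esp
.text:00401003 mov     eax, 40000000h
.text:00401008 cpuid
.text:0040100A mov     [ebp-4], ebx
.text:0040100D xor     eax, eax
.text:0040100F imul    eax, eax
.text:00401012 sidt    fword ptr [ebp-0Ch]
.text:00401016 pop     ebp
.text:00401017 retn
"""
```

Running `scan_listing(SAMPLE_LISTING)` reports the CPUID at 00401008 as the vendor query plus the IMUL and SIDT, and `decode_hypervisor_vendor(0x61774D56, 0x4D566572, 0x65726177)` yields "VMware".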

Remember that this script only helps to identify functions that potentially detect a VME; there can be several false positives. Ideally, check the results according to your own needs or use it as a form of review.

reverse engineering and malware tales | LinkedIn: @isdebuggerpresent
