Mapping potential usage of Virtual Machine Environment (VME) detection
To evade detection and analysis by security researchers, malware may check if it is running under a virtualized environment such as virtual machine in VirtualBox and VMWare. If these checks indicate that it is being run in a VM, the malware will simply not run, and in some cases, delete itself to prevent analysis.
A common approach to analyse potentially malicious software is dynamic analysis. The binary is executed in an analysis environment, usually a Virtual Machine (VM), and its behaviour in the system is inspected.
Many Virtual Machine Environent (VME) are easily detectable:
- File System
- Services
- Hardware Information
- Registry Keys
- Specific processor instructions and Capabilities
A really nice way is to use python to map potential functions that make use of certain instructions that allow or make it possible to identify whether they are in a VME. The following python script will scan the assembly code in IDA-Pro and highlight instructions corresponding to potential Anti VM techniques:
"""
Source: Practical Malware Analysis
"""
from idautils import *
from idc import *
heads = Heads(SegStart(ScreenEA()), SegEnd(ScreenEA()))
antiVM = []
for i in heads:
if (GetMnem(i) == "sidt" \
or GetMnem(i) == "sgdt" \
or GetMnem(i) == "sldt" \
or GetMnem(i) == "smsw" \
or GetMnem(i) == "str" \
or GetMnem(i) == "in" \
or GetMnem(i) == "icebp" \
or GetMnem(i) == "imul" \
or GetMnem(i) == "cpuid"):
antiVM.append(i)
print "Number of potential Anti-VM instructions: %d" % (len(antiVM))
for i in antiVM:
SetColor(i, CIC_ITEM, 0x0000ff)
Message("Anti-VM: %08x\n" % i)
These instructions above can be used to identify VME, example: According to Intel CPU Instruction documentation, for IMUL instruction only carry flag (CF) and overflow flag (OF) get affected after execution and status of all other flags are undefined. These undefined flag values change (set or reset) according to the execution environment. In a real machine these undefined flags do not get affected, but in case of virtual machine these flag values change, see below:
Malware exploits this behavior to detect the virtual environment. Although the most common is CPUID:
A program can use the CPUID to determine processor type and whether features such as MMX/SSE are implemented. A way to identify an virtual environment is calling the cpuid instruction when eax equal to 0x40000000 The CPUID instruction will returns process identification and feature information to EBX, ECX, EDX. The information received to these registers in a virtual environment is used to identify a vendor. Se a example below writed by SWaNk
;FreeBSD HV 0x40000000 bhyve bhyve
;Hyper-V 0x40000000 Microsoft Hv
;KVM 0x40000000 KVMKVMKVM
;Parallels 0x40000000 prl hyperv
;VirtualBox 0x40000000 VBoxVBoxVBox
;VirtualPC 0x40000000 Microsoft Hv
;VMWare 0x40000000 VMwareVMware
;Xen 0x40000000 XenVMMXenVMMformat PE GUI 4.0
entry startinclude 'win32ax.inc';%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.text' code readable executablestart:mov eax, 0x40000000
cpuid
cmp ecx, 0x4D566572 ;MVer
jne NotVMWare
cmp edx, 0x65726177 ;eraw
jne NotVMWare
jmp isVMWareNotVMWare:
invoke MessageBox, NULL, szSussa, szTitulo, MB_OK
jmp _exitisVMWare:
invoke MessageBox, NULL, szDebug, szTitulo, MB_OK
jmp _exit_exit:
invoke ExitProcess, 0;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.data' code readable writeableszTitulo db "Anti-rev by SWaNk",0
szSussa db "Sussa, ninguem olhando...",0
szDebug db "Cilada bino...",0;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.idata' import data readable writeablelibrary kernel32,'kernel32.dll',\
user32,'user32.dll',\
shell32,'shell32.dll'include '%fasm%\INCLUDE\api\kernel32.inc'
include '%fasm%\INCLUDE\api\user32.inc'
include '%fasm%\INCLUDE\api\shell32.inc'
Remember that this script only helps to identify potential functions to identify VME, there can be several false positives during use. The ideal is to check according to your need or use it as a form of review.