Mapping potential usage of Virtual Machine Environment (VME) detection

To evade detection and analysis by security researchers, malware may check whether it is running inside a virtualized environment such as a VirtualBox or VMware virtual machine. If these checks indicate that it is running in a VM, the malware simply does not run and, in some cases, deletes itself to prevent analysis.

A common approach to analysing potentially malicious software is dynamic analysis: the binary is executed in an analysis environment, usually a Virtual Machine (VM), and its behaviour on the system is inspected.

Many Virtual Machine Environments (VMEs) are easily detectable through artefacts such as:

  • File System
  • Services
  • Hardware Information
  • Registry Keys
  • Specific processor instructions and capabilities

A convenient way to approach this is to use Python to map the functions that use instructions which make it possible to identify a VME. The following IDAPython script scans the assembly code of the current segment in IDA Pro and highlights instructions corresponding to potential anti-VM techniques:

"""
Source: Practical Malware Analysis
"""

from idautils import *
from idc import *

heads = Heads(SegStart(ScreenEA()), SegEnd(ScreenEA()))
antiVM = []
for i in heads:
if (GetMnem(i) == "sidt" \
or GetMnem(i) == "sgdt" \
or GetMnem(i) == "sldt" \
or GetMnem(i) == "smsw" \
or GetMnem(i) == "str" \
or GetMnem(i) == "in" \
or GetMnem(i) == "icebp" \
or GetMnem(i) == "imul" \
or GetMnem(i) == "cpuid"):
antiVM.append(i)
print "Number of potential Anti-VM instructions: %d" % (len(antiVM))
for i in antiVM:
SetColor(i, CIC_ITEM, 0x0000ff)
Message("Anti-VM: %08x\n" % i)

The instructions above can be used to identify a VME. For example, according to Intel's instruction documentation, the IMUL instruction affects only the carry flag (CF) and the overflow flag (OF); the state of all other flags is undefined after execution. These undefined flag values change (set or reset) according to the execution environment: on a real machine the undefined flags are not affected, but in a virtual machine their values change, as the screenshots below show:

Screenshots (not reproduced here): flags after IMUL execution on a normal system; flags before IMUL execution in a VM; flags after IMUL execution in a VM.

Malware exploits this behaviour to detect the virtual environment, although the most common technique is CPUID:

Screenshot (not reproduced here): result of the script in IDA Pro.

A program can use CPUID to determine the processor type and whether features such as MMX/SSE are implemented. One way to identify a virtual environment is to execute the CPUID instruction with EAX equal to 0x40000000. CPUID returns identification and feature information in EBX, ECX and EDX; in a virtual environment, the values these registers receive for this leaf identify the hypervisor vendor. See the example below, written by SWaNk:

;FreeBSD HV   0x40000000  bhyve bhyve
;Hyper-V      0x40000000  Microsoft Hv
;KVM          0x40000000  KVMKVMKVM
;Parallels    0x40000000  prl hyperv
;VirtualBox   0x40000000  VBoxVBoxVBox
;VirtualPC    0x40000000  Microsoft Hv
;VMWare       0x40000000  VMwareVMware
;Xen          0x40000000  XenVMMXenVMM
format PE GUI 4.0
entry start
include 'win32ax.inc'
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.text' code readable executable
start:
        mov eax, 0x40000000          ; hypervisor vendor leaf
        cpuid                        ; vendor signature is returned in EBX:ECX:EDX
        cmp ecx, 0x4D566572          ; "reVM" as a little-endian dword
        jne NotVMWare
        cmp edx, 0x65726177          ; "ware" as a little-endian dword
        jne NotVMWare
        jmp isVMWare
NotVMWare:
        invoke MessageBox, NULL, szSussa, szTitulo, MB_OK
        jmp _exit
isVMWare:
        invoke MessageBox, NULL, szDebug, szTitulo, MB_OK
        jmp _exit
_exit:
        invoke ExitProcess, 0
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.data' data readable writeable   ; message strings
szTitulo db "Anti-rev by SWaNk",0
szSussa  db "Sussa, ninguem olhando...",0
szDebug  db "Cilada bino...",0
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
section '.idata' import data readable writeable
library kernel32,'kernel32.dll',\
        user32,'user32.dll',\
        shell32,'shell32.dll'
include '%fasm%\INCLUDE\api\kernel32.inc'
include '%fasm%\INCLUDE\api\user32.inc'
include '%fasm%\INCLUDE\api\shell32.inc'

Remember that this script only helps to identify functions that may be used to detect a VME; there can be several false positives. Ideally, verify each hit according to your needs or use the output as a review aid.
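As an added illustration (not part of the original post or of the IDAPython script above), the same mnemonic list can be applied outside IDA to a plain-text disassembly listing, pairing a cpuid with a preceding "mov eax, 0x40000000", and the EBX:ECX:EDX values from such a query can be decoded against the vendor table above. The sample listing, the regexes and the helper names are constructed for this example.

```python
import re
import struct

# Mnemonics the post's IDAPython script treats as potential anti-VM instructions.
ANTI_VM_MNEMONICS = {"sidt", "sgdt", "sldt", "smsw", "str", "in", "icebp", "imul", "cpuid"}
# Hypervisor signatures returned by CPUID leaf 0x40000000 (the post's table), padding stripped.
HV_VENDORS = {
    "bhyve bhyve": "bhyve", "Microsoft Hv": "Hyper-V / VirtualPC", "KVMKVMKVM": "KVM",
    "prl hyperv": "Parallels", "VBoxVBoxVBox": "VirtualBox",
    "VMwareVMware": "VMware", "XenVMMXenVMM": "Xen",
}
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+([A-Za-z]+)\b\s*(.*)$")      # addr  mnem  operands
HV_LEAF_RE = re.compile(r"^eax\s*,\s*(0x40000000|40000000h)\s*$", re.I)  # mov eax, 0x40000000

def decode_hv_signature(ebx, ecx, edx):
    """Rebuild the 12-byte vendor string CPUID leaf 0x40000000 returns in EBX:ECX:EDX."""
    sig = struct.pack("<III", ebx, ecx, edx).decode("ascii", "replace").rstrip(" \0")
    return HV_VENDORS.get(sig, "unknown (%r)" % sig)

def scan_listing(text):
    """Return potential anti-VM instructions found in a plain-text disassembly listing."""
    hits, prev = [], None  # prev = (mnemonic, operands) of the preceding instruction
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = int(m.group(1), 16), m.group(2).lower(), m.group(3)
        if mnem in ANTI_VM_MNEMONICS:
            note = ""
            # A cpuid right after "mov eax, 0x40000000" is a hypervisor vendor query.
            if mnem == "cpuid" and prev and prev[0] == "mov" and HV_LEAF_RE.match(prev[1]):
                note = "leaf 0x40000000: hypervisor vendor query"
            hits.append({"addr": addr, "mnem": mnem, "note": note})
        prev = (mnem, ops)
    return hits

# Constructed sample listing (not from any real binary), using IDA-style "h" immediates.
SAMPLE_LISTING = """\
00401003  mov eax, 40000000h
00401008  cpuid
0040100A  cmp ecx, 4D566572h
00401012  sidt fword ptr [esp]
00401016  imul eax, eax, 7
0040101E  in eax, dx
"""
if __name__ == "__main__":
    for h in scan_listing(SAMPLE_LISTING):
        print("Anti-VM: %08x %-5s %s" % (h["addr"], h["mnem"], h["note"]))
    print(decode_hv_signature(0x61774D56, 0x4D566572, 0x65726177))  # VMware
```

Like the IDA script, this flags every imul and in, so the hit list is a starting point for manual review rather than a verdict.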

reverse engineering and malware tales. LinkedIn: @isdebuggerpresent
