Virtual Machine Detection Techniques

This post covers the techniques the analyzed sample uses to detect a virtualized (or otherwise instrumented) analysis environment.
Sample Analyzed -
hxxps://virustotal.com/en/file/46686679e58fe4767e6796ddb27f31f3a46e4310abb6cf51b031a0181ba08ddf/analysis/

1.VMware Backdoor
This technique uses a special I/O port ('VX', 5658h) to send a command to the VMware hypervisor and read back its answer in the CPU registers.

VMware command execution code (screenshot):
In the image above the VMware I/O port is 'VX' (5658h), loaded into DX, and the command number in ECX is 0x0A (get VMware version); EAX holds the magic value 'VMXh' (564D5868h) when the 'in eax, dx' instruction executes. That instruction is privileged, so on real hardware it raises an exception that the sample has to catch with an exception handler. Inside VMware the hypervisor intercepts it instead: the magic value comes back in EBX and the VMware version is returned in EAX.
More About VM Backdoor Port https://sites.google.com/site/chitchatvmback/backdoor

2.VPCEXT
The VPCEXT instruction (opcode 0F 3F) is used to detect the presence of Microsoft Virtual PC.
If the opcode 0F 3F b1 b2 is executed outside Virtual PC, the CPU does not know it and raises an illegal-instruction exception (#UD), which the sample catches. Inside Virtual PC the instruction is emulated by the hypervisor, and the value left in the EBX register is then checked: EBX equal to 0 means Virtual PC was detected.
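Added example, not code from the post or the analyzed sample: a C reimplementation of both probes above, showing the part the screenshots leave implicit, namely that each instruction faults on real hardware and must run under an exception handler before the register result means anything. It builds with GCC or Clang on x86 Linux or macOS, using POSIX signals where the Windows sample uses SEH (the MSVC x86 equivalent wraps the same instructions in __asm inside __try/__except). The constants are the backdoor's (port 'VX', magic 'VMXh', command 0x0A); the function names, the result enum and the ECX product-type names are this example's own assumptions. The live probe result naturally depends on the machine it runs on.

```c
/* Added example, not code from the post or the analyzed sample. Both probes
 * above execute an instruction that faults on real hardware, so they only
 * work under an exception handler, and "no fault" is half of the verdict:
 *   "in eax, dx" on port 'VX' is privileged in ring 3 -> #GP (SIGSEGV on
 *   Linux, EXCEPTION_PRIV_INSTRUCTION on Windows);
 *   opcode 0F 3F 07 0B is undefined outside Virtual PC -> #UD (SIGILL /
 *   EXCEPTION_ILLEGAL_INSTRUCTION).
 * POSIX signals play the role of the sample's SEH. Builds with GCC/Clang;
 * the inline-asm probes need x86, elsewhere they report "unsupported". */
#define _DEFAULT_SOURCE                 /* sigaction/sigsetjmp on glibc */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VMWARE_MAGIC 0x564D5868u        /* 'VMXh': EAX on entry, EBX on return */
#define VMWARE_PORT  0x5658u            /* 'VX' in DX */
#define VMWARE_CMD_GETVERSION 0x0Au     /* command number in ECX */

typedef struct { uint32_t eax, ebx, ecx; } regs_t;
typedef void (*probe_fn)(regs_t *);
typedef enum { PROBE_UNSUPPORTED = -1, PROBE_NOT_DETECTED, PROBE_DETECTED } probe_result;

/* run_guarded: call fn(r); return 1 if it completed, 0 if it faulted. */
static sigjmp_buf guard_env;
static void guard_handler(int sig) { (void)sig; siglongjmp(guard_env, 1); }
static int run_guarded(probe_fn fn, regs_t *r) {
    static const int sigs[] = { SIGSEGV, SIGILL, SIGBUS, SIGTRAP };
    struct sigaction sa, old[4];
    volatile int ok = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = guard_handler;
    sigemptyset(&sa.sa_mask);
    for (int i = 0; i < 4; i++) sigaction(sigs[i], &sa, &old[i]);
    if (sigsetjmp(guard_env, 1) == 0) { fn(r); ok = 1; }  /* a fault resumes here */
    for (int i = 0; i < 4; i++) sigaction(sigs[i], &old[i], NULL);
    return ok;
}

#if defined(__i386__) || defined(__x86_64__)
#define HAVE_X86_PROBES 1
static void vmware_probe(regs_t *r) {        /* the sample's "in eax, dx" sequence */
    uint32_t a = VMWARE_MAGIC, b = 0, c = VMWARE_CMD_GETVERSION;
    __asm__ volatile ("inl %%dx, %%eax" : "+a"(a), "+b"(b), "+c"(c) : "d"(VMWARE_PORT));
    r->eax = a; r->ebx = b; r->ecx = c;
}
static void vpc_probe(regs_t *r) {           /* VPCEXT with EBX cleared beforehand */
    uint32_t a = 1, b = 0;
    __asm__ volatile (".byte 0x0f, 0x3f, 0x07, 0x0b" : "+a"(a), "+b"(b) : : "ecx", "edx", "memory");
    r->eax = a; r->ebx = b; r->ecx = 0;
}
#else
#define HAVE_X86_PROBES 0
static void vmware_probe(regs_t *r) { (void)r; }
static void vpc_probe(regs_t *r) { (void)r; }
#endif

static const char *vmware_product_name(uint32_t ecx) {   /* ECX after GETVERSION (assumed mapping) */
    switch (ecx) {
    case 1: return "Express"; case 2: return "ESX"; case 3: return "GSX"; case 4: return "Workstation";
    default: return "unknown";
    }
}
/* VMware: the "in" completed AND EBX came back as the magic; EAX is then the
 * backdoor version and ECX the product type. A fault means real hardware. */
static probe_result classify_vmware(int completed, const regs_t *r) {
    return (completed && r->ebx == VMWARE_MAGIC) ? PROBE_DETECTED : PROBE_NOT_DETECTED;
}
/* Virtual PC: the opcode executed (no #UD) and left EBX at 0. */
static probe_result classify_vpc(int completed, const regs_t *r) {
    return (completed && r->ebx == 0) ? PROBE_DETECTED : PROBE_NOT_DETECTED;
}
static probe_result detect_vmware(regs_t *r) {
    return HAVE_X86_PROBES ? classify_vmware(run_guarded(vmware_probe, r), r) : PROBE_UNSUPPORTED;
}
static probe_result detect_vpc(regs_t *r) {
    return HAVE_X86_PROBES ? classify_vpc(run_guarded(vpc_probe, r), r) : PROBE_UNSUPPORTED;
}
/* Self-test probes: a deliberate null write faults on every platform and stands
 * in for the #GP that the "in" raises on real hardware. */
static void selftest_fault(regs_t *r) { (void)r; *(volatile int *)0 = 0; }
static void selftest_ok(regs_t *r) { r->eax = 42; }

static const char *verdict(probe_result p) {
    return p == PROBE_DETECTED ? "detected" : p == PROBE_NOT_DETECTED ? "not detected" : "unsupported";
}
int main(void) {
    regs_t r = { 0, 0, 0 };
    probe_result v = detect_vmware(&r);
    printf("VMware backdoor: %s", verdict(v));
    if (v == PROBE_DETECTED) printf(" (version %u, product %s)", r.eax, vmware_product_name(r.ecx));
    printf("\nVirtual PC VPCEXT: %s\n", verdict(detect_vpc(&r)));
    return 0;
}
```

Run it on a physical host and both probes report "not detected" because the guard caught the fault; run it in a VMware guest and the first line carries the version and product type. Keeping the classifiers separate from the probes is what makes the decision logic testable on any machine, including the register values a debugger shows when stepping the sample.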

3.DMIDECODE Utility
dmidecode is a tool for dumping a computer's DMI (also called SMBIOS) table contents in a human-readable format. Hypervisors fill that table with their own vendor and product strings, which is what the sample looks for.
About dmidecode http://gnuwin32.sourceforge.net/packages/dmidecode.htm

The sample first checks whether the dmidecode utility is present on the system. If it is, dmidecode is started without any parameters.
The output of the dmidecode command is then read.
Finally the sample searches the dmidecode output for the pattern below using a Perl-compatible regular expression.
Pattern to search (screenshot):
Instructions that check for the above pattern in the dmidecode output (screenshot):
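Added example, not code from the post or the sample: the dmidecode procedure above in C, from the presence check on PATH, through running the tool with popen, to scanning its output. The post's regular expression survives only in the screenshot, so the marker table here (VMware, VirtualBox and its "innotek" BIOS vendor, QEMU, Bochs, Xen, Parallels, and Hyper-V's "Virtual Machine" product name) is an assumption based on the strings those hypervisors place in their SMBIOS tables, and the abridged dumps at the end are constructed. On Linux dmidecode needs root to read the table; an empty dump simply scans as no match.

```c
/* Added example, not code from the post or the sample: the dmidecode procedure
 * above in C, from the PATH presence check through running the tool with popen
 * to scanning its output. The post's regular expression survives only in the
 * screenshot, so the marker table is my assumption (strings hypervisors put in
 * their SMBIOS tables); the sample dumps at the end are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <io.h>
#define access(p, m) _access(p, m)
#define popen  _popen
#define pclose _pclose
#define DMIDECODE_EXE "dmidecode.exe"
#define PATH_SEP ';'
#else
#include <unistd.h>
#define DMIDECODE_EXE "dmidecode"
#define PATH_SEP ':'
#endif

/* Marker (matched case-insensitively) and the product it points at. */
static const struct { const char *marker; const char *product; } DMI_MARKERS[] = {
    { "VMware",          "VMware" },
    { "VirtualBox",      "VirtualBox" },
    { "innotek",         "VirtualBox" },     /* BIOS vendor string of VirtualBox */
    { "QEMU",            "QEMU/KVM" },
    { "Bochs",           "Bochs" },
    { "Xen",             "Xen" },
    { "Parallels",       "Parallels" },
    { "Virtual Machine", "Hyper-V" },        /* Product Name on Hyper-V guests */
};

/* Case-insensitive substring search; dmidecode output is plain ASCII. */
static const char *strcasestr_ascii(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return hay;
    }
    return NULL;
}

/* Step 4: product for the first marker found in a dump, NULL when none matches
 * (an empty dump, e.g. dmidecode run without root, also yields NULL). */
static const char *scan_dmi_output(const char *text) {
    for (size_t i = 0; i < sizeof DMI_MARKERS / sizeof DMI_MARKERS[0]; i++)
        if (strcasestr_ascii(text, DMI_MARKERS[i].marker)) return DMI_MARKERS[i].product;
    return NULL;
}

/* Step 1: is dmidecode somewhere on PATH? */
static int dmidecode_on_path(void) {
    const char *path = getenv("PATH");
    char copy[4096], full[4352];
    if (!path) return 0;
    strncpy(copy, path, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    for (char *dir = copy; dir; ) {
        char *sep = strchr(dir, PATH_SEP);
        if (sep) *sep++ = '\0';
        if (*dir) {
            snprintf(full, sizeof full, "%s/%s", dir, DMIDECODE_EXE);
            if (access(full, 0) == 0) return 1;
        }
        dir = sep;
    }
    return 0;
}

/* Steps 2-3: run dmidecode with no arguments and collect its stdout. */
static size_t run_dmidecode(char *buf, size_t cap) {
    FILE *p = popen(DMIDECODE_EXE, "r");
    size_t n = 0;
    if (!p) { buf[0] = '\0'; return 0; }
    n = fread(buf, 1, cap - 1, p);
    buf[n] = '\0';
    pclose(p);
    return n;
}

/* Constructed, abridged dmidecode output for exercising the scanner offline. */
static const char SAMPLE_VMWARE[] =
    "System Information\n\tManufacturer: VMware, Inc.\n\tProduct Name: VMware Virtual Platform\n";
static const char SAMPLE_VBOX[] =
    "BIOS Information\n\tVendor: innotek GmbH\n\tVersion: VirtualBox\n";
static const char SAMPLE_PHYSICAL[] =
    "System Information\n\tManufacturer: Dell Inc.\n\tProduct Name: Latitude 7400\n";

int main(void) {
    static char dump[1 << 16];
    if (!dmidecode_on_path()) { puts("dmidecode not on PATH: check skipped"); return 0; }
    run_dmidecode(dump, sizeof dump);
    const char *hit = scan_dmi_output(dump);
    printf("dmidecode: %s\n", hit ? hit : "no hypervisor marker");
    return 0;
}
```

The skip when dmidecode is absent mirrors the sample's own behaviour: a sandbox that simply does not ship the tool passes this check untouched, which is why it is only one of several techniques in the sample. A short marker such as "Xen" is worth reviewing against real dumps before relying on it, since the table above is an assumption rather than the sample's regular expression.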
4.DEEP FREEZE
Deep Freeze protects endpoints by "freezing" a snapshot of a computer's desired configuration and settings as defined by the IT admin; with a reboot, any unwelcome or unwanted changes are removed and the system is restored to its pristine frozen state. Such reboot-to-restore software is typical of lab, classroom and kiosk machines rather than an ordinary victim's workstation, which is why the sample treats it like a VM indicator.
About Deep Freeze http://www.faronics.com/products/deep-freeze

The sample detects whether the Deep Freeze service "DFServ" is installed by opening it with the OpenServiceW Windows API (which needs a service control manager handle from OpenSCManagerW first). If Deep Freeze is installed, a valid handle is returned and the AL register is set to 1, meaning Deep Freeze was detected. Note that OpenServiceW also returns NULL when the caller lacks the requested access rights, so a NULL handle by itself does not prove the service is absent; GetLastError distinguishes ERROR_SERVICE_DOES_NOT_EXIST from ERROR_ACCESS_DENIED.
Deep Freeze service running on the system (screenshot):
5.REGISTRY ENTRIES, DRIVER FILES
Detect registry entries and driver files related to QEMU, VirtualBox and VMware. All registry paths below are relative to HKEY_LOCAL_MACHINE, and the driver paths are under the Windows system directory (for a 32-bit process on 64-bit Windows, file system redirection points system32 at SysWOW64, where these kernel drivers do not live).

a.QEMU
Read the values of the registry entries below, convert each value to uppercase and search it for the string "QEMU". (SystemBiosVersion is a REG_MULTI_SZ value holding several strings, so the whole buffer has to be searched, not just the first string.)
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
HARDWARE\Description\System\SystemBiosVersion

b.VIRTUAL BOX
Read the values of the registry entries below, convert each value to uppercase and search it for the string "VBOX".
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
HARDWARE\Description\System\SystemBiosVersion

Read the value of the registry entry below, convert it to uppercase and search it for the string "VIRTUALBOX".
HARDWARE\Description\System\VideoBiosVersion

Check whether the registry key below exists.
SOFTWARE\Oracle\VirtualBox Guest Additions

Check whether the driver file below exists.
WINDOWS\system32\drivers\VBoxMouse.sys

c.VMWARE
Read the value of the registry entry below, convert it to uppercase and search it for the string "VMWARE".
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier

Check whether the registry key below exists.
SOFTWARE\VMware, Inc.\VMware Tools

Check whether the driver files below exist.
WINDOWS\system32\drivers\vmhgfs.sys
WINDOWS\system32\drivers\vmmouse.sys
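Added example, not code from the post or the sample: the Deep Freeze service check of section 4 and the registry and driver-file checks of section 5 re-implemented with Win32 calls, driven by one table of the artifacts the post lists. The product labels, function names and the handling of error codes and WOW64 views are this example's own. The marker matcher and the service decision are plain C so they can be tested on any platform; the Win32 walk itself only builds under _WIN32. The REG_MULTI_SZ sample value is constructed, modelled on the "VBOX   - 1" entry VirtualBox guests carry in SystemBiosVersion.

```c
/* Added example, not code from the post or the sample: the Deep Freeze,
 * registry and driver-file checks of sections 4 and 5 with Win32 calls.
 * The artifact list is the post's; product labels, function names and the
 * error-code/WOW64 handling are mine. The matcher and the service decision
 * are portable and testable; the Win32 walk builds only under _WIN32. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { CHK_REG_VALUE, CHK_REG_KEY, CHK_FILE, CHK_SERVICE } check_kind;
typedef struct { const char *product; check_kind kind; const char *path;
                 const char *value; const char *marker; } artifact;
#define SCSI_LUN0 "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"
#define SYS_DESC  "HARDWARE\\Description\\System"

/* Registry paths are under HKLM; file paths are relative to the system directory. */
static const artifact ARTIFACTS[] = {
    { "QEMU",        CHK_REG_VALUE, SCSI_LUN0, "Identifier",        "QEMU" },
    { "QEMU",        CHK_REG_VALUE, SYS_DESC,  "SystemBiosVersion", "QEMU" },
    { "VirtualBox",  CHK_REG_VALUE, SCSI_LUN0, "Identifier",        "VBOX" },
    { "VirtualBox",  CHK_REG_VALUE, SYS_DESC,  "SystemBiosVersion", "VBOX" },
    { "VirtualBox",  CHK_REG_VALUE, SYS_DESC,  "VideoBiosVersion",  "VIRTUALBOX" },
    { "VirtualBox",  CHK_REG_KEY,   "SOFTWARE\\Oracle\\VirtualBox Guest Additions", NULL, NULL },
    { "VirtualBox",  CHK_FILE,      "drivers\\VBoxMouse.sys", NULL, NULL },
    { "VMware",      CHK_REG_VALUE, SCSI_LUN0, "Identifier",        "VMWARE" },
    { "VMware",      CHK_REG_KEY,   "SOFTWARE\\VMware, Inc.\\VMware Tools", NULL, NULL },
    { "VMware",      CHK_FILE,      "drivers\\vmhgfs.sys", NULL, NULL },
    { "VMware",      CHK_FILE,      "drivers\\vmmouse.sys", NULL, NULL },
    { "Deep Freeze", CHK_SERVICE,   "DFServ", NULL, NULL },
};
#define N_ARTIFACTS (sizeof ARTIFACTS / sizeof ARTIFACTS[0])

/* Case-insensitive marker search over a raw registry buffer. SystemBiosVersion
 * and VideoBiosVersion are REG_MULTI_SZ (NUL-separated strings), so a strstr
 * that stops at the first NUL can miss the marker; this walks the full length. */
static int buffer_has_marker(const char *buf, size_t len, const char *marker) {
    size_t m = strlen(marker);
    for (size_t i = 0; i + m <= len; i++) {
        size_t j = 0;
        while (j < m && toupper((unsigned char)buf[i + j]) == toupper((unsigned char)marker[j])) j++;
        if (j == m) return 1;
    }
    return 0;
}
/* Constructed REG_MULTI_SZ value (two strings, double-NUL terminated): the
 * "VBOX   - 1" entry sits past the first NUL, where strstr never looks. */
static const char SAMPLE_MULTI_SZ[] = "BIOS Date: 12/01/06 22:00:00 Ver: 08.00.10\0VBOX   - 1\0";

typedef enum { SVC_ABSENT, SVC_PRESENT, SVC_UNKNOWN } svc_state;
/* OpenServiceW returns NULL both when the service is missing and when the
 * caller may not open it: ERROR_SERVICE_DOES_NOT_EXIST (1060) proves absence,
 * ERROR_ACCESS_DENIED (5) proves the service exists. */
static svc_state service_state_from_open(int got_handle, unsigned long last_error) {
    if (got_handle) return SVC_PRESENT;
    if (last_error == 1060UL) return SVC_ABSENT;
    return last_error == 5UL ? SVC_PRESENT : SVC_UNKNOWN;
}

#ifdef _WIN32
#include <windows.h>
/* Opens HKLM\subkey in the 64-bit view (a 32-bit process is otherwise shown the
 * WOW6432Node SOFTWARE tree); with value == NULL only key existence counts. */
static int reg_check(const char *subkey, const char *value, const char *marker) {
    HKEY k; BYTE buf[2048]; DWORD len = sizeof buf, type = 0; LONG rc;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, subkey, 0, KEY_READ | KEY_WOW64_64KEY, &k) != ERROR_SUCCESS) return 0;
    rc = value ? RegQueryValueExA(k, value, NULL, &type, buf, &len) : ERROR_SUCCESS;
    RegCloseKey(k);
    if (!value) return 1;
    return rc == ERROR_SUCCESS && (type == REG_SZ || type == REG_MULTI_SZ)
        && buffer_has_marker((const char *)buf, len, marker);
}
static int driver_file_exists(const char *rel) {
    char path[MAX_PATH]; PVOID old = NULL;
    UINT n = GetSystemDirectoryA(path, MAX_PATH);
    snprintf(path + n, MAX_PATH - n, "\\%s", rel);
    /* Lift WOW64 redirection, or a 32-bit process checks SysWOW64\drivers. */
    BOOL lifted = Wow64DisableWow64FsRedirection(&old);
    DWORD attr = GetFileAttributesA(path);
    if (lifted) Wow64RevertWow64FsRedirection(old);
    return attr != INVALID_FILE_ATTRIBUTES;
}
static svc_state service_state(const char *name) {
    SC_HANDLE scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_CONNECT);
    if (!scm) return SVC_UNKNOWN;
    SC_HANDLE s = OpenServiceA(scm, name, SERVICE_QUERY_STATUS);
    DWORD err = s ? 0 : GetLastError();
    if (s) CloseServiceHandle(s);
    CloseServiceHandle(scm);
    return service_state_from_open(s != NULL, err);
}
static int artifact_present(const artifact *a) {
    switch (a->kind) {
    case CHK_REG_VALUE: case CHK_REG_KEY: return reg_check(a->path, a->value, a->marker);
    case CHK_FILE:      return driver_file_exists(a->path);
    default:            return service_state(a->path) == SVC_PRESENT;
    }
}
#else
static int artifact_present(const artifact *a) { (void)a; return 0; }  /* not Windows */
#endif

int main(void) {
    for (size_t i = 0; i < N_ARTIFACTS; i++)
        if (artifact_present(&ARTIFACTS[i]))
            printf("%s: %s %s\n", ARTIFACTS[i].product, ARTIFACTS[i].path, ARTIFACTS[i].value ? ARTIFACTS[i].value : "");
    return 0;
}
```

Built as a 64-bit binary on a VirtualBox guest this prints the VBOX artifacts; built as 32-bit without the KEY_WOW64_64KEY flag and the redirection calls, the Guest Additions key and the driver files can go unnoticed, which is exactly the blind spot an analyst can exploit when deciding which artifacts a sandbox needs to hide. The table form also makes it easy to diff the sample's list against what a given sandbox actually exposes.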
