California State University Los Angeles Anti Virtual Machine Techniques Discussion In one page, discuss some of the anti-virtual machine techniques can be

California State University Los Angeles Anti Virtual Machine Techniques Discussion In one page, discuss some of the anti-virtual machine techniques can be used by malware authors to exploit virtual machine appliances besides VMware. Your discussion can also include experimental or proof-on-concept techniques. IT-777
Malware Analysis
Anti-Virtual Machine Techniques
• Introduction
• VMware Artifacts
• Bypassing VMware Artifact Searching
• Vulnerable instructions
• Virtual machines (VM) are widely used for malware analysis
• Malware authors adopt anti-malware techniques to impede analysis
• Malware is designed in such a way that:
• It detects whether it is being executed from a VM
• It changes its behavior or does not even run at all
• Examples of malware that employs anti vm techniques
• Scareware
• Spyware
• Bots
VMware Artifacts
• VMware is popular VM which leaves many artifacts on a system
where it’s installed
• These artifacts can be traced from:
• OS filesystem
• Registry of windows
• Process listings
VMware Artifacts
• Processes that execute when a
standard VMware image is installed
• VMwareService.exe
• VMwareTray.exe
• VMwareUser.exe
VMware Artifacts
• VMwareService.exe runs the VMware Tools Service as a child
of services.exe.
• You can use the netstat command search the registry for services
installed on a machine
VMware Artifacts
• The installation folder and registry may also contain artifacts
• Searching the registry can reveal keys with information about
adaptors, virtual mouse and virtual hard drives
VMware Artifacts
• VMs have their own virtual network interface cards (NIC) which
enables them to connect to the network
• VMware also creates a MAC address for the VM
• Depending on the configuration, the network adaptor identifies usage of
• The first 3 bytes of a MAC address are specific to the vendor
• MAC addresses starting with 00:0C:29 are associated with VMware
• VMware MAC addresses change from version to version
• A malware author can check the VM’s MAC address for VMware values
VMware Artifacts
• Malware can detect VMware by other hardware like the motherboard
• Malware checking versions of hardware may be trying to detect
• Look for the code that checks MAC addresses or hardware versions
• Patch the code to avoid that checking
• You can also uninstall VMware tools to prevent artifact checking
Bypassing VMware Artifact Searching
• 2-step process for defeating malware
that searches for VMware artifacts:
• Step 1 – identify the check
• Step 2 – patch it
• Example
• We run strings against the malware
• Findings reveal that the binary contains
the string “VMwareTray.exe”
Bypassing VMware Artifact Searching
• Example (ctd)
• Further analysis reveals it is scanning for
processes with functions like
• CreateToolhelp32Snapshot, Process32Next etc
• strncmp at ? is comparing the
VMwareTray.exe string
• It’s a result of converting
processentry32.szExeFile to ASCII to determine
if the process name is in the process listing
• If VMwareTray.exe is discovered in the
process listing, the program will
immediately terminate as at 0x4010c2
Bypassing VMware Artifact Searching
• Example (ctd)
• How to avoid this detection
• Patch the binary while debugging to prevent
the jump at 0x4010a5
• Use a hex editor to modify the VMwareTray.exe
string to read XXXareTray.exe to prevent the
comparison fail
• Uninstall VMware Tools so that
VMwareTray.exe will no longer run.
Checking memory for artifacts
• VMware leaves many artifacts in memory arising from the
virtualization process
• Some artifacts are critical processor structures which leave traceable
• One technique commonly used to detect memory artifacts is a search
through physical memory for the string VMware
Vulnerable instructions
• VM monitor program monitors VM’s execution
• In kernel mode
• VMware uses binary translation for emulation
• Some privileged instructions in kernel mode are interpreted and emulated (they don’t
execute from the physical processor)
• In user mode
• the code runs directly on the processor
• nearly every instruction that interacts with hardware is either privileged or generates a
kernel trap or interrupt
• VMware catches all the interrupts and processes them hence the VM thinks it is a
regular machine
• VM monitor program has vulnerabilities that can be exploited by
malware to detect virtualization
Vulnerable instructions
• Instructions in x86 which access hardware-based information but
don’t generate interrupts include:
• sidt, sgdt, sldt, cpuid
• VMware virtualizes these instructions by performing binary
translation on every instruction (not just kernel-mode instructions)
• This presents in a huge performance overhead
• VMware solves the performance issue allowing certain instructions to execute
without being properly virtualized
• This means the results from such instructions will differ when run on native hardware
Vulnerable instructions
• With lack of full translation, the processor uses certain key structures
and tables
• These are loaded at different offsets as a side effect of this lack of full
• Interrupt Descriptor Table(IDT)
• This data structure is internal to the CPU
• It’s used by the operating system to determine the correct response to
interrupts and exceptions
Vulnerable instructions
• Under x86, all memory accesses pass through either the global
descriptor table (GDT) or the local descriptor table (LDT)
• These tables contain segment descriptors that provide access details for each
segment, including the base address, type, length, access rights, etc
• IDT (IDTR), GDT (GDTR), and LDT (LDTR) are the internal registers that contain
the address and size of these respective tables
• 3 sensitive instructions: sidt, sgdt, and sldt read the location of these
tables, and all store the respective register into a memory location
• The 3 instructions can be invoked at any time by user-mode without being
trapped and properly virtualized by VMware
Using Red Pill Anti-VM Technique
• Red Pill is an anti-VM technique that executes the sidt instruction to
grab the value of the IDTR register
• The virtual machine monitor must relocate the guest’s IDTR to avoid
conflict with the host’s IDTR
• The virtual machine monitor is not notified when the virtual machine runs the
sidt instruction hence the IDTR for the virtual machine is returned
• The Red Pill tests for this discrepancy to detect the usage of VMware
Using Red Pill Anti-VM Technique
• The malware issues the sidt instruction at ? to
store the contents of IDTR into the memory location
pointed to by EAX
• The IDTR is 6 bytes, and the fifth byte offset contains
the start of the base memory address.
• The fifth byte is compared to 0xFF, the VMware signature
Using Red Pill Anti-VM Technique
• Red Pill succeeds only on a single-processor
• It can’t work consistently against multicore
processors because each processor (guest or host)
has an IDT assigned to it.
• This means that the result of the sidt instruction can
vary, and the signature used by Red Pill can be
• This technique is thwarted by using a multicore
processor machine or simply NOP-out the sidt
Using the No Pill Technique
• The sgdt and sldt instruction technique for VMware detection is
commonly known as No Pill
• Unlike Red Pill, No Pill relies on the fact that the LDT structure is not
assigned to the operating system but a processor
• Windows does not use the LDT structure, but VMware provides virtual
support for it
• the table will differ predictably:
• the LDT location on the host machine will be zero, while on the VM, it will be nonzero.
• The sldt method is subverted in VMware by disabling acceleration
• No Pill solves this acceleration issue by using the smsw instruction
• Undocumented high-order bits returned by the smsw instruction are inspected
Querying the I/O Communication Port
• VMware uses virtual I/O ports for communication between VMs and
host OS
• supports functionality like copy and paste between the two systems
• The port can be queried and compared with a magic number to
identify the use of Vmware
• The success of this technique depends on the x86 in instruction that copies
data from the I/O port specified by the source operand to a memory location
specified by the destination operand
• This problem is overcome by NOPing-out the in instruction or
patching the conditional jump to allow it regardless of the outcome
ofthe compariso
Using the str instruction
• The str instruction retrieves the segment selector from the task
register that points to the task state segment (TSS) of a currently
executing task.
• Malware authors can use the str instruction to detect a VM
• However the str instruction values differ between VM versus a native system
• This technique does not work on multiprocessor hardware
Using ScoopyNG
• ScoopyNG ( is a free VMware detection tool
• It implements several checks for a virtual machine:
• It has checks for the sidt, sgdt, and sldt (Red Pill and No Pill) instructions
• It also looks for str instruction
• It also uses use the backdoor I/O port 0xa and0x14 options
References Page
• Chapters 17 – Sikorski, M., & Honig, A. (2012). Practical malware
analysis: the hands-on guide to dissecting malicious software. no
starch press.

Purchase answer to see full

Don't use plagiarized sources. Get Your Custom Essay on
California State University Los Angeles Anti Virtual Machine Techniques Discussion In one page, discuss some of the anti-virtual machine techniques can be
For $10/Page 0nly
Order Essay

Calculate the price of your paper

Total price:$26

Need a better grade?
We've got you covered.

Order your paper