Anti-Virtual Machine Techniques
What is an Anti-VM technique?
Malware authors sometimes use anti-VM techniques to thwart attempts at analysis. With these techniques, the malware attempts to detect whether it is being run inside a virtual machine.
Anti-VM techniques are most commonly found in malware that is widely deployed, such as bots, scareware, and spyware.
VMware Artifacts
The VMware environment leaves many artifacts on the system, especially when "VMware Tools" is installed.
Malware uses the artifacts present in the filesystem, the registry and the process listing (VMwareService.exe, VMwareTray.exe and VMwareUser.exe) to detect VMware.
Because VMware uses a virtual network interface card (NIC) to create the VM's MAC address, the malware author can also detect VMware from the first three bytes of the MAC address (ex. 00:0C:29).
VMware also leaves many artifacts in memory as a result of the virtualization process. A malware author can search through physical memory for the string "VMware" to detect the instance.
Bypassing the VMware Artifact Searching
Malware that searches for VMware artifacts can be stopped by identifying the check in the code and patching it.
Vulnerable Instructions
The virtual machine monitor program monitors the virtualized execution. It runs on the host operating system to present the guest operating system with a virtual platform. Due to weaknesses in this arrangement, the malware author can detect the virtualization.
Some instructions in x86 access hardware-based information but don't generate interrupts. These include "sidt", "sgdt", "sldt" and "cpuid", among others.
x86 stores all memory access information, such as segments, base address, type, length and access rights, in the global descriptor table (GDT) or the local descriptor table (LDT). The table locations are held in the IDTR, GDTR and LDTR internal registers.
Only three sensitive instructions, "sidt", "sgdt" and "sldt", read the location of these tables and store the respective register into a memory location.
Since these instructions can be invoked at any time by user-mode code without being trapped and properly virtualized by VMware, they can be used to detect VM presence.
Using the Red Pill Anti-VM Technique
Red Pill is an anti-VM technique that executes the "sidt" instruction to grab the value of the IDTR register.
Since the VM monitor is not notified when the VM runs the sidt instruction, the IDTR for the VM is returned. Red Pill tests for this discrepancy to detect the usage of VMware.
"Red Pill succeeds only on a single-processor machine"
Using the No Pill technique
The "sgdt" and "sldt" instruction technique for VMware detection is commonly known as No Pill.
- Unlike Red Pill, No Pill relies on the fact that the LDT structure is assigned to a processor, not an operating system. Because Windows does not normally use the LDT structure but VMware provides support for it, the table will differ predictably.
- The LDT location on the host machine will be zero, and on the virtual machine it will be nonzero.
- A simple check for zero against the result of the sldt instruction can reveal the presence of virtualization.
- The sldt method can be subverted in VMware by disabling acceleration.
Querying the I/O Communication Port
This is the most popular anti-VMware technique currently in use and works by querying the I/O communication port.
The VMware virtual I/O ports can be queried and the result compared with a magic number to identify the use of VMware.
The technique works by querying with the VMware magic number 0x564D5868 ("VMXh") together with an action value: 0xA means "get VMware version type" and 0x14 means "get the memory size". (The most common is 0xA because it determines the VMware version.)
This technique is frequently encountered in worms and bots.
This detection can be overcome by NOP-ing out the instruction or by patching the conditional jump so that the code runs without the VMXh comparison.
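The patching step described above, as an added example that is not part of the original notes: the functions below operate on a bytes copy of the suspect code section (for instance a region dumped from the sample) and never execute it. The locator is a plain byte-pattern search for the `mov eax, 564D5868h` load, the following `in eax,dx` and the first short conditional jump after it, so the match must be confirmed in a disassembler before the same bytes are patched in a real binary. The sample fragment is constructed for the example, not taken from any malware.

```python
"""Length-preserving patches for the VMware I/O-port check (added example)."""

VMX_MAGIC_LE = (0x564D5868).to_bytes(4, "little")  # imm32 bytes of mov eax, 564D5868h
MOV_EAX_VMXH = b"\xB8" + VMX_MAGIC_LE
IN_EAX_DX = 0xED
NOP = 0x90
JCC_SHORT = {0x74: "je", 0x75: "jne"}
JMP_SHORT = 0xEB


def locate_check(code: bytes, window: int = 64) -> dict:
    """Return offsets of the magic load, the 'in eax,dx' and the short jcc that
    follows it. Naive byte search: a 0x74/0x75 inside an immediate would also
    match, hence the disassembler cross-check before patching for real."""
    mov_off = code.find(MOV_EAX_VMXH)
    if mov_off < 0:
        raise ValueError("no mov eax, 564D5868h found")
    in_off = code.find(bytes([IN_EAX_DX]), mov_off, mov_off + window)
    if in_off < 0:
        raise ValueError("no in eax,dx after the magic load")
    jcc_off = next((i for i in range(in_off, min(len(code), in_off + window))
                    if code[i] in JCC_SHORT), -1)
    if jcc_off < 0:
        raise ValueError("no short conditional jump after the port read")
    return {"mov": mov_off, "in": in_off, "jcc": jcc_off,
            "jcc_mnemonic": JCC_SHORT[code[jcc_off]]}


def nop_out_in(code: bytes, offs: dict) -> bytes:
    """Replace the one-byte 'in eax,dx' with NOP. The port is never touched, so
    the magic value never comes back and the compare fails; layout unchanged."""
    buf = bytearray(code)
    buf[offs["in"]] = NOP
    return bytes(buf)


def force_jump(code: bytes, offs: dict) -> bytes:
    """Turn the short jcc into an unconditional 'jmp rel8' (EB). Only the opcode
    changes: same length, same displacement, no fix-ups elsewhere."""
    buf = bytearray(code)
    buf[offs["jcc"]] = JMP_SHORT
    return bytes(buf)


def kill_jump(code: bytes, offs: dict) -> bytes:
    """NOP both bytes of the short jcc so execution always falls through.
    Use this form when the jump guards the 'VM found' branch rather than the
    'not a VM' branch."""
    buf = bytearray(code)
    buf[offs["jcc"]:offs["jcc"] + 2] = bytes([NOP, NOP])
    return bytes(buf)


# Constructed sample (not from a real binary): ebx receives the magic back only
# under VMware, then `cmp ebx, VMXh / jne not_vmware`.
SAMPLE = bytes.fromhex(
    "B868584D56"    # mov eax, 564D5868h   ; "VMXh"
    "BB00000000"    # mov ebx, 0
    "B90A000000"    # mov ecx, 0Ah         ; get VMware version
    "BA58560000"    # mov edx, 5658h       ; "VX" port
    "ED"            # in  eax, dx
    "81FB68584D56"  # cmp ebx, 564D5868h
    "7505"          # jne short not_vmware ; +5 skips the call below
    "E800000000"    # call vmware_detected ; placeholder target
    "C3"            # not_vmware: ret
)

if __name__ == "__main__":
    offs = locate_check(SAMPLE)
    print("check at", offs)
    print("in -> nop  :", nop_out_in(SAMPLE, offs).hex())
    print("jne -> jmp :", force_jump(SAMPLE, offs).hex())
```

In this fragment `jne` guards the "not a VM" path, so either `nop_out_in` (ebx stays zero, compare fails) or `force_jump` (branch always taken) makes the sample behave as on bare metal; which of the three patches is right for a given binary depends on which branch the jump protects, which is why the offsets are returned rather than patched blindly.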
Using the str instruction
The str instruction retrieves the segment selector from the task register, which points to the task state segment (TSS) of the currently executing task.
Malware authors can use the "str" instruction to detect the presence of a VM, since the return value differs between a VM and a native system. (This technique does not work on multi-processor hardware.)
Anti-VM x86 Instructions
Common instructions used by malware to employ anti-VM techniques are as follows:
- sidt
- sgdt
- sldt
- smsw
- str
- in (with the second operand set to VX)
- cpuid
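A static triage scanner for the instruction list above and for the VMware artifact strings and I/O-port magic from the earlier sections, as an added example that is not part of the original notes and not an IDAPython script from any project. It walks a byte buffer linearly rather than disassembling it, so a hit means "these bytes would decode as sidt/sgdt/sldt/str/smsw/cpuid or as an `in` from DX shortly after the VMXh magic"; offsets should be confirmed in a disassembler. The sample bytes are constructed for the example.

```python
"""Naive byte scanner for anti-VM indicators in a code/data blob (added example)."""
import re

VMX_MAGIC = 0x564D5868          # "VMXh"
# Artifact strings named in the notes, plus the VMware MAC prefix they cite.
ARTIFACT_STRINGS = [b"VMware", b"VMwareService.exe", b"VMwareTray.exe",
                    b"VMwareUser.exe", b"00:0C:29", b"00-0C-29"]


def scan_instructions(code: bytes) -> list[tuple[int, str]]:
    """Return (offset, mnemonic) for each byte sequence that decodes as one of
    the sensitive instructions. Encodings: sgdt/sidt = 0F 01 /0 and /1 with a
    memory operand, smsw = 0F 01 /4, sldt/str = 0F 00 /0 and /1, cpuid = 0F A2,
    in al,dx / in eax,dx = EC / ED (flagged only when the VMXh magic precedes)."""
    hits = []
    n = len(code)
    for i in range(n):
        b = code[i]
        if b == 0x0F and i + 1 < n:
            op = code[i + 1]
            if op == 0xA2:
                hits.append((i, "cpuid"))
            elif op in (0x00, 0x01) and i + 2 < n:
                modrm = code[i + 2]
                reg = (modrm >> 3) & 7
                mod = modrm >> 6
                if op == 0x01:
                    if reg in (0, 1) and mod != 3:      # sgdt/sidt: memory operand only
                        hits.append((i, "sgdt" if reg == 0 else "sidt"))
                    elif reg == 4:                       # smsw r/m16
                        hits.append((i, "smsw"))
                elif reg in (0, 1):                      # sldt / str
                    hits.append((i, "sldt" if reg == 0 else "str"))
        elif b in (0xEC, 0xED):
            # Only report a port read when the magic was loaded within 32 bytes before it.
            if VMX_MAGIC.to_bytes(4, "little") in code[max(0, i - 32):i]:
                hits.append((i, "in eax,dx (VMXh)" if b == 0xED else "in al,dx (VMXh)"))
    return hits


def scan_artifacts(data: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, needle) for every artifact string and for the VMXh magic
    in both byte orders (as an imm32 it is stored little-endian, 68 58 4D 56)."""
    needles = ARTIFACT_STRINGS + [VMX_MAGIC.to_bytes(4, "big"),
                                  VMX_MAGIC.to_bytes(4, "little")]
    hits = []
    for needle in needles:
        for m in re.finditer(re.escape(needle), data):
            hits.append((m.start(), needle))
    return sorted(hits)


def scan(data: bytes) -> dict:
    """Combine both scans into one report."""
    return {"instructions": scan_instructions(data), "artifacts": scan_artifacts(data)}


# Constructed sample (not from a real binary): the I/O-port check, then sidt,
# str and cpuid, followed by two artifact strings.
SAMPLE = bytes.fromhex(
    "B868584D56"    # mov eax, 564D5868h   ; "VMXh" magic
    "BB00000000"    # mov ebx, 0
    "B90A000000"    # mov ecx, 0Ah         ; get VMware version
    "BA58560000"    # mov edx, 5658h       ; "VX" port
    "ED"            # in  eax, dx
    "81FB68584D56"  # cmp ebx, 564D5868h
    "7505"          # jne short not_vmware
    "0F014DF8"      # sidt fword ptr [ebp-8]
    "0F00C8"        # str eax
    "0FA2"          # cpuid
) + b"VMwareTray.exe\x00" + b"00:0C:29\x00"

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE).items():
        print(kind)
        for off, what in hits:
            print(f"  {off:#06x}  {what}")
```

Because the scan is linear, a 0F 01 pair inside an immediate or a string also matches; in practice the hits are the seed list for a disassembler pass, which is how the IDAPython approach listed under the tools section is used.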
Tools to detect anti-VM checks
- ScoopyNG
- IDAPython
Way to stop VMware detection
By setting all of the relevant options to "True" in the virtual machine's ".vmx" file.