Tips for thwarting VM detection


Kayaker
October 27th, 2009, 11:32
A few interesting suggestions for dealing with VMware-aware malware, including editing of VMware.vmx.

For example, to thwart the commonly used SIDT or VMXh magic word checks:

monitor_control.disable_directexec = "TRUE" will usually thwart descriptor table register checks. This setting will make VMware interpret each assembly instruction instead of executing them directly on the processor. Therefore the result of a sidt instruction will not be an address in the 0xffXXXXXX range as one would get without this setting.

isolation.tools.getVersion.disable = "TRUE" will thwart the backdoor I/O check.

Those are the only two modifications that are "explained", but the complete list, for future reference:

isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"


How does malware know the difference between the virtual world and the real world?

http://vrt-sourcefire.blogspot.com/2009/10/how-does-malware-know-difference.html

Kayaker
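The thirteen .vmx settings in the post above, turned into a small audit/harden script. This is example code added to this thread, not from Kayaker's post, the linked article or VMware; it assumes the usual .vmx layout of one `key = "value"` per line with `#` comments, and that VMware treats keys case-insensitively (so matching is done on the lowercased key). The sample .vmx fragment at the bottom is constructed for the demo, not taken from a real VM.

```python
"""Audit and harden a VMware .vmx file with the anti-detection settings
listed in the post above. Example code added to this thread, not from the
original post or from VMware."""
import re
from typing import Dict, List, Tuple

# The .vmx keys from the post; every one of them is set to "TRUE".
ANTI_DETECTION_KEYS = (
    "isolation.tools.getPtrLocation.disable",
    "isolation.tools.setPtrLocation.disable",
    "isolation.tools.setVersion.disable",
    "isolation.tools.getVersion.disable",
    "monitor_control.disable_directexec",
    "monitor_control.disable_chksimd",
    "monitor_control.disable_ntreloc",
    "monitor_control.disable_selfmod",
    "monitor_control.disable_reloc",
    "monitor_control.disable_btinout",
    "monitor_control.disable_btmemspace",
    "monitor_control.disable_btpriv",
    "monitor_control.disable_btseg",
)

# One `key = "value"` per line; blank lines and `#` comments never match.
# Assumption: VMware treats keys case-insensitively, so we lowercase them.
_VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Map each lowercased key to its value; a later duplicate wins."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_vmx(text: str) -> Tuple[List[str], List[str]]:
    """Return (missing, wrong): keys absent from the file, and keys present
    but not set to TRUE (value compared case-insensitively)."""
    settings = parse_vmx(text)
    missing: List[str] = []
    wrong: List[str] = []
    for key in ANTI_DETECTION_KEYS:
        value = settings.get(key.lower())
        if value is None:
            missing.append(key)
        elif value.upper() != "TRUE":
            wrong.append(key)
    return missing, wrong


def harden_vmx(text: str) -> str:
    """Return the file text with every anti-detection key set to "TRUE".
    Existing lines are rewritten in place so the file stays diff-friendly;
    keys that were absent are appended at the end."""
    wanted = {k.lower(): k for k in ANTI_DETECTION_KEYS}
    seen = set()
    out_lines: List[str] = []
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m and m.group(1).lower() in wanted:
            key = wanted[m.group(1).lower()]
            out_lines.append(f'{key} = "TRUE"')
            seen.add(key)
        else:
            out_lines.append(line)
    for key in ANTI_DETECTION_KEYS:
        if key not in seen:
            out_lines.append(f'{key} = "TRUE"')
    return "\n".join(out_lines) + "\n"


# Constructed sample .vmx fragment (not a real VM's file): one key already
# correct, one explicitly set to FALSE, the other eleven absent.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-analysis"
# hardening applied by hand so far:
isolation.tools.getVersion.disable = "FALSE"
monitor_control.disable_directexec = "TRUE"
"""

if __name__ == "__main__":
    missing, wrong = audit_vmx(SAMPLE_VMX)
    print("missing:", missing)
    print("wrong:  ", wrong)
    print(harden_vmx(SAMPLE_VMX))
```

Run `audit_vmx` against the .vmx of an analysis VM before each sample run; if it reports anything in either list, write the output of `harden_vmx` back while the VM is powered off, since VMware rewrites the .vmx on power-down and would otherwise drop edits made to a running VM.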

cyndy_li
October 31st, 2009, 04:11
thanks for your help, I benefit from your tips

Nukacola
November 4th, 2009, 06:52
http://www.trapkit.de/research/vmm/scoopyng/index.html

Nukacola