Kayaker
October 27th, 2009, 11:32
A few interesting suggestions for dealing with VMware-aware malware, including editing of VMware.vmx.
For example, to thwart the commonly used SIDT or VMXh magic word checks:
monitor_control.disable_directexec = "TRUE" will usually thwart descriptor table register checks. This setting will make VMware interpret each assembly instruction instead of executing them directly on the processor. Therefore the result of a sidt instruction will not be an address in the 0xffXXXXXX range as one would get without this setting.
isolation.tools.getVersion.disable = "TRUE" will thwart the backdoor I/O check.
Those are the only two modifications that are "explained", but here is the complete list, for future reference:
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
How does malware know the difference between the virtual world and the real world?
http://vrt-sourcefire.blogspot.com/2009/10/how-does-malware-know-difference.html
Kayaker
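A small script, added here as an example (it is not Kayaker's code nor the linked post's), that audits a .vmx file against the list above and rewrites it so every key is set to "TRUE" while leaving unrelated lines alone. The key names are the ones listed in the post; the one-pair-per-line parsing rule, the case-insensitive comparison and the sample config are assumptions made for the example.

```python
import re

# The thirteen .vmx keys listed in the post above; each is expected to be "TRUE".
ANTI_DETECTION_KEYS = [
    "isolation.tools.getPtrLocation.disable", "isolation.tools.setPtrLocation.disable",
    "isolation.tools.setVersion.disable", "isolation.tools.getVersion.disable",
    "monitor_control.disable_directexec", "monitor_control.disable_chksimd",
    "monitor_control.disable_ntreloc", "monitor_control.disable_selfmod",
    "monitor_control.disable_reloc", "monitor_control.disable_btinout",
    "monitor_control.disable_btmemspace", "monitor_control.disable_btpriv",
    "monitor_control.disable_btseg",
]
# One key = "value" pair per line (assumed format; quotes treated as optional).
_VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?(.*?)"?\s*$')
# Constructed sample config: one recommended key set wrong, the rest missing.
SAMPLE_VMX = ('.encoding = "UTF-8"\n'
              'monitor_control.disable_directexec = "FALSE"\n'
              'isolation.tools.getVersion.disable = "TRUE"\n')

def parse_vmx(text):
    """Map every setting line to its value; keys are lower-cased for comparison."""
    settings = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit_vmx(text):
    """Return (missing, wrong): keys absent from the file, and keys not set to TRUE."""
    present = parse_vmx(text)
    missing = [k for k in ANTI_DETECTION_KEYS if k.lower() not in present]
    wrong = [k for k in ANTI_DETECTION_KEYS
             if k.lower() in present and present[k.lower()].upper() != "TRUE"]
    return missing, wrong

def harden_vmx(text):
    """Rewrite existing recommended keys to TRUE in place, append the absent ones,
    and leave every other line untouched."""
    wanted = {k.lower(): k for k in ANTI_DETECTION_KEYS}
    out, seen = [], set()
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m and m.group(1).lower() in wanted:
            line = f'{wanted[m.group(1).lower()]} = "TRUE"'
            seen.add(m.group(1).lower())
        out.append(line)
    out += [f'{k} = "TRUE"' for lk, k in wanted.items() if lk not in seen]
    return "\n".join(out) + "\n"
```

Run audit_vmx on a copy of the guest's .vmx before and after harden_vmx to confirm all thirteen keys are in place; VMware must be restarted for the changes to take effect.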