Just 4 questions?


mansourweb
February 23rd, 2010, 17:10
Hi dear friends,

I am so sorry for bothering you again. I have 4 questions, if possible.

1. How do some malwares detect virtual machines?
2. What is the difference between packing and obfuscating?
3. Does obfuscation affect and encrypt the header of PEs?
4. How do some malwares detect debuggers with breakpoints?


Really, really thank you.
Thank you in advance for your kindness.

arc_
February 28th, 2010, 11:21
1. There are plenty of possibilities. You could for example simply look for the VM's helper programs in the process list (e.g. VMware Tools). You can also look at the virtual hardware, e.g. the names and serial numbers of the virtual hard drive, NIC etc. VMware also provides an IO port used for communication between the guest and host OSes, which can also be detected by malware. There are several posts about this topic in the Blogs subforum here on Woodmann.

2. Packing is about compressing and wrapping the entire input program (optionally with encryption and anti-debug techniques); usually this is done by third-party software. Examples of packers: ASProtect, Armadillo, SecuROM etc. Obfuscating consists of mangling or hiding information so that it's harder to find or understand. Examples: removing/replacing function and variable names in .NET programs, changing the order of instructions in a program, inserting junk instructions that do nothing but make analysis harder, etc.

3. Affect, possibly (for example the section names could be cleared). Encrypt, no, because then Windows would no longer be able to load the .exe at all.

4. Placing a software breakpoint consists of overwriting the target instruction with an "int 3" instruction, which is a single 0xCC byte. Placing a hardware breakpoint consists of placing values in the debug registers. Both can be easily detected, and hardware breakpoints can even be silently cleared by the malware without you noticing. However, there are OllyDbg plugins that hide your hardware breakpoints and also protect them from being cleared (e.g. Olly Advanced).
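Point 3 above in code, as an added example that is not from the thread or its posters: because Windows must be able to read the DOS header, PE signature, COFF header and section table, they stay in plaintext even in a packed or obfuscated file, so an analyst can parse them and flag the cleared section names arc_ mentions, along with two other common packing indicators (writable+executable sections, and sections with no bytes on disk but a large in-memory size). The minimal PE image is constructed inline for the demonstration and is not a real binary.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    The loader needs all of this in plaintext, so packing cannot hide it."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_off = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        raw = data[sec_off + 40 * i: sec_off + 40 * (i + 1)]
        name, vsize, _va, rsize, _rp, _, _, _, _, chars = struct.unpack("<8sIIIIIIHHI", raw)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "rsize": rsize, "chars": chars})
    return sections

def packing_indicators(sections):
    """Triage heuristics: cleared names, W+X sections, and sections that have
    no bytes on disk but a large in-memory size (filled by an unpacking stub)."""
    findings = []
    for s in sections:
        label = s["name"].decode("ascii", "replace") or "<blank>"
        if not s["name"] or not all(0x20 < b < 0x7F for b in s["name"]):
            findings.append(f"{label}: blank or non-printable section name")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{label}: section is both writable and executable")
        if s["rsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{label}: no raw data but {s['vsize']:#x} bytes virtual size")
    return findings

def build_sample():
    """Constructed minimal PE image (not a real binary): a blank-named W+X
    section with no raw data, followed by an ordinary .rsrc section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = b"\0" * 0xE0  # optional header, not needed for the section walk
    s1 = struct.pack("<8sIIIIIIHHI", b"", 0x8000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000020)
    s2 = struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x9000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    return dos + coff + opt + s1 + s2
```

Running `packing_indicators(parse_sections(build_sample()))` reports three findings for the blank section and none for `.rsrc`; point the same two functions at the bytes of a real sample to triage it.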

mansourweb
February 28th, 2010, 12:54
Dear arc,

Thank you for your good information. It is very helpful for me.
But I can't find any good reference for them except for question number 1:

How to detect virtual machines:
http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf


Do you have any good papers or references for the other three questions?
Thank you.

Kayaker
February 28th, 2010, 14:39
Of interest

Win32 Portable Executable Packing Uncovered

http://securitylabs.websense.com/content/Assets/HistoryofPackingTechnology.pdf

mansourweb
February 28th, 2010, 18:07
Dear Kayaker

That's a very wonderful paper, thanks a lot.