Category:Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Anti-VM

From aldeid
Jump to navigation Jump to search

Description

Many Virtual Machine Environent (VME) are easily detectable:

  • file system
  • services (e.g. VMtools)
  • hardware (e.g. mac address)
  • registry keys

Read this document for more information: http://handlers.sans.edu/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

Highlight Anti-VM in IDA Pro

The following python script will scan the assembly code in IDA-Pro and highlight instructions corresponding to Anti-VM techniques.

"""
Source: Practical Malware Analysis
"""
from idautils import *
from idc import *

heads = Heads(SegStart(ScreenEA()), SegEnd(ScreenEA()))
antiVM = []
for i in heads:
    if (GetMnem(i) == "sidt" \
        or GetMnem(i) == "sgdt" \
        or GetMnem(i) == "sldt" \
        or GetMnem(i) == "smsw" \
        or GetMnem(i) == "str" \
        or GetMnem(i) == "in" \
        or GetMnem(i) == "cpuid"):
        antiVM.append(i)
print "Number of potential Anti-VM instructions: %d" % (len(antiVM))
for i in antiVM:
    SetColor(i, CIC_ITEM, 0x0000ff)
    Message("Anti-VM: %08x\n" % i)

Below is the result of the script once executed:

Tweak VMware settings

Warning
The settings below are only to help mitigate detection. They will seriously impact performances of the virtual machine and are hence not recommended as permanent settings.

You can tweak VMware settings (edit the *.vmx file) to help mitigate the detection. Add the following lines:

These settings are used by VMware backdoor commands so that VMware Tools running in the guest cannot get information about the host:

isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"

The directexec parameter causes user-mode code to be emulated, instead of being run directly on the CPU, thus thwarting certain anti-VM techniques:

monitor_control.disable_directexec = "TRUE"

You can also add these settings:

monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"