Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Previous: VMware Artifacts
Next: Tweaking Settings

shows how Red Pill might be used by malware.

.

shows the str instruction at 0x401224 in malware known as SNG.exe. This loads the TSS into the 4 bytes: var_1 through var_4, as labeled by IDA Pro. Two comparisons are made at 0x40125A and 0x401262 to determine if VMware is detected.

. This script looks for the instructions, highlights any in red, and prints the total number of anti-VM instructions found in IDA’s output window.

shows a partial result of running this script against SNG.exe with one location (str at 0x401224) highlighted by the bar. Examining the highlighted code in IDA Pro will allow you to quickly see if the instruction found is involved in an anti-VM technique. Further investigation shows that the str instruction is being used to detect VMware.
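The script described above is not reproduced on this page, so here is an added example of the same idea, written for this page and not taken from the book: a small scanner that flags the sidt, sgdt, sldt and str instructions (and, as an extra heuristic of my own, the `in` instruction used for the VMware backdoor I/O port) in an IDA-style listing. The listing lines are constructed, the address pattern is an assumption about IDA's text output, and the optional IDA part assumes the IDA 7+ IDAPython names `idautils.Heads`, `idc.print_insn_mnem` and `idc.set_color`.

```python
"""Find anti-VM instructions (sidt/sgdt/sldt/str, plus backdoor `in`) in a listing."""
import re

# Mnemonics the chapter ties to VM detection, with the technique each belongs to.
ANTI_VM_MNEMONICS = {
    "sidt": "Red Pill (IDT base)",
    "sgdt": "No Pill (GDT base)",
    "sldt": "No Pill (LDT selector)",
    "str":  "TSS selector check (str)",
    "in":   "possible VMware backdoor I/O port read (heuristic)",
}

# One IDA-style listing line: optional segment prefix, address, mnemonic, operands.
LISTING_RE = re.compile(r"^\s*(?:\.\w+:)?(?P<addr>[0-9A-Fa-f]{6,})\s+(?P<mnem>[a-z]+)\b")

# Constructed sample modelled on the SNG.exe fragment discussed above (not real output).
SAMPLE_LISTING = [
    ".text:00401220  push    ebp",
    ".text:00401221  mov     ebp, esp",
    ".text:00401224  str     word ptr [ebp+var_4]",
    ".text:00401228  mov     eax, [ebp+var_4]",
    ".text:0040125A  cmp     eax, 4000h",
    ".text:00401300  sidt    fword ptr [ebp+var_10]",
    ".text:00401340  in      eax, dx",
]


def scan_listing(lines):
    """Return [(address, mnemonic, technique), ...] for every anti-VM instruction."""
    hits = []
    for line in lines:
        m = LISTING_RE.match(line)
        if not m:
            continue  # label, comment or blank line: not an instruction
        mnem = m.group("mnem").lower()
        if mnem in ANTI_VM_MNEMONICS:
            hits.append((int(m.group("addr"), 16), mnem, ANTI_VM_MNEMONICS[mnem]))
    return hits


def highlight_in_ida(color=0x0000FF):  # IDA colours are 0xBBGGRR, so this is red
    """Inside IDA only: colour each anti-VM instruction and return the hit count."""
    try:
        import idautils, idc  # assumed IDA 7+ IDAPython API; absent outside IDA
    except ImportError:
        return None
    count = 0
    for ea in idautils.Heads(idc.get_inf_attr(idc.INF_MIN_EA), idc.get_inf_attr(idc.INF_MAX_EA)):
        mnem = idc.print_insn_mnem(ea).lower()
        if mnem in ANTI_VM_MNEMONICS:
            idc.set_color(ea, idc.CIC_ITEM, color)
            print("0x%08X  %-5s %s" % (ea, mnem, ANTI_VM_MNEMONICS[mnem]))
            count += 1
    print("Anti-VM instructions found: %d" % count)
    return count
```

Run `scan_listing` on a listing exported with File > Produce file > Create LST file, or call `highlight_in_ida()` from the IDA script window; each flagged location still needs manual review, since `in` and `str` also occur in benign code.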

) is a free VMware detection tool that implements seven different checks for a virtual machine, as follows:

  • The first three checks look for the sidt, sgdt, and sldt (Red Pill and No Pill) instructions.

  • The fourth check looks for str.

  • The fifth and sixth use the backdoor I/O port 0xa and 0x14 options, respectively.

  • The seventh check relies on a bug in older VMware versions running in emulation mode.

For a disassembled version of ScoopyNG’s fourth check, see .

