A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24539  by black_chance
 Sat Dec 06, 2014 6:50 am
hello my friends :)
When analysing malware in virtual environments, one of the problems is that the environment is detected by the malware.
What approach keeps the virtual machine from being detected by malware?
thank you for helping my friends :D :D
 #24540  by EP_X0FF
 Sat Dec 06, 2014 1:46 pm
black_chance wrote: hello my friends :)
When analysing malware in virtual environments, one of the problems is that the environment is detected by the malware.
What approach keeps the virtual machine from being detected by malware?
thank you for helping my friends :D :D
If you are analysing malware yourself, then you better know what they detect and how this can be solved. If not, change your business model.
 #24542  by black_chance
 Sun Dec 07, 2014 6:38 am
I know that they detect virtual machines used for analysis, but I want to know what ways they have to identify the machines?
I am an amateur analyst, and new ways are fun and experience for me. :)
Please bring me up to date on the ways malware identifies virtual machines :D :D
 #24545  by EP_X0FF
 Sun Dec 07, 2014 10:20 am
black_chance wrote: I know that they detect virtual machines used for analysis, but I want to know what ways they have to identify the machines?
I am an amateur analyst, and new ways are fun and experience for me. :)
Please bring me up to date on the ways malware identifies virtual machines :D :D
Take malware and reverse it. VM detect found? Develop countermeasures. You can't? Then this scope is obviously not for you.
 #24546  by one
 Mon Dec 08, 2014 5:37 am
You just should analyse it, because there are many ways that the malware can detect the VM environment!
 #24648  by Patrick
 Thu Dec 18, 2014 7:53 am
black_chance wrote: I know that they detect virtual machines used for analysis, but I want to know what ways they have to identify the machines?
I am an amateur analyst, and new ways are fun and experience for me. :)
Please bring me up to date on the ways malware identifies virtual machines :D :D
Unfortunately, we can't just 'teach you'. There's a reason we have journalists with zero kernel analysis or development skills writing ill-informed articles, because they are unaware and don't do their research, and on the other hand a reason we have detailed (and hopefully correct) whitepapers from vendors, or even threads here on kernelmode. If you take your time and do your research with a will to learn, you will learn. We can however point you in the right direction for you to start learning, and that's to read about anti-debugging & anti-VM.

A good place to start would probably be Joanna Rutkowska's Red Pill, I guess? http://repo.hackerzvoice.net/depot_ouah ... 0Pill.html

Look also for popular malware that makes use of anti-vm. For example, Andromeda - http://www.kernelmode.info/forum/viewto ... =andromeda

See also Phase, a relatively new copy/paste Poweliks fileless trojan - http://www.kernelmode.info/forum/viewto ... =16&t=3628