29a-7.011
VMware has you
--------------
When AVers catch your virus, they analyze it. In the case of a complex
networking creature, they must learn how it spreads: how it infects
computers via the network, and how it infects files. There exist programs that
emulate virtual OSes on a single machine. This is the best solution
when you need to study some virus without risk of fucking up your own system.
So a question arises: how to find out if our virus is running
under a virtual OS.
One such program is VMware. It has its own "backdoor" port for
communication between internal (emulated) and external (emulating) code.
There are some functions which allow you (under emulation) to
enable/disable different virtual devices, send internal messages, and do
other things. Here is how these functions are called (you should use
exception handling for this code, because on real hardware the IN
instruction faults when executed from user mode):
    mov ecx, 0Ah        ; CX=function# (0Ah=get_version)
    mov eax, 'VMXh'     ; EAX=magic
    mov dx, 'VX'        ; DX=magic
    in  eax, dx         ; specially processed io cmd
                        ; output: EAX/EBX/ECX = data
    cmp ebx, 'VMXh'     ; also eax/ecx modified (maybe vmw/os ver?)
    je  under_VMware
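As an added defender-side example (not part of the original article), here is a small Python scanner that looks for the exact byte encoding of the probe above in a binary: the 'VMXh' magic loaded as a 32-bit immediate, the 'VX' port load, and the `in eax, dx` opcode close by. The sample bytes are constructed here by assembling the listing by hand; it assumes plain 32-bit code, and a bare ASCII string "VMXh" (byte order reversed relative to the immediate) does not trigger it.

```python
from dataclasses import dataclass
from typing import List

# Constants from the listing: 'VMXh' magic in EAX, 'VX' port in DX.
VMWARE_MAGIC = 0x564D5868            # 'VMXh'
VMWARE_PORT = 0x5658                 # 'VX'
MAGIC_LE = VMWARE_MAGIC.to_bytes(4, "little")   # immediate as stored in code
PORT_LE = VMWARE_PORT.to_bytes(2, "little")

# 32-bit x86 encodings of the three key instructions (assumption: the
# code is plain 32-bit and the constants are not obfuscated).
MOV_EAX_MAGIC = b"\xB8" + MAGIC_LE   # mov eax, 'VMXh'
MOV_DX_PORT = b"\x66\xBA" + PORT_LE  # mov dx, 'VX'
IN_EAX_DX = b"\xED"                  # in eax, dx


@dataclass
class Hit:
    offset: int          # file offset of the "mov eax, 'VMXh'"
    has_port_load: bool  # "mov dx, 'VX'" found within the window
    has_in_eax_dx: bool  # "in eax, dx" found within the window


def scan_vmware_backdoor(data: bytes, window: int = 32) -> List[Hit]:
    """Report each 'mov eax, VMXh' and whether the port load and the IN
    opcode sit within `window` bytes of it. A hit with both flags set is
    the full backdoor probe from the article; the ASCII string "VMXh"
    alone is ignored because its byte order differs from the immediate."""
    hits = []
    start = 0
    while (off := data.find(MOV_EAX_MAGIC, start)) != -1:
        region = data[max(0, off - window): off + window]
        hits.append(Hit(off, MOV_DX_PORT in region, IN_EAX_DX in region))
        start = off + 1
    return hits


# Constructed sample: filler, then the article's listing assembled to bytes.
SAMPLE_BLOB = (
    b"\x90" * 8
    + b"\xB9\x0A\x00\x00\x00"     # mov ecx, 0Ah
    + MOV_EAX_MAGIC               # mov eax, 'VMXh'
    + MOV_DX_PORT                 # mov dx, 'VX'
    + IN_EAX_DX                   # in eax, dx
    + b"\x81\xFB" + MAGIC_LE      # cmp ebx, 'VMXh'
    + b"\x74\x05"                 # je under_VMware (displacement arbitrary)
    + b"\xC3" * 8
)

if __name__ == "__main__":
    for h in scan_vmware_backdoor(SAMPLE_BLOB):
        print(h)
```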
VMware registry keys are:
    HKLM\Software\VMware, Inc.\VMware for Windows NT   -- real
    HKLM\Software\VMWare, Inc.\VMware Tools\           -- virtual
The VMware executables directory is:
    C:\Program Files\VMware                            -- both real and virtual
There can be many different methods to detect if you're under a virtual
OS, such as incorrectly emulated ports, predetermined hardware info,
special drivers and other things.
As for the actions to be performed under a virtual OS, well, it depends on
your wicked souls -- from fucking up everything, which will result in
minor time loss, to perverting the virus strategy, which may result in
misunderstanding of your code and make emulation useless.
* * *