Virtual Machine Detection Technology Analysis
Author: riusksk (quange)
Home: http://riusksk.blogbus.com
Preface
In today's information security field, and in malware analysis in particular, virtual machine technology is widely used: it makes the analysis process safer and eases the constraints imposed by hardware resources. A virtual machine (VM) is a complete computer system simulated in software; it has the full functionality of a hardware system and runs in a completely isolated environment. With virtual machine software such as VMware, Virtual PC, or VirtualBox, one or more virtual computers can be simulated on a single physical computer, and these virtual machines work just like real ones: you can install an operating system, install applications, and access network resources. To make malicious programs stealthier and raise their rate of success against real hosts, attackers add virtual machine detection code to them so that the program can determine its running environment. When a program finds that it is in a virtual machine (especially a honeypot system), it may change its behavior or stop executing, which makes it harder for anti-virus analysts to analyze the malware's behavior. This article analyzes a Windows XP SP3 system running in VMware on an Intel CPU and lists several common virtual machine detection methods.
Method 1: Execute privileged commands to detect virtual machines
VMware provides a communication mechanism between the real host and the virtual machine: it uses the IN instruction to read data from a specific I/O port, and the two machines communicate through it. Because IN is a privileged instruction, executing it on a real machine in protected mode triggers an EXCEPTION_PRIV_INSTRUCTION exception unless the program has been granted I/O access, whereas no exception occurs inside the virtual machine. When the specified function number is 0x0A (obtain the VMware version), it returns "VMXh" in EBX. When the function number is 0x14, the call obtains the VMware memory size; if the returned value is greater than 0, the program is running in a VM. VMDetect uses the first of these to detect VMware. Its detection code is analyzed as follows:
Code:
#include <windows.h>

bool IsInsideVMWare()
{
    bool rc = true;

    __try
    {
        __asm
        {
            push edx
            push ecx
            push ebx

            mov eax, 'VMXh'    // VMware magic value
            mov ebx, 0         // set EBX to any value other than the magic 'VMXh'
            mov ecx, 10        // function number: 0x0A obtains the VMware version
                               // (0x14 obtains the VMware memory size)
            mov edx, 'VX'      // port number (0x5658)

            in eax, dx         // read the VMware version from port DX into EAX
                               // (with function 0x14, test instead whether EAX > 0:
                               //  if it is, the code is running in the VM)

            cmp ebx, 'VMXh'    // did EBX receive the magic 'VMXh'? if so, we are in VMware
            setz [rc]          // set the return value accordingly

            pop ebx
            pop ecx
            pop edx
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)   // outside VMware the IN instruction raises this exception
    {
        rc = false;
    }

    return rc;
}
Test results:
Figure 1
VMDetect successfully detected the existence of VMware.
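The following C program is an added example, not code from the article or from VMDetect, and it takes the analyst's side of method 1: given a byte buffer, it looks for the machine-code sequence that the inline assembly above compiles to (the 'VMXh' magic load, the 'VX' port load and IN EAX,DX) and reports which backdoor function number is loaded into ECX, so that VM-detection logic can be recognized in a sample. The instruction encodings are the standard IA-32 ones; the 64-byte search window, the helper names and the two sample buffers are my own constructions, not bytes taken from any real binary.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* IA-32 encodings of the instructions in the detection routine above:
 *   B8 68 58 4D 56   mov eax, 'VMXh'  (imm32 0x564D5868, little-endian)
 *   BA 58 56 00 00   mov edx, 'VX'    (imm32 0x5658, the backdoor port)
 *   B9 xx xx xx xx   mov ecx, imm32   (backdoor function number)
 *   ED               in eax, dx
 */
static const unsigned char OP_MOV_EAX_VMXH[] = { 0xB8, 0x68, 0x58, 0x4D, 0x56 };
static const unsigned char OP_MOV_EDX_VX[]   = { 0xBA, 0x58, 0x56, 0x00, 0x00 };
static const unsigned char OP_IN_EAX_DX      = 0xED;
static const unsigned char OP_MOV_ECX_IMM    = 0xB9;

/* Offset of the first occurrence of pat[0..plen) inside buf[0..n), or -1. */
static long find_bytes(const unsigned char *buf, size_t n, const unsigned char *pat, size_t plen)
{
    for (size_t i = 0; i + plen <= n; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* Returns 1 if buf contains the backdoor sequence: the magic load, then within
 * `window` bytes the port load, then IN EAX,DX. When found, the immediate of a
 * mov ecx,imm32 between magic and IN is stored in *func (0xFFFFFFFF if none). */
int scan_vmware_backdoor(const unsigned char *buf, size_t n, size_t window, unsigned *func)
{
    long magic = find_bytes(buf, n, OP_MOV_EAX_VMXH, sizeof OP_MOV_EAX_VMXH);
    if (magic < 0) return 0;
    size_t start = (size_t)magic + sizeof OP_MOV_EAX_VMXH;
    size_t end = (start + window < n) ? start + window : n;

    long port = find_bytes(buf + start, end - start, OP_MOV_EDX_VX, sizeof OP_MOV_EDX_VX);
    if (port < 0) return 0;
    size_t after_port = start + (size_t)port + sizeof OP_MOV_EDX_VX;

    long in = find_bytes(buf + after_port, end - after_port, &OP_IN_EAX_DX, 1);
    if (in < 0) return 0;
    size_t in_pos = after_port + (size_t)in;

    *func = 0xFFFFFFFFu;                      /* heuristic: first B9 opcode wins */
    for (size_t i = start; i + 5 <= in_pos; i++) {
        if (buf[i] == OP_MOV_ECX_IMM) {
            *func = (unsigned)buf[i + 1] | ((unsigned)buf[i + 2] << 8)
                  | ((unsigned)buf[i + 3] << 16) | ((unsigned)buf[i + 4] << 24);
            break;
        }
    }
    return 1;
}

/* Convenience wrapper: -1 if no backdoor sequence is present, otherwise the
 * function number loaded into ECX (-2 if the sequence has no mov ecx,imm32). */
long backdoor_function_number(const unsigned char *buf, size_t n)
{
    unsigned f;
    if (!scan_vmware_backdoor(buf, n, 64, &f)) return -1;
    return f == 0xFFFFFFFFu ? -2 : (long)f;
}

/* Constructed sample: the bytes the inline-asm routine above assembles to,
 * surrounded by filler (not taken from any real binary). */
static const unsigned char SAMPLE_DETECTOR[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,         /* filler: nop; nop; push ebp; mov ebp,esp */
    0x52, 0x51, 0x53,                     /* push edx; push ecx; push ebx */
    0xB8, 0x68, 0x58, 0x4D, 0x56,         /* mov eax, 'VMXh' */
    0xBB, 0x00, 0x00, 0x00, 0x00,         /* mov ebx, 0 */
    0xB9, 0x0A, 0x00, 0x00, 0x00,         /* mov ecx, 10 (0x0A: get version) */
    0xBA, 0x58, 0x56, 0x00, 0x00,         /* mov edx, 'VX' */
    0xED,                                 /* in eax, dx */
    0x81, 0xFB, 0x68, 0x58, 0x4D, 0x56,   /* cmp ebx, 'VMXh' */
    0x5B, 0x59, 0x5A, 0xC3                /* pop ebx; pop ecx; pop edx; ret */
};
/* Constructed control: an ordinary mov eax,1 followed by IN, but no magic value. */
static const unsigned char SAMPLE_BENIGN[] = { 0x55, 0x8B, 0xEC, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xED, 0xC3 };

int main(void)
{
    printf("detector sample: function %ld (0x0A = get version, 0x14 = get memory size)\n",
           backdoor_function_number(SAMPLE_DETECTOR, sizeof SAMPLE_DETECTOR));
    printf("benign sample:   %ld (-1 = no VMware backdoor sequence)\n",
           backdoor_function_number(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN));
    return 0;
}
```

The window keeps the three instructions tied together; a lone IN EAX,DX or a lone 'VMXh' constant in a data section would not be enough on its own, which is why the scanner requires the magic load, the port load and the IN in that order.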
Method 2: Use IDT base address to detect virtual machines
Reading the IDT base address is a common method of detecting virtual machines and applies to both VMware and Virtual PC. The Interrupt Descriptor Table (IDT) is used to locate the software routine that handles each interrupt. It is a table of 256 entries, each of which describes one handler function. To read the IDT base address, we use the SIDT instruction to read IDTR (the Interrupt Descriptor Table Register, which holds the base address of the IDT in memory). The SIDT instruction stores the contents of IDTR in the following format:
Code:
typedef struct {
    WORD IDTLimit;    // size of the IDT
    WORD LowIDTbase;  // low word of the IDT base address
    WORD HiIDTbase;   // high word of the IDT base address
} IDTINFO;
There is only one IDTR, but two operating systems must share it: the virtual machine's guest system and the real host system. To prevent conflicts, the VMM (Virtual Machine Monitor) must relocate the IDT address inside the virtual machine, and the difference between what the SIDT instruction returns on the real host and in the virtual machine can be used to detect whether a virtual machine is present. The famous redpill uses this principle to detect VMware. The author of redpill found that on VMware the IDT address in the guest system is usually located at 0xFFXXXXXX, on Virtual PC it is usually at 0xE8XXXXXX, and on the real host it is at 0x80XXXXXX, as shown in Figure 2. redpill only checks whether the highest byte of the IDT base address returned by SIDT (m[5] in the code) is greater than 0xD0; if so, it concludes that it is in a virtual machine, otherwise that it is on the real host. The source code of redpill is very concise, and is analyzed as follows:
Code:
#include <stdio.h>

int main()
{
    unsigned char m[2 + 4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";  // SIDT [addr]; RET -- addr is patched below to hold the address of m
    *((unsigned *)&rpill[3]) = (unsigned)m;             // store the address of m as addr in "sidt [addr]"
    ((void (*)())&rpill)();                             // execute the SIDT instruction; the IDTR content is written to the array m
    printf("idt base: %#x\n", *((unsigned *)&m[2]));    // the first two bytes are the IDT limit, so the base address starts at m[2]
    if (m[5] > 0xd0) printf("Inside Matrix!\n");        // highest byte of the IDT base above 0xD0 (0xD0xxxxxx): running in VMware
    else printf("Not in Matrix.\n");
    return 0;
}
Test results:
Figure 2
This IDT detection method has a defect: the IDTR value is constant only for the processor the code happens to run on. On a multi-processor system each CPU has its own IDT, so the result depends on which CPU executed SIDT, which naturally causes problems. To address this, members of the Offensive Computing group proposed two methods. One is to run redpill repeatedly on the system and build a statistical profile of how the IDT value varies on the current system, at the cost of extra CPU load. The other is to restrict the thread to a single processor with the Windows API function SetThreadAffinityMask, so that the test runs on one known processor; however, this may not work when the thread is restricted to a VM processor, because the VM itself may be scheduled onto any physical processor.
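As an added example (not the article's or redpill's code), the following C program decodes the IDTINFO image that SIDT stores, applies redpill's 0xD0 threshold and the address ranges quoted in this section, and shows the multi-processor check just described: one IDTR sample per processor, with the verdict trusted only when the samples agree. The six-byte samples are constructed to fall in the quoted ranges, not captured from real systems, and the optional live read uses GCC/Clang inline assembly, which is my assumption about the toolchain (the article's code targets MSVC).

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Decoded form of the IDTINFO record that a 32-bit SIDT stores (6 bytes). */
typedef struct {
    uint16_t limit;   /* IDTLimit: size of the IDT in bytes minus one */
    uint32_t base;    /* HiIDTbase:LowIDTbase, linear address of the IDT */
} IdtrInfo;

/* Decode the little-endian 6-byte image written by a 32-bit SIDT. */
IdtrInfo decode_idtr32(const unsigned char *m)
{
    IdtrInfo r;
    r.limit = (uint16_t)(m[0] | (m[1] << 8));
    r.base  = (uint32_t)m[2] | ((uint32_t)m[3] << 8)
            | ((uint32_t)m[4] << 16) | ((uint32_t)m[5] << 24);
    return r;
}

/* redpill's test: the top byte of the base (m[5]) above 0xD0 means "inside". */
int redpill_says_vm(IdtrInfo r)
{
    return ((r.base >> 24) & 0xFF) > 0xD0;
}

/* Label by the address ranges the article reports for each environment. */
const char *idt_range_label(IdtrInfo r)
{
    switch ((r.base >> 24) & 0xFF) {
    case 0xFF: return "VMware-like (0xFFxxxxxx)";
    case 0xE8: return "Virtual PC-like (0xE8xxxxxx)";
    case 0x80: return "host-like (0x80xxxxxx)";
    default:   return "unclassified";
    }
}

/* Multi-processor caveat: every CPU has its own IDT, so the caller collects one
 * IDTR image per processor (on Windows by pinning the thread with
 * SetThreadAffinityMask before each SIDT). Returns 1 and stores the shared
 * verdict when all samples agree, 0 when they disagree and a single sample
 * would have been misleading. */
int idt_verdict_consistent(const IdtrInfo *samples, int n, int *verdict)
{
    if (n <= 0) return 0;
    int first = redpill_says_vm(samples[0]);
    for (int i = 1; i < n; i++)
        if (redpill_says_vm(samples[i]) != first) return 0;
    *verdict = first;
    return 1;
}

/* Constructed IDTR images (not captured from real machines): limit 0x07FF and
 * bases inside the ranges the article quotes for VMware, Virtual PC and a host. */
static const unsigned char SAMPLE_VMWARE[6]    = { 0xFF, 0x07, 0x00, 0xF4, 0x8D, 0xFF };
static const unsigned char SAMPLE_VIRTUALPC[6] = { 0xFF, 0x07, 0x00, 0x20, 0x3B, 0xE8 };
static const unsigned char SAMPLE_HOST[6]      = { 0xFF, 0x07, 0x00, 0x05, 0x5C, 0x80 };

/* Worked run of the caveat: identical images on both "processors" give a usable
 * verdict (returns 1 = VM); a VMware-like image on one and a host-like image on
 * the other, as an unpinned thread might observe, returns -1 (unreliable). */
int demo_cross_check(int mixed)
{
    IdtrInfo s[2];
    int verdict = 0;
    s[0] = decode_idtr32(SAMPLE_VMWARE);
    s[1] = decode_idtr32(mixed ? SAMPLE_HOST : SAMPLE_VMWARE);
    return idt_verdict_consistent(s, 2, &verdict) ? verdict : -1;
}

#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
/* Live read of IDTR with GCC/Clang inline assembly (assumed toolchain). SIDT
 * stores 6 bytes in 32-bit mode and 10 bytes in 64-bit mode. */
int read_idtr(unsigned char out[10])
{
    __asm__ __volatile__("sidt %0" : "=m"(*(unsigned char (*)[10])out));
    return sizeof(void *) == 8 ? 10 : 6;
}
#endif

int main(void)
{
    const unsigned char *imgs[3] = { SAMPLE_VMWARE, SAMPLE_VIRTUALPC, SAMPLE_HOST };
    for (int i = 0; i < 3; i++) {
        IdtrInfo r = decode_idtr32(imgs[i]);
        printf("idt base: %#lx limit: %#x -> %s, redpill: %s\n", (unsigned long)r.base,
               r.limit, idt_range_label(r), redpill_says_vm(r) ? "Inside Matrix!" : "Not in Matrix.");
    }
    printf("two-CPU cross check: consistent=%d mixed=%d\n", demo_cross_check(0), demo_cross_check(1));
#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
    unsigned char live[10] = { 0 };
    int len = read_idtr(live);   /* on 64-bit Linux with UMIP the kernel returns a dummy value here */
    printf("live IDTR (%d bytes):", len);
    for (int i = 0; i < len; i++) printf(" %02x", live[i]);
    printf("\n");
    if (len == 6) printf("this processor: %s\n", idt_range_label(decode_idtr32(live)));
#endif
    return 0;
}
```

Note that redpill's single threshold treats the Virtual PC range (0xE8xxxxxx) and the VMware range (0xFFxxxxxx) alike, which is why the label function is kept separate from the yes/no verdict, and that the cross-check only says whether the per-processor samples agree; it cannot rescue a sample taken from the wrong processor.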