
Protecting VMWare from CPUID hypervisor detection

August 25, 2014 in Malware Analysis, Tips & Tricks

One of the lesser-known anti-sandbox tricks relies on the CPUID instruction executed with EAX=1 as the input parameter. The values returned in the general purpose registers describe the Processor Info and Feature Bits. Some malware samples inspect bit 31 of the value returned in ECX: Intel and AMD reserve this bit for hypervisor use, so it always reads 0 on a physical CPU, while a hypervisor sets it to 1 in the guest VM to advertise its presence.

You can test this trick by running the following program.

When executed on a real CPU it should give you the following output:

[Screenshot: cpuid_novm]

On the guest OS it should (not surprisingly) show the following output:

[Screenshot: cpuid_vm]

Depending on your hardware and on how your virtualization platform executes guest code, you may get different results (changing the virtualization engine or the binary-translation settings can affect what CPUID returns).

Bypassing this trick at the code level (e.g. during a debugging session or via patching) is not easy, because you first need to find the code sequence responsible for the detection. If the code is metamorphic that won't be easy: CPUID is just 2 bytes long (0F A2), and the input value in EAX may be set up by a random-looking sequence of instructions rather than a recognisable MOV EAX, 1.

It turns out VMware (tested on 10.0.3) supports a mechanism that allows you to modify the results of the CPUID instruction. All you have to do is add the following line to your .vmx file:

cpuid.1.ecx="0---:----:----:----:----:----:----:----"

This instructs VMware to mask bit 31 of ECX whenever CPUID leaf 1 is executed. The string holds one character per bit, leftmost character first (bit 31), grouped in fours: '0' forces that bit to zero and '-' passes the host's value through. Running the same program on the re-configured VM will give you the output seen on the first screenshot, i.e. CPUID returns the value observed on the real CPU; malware relying on this check will be fooled and the sandbox detection bypassed. Keep in mind that this hides only the hypervisor-present bit: the hypervisor vendor leaf (CPUID with EAX=0x40000000) and other VM artifacts are untouched, so a sample that checks those will still detect the VM.
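The test program referred to above is not reproduced on this page, so the following is an added example (not the original author's program) that covers both the detection check and the .vmx mask: it executes CPUID leaf 1 with inline assembly, tests ECX bit 31 the way a sample would, and then applies a mask string in the same format as the cpuid.1.ecx line to show what the guest would see after the change. The mask semantics for '0', '1' and '-' are an assumption made for this example based on the description above; VMware documents further mask characters that this code rejects. The inline assembly only builds on x86/x86-64.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CPUID leaf 1, ECX bit 31: reserved (reads 0) on a physical CPU,
 * set to 1 by a hypervisor to advertise its presence to the guest. */
#define CPUID_HV_PRESENT (1u << 31)

/* Execute CPUID with EAX=1 (inline asm, x86/x86-64 only).
 * Returns 0 on success, -1 on non-x86 builds where CPUID does not exist. */
static int cpuid_leaf1(uint32_t *eax, uint32_t *ebx, uint32_t *ecx, uint32_t *edx)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;
    __asm__ volatile("cpuid"
                     : "=a"(a), "=b"(b), "=c"(c), "=d"(d)
                     : "a"(1u), "c"(0u));
    *eax = a; *ebx = b; *ecx = c; *edx = d;
    return 0;
#else
    (void)eax; (void)ebx; (void)ecx; (void)edx;
    return -1;
#endif
}

/* The check a sample performs on the ECX value it got back: 1 = VM. */
int hypervisor_bit(uint32_t ecx)
{
    return (ecx & CPUID_HV_PRESENT) ? 1 : 0;
}

/* Validate a mask string in the .vmx cpuid.N.reg format: eight
 * colon-separated groups of four characters, bit 31 first. Assumed
 * semantics (example only): '0' forces 0, '1' forces 1, '-' passes the
 * host bit through. Any other character is rejected. */
int vmx_mask_valid(const char *mask)
{
    if (mask == NULL || strlen(mask) != 39)
        return 0;
    for (size_t i = 0; i < 39; i++) {
        if (i % 5 == 4) {
            if (mask[i] != ':')
                return 0;
        } else if (mask[i] != '0' && mask[i] != '1' && mask[i] != '-') {
            return 0;
        }
    }
    return 1;
}

/* Apply the mask to a host register value, producing what the guest sees.
 * An invalid mask leaves the value untouched; validate it first. */
uint32_t apply_vmx_mask(uint32_t host, const char *mask)
{
    if (!vmx_mask_valid(mask))
        return host;
    uint32_t out = host;
    int bit = 31;                       /* leftmost character is bit 31 */
    for (size_t i = 0; i < 39; i++) {
        if (mask[i] == ':')
            continue;
        if (mask[i] == '0')
            out &= ~(1u << bit);
        else if (mask[i] == '1')
            out |= (1u << bit);
        /* '-' keeps the host bit as it is */
        bit--;
    }
    return out;
}

int main(void)
{
    uint32_t eax, ebx, ecx, edx;
    if (cpuid_leaf1(&eax, &ebx, &ecx, &edx) != 0) {
        puts("not an x86 build, CPUID unavailable");
        return 1;
    }
    printf("CPUID(1).ECX = 0x%08x, hypervisor bit = %d\n", ecx, hypervisor_bit(ecx));

    /* What the same check sees once the mask from the .vmx line is applied. */
    const char *mask = "0---:----:----:----:----:----:----:----";
    uint32_t masked = apply_vmx_mask(ecx, mask);
    printf("after mask %s: ECX = 0x%08x, hypervisor bit = %d\n",
           mask, masked, hypervisor_bit(masked));
    return 0;
}
```

Run it once on the host and once inside the guest: the first line of output differs (bit 0 versus 1), while the masked value is what the guest will report after the .vmx change and a full restart.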

Note: I am not an expert in VMware configuration – any modification you make to your VM is at your own risk. If you break anything it's your own fault :)

I encourage you to explore the VMware forums before making any modification to your setup. Also, remember that you need to fully restart the VM (and the guest system) for the change to take effect (it won't work when resuming from a snapshot).

RCE: List of 64-bit tools

May 21, 2014 in Malware Analysis, Tips & Tricks

Update (June 4th, 2014): Added Hex-Rays Decompiler x64

The 64-bit platform is becoming the standard, and reverse engineering of PE32+ files is now daily bread for many malware analysts. Tools designed to make this easier are luckily out there, and new ones keep popping up all over the place. Unfortunately, many of them are not mature yet and often crash or do funny stuff, but the area is developing really fast and hopefully the RCE arsenal will expand soon.

Here is a short list of the tools I came across; I use most of them in my research and analysis of PE32+ files. If you know any other useful tools, I'd be grateful if you let me know. Thanks!

Docs

Bypassing signature checks/disabling PatchGuard

PE Viewer/Editors supporting PE32+

Disassembler

Decompiler

Debugger (they are also disassemblers)

OllyDbg 64 is still not ready, but there are a couple of tools that can be useful, even if they are not that user-friendly:

Process / Memory Viewer

Process dumpers

Hook Detector

API Monitor

Hiding Processes

Thanks to Ange and Nanu Jogi for fixes and suggestions.