
Anti Anti Analysis

t-tani edited this page Oct 28, 2019 · 1 revision

Sample VM settings for Anti-Anti-Analysis

CPU brand strings

VMWare

  • Step 1. Shut down the VM
  • Step 2. Confirm that you have permission to edit the .vmx file
  • Step 3. Back up the .vmx file
  • Step 4. Insert the following settings into the .vmx file

Intel Core i5

cpuid.80000002.0.eax = "0110:0101:0111:0100:0110:1110:0100:1001"
cpuid.80000002.0.ebx = "0010:1001:0101:0010:0010:1000:0110:1100"
cpuid.80000002.0.ecx = "0111:0010:0110:1111:0100:0011:0010:0000"
cpuid.80000002.0.edx = "0100:1101:0101:0100:0010:1000:0110:0101"
cpuid.80000003.0.eax = "0011:0101:0110:1001:0010:0000:0010:1001"
cpuid.80000003.0.ebx = "0011:0101:0101:1001:0011:0111:0010:1101"
cpuid.80000003.0.ecx = "0101:0000:0100:0011:0010:0000:0011:0100"
cpuid.80000003.0.edx = "0010:0000:0100:0000:0010:0000:0101:0101"
cpuid.80000004.0.eax = "0011:0000:0011:0010:0010:1110:0011:0001"
cpuid.80000004.0.ebx = "0000:0000:0111:1010:0100:1000:0100:0111"
cpuid.80000004.0.ecx = "0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.80000004.0.edx = "0000:0000:0000:0000:0000:0000:0000:0000"

Intel Xeon (not recommended)

cpuid.80000002.0.eax = "0110:0101:0111:0100:0110:1110:0100:1001"
cpuid.80000002.0.ebx = "0010:1001:0101:0010:0010:1000:0110:1100"
cpuid.80000002.0.ecx = "0110:1111:0110:0101:0101:1000:0010:0000"
cpuid.80000002.0.edx = "0010:1001:0101:0010:0010:1000:0110:1110"
cpuid.80000003.0.eax = "0101:0101:0101:0000:0100:0011:0010:0000"
cpuid.80000003.0.ebx = "0010:0000:0010:0000:0010:0000:0010:0000"
cpuid.80000003.0.ecx = "0010:0000:0010:0000:0010:0000:0010:0000"
cpuid.80000003.0.edx = "0101:1000:0010:0000:0010:0000:0010:0000"
cpuid.80000004.0.eax = "0010:0101:0011:0111:0011:0110:0011:0101"
cpuid.80000004.0.ebx = "0010:0000:0100:0000:0010:0000:0010:0000"
cpuid.80000004.0.ecx = "0011:0111:0011:0000:0010:1110:0011:0011"
cpuid.80000004.0.edx = "0000:0000:0111:1010:0100:1000:0100:0111"
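The binary strings above are the brand string bytes, one 32-bit register per line, written bit 31 first. The following Python is an added example, not part of the original wiki: it generates those twelve lines for a brand string of your choosing and decodes them back (I5_BRAND is the text the Intel Core i5 block above decodes to).

```python
# Added example (not from the wiki page): generate and decode the cpuid.8000000X.0.<reg>
# lines used above. CPUID leaves 0x80000002-0x80000004 return the 48-byte brand string,
# four 32-bit registers per leaf, bytes little-endian within each register; VMware's .vmx
# syntax writes each register as 32 bits, bit 31 first, in groups of four.
LEAVES = ("80000002", "80000003", "80000004")
REGS = ("eax", "ebx", "ecx", "edx")
I5_BRAND = "Intel(R) Core(TM) i5-7Y54 CPU @ 1.20GHz"   # decoded from the Intel Core i5 block

def reg_to_mask(value):
    """Format a 32-bit register value as 'bbbb:bbbb:...:bbbb' (bit 31 first)."""
    bits = f"{value:032b}"
    return ":".join(bits[i:i + 4] for i in range(0, 32, 4))

def mask_to_reg(mask):
    """Inverse of reg_to_mask; accepts the value with or without its quotes."""
    return int(mask.strip('"').replace(":", ""), 2)

def brand_to_vmx(brand):
    """Return {'cpuid.80000002.0.eax': '"0110:...:1001"', ...} for a brand string."""
    raw = brand.encode("ascii")
    if len(raw) > 48:
        raise ValueError("CPUID brand strings are at most 48 bytes")
    raw = raw.ljust(48, b"\x00")          # the CPU pads the string with NUL bytes
    lines = {}
    for li, leaf in enumerate(LEAVES):
        for ri, reg in enumerate(REGS):
            start = (li * 4 + ri) * 4
            value = int.from_bytes(raw[start:start + 4], "little")
            lines[f"cpuid.{leaf}.0.{reg}"] = f'"{reg_to_mask(value)}"'
    return lines

def vmx_to_brand(settings):
    """Rebuild the brand string from a dict of the twelve cpuid.8000000X.0.<reg> values."""
    raw = b"".join(
        mask_to_reg(settings[f"cpuid.{leaf}.0.{reg}"]).to_bytes(4, "little")
        for leaf in LEAVES for reg in REGS
    )
    return raw.rstrip(b"\x00").decode("ascii")

if __name__ == "__main__":
    # Emit a ready-to-paste block for the brand string of your choice.
    for key, value in brand_to_vmx(I5_BRAND).items():
        print(f"{key} = {value}")
```

Paste the printed lines into the .vmx file exactly as shown; the decoder is handy for checking what an existing block actually advertises to the guest.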

VirtualBox

TBU

CPU Virtualization features

The CPUID instruction is executed with EAX=1 as input; the return value describes the processor's features. Bit 31 of ECX (the most significant bit) is 0 on a physical machine; on a guest VM it is 1.

VMWare

  • Step 1. Shut down the VM
  • Step 2. Confirm that you have permission to edit the .vmx file
  • Step 3. Back up the .vmx file
  • Step 4. Insert the following settings into the .vmx file

cpuid.1.ecx = "0---:----:----:----:----:----:----:----"

VirtualBox

TBU

Hypervisor environments

Hide the hypervisor from the guest and enable MCE (Machine Check Exception) to avoid hypervisor detection.

mce.enable = "TRUE"
hypervisor.cpuid.v0 = "FALSE"

Hypervisor vendor detection

Hypervisor brand: by calling CPUID with EAX=40000000 as input, the malware gets the virtualization vendor string as the return value in EAX, ECX, EDX.

For example:

  • Microsoft: “Microsoft HV”
  • VMware: “VMwareVMware”

VMWare

  • Step 1. Shut down the VM
  • Step 2. Confirm that you have permission to edit the .vmx file
  • Step 3. Back up the .vmx file
  • Step 4. Insert the following settings into the .vmx file

cpuid.40000000.0.eax = "0000:0000:0000:0000:0000:0000:0000:0000"

VirtualBox

TBU

Streaming SIMD Extensions 3 (SSE3)

VMWare

  • Step 1. Shut down the VM
  • Step 2. Confirm that you have permission to edit the .vmx file
  • Step 3. Back up the .vmx file
  • Step 4. Insert the following settings into the .vmx file

monitor_control.enable_fullcpuid = "TRUE"

VirtualBox

TBU

MAC address

The following MAC address prefixes are detected as VMware.

00:05:69:xx:xx:xx // VMWare, Inc.
00:0c:29:xx:xx:xx // VMWare, Inc.
00:1C:14:xx:xx:xx // VMWare, Inc.
00:50:56:xx:xx:xx // VMWare, Inc.

VMWare

  • Step 1. Shut down the VM
  • Step 2. Confirm that you have permission to edit the .vmx file
  • Step 3. Back up the .vmx file
  • Step 4. Insert the following settings into the .vmx file

ethernet0.address = "00:11:56:35:57:58"

VirtualBox

TBU

SCSI device name

Strings such as "vmware", "vbox", "qemu" and "VirtualHD" are used for detection.

VMWare

  • Step 1. Shut down the VM
  • Step 2. Confirm that you have permission to edit the .vmx file
  • Step 3. Back up the .vmx file
  • Step 4. Insert the following settings into the .vmx file

scsi0:0.productID = "Toshiba SSD"
scsi0:0.vendorID = "Toshiba"

VirtualBox

TBU

VMware tools backdoor channel

VMware Tools' backdoor channel is used for virtualization detection.

VMware

  • Step 1. Shut down the VM
  • Step 2. Confirm that you have permission to edit the .vmx file
  • Step 3. Back up the .vmx file
  • Step 4. Insert the following settings into the .vmx file

monitor_control.restrict_backdoor = "TRUE"

VMware monitoring functions

VMware

  • Step 1. Shut down the VM
  • Step 2. Confirm that you have permission to edit the .vmx file
  • Step 3. Back up the .vmx file
  • Step 4. Insert the following settings into the .vmx file

monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"

BIOS information

VMware

  • Step 1. Shut down the VM
  • Step 2. Confirm that you have permission to edit the .vmx file
  • Step 3. Back up the .vmx file
  • Step 4. Insert the following settings into the .vmx file

board-id.reflectHost = "TRUE"
hw.model.reflectHost = "TRUE"
serialNumber.reflectHost = "TRUE"
smbios.reflectHost = "TRUE"
SMBIOS.noOEMStrings = "TRUE"

VirtualBox

TBU
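As an added example (not part of the original wiki), this Python lint parses a .vmx file and checks the settings collected in the sections above: the exact values from the hypervisor, vendor-detection and SSE3 sections, that cpuid.1.ecx clears bit 31, and that no ethernet adapter keeps one of the VMware OUIs listed in the MAC address section. SAMPLE_VMX is a constructed file that contains two deliberate mistakes.

```python
# Added example (not from the wiki page): lint a VMware .vmx against the anti-anti-analysis
# settings on this page. EXPECTED/VMWARE_OUIS come from the page; SAMPLE_VMX is constructed.
import re

EXPECTED = {                        # exact values the page recommends for VMware guests
    "hypervisor.cpuid.v0": "FALSE",
    "mce.enable": "TRUE",
    "monitor_control.enable_fullcpuid": "TRUE",
    "cpuid.40000000.0.eax": "0000:0000:0000:0000:0000:0000:0000:0000",
}
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}   # from the MAC section
MASK_RE = re.compile(r"^[01-]{4}(:[01-]{4}){7}$")                 # 32 bits in nibble groups
SAMPLE_VMX = """\
ethernet0.address = "00:0c:29:12:34:56"
cpuid.1.ecx = "0---:----:----:----:----:----:----:----"
cpuid.40000000.0.eax = "0000:0000:0000:0000:0000:0000:0000:0000"
mce.enable = "TRUE"
hypervisor.cpuid.v0 = "FALSE"
monitor_control.enable_fullcpuid = "TURE"
"""

def parse_vmx(text):
    """Parse 'key = "value"' lines into a dict; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings

def lint_vmx(text):
    """Return a list of findings; an empty list means every check passed."""
    s, findings = parse_vmx(text), []
    for key, want in EXPECTED.items():
        got = s.get(key)
        if got is None or got.upper() != want:     # also catches typos such as "TURE"
            findings.append(f"{key} = {got!r}, expected {want!r}")
    mask = s.get("cpuid.1.ecx", "")
    if not MASK_RE.match(mask):
        findings.append("cpuid.1.ecx missing or not a 32-bit mask")
    elif mask[0] != "0":                           # first character is bit 31
        findings.append("cpuid.1.ecx does not force bit 31 (hypervisor present) to 0")
    for key, value in s.items():                   # any ethernetN.address with a VMware OUI
        if key.endswith(".address") and value.lower()[:8] in VMWARE_OUIS:
            findings.append(f"{key} uses a VMware OUI: {value}")
    return findings
```

Run lint_vmx on the file after every edit; an empty list means the page's VMware settings are present and well-formed.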