How to detect a VMware system - vulnerability warning - the black bar safety net

ID MYHACK58:62200820280
Type myhack58
Reporter Anonymous (佚名)
Modified 2008-09-05T00:00:00


by ayaREI

When AV researchers catch your virus, they usually analyze it: they need to understand how the virus spreads in a complex network environment. Many of them will run the virus inside a virtual machine such as VMware to observe its behavior. A Vxer naturally does not want this to happen, so how can the virus tell whether the system it is running on is VMware?

Here are a few ways to determine this:

  1. Use the VMware backdoor. VMware has a backdoor interface that lets the virtual system and the real system interact. The following instructions can be executed inside the program to make the determination. It is best to wrap them in exception handling, because on a real machine the privileged I/O instruction raises an exception instead of returning data.

     mov ecx, 0Ah      ; CX = function number (0Ah = get_version)
     mov eax, 'VMXh'   ; EAX = magic
     mov dx, 'VX'      ; DX = magic (I/O port)
     in eax, dx        ; specially processed I/O command; output: EAX/EBX/ECX = data
     cmp ebx, 'VMXh'   ; EAX/ECX are also modified (maybe VMware/OS version?)
     je under_VMware

  2. Registry key. On a real system, VMware registers HKLM\Software\VMware, Inc.\VMware for Windows NT, while inside the virtual system VMware registers HKLM\Software\VMware, Inc.\VMware Tools\. Checking for this key is also a good method.

  3. Program path. In the real or virtual system it is C:\Program Files\VMware.

  4. Other methods. You can also check system hardware information and the like; these differ under VMware, and from them it can be determined that the system is VMware.
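From the analyst's side, the same artifacts are what you look for when triaging a sample that may refuse to run in a VMware sandbox. The scanner below is an added example (not code from the article or from VMware): it scans a byte buffer for the backdoor probe in item 1 (the `mov eax, 'VMXh'` immediate followed within a short window by `mov dx, 'VX'` and `in eax, dx`) and for the guest-side registry and path strings from items 2 and 3. The sample buffers, function names and the 32-byte scan window are constructed assumptions.

```python
"""Flag x86 code that carries the VMware-detection artifacts described above.

Added example for analysts, not code from the original article.  The sample
byte strings at the bottom are constructed by hand from the article's
assembly listing and registry key.
"""
import struct

# Magic values from the backdoor sequence: EAX = 'VMXh', DX = 'VX' (I/O port).
VMX_MAGIC = 0x564D5868          # 'VMXh' as a 32-bit immediate
VMX_PORT = 0x5658               # 'VX' as a 16-bit immediate

# Little-endian encodings as they appear inside instruction bytes.
MOV_EAX_MAGIC = b"\xB8" + struct.pack("<I", VMX_MAGIC)   # B8 68 58 4D 56  mov eax, 'VMXh'
MOV_DX_PORT = b"\x66\xBA" + struct.pack("<H", VMX_PORT)  # 66 BA 58 56     mov dx, 'VX'
IN_EAX_DX = b"\xED"                                      # ED              in eax, dx

# Guest-side strings from the article (registry key and install path).
ARTIFACT_STRINGS = [
    "VMware Tools",
    "VMware, Inc.",
    "C:\\Program Files\\VMware",
]


def find_backdoor_probes(code: bytes, window: int = 32) -> list[int]:
    """Return offsets of 'mov eax, VMXh' that are followed within `window`
    bytes by 'mov dx, VX' and then 'in eax, dx'.  Requiring the whole
    sequence avoids flagging 'VMXh' when it merely appears as data."""
    hits = []
    pos = code.find(MOV_EAX_MAGIC)
    while pos != -1:
        region = code[pos + len(MOV_EAX_MAGIC): pos + len(MOV_EAX_MAGIC) + window]
        port_pos = region.find(MOV_DX_PORT)
        if port_pos != -1 and IN_EAX_DX in region[port_pos + len(MOV_DX_PORT):]:
            hits.append(pos)
        pos = code.find(MOV_EAX_MAGIC, pos + 1)
    return hits


def find_artifact_strings(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, string) pairs for VMware artifact strings, matched
    both as ASCII and as UTF-16LE (the form Win32 'W' APIs take)."""
    found = []
    for text in ARTIFACT_STRINGS:
        for encoded in (text.encode("ascii"), text.encode("utf-16-le")):
            pos = data.find(encoded)
            while pos != -1:
                found.append((pos, text))
                pos = data.find(encoded, pos + 1)
    return sorted(found)


def triage(data: bytes) -> dict:
    """Summarise both checks for one sample buffer."""
    probes = find_backdoor_probes(data)
    strings = find_artifact_strings(data)
    return {
        "backdoor_probes": probes,
        "artifact_strings": strings,
        "suspicious": bool(probes) or bool(strings),
    }


# Constructed sample 1: the article's listing, hand-assembled, plus the
# guest-side registry key as an ASCII string.
SAMPLE_VM_CHECK = bytes.fromhex(
    "B90A000000"      # mov ecx, 0Ah
    "B868584D56"      # mov eax, 'VMXh'
    "66BA5856"        # mov dx, 'VX'
    "ED"              # in eax, dx
    "81FB68584D56"    # cmp ebx, 'VMXh'
    "7405"            # je under_VMware
) + b"\x00" * 4 + b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00"

# Constructed sample 2: the magic immediate appears but no port I/O follows,
# so it must not be reported (e.g. the value used as ordinary data).
SAMPLE_BENIGN = MOV_EAX_MAGIC + b"\xC3" + b"hello world"


if __name__ == "__main__":
    for name, buf in (("vm_check", SAMPLE_VM_CHECK), ("benign", SAMPLE_BENIGN)):
        print(name, triage(buf))
```

The probe matcher is deliberately strict (immediate, then port load, then `in`) so that the four-byte magic alone, which also shows up in legitimate VMware Tools binaries and in data, does not trigger it; a sample that shuffles the register loads past the window or computes the magic at run time will be missed, so treat a clean result as "no obvious probe", not as proof of absence.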