Network Security Focus-Virus

RE: Playing with Viruses on windows

Subject: RE: Playing with Viruses on windows
Date: Thu, 12 Aug 2004 16:12:24 +0100

Nick FitzGerald wrote:

And, of course, dynamic black-box analysis that such a setup as this affords can be insufficient. What if the program you are trying to analyse detects it is running under VMWare and simply exits, or runs a "harmless" (or otherwise different) code branch from the one it runs when not in a VM?

From 29A zine #7

                               VMware has you
                               --------------

     When avers catch your virus, they analyze it. In the case of a complex networking creature, they must learn how it spreads: how it infects computers via the network, how it infects files. There exist some programs to emulate virtual OSes on a single machine. This is the best solution when you need to study some virus without the risk of f**king up your own system. So a question arises: how to find out if our virus is running under a virtual OS.

     One of such programs is VMware. It has its own "backdoor" port to communicate between internal (emulated) and external (emulating) code. There are some functions which allow you (under emulation) to enable/disable different virtual devices, send internal messages, and do other things. Here is how these functions are called (you should use exception handling for this code):

        mov     ecx, 0Ah    ; ECX = function# (0Ah = get_version)
        mov     eax, 'VMXh' ; EAX = magic 0x564D5868
        mov     dx, 'VX'    ; DX  = magic port 0x5658
        in      eax, dx     ; specially processed I/O read; on real hardware this
                            ; is privileged in ring 3 and raises #GP, which is
                            ; why exception handling is needed around it
        ; output: EAX = backdoor version, EBX = magic echoed back,
        ;         ECX = VMware product type (per open-vm-tools' backdoor definitions)
        cmp     ebx, 'VMXh' ; EBX holds the magic only when VMware answered
        je      under_VMware

  VMware registry keys are

    HKLM\Software\VMware, Inc.\VMware for Windows NT     -- real
    HKLM\Software\VMWare, Inc.\VMware Tools\             -- virtual

  VMware executables directory is

    C:\Program Files\VMware     -- both real and virtual

     There can be many different methods to detect if you're under a virtual OS, such as incorrectly emulated ports, predetermined hardware info, special drivers and other things.

     About actions to be performed under a virtual OS, well, it depends on your wicked souls -- from f**king up everything, which will result in minor time loss, to perverting the virus strategy, which may result in misunderstanding of your code and make emulation useless.

                                   * * * 

rgds
Pete Simpson 
ThreatLab Manager
CLEARSWIFT
The MIMEsweeper Company
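The backdoor probe quoted from 29A above, written out as a runnable user-mode check with the exception handling the zine text asks for. This is an added example, not code from the post, from 29A or from VMware: it assumes a POSIX system on x86/x86-64 (Linux in practice) where an `in` executed in ring 3 raises #GP and the kernel delivers it as SIGSEGV (SIGBUS and SIGILL are caught as well, to be safe), and the function names `vmware_backdoor_present` and `backdoor_reply_is_vmware` and the struct `backdoor_reply` are my own. The constants are the ones in the quoted assembly; the meaning of EAX and ECX in the reply follows open-vm-tools' backdoor definitions.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants of the backdoor call quoted in the post (macro names are mine). */
#define VMWARE_MAGIC          0x564D5868u  /* 'VMXh' in EAX */
#define VMWARE_PORT           0x5658u      /* 'VX'   in DX  */
#define VMWARE_CMD_GETVERSION 0x0Au        /* function number in ECX */

/* Registers handed back by the backdoor: EAX = backdoor version,
 * EBX = magic echoed back, ECX = product type. */
struct backdoor_reply {
    uint32_t eax, ebx, ecx;
};

/* The "cmp ebx, 'VMXh' / je under_VMware" step, kept separate so the
 * decision can be exercised with constructed register values. */
int backdoor_reply_is_vmware(const struct backdoor_reply *r)
{
    return r->ebx == VMWARE_MAGIC ? 1 : 0;
}

/* In ring 3 on real hardware (or under another hypervisor) "in eax, dx" is
 * privileged: the CPU raises #GP and the kernel delivers SIGSEGV. Catching
 * it and unwinding is the exception handling the zine text tells you to add. */
static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);   /* back into vmware_backdoor_present */
}

/* Returns 1 if the backdoor answered with the magic value, 0 if the port
 * access faulted (bare metal, other hypervisor, or backdoor disabled),
 * -1 when not built for x86/x86-64. */
int vmware_backdoor_present(void)
{
#if defined(__i386__) || defined(__x86_64__)
    struct sigaction sa, old_segv, old_bus, old_ill;
    volatile int present = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS,  &sa, &old_bus);   /* assumption: some kernels use SIGBUS */
    sigaction(SIGILL,  &sa, &old_ill);

    /* sigsetjmp(..., 1) saves the signal mask, so siglongjmp from the handler
     * restores it and SIGSEGV is not left blocked afterwards. */
    if (sigsetjmp(fault_env, 1) == 0) {
        struct backdoor_reply r;
        uint32_t edx_out;
        __asm__ __volatile__(
            "inl %%dx, %%eax"            /* the specially processed I/O read */
            : "=a"(r.eax), "=b"(r.ebx), "=c"(r.ecx), "=d"(edx_out)
            : "a"(VMWARE_MAGIC), "b"(0u), "c"(VMWARE_CMD_GETVERSION), "d"(VMWARE_PORT)
            : "memory");
        (void)edx_out;
        present = backdoor_reply_is_vmware(&r);
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS,  &old_bus,  NULL);
    sigaction(SIGILL,  &old_ill,  NULL);
    return present;
#else
    return -1;
#endif
}

int main(void)
{
    int p = vmware_backdoor_present();
    if (p < 0)
        puts("not an x86 build; backdoor probe skipped");
    else
        puts(p ? "VMware backdoor answered: running under VMware"
               : "port access faulted: no VMware backdoor here");
    return 0;
}
```

On Windows the same structure is written with SEH (`__try` around the `in`, `__except` returning "not VMware") instead of `sigaction`/`sigsetjmp`. Note that a fault only means "no VMware backdoor reachable": the probe also returns 0 inside a VMware guest whose backdoor has been restricted, and under any other hypervisor, so an analyst cannot rely on it alone to prove a sample is VM-unaware.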


