A forum for reverse engineering, OS internals and malware analysis 
 #22277  by EP_X0FF
 Sat Feb 22, 2014 4:19 pm
This document contains a short overview of the methods (AntiVM) used by existing Windows NT malicious software (malware) to detect execution in a controlled environment such as a virtual machine (VM) and/or sandbox. However, this is not a complete R&D of each malware with AntiVM; we will focus only on the most popular and often seen methods. Unlike other articles, we will also show other methods that detect the presence of software VMs. We assume readers are familiar with Windows NT based malware, Windows NT core components, the x86 architecture and programming languages.
PDF attached.

With best regards to my colleague rinn
 #22318  by AaLl86
 Thu Feb 27, 2014 11:13 pm
Very nice paper. Just read the initial pages and I really appreciate it.
Thanks for sharing

Andrea
 #22322  by forty-six
 Fri Feb 28, 2014 2:38 pm
So many downloads and so little gratitude shown.

Lately it seems like there is more VM detection in the samples I have analyzed. Not sure if this is perception or reality. Valuable document and good read. Thanks for sharing.
 #22323  by myodyne
 Fri Feb 28, 2014 2:50 pm
Thank you very much..

Great information.
 #22454  by DerW_234
 Fri Mar 14, 2014 4:49 pm
Thanks, this should be interesting!
I heard in a presentation a while ago that malware uses less Anti-VM nowadays (because many servers run on virtual machines), but "consumer" malware will probably increase its VM evasion efforts nevertheless, so it's good to stay ahead or at least know what's possible :).
 #25476  by EP_X0FF
 Wed Mar 18, 2015 8:16 am
VMDE source adapted to 2015 and posted on GitHub: https://github.com/hfiref0x/VMDE. Do not consider it a fully functional VM detector, as it was a part of our work with rinn, later used to develop the VBox antidetection patch.
 #25477  by t4L
 Wed Mar 18, 2015 8:39 pm
Nice work EP_X0FF :)

Next thing we'll see is HF kids and such will copy-n-paste your code into their buggy mw. :lol:
 #25478  by EP_X0FF
 Wed Mar 18, 2015 9:09 pm
Why not. At least finally some % of "their" code will be properly written. But as I said before, VMDE is just a side work of the VBox anti-detection patch we planned from the middle of 2013.
 #31560  by richarduu
 Sat May 05, 2018 7:49 am
Thanks!
And also thank you so much for all the sharing including analysis result and samples!
I am new to malware research, and find this forum to be the haven of malware research because of people like you!
Thank you @EP_X0FF!