This document contains a short overview of existing AntiVM methods exploited by Windows NT malicious software (malware): methods that help malware detect execution in a controlled environment such as a virtual machine (VM) and/or sandbox. However, this is not a complete R&D of each malware with AntiVM; we will focus only on the most popular and most often seen methods. Unlike other articles, we will show other methods that detect the presence of VM software. We assume readers are familiar with Windows NT based malware, Windows NT core components, the x86 architecture and programming languages.

PDF in the attachment.
With best regards to my colleague rinn
Ring0 - the source of inspiration