CPU Power Usage – Sandbox Evasive Technique

Hi Folks,

I’m not usually in this kind of paper, but this time, I am exceptionally writing a really short one about something related to some VM evasive PoC.

There is always some tricks to detect if you are running on a virtual machine or not. Most of them are stupid, but it’s enough accurate to just lose some minds when you have to harden your sandbox.

The idea here, there are some sensors to check the current CPU Power Usage. When you see as below, it returns this kind of values, when you are running a program normally.

RealMachine.png

But in a sandbox, it will return 0.

AntiVM

Source: >>> Crappy ugly content <<<

#HappyHunting

Résultat de recherche d'images pour "Umaru chan gif"

Photo by Shawn Stutzman from Pexels

 

 

 

One response to “CPU Power Usage – Sandbox Evasive Technique”

  1. ToastMangler Avatar
    ToastMangler

    Interesting how a few years ago VM detection was as simple as detecting reg keys and file paths (which could be mitigated). Three to four years ago they were looking for VMs by the number of cores. Now it’s just pushing the limitations by seeing what data you can’t obtain from the hardware (temps, power, etc.). Fascinating evolution of evasion techniques.

    Here’s another great article related to this:

    https://www.andreafortuna.org/dfir/malware-analysis/malware-vm-detection-techniques-evolving-an-analysis-of-gravityrat/

    Reply

Leave a Reply

Discover more from Fumi's Box

Subscribe now to keep reading and get access to the full archive.

Continue reading