Hi Folks,

I'm not usually in this kind of paper, but this time, I am exceptionally writing a really short one about something related to some VM evasive PoC.

There is always some tricks to detect if you are running on a virtual machine or not. Most of them are stupid, but it's enough accurate to just lose some minds when you have to harden your sandbox.

The idea here, there are some sensors to check the current CPU Power Usage. When you see as below, it returns this kind of values, when you are running a program normally.

RealMachine.png

But in a sandbox, it will return 0.

AntiVM

Source: >>> Crappy ugly content <<<

#HappyHunting

Résultat de recherche d'images pour "Umaru chan gif"

Photo by Shawn Stutzman from Pexels

 

 

 

Last modified: March 14, 2019

Author

Comments

ToastMangler 

Interesting how a few years ago VM detection was as simple as detecting reg keys and file paths (which could be mitigated). Three to four years ago they were looking for VMs by the number of cores. Now it’s just pushing the limitations by seeing what data you can’t obtain from the hardware (temps, power, etc.). Fascinating evolution of evasion techniques.

Here’s another great article related to this:

https://www.andreafortuna.org/dfir/malware-analysis/malware-vm-detection-techniques-evolving-an-analysis-of-gravityrat/

Leave a Reply