Sreelakshmi Panangatt graduated from Vrije University and Amrita Vishwa Vidyapeetham. She focuses on reverse engineering. Her tool DeViL (Detect Virtual Machine in Linux) demonstrates techniques malware uses to detect virtual machines. It determines how the current Linux configuration exposes itself. DeViL checks files, CPU instructions, network settings and timing to detect signs the system is running in a VM like VMWare or VirtualBox rather than physical hardware. It aims to help analysts understand how malware detects analysis environments.
2. @srlkhmi
● Sreelakshmi Panangatt
● Member of Team bi0s
● Graduated from Vrije University and Amrita Vishwa Vidyapeetham.
● Focusing on Reverse engineering.
5. Virtualization
● Creation of a virtual version of a resource such as storage or an OS
● Examples: VMware, VirtualBox, KVM, QEMU
● Benefits in Malware Analysis
○ Researchers can safely execute potential malware samples without affecting their own systems.
○ If a malware sample destabilizes the OS, the analyst just needs to load a fresh image into the VM.
○ Reduces time and cost
○ Increases productivity
6. Anti-VM Techniques
● Used by malware to evade analysis inside VMs
● Types
○ File based detection
○ Time based detection
○ Instruction based detection
7. Presence of VM
● /usr/bin: the standard directory containing most executable files
● Searching for files whose names start with "vmw" or "VirtualBox" reveals the presence of VMware or VirtualBox guest software.
16. Known MAC Address
● VMWare
○ 00:05:69
○ 00:0C:29
○ 00:1C:14
○ 00:50:56
● VirtualBox
○ 08:00:27
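The file-name and MAC-address checks from the two slides above, as an added example (not DeViL's own code), written so an analyst can run it inside a sandbox and see which artefacts the guest exposes. It assumes a Linux guest where interface addresses are readable from /sys/class/net/<if>/address, scans /usr/bin for the two name prefixes the slide names (case-sensitive, as stated), and uses exactly the OUI list given above; the matcher functions take plain strings so they can be exercised with constructed input.

```c
// Added example (not part of DeViL): file and MAC artefact checks from the
// "Presence of VM" and "Known MAC Address" slides, for auditing a sandbox.
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

// Vendor implied by an executable's file name, or NULL if none.
// Prefixes are the ones the slide names; comparison is case-sensitive.
const char *vm_vendor_for_filename(const char *name)
{
    if (strncmp(name, "vmw", 3) == 0)
        return "VMware";
    if (strncmp(name, "VirtualBox", 10) == 0)
        return "VirtualBox";
    return NULL;
}

// Vendor implied by a MAC address OUI (first three octets), or NULL.
// Accepts "aa:bb:cc:dd:ee:ff" in either case; only the OUI is examined.
const char *vm_vendor_for_mac(const char *mac)
{
    static const struct { const char *oui; const char *vendor; } table[] = {
        { "00:05:69", "VMware" }, { "00:0C:29", "VMware" },
        { "00:1C:14", "VMware" }, { "00:50:56", "VMware" },
        { "08:00:27", "VirtualBox" },
    };
    char oui[9];
    size_t i;

    if (strlen(mac) < 8)
        return NULL;
    for (i = 0; i < 8; i++)
        oui[i] = (char)toupper((unsigned char)mac[i]);
    oui[8] = '\0';

    for (i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(oui, table[i].oui) == 0)
            return table[i].vendor;
    return NULL;
}

// Walk a directory and print every entry whose name matches; returns the count
// (0 if the directory cannot be opened).
int report_vm_files(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int hits = 0;

    if (d == NULL)
        return 0;
    while ((e = readdir(d)) != NULL) {
        const char *vendor = vm_vendor_for_filename(e->d_name);
        if (vendor != NULL) {
            printf("file  %s/%s -> %s\n", dir, e->d_name, vendor);
            hits++;
        }
    }
    closedir(d);
    return hits;
}

// Read each interface's MAC from sysfs and print known VM OUIs; returns count.
int report_vm_macs(void)
{
    DIR *d = opendir("/sys/class/net");
    struct dirent *e;
    int hits = 0;

    if (d == NULL)
        return 0;
    while ((e = readdir(d)) != NULL) {
        char path[512], mac[32];
        FILE *f;
        const char *vendor;

        if (e->d_name[0] == '.')
            continue;
        snprintf(path, sizeof path, "/sys/class/net/%s/address", e->d_name);
        f = fopen(path, "r");
        if (f == NULL)
            continue;
        if (fgets(mac, sizeof mac, f) != NULL) {
            mac[strcspn(mac, "\n")] = '\0';   // drop trailing newline from sysfs
            vendor = vm_vendor_for_mac(mac);
            if (vendor != NULL) {
                printf("mac   %s %s -> %s\n", e->d_name, mac, vendor);
                hits++;
            }
        }
        fclose(f);
    }
    closedir(d);
    return hits;
}

int main(void)
{
    int total = report_vm_files("/usr/bin") + report_vm_macs();
    printf("%d VM artefact(s) exposed\n", total);
    return 0;
}
```

Every hit this prints is something an analyst can remove or change before detonating a sample: guest-tools binaries can be uninstalled or renamed, and a virtual NIC's MAC can be set to an OUI outside the list above.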
17. CPUID Instruction
● Hypervisor bit
○ CPUID instruction with EAX=0x01
○ Bit 31 of ECX is set when running under a hypervisor
● Virtualization vendor string
○ CPUID instruction with EAX=0x40000000
○ 12-byte vendor string returned in EBX, ECX and EDX
18. Hypervisor port - IN Instruction
● Specific for VMware.
● Performs an IN operation to port 0x5658 (the VMware hypervisor port).
○ eax = 0x564D5868 (VMware hypervisor magic value)
○ ebx = 0xFFFFFFFF (UINT_MAX)
○ ecx = 10 (Getversion command identifier)
○ edx = 0x5658 (hypervisor port number)
● On VMware, the operation sets register ebx to 0x564D5868 (the VMware hypervisor magic value).
19. VMEXIT through CPUID Instruction
● Timing based
● Measures the time taken to run the CPUID instruction.
● The context switch from the guest caller to the hypervisor causes a VMEXIT.
● Summary: execution inside a VM takes noticeably longer!
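The CPUID checks from the "CPUID Instruction" slide and the CPUID round-trip timing from the slide just above, combined into one added example that is not DeViL's own code. It assumes an x86 build with GCC or clang (the cpuid.h and x86intrin.h headers); on other architectures the CPUID and RDTSC parts report "not available" instead of failing. The register-to-string decoder is kept separate from the CPUID call so it can be checked with constructed register values; the sample values used for that check spell "VMwareVMware". The vendor leaf is only queried once the hypervisor bit is confirmed, because on bare metal leaf 0x40000000 can return unrelated data, and the timing loop returns a raw tick average rather than a verdict, since the sensible comparison is against a baseline measured on physical hardware, which the slide does not give.

```c
// Added example (not part of DeViL): CPUID hypervisor bit, vendor leaf, and
// CPUID timing from the "CPUID Instruction" and "VMEXIT through CPUID" slides.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

// Execute CPUID for 'leaf'. Returns 1 on success, 0 on non-x86 builds.
int run_cpuid(uint32_t leaf, uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
#if HAVE_X86_CPUID
    __cpuid(leaf, *a, *b, *c, *d);
    return 1;
#else
    *a = *b = *c = *d = 0;
    (void)leaf;
    return 0;
#endif
}

// Leaf 1, ECX bit 31: reserved for hypervisors to announce their presence.
// Returns 1 if set, 0 if clear, -1 if CPUID is not available on this build.
int hypervisor_bit_set(void)
{
    uint32_t a, b, c, d;
    if (!run_cpuid(0x1, &a, &b, &c, &d))
        return -1;
    return (int)((c >> 31) & 1);
}

// Leaf 0x40000000 spreads a 12-byte vendor string over EBX, ECX, EDX, lowest
// byte first. Pure register reassembly, so it can be checked with constructed
// values. Returns a static buffer (not re-entrant; fine for a demo).
const char *decode_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    static char out[13];
    uint32_t regs[3] = { ebx, ecx, edx };
    int r, i;
    for (r = 0; r < 3; r++)
        for (i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xFF);
    out[12] = '\0';
    return out;
}

// Query the vendor leaf. Only meaningful when the hypervisor bit is set;
// bare metal can return unrelated data for leaf 0x40000000, so we gate on it.
const char *hypervisor_vendor(void)
{
    uint32_t a, b, c, d;
    if (hypervisor_bit_set() != 1)
        return NULL;
    run_cpuid(0x40000000, &a, &b, &c, &d);
    return decode_vendor_string(b, c, d);
}

// Average TSC ticks per CPUID over 'iterations' runs (0 if unavailable).
// In a guest every CPUID traps to the hypervisor (VMEXIT), so the average is
// far higher than on bare metal; judge it against a baseline you measured on
// physical hardware, not against a fixed constant.
uint64_t average_cpuid_ticks(int iterations)
{
#if HAVE_X86_CPUID
    uint64_t total = 0;
    int i;
    for (i = 0; i < iterations; i++) {
        uint32_t a, b, c, d;
        uint64_t start = __rdtsc();
        __cpuid(0, a, b, c, d);          // CPUID is serializing, so no fence needed
        total += __rdtsc() - start;
    }
    return iterations > 0 ? total / (uint64_t)iterations : 0;
#else
    (void)iterations;
    return 0;
#endif
}

int main(void)
{
    const char *vendor = hypervisor_vendor();
    printf("hypervisor bit : %d\n", hypervisor_bit_set());
    printf("vendor leaf    : %s\n", vendor ? vendor : "(not under a hypervisor)");
    printf("avg CPUID ticks: %llu\n",
           (unsigned long long)average_cpuid_ticks(1000));
    return 0;
}
```

Note that the hypervisor bit and vendor leaf are set by the hypervisor itself, not by guest tools, so unlike the file and MAC artefacts they cannot be hidden from inside the guest; the timing difference likewise comes from the VMEXIT and is a property of running virtualized, which is why the slide lists it as a separate class of detection.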
20. DeViL
● Demonstration tool
● Determines how the current configuration exposes itself to malware
● Supports only Linux
● Tested in Ubuntu 16.04
VMware implements an I/O port that programs can query to detect whether they are running under a VMware hypervisor. This hypervisor port behaves differently depending on magic values in certain registers and modifies some registers as a side effect. The VMware hypervisor is detected by performing an IN operation on port 0x5658 (the VMware hypervisor port).
Doing an IN on port 0x5658 with
eax = 0x564D5868 (VMware hypervisor magic value)
ebx = 0xFFFFFFFF (UINT_MAX)
ecx = 10 (Getversion command identifier)
edx = 0x5658 (hypervisor port number)
On VMware, this operation modifies the value of register ebx to 0x564D5868 (the VMware hypervisor magic value).