VX Heaven


VMware has you

29a [7]
February 2004


When avers catch your virus, they analyze it. In the case of a complex networking creature, they must learn how it spreads: how it infects computers via the network, and how it infects files. There exist programs that emulate virtual OSes on a single machine. This is the best solution when you need to study a virus without risking fucking up your own system. So a question arises: how to find out whether our virus is running under a virtual OS.

One such program is VMware. It has its own "backdoor" port for communication between internal (emulated) and external (emulating) code. There are functions which allow you (under emulation) to enable/disable different virtual devices, send internal messages, and do other things. Here is how these functions are called (you should use exception handling for this code, because a user-mode `in` instruction faults on a real machine where no backdoor handles the port):

        mov     ecx, 0Ah        ; CX=function# (0Ah=get_version)
        mov     eax, 'VMXh'     ; EAX=magic
        mov     dx, 'VX'        ; DX=magic
        in      eax, dx         ; specially processed io cmd
                                ; output: EAX/EBX/ECX = data
        cmp     ebx, 'VMXh'     ; also eax/ecx modified (maybe vmw/os ver?)
        je      under_VMware
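As an added example (not from the 29a article), here is a small Python scanner an analyst can run over a sample to flag the instruction sequence above: it looks for the `mov eax, 'VMXh'` immediate with the `mov dx, 'VX'` load and the `in eax, dx` opcode close by, and reports the backdoor function number when a `mov ecx, imm32` sits nearby. The instruction encodings, the window size and the constructed test buffers are my assumptions; only the 'VMXh' and 'VX' constants come from the snippet.

```python
import re
import struct

# Constants from the article's snippet: EAX magic 'VMXh' and I/O port 'VX'.
VMX_MAGIC = 0x564D5868   # 'VMXh'
VMX_PORT = 0x5658        # 'VX'

# x86 encodings the snippet assembles to (little-endian immediates):
#   mov eax, imm32 -> B8 imm32 ; mov dx, imm16 -> 66 BA imm16 ; in eax, dx -> ED
MOV_EAX_MAGIC = b"\xB8" + struct.pack("<I", VMX_MAGIC)
MOV_DX_PORT = b"\x66\xBA" + struct.pack("<H", VMX_PORT)
IN_EAX_DX = b"\xED"
MOV_ECX_IMM32 = re.compile(rb"\xB9(.{4})", re.DOTALL)   # mov ecx, imm32


def find_vmware_backdoor(data: bytes, window: int = 32) -> list[dict]:
    """Flag places where the backdoor magic, the port load and an IN opcode
    sit within `window` bytes of each other. Requiring all three avoids
    matching the plain 'VMXh' string that legitimate VMware Tools binaries
    also carry. Returns one dict per hit with the offset and, when a
    `mov ecx, imm32` is nearby, the backdoor function number it loads."""
    hits = []
    for m in re.finditer(re.escape(MOV_EAX_MAGIC), data):
        region = data[max(0, m.start() - window): m.end() + window]
        port_at = region.find(MOV_DX_PORT)
        if port_at < 0 or IN_EAX_DX not in region[port_at + len(MOV_DX_PORT):]:
            continue
        func = MOV_ECX_IMM32.search(region)   # heuristic: nearest mov ecx, imm32
        hits.append({
            "offset": m.start(),
            "function": struct.unpack("<I", func.group(1))[0] if func else None,
        })
    return hits


# Constructed sample: the article's snippet hand-assembled, padded with NOPs,
# followed by a benign ASCII "VMXh" string that must not trigger a hit.
SNIPPET = (
    b"\xB9\x0A\x00\x00\x00"        # mov ecx, 0Ah
    b"\xB8\x68\x58\x4D\x56"        # mov eax, 'VMXh'
    b"\x66\xBA\x58\x56"            # mov dx, 'VX'
    b"\xED"                        # in eax, dx
    b"\x81\xFB\x68\x58\x4D\x56"    # cmp ebx, 'VMXh'
    b"\x74\x05"                    # je under_VMware
)
CONSTRUCTED_BINARY = b"\x90" * 16 + SNIPPET + b"\x00" * 8 + b"VMXh" + b"\x00" * 8
# Constructed benign buffer: the magic immediate with no port access nearby.
BENIGN_BINARY = b"VMware Tools\x00" + MOV_EAX_MAGIC + b"\xC3" + b"\x00" * 16

if __name__ == "__main__":
    for hit in find_vmware_backdoor(CONSTRUCTED_BINARY):
        print(f"backdoor check at offset {hit['offset']}, function {hit['function']:#x}")
    print("benign hits:", find_vmware_backdoor(BENIGN_BINARY))
```

The same three-part pattern is what a YARA rule for this check would encode; the function-number extraction only tells you which backdoor call the sample issues (0Ah is the version query shown above).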

The VMware registry keys are

	HKLM\Software\VMware, Inc.\VMware for Windows NT -- real
	HKLM\Software\VMWare, Inc.\VMware Tools\ -- virtual

The VMware executables directory is

	C:\Program Files\VMware -- both real and virtual

There are many other ways to detect whether you're under a virtual OS, such as incorrectly emulated ports, predetermined hardware info, special drivers and other things.

As for the actions to be performed under a virtual OS, well, it depends on your wicked souls -- from fucking up everything, which will result in minor time loss, to perverting the virus strategy, which may result in your code being misunderstood and make emulation useless.
