Detecting and Mitigating VMware Tools: Anti-Virtualization Techniques and Malware Identification

Anti-VM Techniques for Virtual Machines: Incorporating VMware Tools

(1) If VMware Tools is installed, use CreateToolhelp32Snapshot and Process32Next to scan the process list to check for VMwareService.exe, VMwareTray.exe, and VMwareUser.exe.(2) Check whether the network card address starts with 00:0C:29 or examine other hardware versions.(3) Probe memory traces and search for strings containing VMware.(4) Red Pill anti-VM technology -> the vulnerable instruction sidt, it is ineffective on multi-core processors due to varying idtr return values.(5) No Pill technique -> vulnerable instruction sldt; the LDTR value on the host system is 0, whereas in a virtual machine it is not.(6) Monitor queried I/O communication ports, observe in instruction when the second operand is VX.(7) Check str instruction, as the return value differs between host and virtual machines. The str instruction is used to retrieve segment selectors from the task register.

Measures:(1) Patch code, use nop or modify conditional jumps.(2) Uninstall VMware Tools.(3) Modify VMware settings.(4) Use multi-core processors.

VMware Tools: PE File Structure

PNTHeader = ImageBase + DosHeader->e_lfanewDOS HeaderIMAGE_DOS_HEADERPE File HeaderIMAGE_NT_HEADERSIMAGE_FILE_HEADERIMAGE_OPTIONAL_HEADER32Section Table        IMAGE_SECTION_HEADER        ……Sections        .text.data        ……Debug Information        ……

How to Determine if a File is an EXE or DLL?

In the IMAGE_FILE_HEADER, the file attribute field for a standard EXE file is usually 010fh, while for a DLL file, it is 0210h.

Note: Once a disk file is loaded into memory, the data structure layout on the disk and in memory are consistent.

Virtual Address (VA) = Base Address (ImageBase) + Relative Virtual Address (RVA)

Preventing Disassembly with VMware Tools

• Disassembly countermeasures exploit the disassembler’s false assumptions and limitations. Disassemblers make certain assumptions in advance to display assembly code clearly. If those assumptions fail, malicious code authors can deceive analysts.
• Linear disassembly and code flow-oriented disassembly.
• Linear disassembly uses the size of already disassembled instructions to determine the next byte to disassemble, ignoring control instructions of code flow and unable to differentiate between code and data.
• When encountering the e8 instruction, it parses the next four bytes as data (a local call instruction is 5 bytes). Modification: turn the following bytes into instructions.
• How to distinguish disassembly: Jump to an invalid instruction, jump instructions to the same target, conditional jump instructions, invalid disassembly instructions, abuse of return pointers retn -> disassembly countermeasures: place a rogue byte after the conditional jump instruction, starting disassembly from this byte, preventing true instructions further from being disassembled since the inserted byte is the machine code of a multibyte instruction.

Anti-Debugging with VMware Tools

• Use Windows API to detect if being debugged: IsDebuggerPresent -> queries the IsDebugged flag in the Process Environment Block (PEB).CheckRemoteDebuggerPresent is similar, also querying the IsDebugged flag in the PEB.NtQueryInformationProcess: The second parameter indicates the type of process information to extract, set to ProcessDebugPort.OutputDebugString: Use SetLastError to set an error code, if debugging, the error code doesn’t change.
• Manually detect data structures: BeingDebugged and ProcessHeap (location of the first allocated heap) in PEB.Windbg uses disable debugging stacks to start processes.Processes started in debug mode and normal mode create heaps differently, compare offsets at 0x68 and 0x70 in PEB structure.
• System trace detection: Check if Aedebug registry key value has been modified, check memory traces, view the current process list, find debuggers through FindWindow.
• Int scan -> use hardware breakpoints for counteraction.Executing code checksum verification: traverse internal instructions and compare with a preset value.Clock detection: when debugging, the process runs significantly slower, the debugger handles exceptions very slowly, rdtsc, GetTickCount, QueryPerformanceCounter.
• TLS callback, run malicious programs before the entry point specified in the PE header.In IDA, press Ctrl+E to see all entry points of the application, the combination key shows the binary entry point.
• Using exceptions.
• Insert interrupts.
• Exploit debugger vulnerabilities, such as OllydDbg1.1 formatting vulnerabilities.

“Machine Code: VMware Tools”

jmp: E9call: E8pop: 58retn: C3int 3: CCrdtsc: 0F31 returns the number of clock ticks since the system reboot

Breakpoint Principle: VMware Tools

• When the program is closed, Ollydbg will automatically save the breakpoint locations of the current application in its install directory *.udd file.
• Int 3 breakpoint: Replaces the instruction at the breakpoint with CC, causing an exception. The debugger catches this exception and stops at the breakpoint, then restores the instruction at the breakpoint to the original instruction.
• Hardware breakpoint: Uses four debug registers (DR0, DR1, DR2, DR3) to set addresses, uses DR7 to set status. “Run to cursor” (F4) also uses the principle of debug registers, equivalent to a one-time hardware breakpoint.
• Memory breakpoint: Sets the specified address as inaccessible/unwritable, causing an exception when accessed/written. Ollydbg intercepts the exception and compares if the exception address is the breakpoint address. If so, it interrupts. This slows down performance and can only achieve one memory breakpoint.
• Message breakpoint
• Conditional breakpoint
• Conditional record breakpoint

Function Calling

• cdecl: Right to left, caller cleans up the stack, printf.
• stdcall: Right to left, callee cleans up the stack.
• fastcall: Right to left, uses edx and ecx registers.

Tools

PEID, Ollydbg, IDA, winhex, PEview, PE ExplorerProcess explorer to view processes, Resource Hacker to view resource sectionsPromon, dependency walker to check dynamic link functionsImmunity Debugger using python scripts for encodingSnort for writing network signature codesWindbgVolatility: Extract injected dll programs, search for hidden processesSoftice

Shortcuts

ida: Cross-reference: Ctrl+Xollydbg: Step into: F7Step over: F8Return to code section: Ctrl+F9 or Alt+F9Set breakpoint: F2Run to cursor: F4Run: F9View memory: Alt+MView breakpoint: Alt+B

How Do You Conduct Virus Analysis?

To identify whether a sample is a virus, it is determined by behavior. Most viruses exhibit the following behaviors:(1) Copy own file to system directories, such as system, system32, windows directories, etc.(2) Release *.DLL files to the system directories.(3) Use names similar to system file names, like svch0st.exe, winlogin.exe, etc.(4) Inject into system processes like svchost.exe, explorer.exe, iexplore.exe, etc.(5) Create services with the execution path as virus files, mostly used for autostart.(6) Set virus file as hidden attribute.(7) Set keyboard hook or mouse hook to monitor normal user’s actions.(8) Replace system files.(9) Infect executable files.(10) Set registry key values, for autostart or hidden.(11) Connect to a remote address to download and execute malicious files.(12) Open local port to accept control from remote.(13) Change virus file extensions like cc3, jpg, tmp, etc.(14) Create very hidden paths to release virus files.(15) Modify the HOST file.(16) Release driver .sys files to tamper with the system IDT table, etc.

Have You Conducted Virus Analysis, Briefly Describe the Process

(1) Setup a virtual machine.(2) Use strings to check for suspicious strings.(3) Use PEview to check if the code entry point shows signs of infection.(4) Use PEid to check for packing.(5) Turn on process monitoring software, monitor files, registry, process, setup network environment, use Wireshark to capture packets.(6) Run the program to observe behavior and judge if it is a malicious program.(7) Use the debugger for dynamic debugging, use IDA for static analysis, write auxiliary scripts for analysis.(8) Analyze logs and traffic generated, forensics and research.(9) Extract signature codes and compare with existing sample libraries.(10) Documentation.(11) Backup relevant files.

Privilege Escalation

SeDebugPrivilege, OpenProcessToken, LookupPrivilegeValuesA

Keylogger

Use GetAsyncKeyState to record which key is pressed, use GetForegroundWindow to check the focused window, polling.

Have You Unpacked Shells, Which Ones, What is the Principle of Shelling and Unpacking? Have You Heard of VMP Shell?

Packing combines data sections, code sections, resource sections using compression algorithms, virtualization.Unpacking stub:(1) Unpack the original program into memory.(2) Parse all imported functions of the original executable file.(3) Transfer the executable program to the original program entry point (OEP).

Repair Import Table: Import Reconstructor (ImpRec), just input the base address and OEP offset value.

Do You Understand Hook Technology, Briefly Explain the Principle

• IAT Hook: Modifies Import Address Table.
• Inline Hook: Modifies code of API functions in imported DLLs, must wait until DLL is loaded to execute.
• SSDT hook: ntoskrnl.exe module address is within a certain range, if not, it indicates SSDT has been hooked.

Are You Familiar with C++ Programs?

• In a virtual function, which function is called is determined at runtime.
• The greatest advantage of C++ polymorphism is that it allows different functional objects to share a common interface.
• C++ supports method overload through name mangling, including parameter info in name information.
• Each class using virtual functions has its own vtable, every virtual function in the class has an entry in the vtable.
• Vtable accesses according to offset, marked with sub_####, switch offset table marked with loc_####, subclass vtable is larger than the superclass.

Are You Familiar with 64-bit Programs?

• Difference between x64 and x86: All addresses and pointers are 64-bit, increased number of general purpose registers, increased address bits, x86 can’t address relative to a register offset, needs absolute addresses.
• Windows initially supported Itanium, which is incompatible with x86 architecture. AMD introduced AMD64 64-bit architecture, compatible with x86. Intel adopted AMD64 and called its implementation EM64T, now known as x64 or x86-64.
• x86 instructions are not position-independent; x64 instructions store data addresses as offsets relative to the current instruction pointer.
• x64 calling convention is closest to fastcall, first 4 parameters are passed using RCX, RDX, R8, R9 registers, additional ones are stored on the stack.
• x64 never changes stack size in the middle of a function.
• x64 can provide additional clues based on certain features, for instance, ecx is definitely not a pointer since pointers are 64-bit.

Are You Familiar with Injection?

• Process Injection: VirtualAllocEx is used to allocate memory in another process, WriteProcessMemory is used to write data into the address space allocated by VirtualAllocEx, allocate space, insert code.
• DLL Injection: Forces a remote process to load a malicious DLL program, first find the target process, use openProcess to get the target process handle, use CreateRemoteThread to create a new thread in the remote process.
• Direct Injection: Typically involves two allocations of space, code insertion, one for writing data, one for writing code.
• Process Replacement: DLL injection could cause process crashes, process replacement’s key is creating in a suspended state, loaded into memory, resume the main thread, start executing. Call SetThreadContext to point to malicious code, call ResumeThread to initialize and execute the malicious program.