Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED
Pique Proof-of-Concept (PoC) Report
Anti-Debugging and Anti-Emulation
(U) Using Sensitive Instructions to Detect VMWare
(U) Because not all instructions can be virtualized, VMWare uses what is known as binary
translation for these ‘problematic’ instructions. Binary translation traps each problematic
instruction, essentially changes context to handle it on the host processor, returns the result,
and then resumes the virtualized guest. Naturally, this causes a significant performance hit,
so timing methods can be used to determine whether the target is running in VMWare.
(U) Some instructions return different results if run in VMWare as compared to running on
native hardware. These instructions can be used to determine if a VMWare machine is present.
(U) The Red Pill Anti-VM Technique
(U) The Red Pill anti-VM technique uses the sidt instruction to read the value of the IDTR
register. The VM has to relocate the guest IDTR to avoid a conflict with the host’s IDTR. Because
the VM is not notified when the guest runs the sidt instruction, the relocated IDTR of the guest
is returned. The fifth byte of the returned IDTR contains the start of the base memory address,
and VMWare returns 0xFF in that fifth byte. The Red Pill tests for this discrepancy to detect
VMWare. It should be noted that this technique only works reliably on single-processor
machines (the VMWare default is a single processor).
(U) The No Pill Anti-VM Technique
(U) The No Pill anti-VM technique uses the sgdt and sldt instructions and relies on the fact that
the Local Descriptor Table (LDT) structure is assigned to a processor, not to the OS. Because
Windows does not use the LDT structure but VMWare provides support for it, the table will vary
in predictable ways. The location of the LDT on the host machine will be zero, while the location
of the LDT of a VMWare guest machine will be a non-zero value. A simple check for a non-zero
return from either sgdt or sldt will indicate that the OS is a VM image.
(U) Checking the I/O Communications Port
(U) VMWare uses a virtual I/O port with a specific ‘magic number’ for communications between
the host machine and the guest machine. The port can be queried and the response compared
with the magic number to identify VMWare. The magic number, 0x564D5868 in hex, is the
ASCII string “VMXh”.
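(U) As an added triage example that is not part of this report, the following Python scanner turns the three checks above around for a defender: it flags the sidt, sgdt and sldt encodings and the 0x564D5868 immediate inside a raw code buffer, so a sample that carries these probes can be spotted before it is run in a VMWare sandbox. The opcode encodings are taken from the Intel SDM; the sample buffer and the technique labels are constructed here.

```python
import struct
from typing import List, Tuple

# Static triage for the three VMware checks on this page: descriptor-table probes
# (sidt = Red Pill; sgdt/sldt = No Pill) and the 'VMXh' I/O-port magic number.
# Assumption: `code` is raw x86 machine code (e.g. a dumped .text section); no
# disassembler is used, only opcode / ModR/M pattern matching.

VMWARE_MAGIC = 0x564D5868                          # "VMXh", as given in the report
VMWARE_MAGIC_LE = struct.pack("<I", VMWARE_MAGIC)  # how the immediate appears in code

# Intel SDM encodings: 0F 01 /0 = SGDT, 0F 01 /1 = SIDT, 0F 00 /0 = SLDT,
# where /n is the reg field (bits 5..3) of the ModR/M byte after the opcode.
_PROBES = {(0x01, 0): "sgdt", (0x01, 1): "sidt", (0x00, 0): "sldt"}
TECHNIQUE = {"sidt": "Red Pill", "sgdt": "No Pill", "sldt": "No Pill",
             "vmware_magic": "I/O port magic"}

def find_anti_vm_indicators(code: bytes) -> List[Tuple[int, str]]:
    """Return sorted (offset, indicator) pairs for every probe found in `code`."""
    hits = []
    for i in range(len(code) - 2):
        if code[i] == 0x0F and code[i + 1] in (0x00, 0x01):
            modrm = code[i + 2]
            mod, reg = modrm >> 6, (modrm >> 3) & 7
            name = _PROBES.get((code[i + 1], reg))
            # sgdt/sidt take a memory operand only: with mod == 3 the same
            # 0F 01 /0 and /1 bytes encode other instructions (e.g. MONITOR/MWAIT).
            if name and (name == "sldt" or mod != 3):
                hits.append((i, name))
    pos = code.find(VMWARE_MAGIC_LE)
    while pos != -1:
        hits.append((pos, "vmware_magic"))
        pos = code.find(VMWARE_MAGIC_LE, pos + 1)
    return sorted(hits)

def techniques_used(code: bytes) -> List[str]:
    """Map raw indicators to the technique names used on this page."""
    return sorted({TECHNIQUE[name] for _, name in find_anti_vm_indicators(code)})

# Constructed sample (not from the report): a stub mixing benign bytes with each probe.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"          # push ebp ; mov ebp, esp
    "0F 01 4D FA"       # sidt [ebp-6]          -> Red Pill
    "0F 01 45 FA"       # sgdt [ebp-6]          -> No Pill
    "0F 00 C0"          # sldt ax               -> No Pill
    "B8 68 58 4D 56"    # mov eax, 0x564D5868   -> 'VMXh' magic
    "0F 01 C9"          # mwait: mod == 3, must not be reported as sidt
    "C9 C3"             # leave ; ret
)
```

A user-mode sample has no legitimate reason to execute sidt, sgdt or sldt, so any hit in such a binary is a strong signal that the sample checks for a virtual machine; a hit in kernel or hypervisor code must be judged in context.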
Raytheon Blackbird Technologies, Inc.
07 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.