Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Pique Proof-of-Concept (PoC) Report
Anti-Debugging and Anti-Emulation
(U) This technique relies on the x86 instruction in, which copies data from the I/O port specified by the source operand to a memory address specified by the destination operand. VMware monitors the use of the in instruction and captures the I/O destination for the communication port 0x5668 (VX). Therefore, the second operand needs to be loaded with VX in order to check for VMware, which only happens when EAX holds the magic number 0x564D5868. ECX must contain a value corresponding to the action you want to perform on the port. The value 0xA means "get the VMware version type" and 0x14 means "get the memory size." Either can be used to detect VMware.
Timing-based VM Detection
(U) As mentioned earlier, virtualization environments cannot emulate every instruction. Some instructions are trapped in the kernel: the virtualization environment is halted, the instruction is handled by the host processor, the result is passed back to the emulation environment, and the emulation environment is restarted. Naturally, all this causes quite a performance hit, and that degradation of performance can be measured via timestamps.
(U) One of the problematic instructions is CPUID. The timing-based VM detection technique
involves taking a timestamp, looping a large number of sequential CPUID calls (> 4000), taking
another timestamp and calculating the difference. If running in an emulation environment, the
time difference will be orders of magnitude greater than the time difference when running on a
native host system.
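For an analyst triaging a sample, the two checks above leave recognisable byte patterns. The following Python scanner is an added example, not part of the report: it looks for the VMware backdoor sequence (the 0x564D5868 magic loaded into EAX, the 0x5668 port loaded into DX, an in instruction, and the 0xA / 0x14 command in ECX) and for an RDTSC/CPUID/RDTSC timing loop, using standard x86 opcode encodings as its assumed signatures and a hand-assembled constructed blob as input.

```python
import re

# Byte signatures for the operations the report describes, taken from standard x86
# opcode encodings (assumed; heuristic only, since code can load these values other ways).
MOV_EAX_VMXH = b"\xB8" + (0x564D5868).to_bytes(4, "little")  # mov eax, 'VMXh'
MOV_EDX_VX = b"\xBA" + (0x5668).to_bytes(4, "little")        # mov edx, 'VX'
MOV_DX_VX = b"\x66\xBA" + (0x5668).to_bytes(2, "little")     # mov dx, 'VX'
IN_DX = b"[\xEC\xED]"                                        # in al, dx / in eax, dx
CPUID = b"\x0F\xA2"
RDTSC = b"\x0F\x31"
BACKDOOR_CMDS = {0x0A: "get VMware version type", 0x14: "get memory size"}

def _offsets(blob: bytes, pattern: bytes) -> list:
    return [m.start() for m in re.finditer(pattern, blob)]

def scan_vm_detection(blob: bytes, window: int = 64) -> dict:
    magic = _offsets(blob, re.escape(MOV_EAX_VMXH))
    port = _offsets(blob, re.escape(MOV_EDX_VX) + b"|" + re.escape(MOV_DX_VX))
    ins = _offsets(blob, IN_DX)
    cpuid, rdtsc = _offsets(blob, CPUID), _offsets(blob, RDTSC)
    # Backdoor check: magic in EAX, port in DX and an `in` all within `window` bytes.
    backdoor = [m for m in magic
                if any(0 < p - m <= window for p in port)
                and any(0 < i - m <= window for i in ins)]
    # Which ECX command (0xA / 0x14) is loaded near the magic value, if any.
    cmds = sorted({name for m in magic for cmd, name in BACKDOOR_CMDS.items()
                   if b"\xB9" + cmd.to_bytes(4, "little") in blob[m:m + window]})
    # Timing check: rdtsc ... cpuid ... rdtsc inside one window.
    timing = [r1 for r1 in rdtsc
              if any(r1 < c < r2 <= r1 + window for c in cpuid for r2 in rdtsc)]
    return {"vmware_backdoor_at": backdoor, "backdoor_commands": cmds,
            "cpuid_timing_at": timing, "cpuid_count": len(cpuid), "rdtsc_count": len(rdtsc)}

# Constructed sample: a hand-assembled stub that performs both checks.
SAMPLE = (
    b"\x55\x89\xE5"               # push ebp; mov ebp, esp
    + MOV_EAX_VMXH                # mov eax, 0x564D5868
    + b"\xB9\x0A\x00\x00\x00"     # mov ecx, 0xA   (get version type)
    + MOV_EDX_VX                  # mov edx, 0x5668
    + b"\xED"                     # in eax, dx
    + RDTSC                       # first timestamp
    + b"\xBE\xA0\x0F\x00\x00"     # mov esi, 4000  (cpuid clobbers ecx)
    + CPUID + b"\x4E\x75\xFB"     # cpuid; dec esi; jnz back to cpuid
    + RDTSC                       # second timestamp
    + b"\xC3"                     # ret
)

if __name__ == "__main__":
    print(scan_vm_detection(SAMPLE))
```

The 64-byte window and the immediate-load encodings are tuning choices; a packed or obfuscated sample will need dynamic analysis instead.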
(U) Resources
www.symantec.com/connect/articles/windows-anti-debug-reference
Andrew Honig and Michael Sikorski, Practical Malware Analysis, No Starch Press 2012
http://www.aldeid.com/wiki/PEB-Process-Environment-Block/BeingDebugged
https://www.blackhat.com/presentations/bh-usa-07/Yason/Whitepaper/bh-usa-07-yason-WP.pdf
https://www.exploit-db.com/docs/34591.pdf
Raytheon Blackbird Technologies, Inc.
21
07 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.