As described in the references by Liston and Skoudis, several techniques are used to detect a virtual machine.
Tool       Method
---------  --------------------------------------------------------------------------
redPill    The Stored Interrupt Descriptor Table (SIDT) instruction retrieves the
           Interrupt Descriptor Table (IDT) address; redPill analyzes that address to
           determine whether VMware is in use.
Scoopy     Builds on the SIDT/IDT trick of redPill by also checking the Global
           Descriptor Table (GDT) and Local Descriptor Table (LDT) addresses to
           verify redPill's result.
Doo        Included with the Scoopy tool; checks for clues in registry keys, drivers,
           and other differences between VMware's virtual hardware and real hardware.
Jerry      VMware overrides some of the normal x86 instruction set, and the slight
           differences can be detected by comparing the expected result of a normal
           instruction with the actual result.
VmDetect   VirtualPC introduces new instructions to the x86 instruction set, while
           VMware uses existing instructions that are privileged. VmDetect checks
           whether either situation exists. This is the most effective method and is
           shown next.
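As an added self-check (not code from the book or from the redPill/Scoopy tools), the following C program lets an analyst confirm inside their own sandbox whether the SIDT/SGDT fingerprint in the table above is still exposed. The address thresholds are the 32-bit heuristics those tools published; the rule that the GDT base must agree before the verdict is trusted is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
/* IDTR/GDTR image as stored by SIDT/SGDT: 16-bit limit, then the base
 * (32 bits on i386, 64 on x86-64). Packed so the asm store lines up. */
struct __attribute__((packed)) dtr { uint16_t limit; uintptr_t base; };
enum verdict { NATIVE = 0, VMWARE = 1, VIRTUALPC = 2, OTHER_VM = 3 };

/* redPill's 32-bit heuristic (constructed from the published tools): native
 * Windows kept the IDT at 0x80ffffff, VMware moved it to 0xffXXXXXX,
 * VirtualPC to 0xe8XXXXXX, and any high byte above 0xd0 was taken as a VM. */
enum verdict classify_idt_base(uint32_t base)
{
    uint8_t hi = (uint8_t)(base >> 24);
    if (hi == 0xff) return VMWARE;
    if (hi == 0xe8) return VIRTUALPC;
    if (hi > 0xd0)  return OTHER_VM;
    return NATIVE;
}

/* Scoopy-style cross-check (assumption: the GDT base must be relocated into
 * the same high range before the IDT verdict is trusted). */
int scoopy_confirms(uint32_t idt_base, uint32_t gdt_base)
{
    return classify_idt_base(idt_base) != NATIVE &&
           (uint8_t)(gdt_base >> 24) > 0xd0;
}

/* Store IDTR and GDTR with the unprivileged instructions; 0 on non-x86.
 * Caveat: 64-bit guests use different ranges, and a UMIP-enabled kernel may
 * emulate these stores with dummy values, so "native" here proves nothing. */
int read_descriptor_tables(struct dtr *idt, struct dtr *gdt)
{
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile("sidt %0" : "=m"(*idt));
    __asm__ volatile("sgdt %0" : "=m"(*gdt));
    return 1;
#else
    (void)idt; (void)gdt;
    return 0;
#endif
}

int main(void)
{
    struct dtr idt = {0, 0}, gdt = {0, 0};
    if (!read_descriptor_tables(&idt, &gdt)) return 1;
    printf("IDT %#lx GDT %#lx vm=%d\n", (unsigned long)idt.base,
           (unsigned long)gdt.base,
           scoopy_confirms((uint32_t)idt.base, (uint32_t)gdt.base));
    return 0;
}
```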
Gray Hat Hacking: The Ethical Hacker's Handbook
[Figure 20-1 The Walleye web interface of the new roo]
Chapter 20: Collecting Malware and Initial Analysis
As Liston and Skoudis briefed in a SANS webcast and later published, there are some undocumented features in VMware that are quite effective at eliminating the most commonly used signatures of a virtual environment.