
DeViL - Detect Virtual Machine in Linux by Sreelakshmi

Published in: Software

  1. DeViL: Detect Virtual Machine in Linux
  2. @srlkhmi ● Sreelakshmi Panangatt ● Member of Team bi0s ● Graduated from Vrije University and Amrita Vishwa Vidyapeetham ● Focusing on reverse engineering
  3. Outline ● Introduction ● VM detection techniques ● DeViL ● Demo
  4. Introduction ● Malware implements anti-analysis techniques for self-defence ● Anti-analysis techniques = make analysis harder ● Anti-analysis techniques ○ Anti-VM detection ○ Anti-debugger ○ Obfuscation
  5. Virtualization ● Creation of a virtual version of resources such as storage or an OS ● Examples: VMware, VirtualBox, KVM, QEMU ● Benefits in malware analysis ○ Researchers can execute potentially malicious samples without affecting their own systems ○ If a sample destabilizes the OS, the analyst just loads a fresh image on the VM ○ Reduces time and cost ○ Increases productivity
  6. Anti-VM Techniques ● Used to evade analysis in VMs ● Types ○ File-based detection ○ Time-based detection ○ Instruction-based detection
  7. Presence of VM ● /usr/bin is the standard directory containing most executable files ● Searching it for files whose names start with "vmw" or "VirtualBox" reveals the presence of VMware or VirtualBox
  8. /usr/bin
  9. Information Collection from Files ● Linux exposes system information through files ● Read the file and compare its contents against known values to detect a VM
  10. Some Interesting Files ● /proc/cpuinfo ● /proc/scsi/scsi ● /sys/class/net/eth0/address ● /sys/class/dmi/id/bios_vendor ● /sys/class/dmi/id/product_name ● /sys/class/dmi/id/sys_vendor ● /proc/sys/kernel/ostype ● /sys/class/dmi/id/board_vendor ● /proc/modules
  11. /proc/cpuinfo
  12. /proc/scsi/scsi
  13. /sys/class/dmi/id/bios_vendor
  14. /sys/class/dmi/id/product_name
  15. /proc/modules
  16. Known MAC Addresses ● VMware ○ 00:05:69 ○ 00:0C:29 ○ 00:1C:14 ○ 00:50:56 ● VirtualBox ○ 08:00:27
  17. CPUID Instruction ● Hypervisor bit ○ Execute CPUID with EAX=0x01 ○ Check bit 31 of ECX ● Virtualization vendor string ○ Execute CPUID with EAX=0x40000000 ○ Vendor string is returned in EBX, ECX and EDX
  18. Hypervisor Port (IN Instruction) ● Specific to VMware ● Performs an IN operation on port 0x5658 (the VMware hypervisor port) with ○ eax = 0x564D5868 (VMware hypervisor magic value) ○ ebx = 0xFFFFFFFF (UINT_MAX) ○ ecx = 10 (GetVersion command identifier) ○ edx = 0x5658 (hypervisor port number) ● Under VMware, the hypervisor sets ebx to 0x564D5868 (the VMware hypervisor magic value), which is what the check looks for
  19. VMEXIT through CPUID Instruction ● Timing based ● Measures the time it takes to run the CPUID instruction ● The context switch from the guest caller to the hypervisor causes a VMEXIT ● Summary: execution in a VM takes longer!
  20. DeViL ● Demonstration tool ● Determines how the current configuration exposes itself to malware ● Supports only Linux ● Tested on Ubuntu 16.04
  21. DEMO
  22. DeViL @srlkhmi
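The file-based and MAC-address checks from slides 9, 10 and 16 (and the hypervisor bit from slide 17, via the kernel's "hypervisor" flag in /proc/cpuinfo) as one self-audit script an analyst can run on a sandbox VM. This is an added example, not DeViL's own code; the marker "vbox" (for VirtualBox kernel modules) and the sample file contents are assumptions, and the sample is constructed, not real output.

```python
import os
import re

# Files the slides list as leaking hypervisor vendor strings.
VENDOR_FILES = (
    "/sys/class/dmi/id/bios_vendor", "/sys/class/dmi/id/product_name",
    "/sys/class/dmi/id/sys_vendor", "/sys/class/dmi/id/board_vendor",
    "/proc/cpuinfo", "/proc/scsi/scsi", "/proc/modules",
)
# "vmw"/"virtualbox" come from slide 7; "vbox" is an assumed module-name marker.
VENDOR_MARKERS = ("vmw", "virtualbox", "vbox", "qemu", "kvm")
# MAC OUI prefixes from the "Known MAC Addresses" slide.
VM_OUI = {"00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware",
          "00:50:56": "VMware", "08:00:27": "VirtualBox"}

def read_text(path):
    """Return a file's contents, or None when it is absent or unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def scan_vendor_files(reader=read_text):
    """Return (path, marker) for every vendor string found in VENDOR_FILES."""
    hits = []
    for path in VENDOR_FILES:
        text = reader(path)
        if text is None:
            continue
        hits += [(path, m) for m in VENDOR_MARKERS if m in text.lower()]
    return hits

def hypervisor_flag(cpuinfo):
    """True when /proc/cpuinfo lists 'hypervisor', which the kernel derives
    from CPUID leaf 1, ECX bit 31 (the hypervisor bit on slide 17)."""
    return bool(re.search(r"^flags\s*:.*\bhypervisor\b", cpuinfo or "", re.M))

def mac_vendor(mac):
    """Map a MAC address to a VM vendor by its OUI prefix, or None."""
    return VM_OUI.get(mac.strip().upper()[:8])

def audit(reader=read_text, macs=None):
    """Collect every indicator; macs defaults to all interfaces' addresses."""
    if macs is None:
        macs = [reader(f"/sys/class/net/{i}/address") or ""
                for i in os.listdir("/sys/class/net")]
    findings = [f"{p}: contains '{m}'" for p, m in scan_vendor_files(reader)]
    if hypervisor_flag(reader("/proc/cpuinfo")):
        findings.append("/proc/cpuinfo: hypervisor flag set (CPUID.1:ECX[31])")
    findings += [f"MAC {m}: {mac_vendor(m)} OUI" for m in macs if mac_vendor(m)]
    return findings

# Constructed sample of what a VirtualBox guest might expose (not real output).
SAMPLE = {
    "/sys/class/dmi/id/product_name": "VirtualBox\n",
    "/proc/cpuinfo": "flags\t\t: fpu vme pge sse2 hypervisor lahf_lm\n",
    "/proc/modules": "vboxguest 49152 2 vboxsf, Live 0x0000000000000000\n",
}

if __name__ == "__main__":
    for line in audit(SAMPLE.get, macs=["08:00:27:3a:1c:9e"]):
        print(line)
```

Run it with the default arguments on a real guest to see which of the slides' indicators that configuration exposes; every finding is something to scrub or mask before the sandbox is trusted with evasive samples.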
