Tuesday, January 8, 2019

Reverse engineering evasion techniques with CSharp

I wrote some proof-of-concept code for detecting virtual machine and/or debugger environment. The code is available at GitHub. The code is not a complete collection of the all evasion techniques, just a few simple things to detect VM and/or debugger.

Here is how the application looks in the hosting OS i.e. Windows 10:
It has a false positive result in "Detect VM". The reason for this can be seen in the process list where it finds "vmware-authd" process. All the other indicators are however "negative".

Here is the same thing done in the Oracle VirtualBox environment with Windows 7:
Again it detects VM by process name(s). But now there are other indicators too: small system drive (under 128 GB), no BIOS serial number and finally WMI returns "VirtualBox" as system model. This is definitely a virtual machine.

Finally VMware player with Windows  8.1:
Once again it detects VM by process name(s). Other indicators are: small system drive and WMI returns "VMware Virtual Platform" as system model. These are also strong indicators for VM.

If you like to try the source code there is one point you may have to take into account. I got the following error message in VS2017:
There are many reasons why you could get this "Unable to copy file..." and "Could not find file..." error message. In this case it was F-Secure SAFE that detected object code as malicious and thus deleted the file. The workaround, if you get the same error, is to whitelist the source code folder in your AV product.








No comments: