GET /api/techniques/17/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"id": 17,
"key": "sidt-red-pill",
"unprotect_id": "U1328,B0009.030",
"name": "SIDT, Red Pill",
"description": "Red Pill is a technique used by malware to determine whether it is running on a physical machine or a virtual machine. The Red Pill technique involves executing the SIDT instruction, which retrieves the value of the Interrupt Descriptor Table Register (IDTR) and stores it in a memory location. \r\n\r\nOn a physical machine, the IDTR will contain the address of the Interrupt Descriptor Table (IDT), which is a data structure used by the operating system to manage interrupts. However, on a virtual machine, the IDTR will contain the address of the IDT for the virtual machine, which is different from the IDT for the host machine. \r\n\r\nBy comparing the IDTR on a physical and a virtual machine, malware can determine whether it is running on a physical or a virtual machine. This information can be used by the malware to adjust its behavior accordingly.",
"resources": "https://litigationconferences.com/wp-content/uploads/2017/05/Introduction-to-Evasive-Techniques-v1.0.pdf",
"creation_date": "2019-03-11T08:03:01Z",
"tags": "Anti-VM technique,\r\nSIDT instruction,\r\nIDTR register,\r\nIDT,\r\nInterrupts,\r\nVirtual machine,\r\nInterrupt Descriptor Table (IDT),",
"modification_date": "2023-10-04T10:44:01.802000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
}
