HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 375,
"next": null,
"previous": "https://unprotect.it/api/techniques/?format=api&page=7",
"results": [
{
"id": 34,
"key": "checking-hard-drive-size",
"unprotect_id": "U1312, B0009.015",
"name": "Checking Hard Drive Size",
"description": "Many user machines have hard drives that are larger than 80GB. A malware program can detect whether it is running in a virtual environment by checking the size of the hard drive. If the size is less than 80GB, it is likely that the program is running in a sandbox or virtual environment.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.botconf.eu/2015/sandbox-detection-for-the-masses-leak-abuse-test/",
"creation_date": "2019-03-11T08:16:57Z",
"tags": "user machines, hard drives, size, 80GB, malware, virtual environment, sandbox",
"modification_date": "2023-10-04T10:42:21.219000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 33,
"key": "checking-memory-size",
"unprotect_id": "U1313, B0009.014",
"name": "Checking Memory Size",
"description": "Most modern user machines have at least 4GB of memory. Malware programs can detect whether they are running in a sandbox environment by checking the available memory size. If the available memory size is less than 4GB, it is likely that the program is running in a sandbox.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.botconf.eu/2015/sandbox-detection-for-the-masses-leak-abuse-test/",
"creation_date": "2019-03-11T08:16:13Z",
"tags": "memory, malware, sandbox, available memory size.",
"modification_date": "2023-10-04T10:42:09.947000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 32,
"key": "checking-installed-software",
"unprotect_id": "U1314",
"name": "Checking Installed Software",
"description": "By detecting the presence of certain software and tools commonly used in sandbox environments, such as Python interpreters, tracing utilities, debugging tools, and virtual machine software like VMware, it is possible to infer the existence of a sandbox. \r\n\r\nThis inference is based on the premise that such tools are often found in sandbox setups used for dynamic malware analysis but are less common in regular user environments.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.theguardian.com/technology/blog/2011/nov/08/sandboxing-malware-failure\r\nhttps://evasions.checkpoint.com/techniques/human-like-behavior.html",
"creation_date": "2019-03-11T08:15:36Z",
"tags": "installed software, sandbox",
"modification_date": "2024-01-16T04:21:02.068000Z",
"category": [
1
],
"rules": [
153
],
"attachments": [],
"featured_api": [
315,
321,
328
],
"contributors": [
33
]
},
{
"id": 31,
"key": "checking-screen-resolution",
"unprotect_id": "U1315,B0007.006",
"name": "Checking Screen Resolution",
"description": "Sandbox environments typically do not function as standard user workspaces; as a result, they often maintain a minimum screen resolution of 800x600 or even lower. In practice, users seldom work with such limited screen dimensions. Malware may leverage this information, detecting the screen resolution to ascertain whether it is operating on a genuine user machine or within a sandbox environment.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.botconf.eu/2015/sandbox-detection-for-the-masses-leak-abuse-test/",
"creation_date": "2019-03-11T08:14:42Z",
"tags": "sandbox environments, standard user workspaces, screen resolution, 800x600, malware detection, user machine",
"modification_date": "2023-10-04T10:44:00.339000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
183
],
"contributors": []
},
{
"id": 30,
"key": "checking-recent-office-files",
"unprotect_id": "U1316,B0007.003",
"name": "Checking Recent Office Files",
"description": "Another way to detect whether the malware is running on a real user machine is to check whether any recent Office files were opened.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.zscaler.com/blogs/research/malicious-documents-leveraging-new-anti-vm-anti-sandbox-techniques",
"creation_date": "2019-03-11T08:14:05Z",
"tags": "",
"modification_date": "2023-10-04T10:42:09.710000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 29,
"key": "checking-mouse-activity",
"unprotect_id": "U1317,B0007.003",
"name": "Checking Mouse Activity",
"description": "Some sandboxes do not have mouse movement or a fun wallpaper; malware can detect whether there is any activity in the sandbox.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2019-03-11T08:13:32Z",
"tags": "",
"modification_date": "2023-10-04T10:37:44.543000Z",
"category": [
1
],
"rules": [
22
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 28,
"key": "stalling-code",
"unprotect_id": "U1318,B0003.003",
"name": "Stalling Code",
"description": "This technique is used for delaying execution of the real malicious code. Stalling code is typically executed before any malicious behavior. The attacker’s aim is to delay the execution of the malicious activity long enough so that an automated dynamic analysis system fails to extract the interesting malicious behavior.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.sans.org/reading-room/whitepapers/malicious/sleeping-sandbox-35797",
"creation_date": "2019-03-11T08:12:32Z",
"tags": "",
"modification_date": "2023-10-04T10:42:14.290000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 26,
"key": "onset-delay",
"unprotect_id": "U1320",
"name": "Onset Delay",
"description": "Malware will delay execution to avoid analysis of the sample. For example, a ping can be performed for a defined period of time. Unlike extended sleep, which uses the Sleep function, onset delay uses another way to delay execution.\r\n\r\nThe purpose of such evasive code is to delay the execution of malicious activity long enough so that automated analysis systems give up on a sample, incorrectly assuming that the program is non-functional or does not execute any action of interest.",
"windows": "",
"linux": "",
"macos": "",
"resources": "http://www.syssec-project.eu/m/page-media/3/hasten-ccs11.pdf\nhttps://blog.sonicwall.com/2018/02/6-ways-malware-evades-detection/",
"creation_date": "2019-03-11T08:11:04Z",
"tags": "",
"modification_date": "2023-10-04T10:42:38.381000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 25,
"key": "vpcext",
"unprotect_id": "U1321,B0009.038",
"name": "VPCEXT",
"description": "The VPCEXT instruction (visual property container extender) is another anti–virtual machine trick used by malware to detect virtual systems. This technique is not documented. If the execution of the instruction does not generate an exception (illegal instruction), then the program is running on a virtual machine.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/\nhttps://shasaurabh.blogspot.com/2017/07/virtual-machine-detection-techniques.html\nhttps://www.codeproject.com/Articles/9823/Detect-if-your-program-is-running-inside-a-Virtual",
"creation_date": "2019-03-11T08:10:11Z",
"tags": "",
"modification_date": "2023-10-04T10:42:40.076000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 24,
"key": "vmcpuid",
"unprotect_id": "U1322,B0009.037",
"name": "VMCPUID",
"description": "The VMCPUID instruction is a sophisticated mechanism often employed by malware to ascertain if it is operating within a virtual environment.\r\n\r\nThis instruction is part of the x86 architecture's virtual machine extensions (VMX) and is designed to provide information about the capabilities and status of the virtual machine. \r\n\r\nBy using VMCPUID, malware can adapt its behavior based on the context in which it is running, thus adding an additional layer of complexity to its detection and mitigation. Essentially, it serves as a telltale indicator, aiding malware in identifying virtualization-based security measures or sandboxing environments.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/",
"creation_date": "2019-03-11T08:09:24Z",
"tags": "VMCPUID, instruction, malware, detection, virtual environment, x86 architecture",
"modification_date": "2023-10-04T10:42:06.356000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 22,
"key": "in",
"unprotect_id": "U1323,B0009.035",
"name": "IN",
"description": "The IN instruction is a type of machine code instruction that is used to read data from an input port. This instruction can only be executed in privileged mode, such as in kernel mode, and an attempt to execute it in user mode will generate an exception. \r\n\r\nHowever, some virtual machine monitors, such as VMWare, use a special port called the VX port as an interface between the virtual machine monitor (VMM) and the virtual machine. If a malware executes the IN instruction in user mode on a VMWare virtual machine, it will not generate an exception, since the VX port allows the instruction to be executed without triggering an exception. This behavior can be used by the malware to detect the presence of a VMWare virtual machine.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://sites.google.com/site/bletchleypark2/malware-analysis/malware-technique/anti-vm",
"creation_date": "2019-03-11T08:07:40Z",
"tags": "Machine code instruction,\r\nInput port,\r\nVirtual machine monitor (VMM),\r\nVirtual machine,\r\nVMWare,\r\nVX port,",
"modification_date": "2023-10-04T10:42:31.362000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 21,
"key": "cpuid",
"unprotect_id": "U1324,B0009.034",
"name": "CPUID",
"description": "The CPUID instruction is a low-level command that allows you to retrieve information about the CPU that is currently running. This instruction, which is executed at the CPU level (using the bytecode 0FA2), is available on all processors that are based on the Pentium architecture or newer.\r\n\r\nYou can use the CPUID instruction to retrieve various pieces of information about the CPU, such as the brand of the CPU, the operating system, or the presence of a hypervisor. This is done by specifying the \"leaf\" information you want to retrieve (such as 0 for the brand of the CPU) in the EAX register, and then executing the instruction. The result will be returned in the EBX, EDX, and ECX registers as a string.\r\n\r\nFor example, when you request leaf information 0, you may see the brand of the CPU or the virtualization technology in use. Some common strings that you may see include \"KVMKVMKVM\" for KVM, \"Microsoft Hv\" for Hyper-V, \"VMwareVMware\" for VMware, and \"GenuineIntel\" for an Intel CPU.\r\n\r\nThe information returned by the CPUID instruction can vary depending on the platform and the specific CPU model.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://sites.google.com/site/bletchleypark2/malware-analysis/malware-technique/anti-vm\nhttps://github.com/a0rtega/pafish",
"creation_date": "2019-03-11T08:06:29Z",
"tags": "CPUID, instruction, CPU level, bytecode 0FA2, running CPU, Pentium, brand of the CPU, Hypervisor, leaf information, EAX register, EBX, EDX, ECX, virtualisation, platforms, KVM, Microsoft Hv, Hyper V, VMware, GenuineIntel",
"modification_date": "2023-10-04T10:43:32.768000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 20,
"key": "str",
"unprotect_id": "U1325,B0009.033",
"name": "STR",
"description": "Stores the segment selector from the Task Register (TR).",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://sites.google.com/site/bletchleypark2/malware-analysis/malware-technique/anti-vm",
"creation_date": "2019-03-11T08:05:47Z",
"tags": "",
"modification_date": "2023-10-04T10:42:01.226000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 19,
"key": "smsw",
"unprotect_id": "U1326,B0009.032",
"name": "SMSW",
"description": "Stores the machine status word into the destination operand.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://sites.google.com/site/bletchleypark2/malware-analysis/malware-technique/anti-vm",
"creation_date": "2019-03-11T08:05:02Z",
"tags": "",
"modification_date": "2023-10-04T10:42:02.944000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 18,
"key": "sldt-no-pill",
"unprotect_id": "U1327,B0009.031",
"name": "SLDT, No Pill",
"description": "The No Pill technique is a method used by malware to determine whether it is running on a physical machine or a virtual machine. This technique relies on the fact that the Local Descriptor Table (LDT) is assigned to a processor, rather than to an operating system. On a physical machine, the location of the LDT will be zero, whereas on a virtual machine, the location of the LDT will be non-zero. \r\n\r\nBy checking the location of the LDT, malware can determine whether it is running on a physical or a virtual machine. This information can be used by the malware to adjust its behavior accordingly. For example, the malware may choose to remain dormant on a virtual machine in order to avoid detection.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://blog.talosintelligence.com/2009/10/how-does-malware-know-difference.html",
"creation_date": "2019-03-11T08:04:03Z",
"tags": "Physical machine,\r\nVirtual machine,\r\nLocal Descriptor Table (LDT),\r\nProcessor,\r\nOperating system,",
"modification_date": "2023-10-04T10:44:37.533000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 17,
"key": "sidt-red-pill",
"unprotect_id": "U1328,B0009.030",
"name": "SIDT, Red Pill",
"description": "Red Pill is a technique used by malware to determine whether it is running on a physical machine or a virtual machine. The Red Pill technique involves executing the SIDT instruction, which retrieves the value of the Interrupt Descriptor Table Register (IDTR) and stores it in a memory location. \r\n\r\nOn a physical machine, the IDTR will contain the address of the Interrupt Descriptor Table (IDT), which is a data structure used by the operating system to manage interrupts. However, on a virtual machine, the IDTR will contain the address of the IDT for the virtual machine, which is different from the IDT for the host machine. \r\n\r\nBy comparing the IDTR on a physical and a virtual machine, malware can determine whether it is running on a physical or a virtual machine. This information can be used by the malware to adjust its behavior accordingly.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://litigationconferences.com/wp-content/uploads/2017/05/Introduction-to-Evasive-Techniques-v1.0.pdf",
"creation_date": "2019-03-11T08:03:01Z",
"tags": "Anti-VM technique,\r\nSIDT instruction,\r\nIDTR register,\r\nIDT,\r\nInterrupts,\r\nVirtual machine,\r\nInterrupt Descriptor Table (IDT),",
"modification_date": "2023-10-04T10:44:01.802000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 15,
"key": "checking-pipe",
"unprotect_id": "U1329",
"name": "Checking Pipe",
"description": "Cuckoo is a malware analysis system that uses a named pipe, called \\\\.\\pipe\\cuckoo, for communication between the host system (where the malware is being analyzed) and the guest system (where the malware is running). \r\n\r\nMalware that is running on the guest system can detect the presence of a virtual environment by attempting to access the \\\\.\\pipe\\cuckoo named pipe. If the named pipe exists, it indicates that the malware is running on a virtual machine being monitored by Cuckoo. This information can be used by the malware to adjust its behavior in order to evade detection or to avoid performing certain actions.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
"creation_date": "2019-03-11T08:01:31Z",
"tags": "Sandbox,\r\nCuckoo,\r\nHost system,\r\nGuest system,\r\nCommunication,\r\nNamed pipe,\r\nVirtual environment,",
"modification_date": "2023-10-04T10:42:28.443000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 14,
"key": "detecting-hooked-function",
"unprotect_id": "U1330",
"name": "Detecting Hooked Function",
"description": "To prevent certain actions on the system by the malware, such as deleting a file, Cuckoo hooks some functions and performs another action instead of the original one. For example, the function DeleteFileW could be hooked to avoid file deletion.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
"creation_date": "2019-03-11T08:00:27Z",
"tags": "",
"modification_date": "2023-10-04T10:42:07.527000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 13,
"key": "checking-specific-folder-name",
"unprotect_id": "U1331",
"name": "Checking Specific Folder Name",
"description": "Specific directories, such as \"C:\\Cuckoo\", can serve as indicators of a sandboxed or virtualized environment when present on a guest system. Consequently, a savvy piece of malware could potentially use the detection of this particular directory as a means of evading analysis. This would allow the malicious software to alter its behavior or even halt its execution altogether when it identifies such markers, thus skirting the sandbox and avoiding detection.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
"creation_date": "2019-03-11T07:59:28Z",
"tags": "Special path, Cuckoo, Guest system, Malware, Sandbox evasion",
"modification_date": "2023-10-04T10:42:06.572000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 12,
"key": "detecting-virtual-environment-artefacts",
"unprotect_id": "U1332",
"name": "Detecting Virtual Environment Artefacts",
"description": "Qemu registers some artifacts into the registry. A malware can detect the Qemu installation with a look at the registry key `HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0` with the value of `Identifier` and the data of `QEMU` or `HARDWARE\\\\Description\\\\System` with a value of `SystemBiosVersion` and data of `QEMU`.\r\n\r\nThe VirtualBox Guest addition leaves many artifacts in the registry. A search for `VBOX` in the registry might find some keys.\r\n\r\nThe VMware installation directory `C:\\\\Program Files\\\\VMware\\\\VMware Tools` may also contain artifacts, as can the registry. A search for VMware in the registry might find some keys that include information about the virtual hard drive, adapters, and virtual mouse.\r\n\r\nVMware leaves many artefacts in memory. Some are critical processor structures, which, because they are either moved or changed on a virtual machine, leave recognisable footprints. Malware can search through physical memory for the strings VMware, commonly used to detect memory artifacts.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
"creation_date": "2019-03-11T07:58:47Z",
"tags": "",
"modification_date": "2023-10-04T10:43:32.985000Z",
"category": [
1
],
"rules": [
17,
19,
32,
53
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 11,
"key": "detecting-virtual-environment-files",
"unprotect_id": "U1333",
"name": "Detecting Virtual Environment Files",
"description": "Some files are created by Virtualbox and VMware on the system. \r\n\r\nMalware can check the different folders to find Virtualbox artifacts like VBoxMouse.sys.\r\n\r\nMalware can check the different folders to find VMware artifacts like vmmouse.sys, vmhgfs.sys.\r\n\r\n### Some Files Example\r\nBelow is a list of files that can be detected on virtual machines:\r\n\r\n- \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\agent.pyw\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmmouse.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmhgfs.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxMouse.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxGuest.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxSF.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxVideo.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxdisp.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxhook.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxmrxnp.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxogl.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglarrayspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglcrutil.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglerrorspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglfeedbackspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglpassthroughspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxservice.exe\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxtray.exe\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\VBoxControl.exe\"",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtual-machine/",
"creation_date": "2019-03-11T07:58:16Z",
"tags": "",
"modification_date": "2023-10-04T10:44:52.297000Z",
"category": [
1
],
"rules": [
31,
41
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 10,
"key": "detecting-virtual-environment-process",
"unprotect_id": "U1334,B0009.004",
"name": "Detecting Virtual Environment Process",
"description": "Processes related to Virtualbox can be detected by malware by querying the process list.\r\n\r\nThe VMware Tools use processes like VMwareServices.exe or VMwareTray.exe to perform actions on the virtual environment. Malware can list the processes and search for the VMware string. Processes: VMwareService.exe, VMwareTray.exe, TPAutoConnSvc.exe, VMtoolsd.exe, VMwareuser.exe.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtual-machine/",
"creation_date": "2019-03-11T07:57:29Z",
"tags": "",
"modification_date": "2023-10-04T10:43:08.365000Z",
"category": [
1
],
"rules": [
17
],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 8,
"key": "detecting-mac-address",
"unprotect_id": "U1335,B0009.028",
"name": "Detecting Mac Address",
"description": "Virtualbox and VMware use specific virtual MAC addresses that can be detected by malware.\r\n\r\n* The usual MAC address used by Virtualbox starts with the following number: 08:00:27.\r\n* The usual MAC address used by VMware starts with one of the following numbers: 00:0C:29, 00:1C:14, 00:50:56, 00:05:69.\r\n\r\nMalware can use this simple trick to detect whether it is running in a virtual environment and decide not to run properly.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://securingtomorrow.mcafee.com/mcafee-labs/overview-malware-self-defense-protection/",
"creation_date": "2019-03-11T07:56:04Z",
"tags": "",
"modification_date": "2023-10-04T10:42:05.695000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 7,
"key": "querying-the-io-communication-port",
"unprotect_id": "U1336,B0009.025",
"name": "Querying the I/O Communication Port",
"description": "VMware uses virtual I/O ports for communication between the virtual machine and the host operating system to support functionality like copy and paste between the two systems. The port can be queried and compared with a magic number VMXh to identify the use of VMware.",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://www.aldeid.com/wiki/VMXh-Magic-Value",
"creation_date": "2019-03-11T07:55:13Z",
"tags": "",
"modification_date": "2023-10-04T10:42:03.259000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
},
{
"id": 6,
"key": "detecting-active-services",
"unprotect_id": "U1337",
"name": "Detecting Active Services",
"description": "VMwareService.exe runs the VMware Tools Service as a child of services.exe. It can be identified by listing services.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2019-03-11T07:54:25Z",
"tags": "",
"modification_date": "2023-10-04T10:37:28.470000Z",
"category": [
1
],
"rules": [],
"attachments": [],
"featured_api": [
321
],
"contributors": []
}
]
}