SLDT, No Pill Sandbox Evasion

The No Pill technique is a method used by malware to determine whether it is running on a physical machine or a virtual machine. This technique relies on the fact that the Local Descriptor Table (LDT) is assigned to a processor, rather than to an operating system. On a physical machine, the location of the LDT will be zero, whereas …

Detecting Virtual Environment Artefacts Sandbox Evasion

Qemu registers some artifacts into the registry. A malware can detect the Qemu installation with a look at the registry key HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 with the value of Identifier and the data of QEMU or HARDWARE\\Description\\System with a value of SystemBiosVersion and data of QEMU.

The VirtualBox Guest addition leaves many …

CPUID Sandbox Evasion

The CPUID instruction is a low-level command that allows you to retrieve information about the CPU that is currently running. This instruction, which is executed at the CPU level (using the bytecode 0FA2), is available on all processors that are based on the Pentium architecture or newer.

You can use the CPUID instruction to retrieve various pieces of information …

RDTSC Anti-Debugging

The Read-Time-Stamp-Counter (RDTSC) instruction can be used by malware to determine how quicky the processor executes the program's instructions. It returns the count of the number of ticks since the last system reboot as a 64-bit value placed into EDX:EAX.

It will execute RDTSC twice and then calculate the difference between low order values and check it with …

RDTSCP Sandbox Evasion

Newer processors support a new instruction called RDTSCP which does the exact same thing as RDTSC, except that it does so serializing (meaning it waits for all instructions to execute before reading the counter. and that the possible reordering of the execution of the instructions is won that does not happen).

This instruction can be used to calculate the …

Thermal Zone Temperature Sandbox Evasion

The temperature sensor is used to know the current temperature of a machine. In a non-virtualized environment, the function returns valid support and output like: "25.05 C: 77.09 F: 298.2K". But for a fully virtualized environment, the return is "MSAcpi_ThermalZoneTemperature not supported" because this feature is not supported on virtualized processors.

Interestingly, this method is not valid. Not all …

Virtualization/Sandbox Evasion: System Checks Defense Evasion [Mitre]

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions …

bochs CPU oversights evasion Sandbox Evasion

bochs has multiple oversights in its CPU emulation, which allows us to detect if we're running in a bochs emulator:

bochs may have invalid CPU brands that don't exist.

For AMD CPUs, the "p" in "processor" should be in capital, which bochs doesn't implement.
AMD CPUs have easter eggs for their K7 and K8 CPUs ("IT'S …

Search Evasion Techniques

Search Result