
IN
IN is a privileged instruction: an attempt to execute it in user mode normally raises an exception. VMware uses the IN instruction on a special port (VX) as an interface between the guest and the VMM, so the same operation does not raise an exception when executed in user mode inside a VMware virtual machine. Code that executes IN in user mode and survives can therefore infer that it is running under VMware.
Detection Rules
rule:
  meta:
    name: execute anti-VM instructions
    namespace: anti-analysis/anti-vm/vm-detection
    author: moritz.raabe@fireeye.com
    scope: basic block
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing [B0009.029]
    examples:
      - Practical Malware Analysis Lab 17-03.exe_:0x401A80
  features:
    - or:
      - mnemonic: sidt
      - mnemonic: sgdt
      - mnemonic: sldt
      - mnemonic: smsw
      - mnemonic: str
      - mnemonic: in
      - mnemonic: cpuid
      - mnemonic: vpcext
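The following is an added example, not code from the page or from capa: a small opcode scanner that recognises the eight mnemonics listed in the rule from their x86 encodings and then evaluates the rule's top-level `or`. The sample bytes are constructed for the example; the function names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Hit:
    offset: int
    mnemonic: str
    raw: bytes

# 0F 00 /r (group 6) and 0F 01 /r (group 7) share an opcode byte and are
# distinguished only by the reg field of the ModRM byte.
_GROUP6 = {0: "sldt", 1: "str"}
_GROUP7 = {0: "sgdt", 1: "sidt", 4: "smsw"}

# Mnemonics named in the rule's "or" block above.
RULE_MNEMONICS = {"sidt", "sgdt", "sldt", "smsw", "str", "in", "cpuid", "vpcext"}

def scan_anti_vm_mnemonics(code: bytes) -> list[Hit]:
    """Sliding-window byte scan for the rule's mnemonics (32-bit encodings).
    This is a triage heuristic: unlike capa, which evaluates disassembled basic
    blocks, a raw sweep can also fire on immediates or data that happen to
    contain these bytes, so hits are candidates to confirm in a disassembler."""
    hits: list[Hit] = []
    n = len(code)
    for i in range(n):
        b = code[i]
        if b == 0x0F and i + 1 < n:
            b2 = code[i + 1]
            if b2 == 0xA2:                          # cpuid
                hits.append(Hit(i, "cpuid", code[i:i + 2]))
            elif b2 == 0x3F:                        # vpcext (Virtual PC backdoor opcode)
                hits.append(Hit(i, "vpcext", code[i:i + 4]))
            elif b2 in (0x00, 0x01) and i + 2 < n:
                modrm = code[i + 2]
                mod, reg = modrm >> 6, (modrm >> 3) & 7
                name = (_GROUP6 if b2 == 0x00 else _GROUP7).get(reg)
                # sgdt/sidt only take a memory operand; mod == 3 is a different instruction.
                if name and not (name in ("sgdt", "sidt") and mod == 3):
                    hits.append(Hit(i, name, code[i:i + 3]))
        elif b in (0xE4, 0xE5) and i + 1 < n:      # in al/eax, imm8
            hits.append(Hit(i, "in", code[i:i + 2]))
        elif b in (0xEC, 0xED):                     # in al/eax, dx
            hits.append(Hit(i, "in", code[i:i + 1]))
    return hits

def rule_matches(hits: list[Hit]) -> bool:
    """The rule's feature block is a single 'or': one matching mnemonic suffices."""
    return any(h.mnemonic in RULE_MNEMONICS for h in hits)

# Constructed sample (not from any real binary):
#   sidt [ebp-8] | nop | in eax, dx | cpuid | vpcext 7, 0Bh | ret
SAMPLE = bytes.fromhex("0F014DF8 90 ED 0FA2 0F3F070B C3")

if __name__ == "__main__":
    for h in scan_anti_vm_mnemonics(SAMPLE):
        print(f"{h.offset:#06x}  {h.mnemonic:7s} {h.raw.hex(' ')}")
    print("rule matches:", rule_matches(scan_anti_vm_mnemonics(SAMPLE)))
```

Because benign code also executes `cpuid` and `in`, a match is a signal to inspect the basic block (for example for the VMware port check described above), not a verdict on its own.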