
SIDT, Red Pill
Red Pill is an anti-VM technique that executes the SIDT instruction to grab the value of the IDTR register. The virtual machine monitor must relocate the guest’s IDTR to avoid conflict with the host’s IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR for the virtual machine is returned.
Detection Rules
rule:
meta:
name: execute anti-VM instructions
namespace: anti-analysis/anti-vm/vm-detection
author: moritz.raabe@fireeye.com
scope: basic block
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing [B0009.029]
examples:
- Practical Malware Analysis Lab 17-03.exe_:0x401A80
features:
- or:
- mnemonic: sdit
- mnemonic: sgdt
- mnemonic: sldt
- mnemonic: smsw
- mnemonic: str
- mnemonic: in
- mnemonic: cpuid
- mnemonic: vpcext