Malware with the capability to detect the presence of malware analysis tools such as Virtual Machines (VMs), Sandboxes and Debuggers are called Split Personality malware or Analysis Aware malware.  VMDetectGuard is a tool that aims at preventing this category of malware from detecting the presence of the analysis environment (virtual machine). The malware sample if run using this tool, shows its original behavior, as it is unable to detect the virtual machine presence.

VMDetectGuard UI

The tool masks the detection of Virtual PC, VMWare and Virtual Box. The “Native Machine” button runs the malware sample without any instrumentating the sample. In all the other cases the sample is instrumented using a tool by intel “Pin Tool”. This tool allows insertion of new instructions, changing the return values of instructions etc.

Eg: Running the tool VmDetect in VirtualPC environment.

Running VMDetect in VirtualPC

When the tool is run using VMDetectGuard.

When running in VirtualPC, if the user clicks on the other buttons like “VirtualBox as a Native Machine” and “VMWare as a Native Machine”.

 

Similarly, this tool can be run in VirtualBox and VMWare also. After execution of the binary the user can provide feedback.

Feedback

The user can also change the feedback mode that he wishes to provide feedback in.

Feedback Settings

The Log files are created in %appdata%\VMDetectGuard. The current release of VMDetectGuard supports only Windows. The Linux version will be released soon.

To download the application click here. Feedback is welcome and can be posted in our forum.

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <p>



This site is protected with Urban Giraffe's plugin 'HTML Purified' and Edward Z. Yang's Powered by HTML Purifier. 47921 items have been purified.