Malware that can detect the presence of analysis tools such as virtual machines (VMs), sandboxes and debuggers is called split-personality or analysis-aware malware. VMDetectGuard is a tool that aims to prevent this category of malware from detecting the analysis environment (the virtual machine). A malware sample run under this tool shows its original behavior, because it is unable to detect that a virtual machine is present.
The tool masks the detection of Virtual PC, VMware and VirtualBox. The “Native Machine” button runs the malware sample without instrumenting it. In all other cases the sample is instrumented using Intel's Pin tool, a dynamic binary instrumentation framework that allows inserting new instructions, changing the values that instructions return, and so on.
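The kind of return-value rewriting such a Pin-based masking layer performs after a CPUID instruction, as an added C++ example that is not VMDetectGuard's own code: the Pin hook wiring is described only in comments, and the register values it runs on are constructed.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
// The four registers a CPUID instruction leaves behind.
struct CpuidRegs { uint32_t eax, ebx, ecx, edx; };
// Leaf 1, ECX bit 31: the "hypervisor present" flag guests usually test first.
const uint32_t HYPERVISOR_BIT = 1u << 31;
// Leaves 0x40000000-0x400000FF are reserved for hypervisor information
// (vendor signature in EBX:ECX:EDX of 0x40000000, feature leaves after it).
bool isHypervisorLeaf(uint32_t leaf) { return leaf >= 0x40000000u && leaf <= 0x400000FFu; }

// Rewrite the result of CPUID on `leaf` so it looks like a bare-metal CPU.
// In a Pin tool this would be the analysis routine inserted after each CPUID
// (INS_InsertCall at IPOINT_AFTER, registers passed via IARG_REG_REFERENCE);
// here it is a plain function so it runs on constructed register values.
void maskCpuid(uint32_t leaf, CpuidRegs &r) {
    if (leaf == 1) {
        r.ecx &= ~HYPERVISOR_BIT;       // report "no hypervisor"
    } else if (isHypervisorLeaf(leaf)) {
        r = CpuidRegs{0, 0, 0, 0};      // no vendor signature, no feature leaves
    }
}

// Read the 12-byte vendor signature packed into EBX:ECX:EDX of leaf 0x40000000.
std::string vendorSignature(const CpuidRegs &r) {
    char buf[13] = {0};
    std::memcpy(buf, &r.ebx, 4);
    std::memcpy(buf + 4, &r.ecx, 4);
    std::memcpy(buf + 8, &r.edx, 4);
    return std::string(buf);
}

// Build a leaf-0x40000000 result carrying a 12-byte signature (constructed input).
CpuidRegs makeVendorLeaf(const std::string &sig) {
    CpuidRegs r{0x40000000u, 0, 0, 0};
    std::memcpy(&r.ebx, sig.data(), 4);
    std::memcpy(&r.ecx, sig.data() + 4, 4);
    std::memcpy(&r.edx, sig.data() + 8, 4);
    return r;
}

int main() {
    // Constructed values mimicking what a guest sees under a hypervisor.
    CpuidRegs leaf1{0x000306A9u, 0, 0x1u | HYPERVISOR_BIT, 0};
    CpuidRegs vendor = makeVendorLeaf("VMwareVMware");
    maskCpuid(1, leaf1);
    maskCpuid(0x40000000u, vendor);
    std::cout << "hypervisor bit: " << ((leaf1.ecx & HYPERVISOR_BIT) != 0)
              << ", vendor: \"" << vendorSignature(vendor) << "\"\n";   // 0, ""
}
```

Only the leaves that carry hypervisor signals are rewritten; every other CPUID result passes through unchanged, so the sample still sees a consistent CPU model.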
Example: running the VmDetect tool in a Virtual PC environment.
The same tool when run under VMDetectGuard.
Running in Virtual PC, when the user clicks one of the other buttons, such as “VirtualBox as a Native Machine” or “VMWare as a Native Machine”.
Similarly, the tool can also be run in VirtualBox and VMware. After the binary has executed, the user can provide feedback.
The user can also choose the mode in which to provide that feedback.
Log files are created in %appdata%\VMDetectGuard. The current release of VMDetectGuard supports only Windows; a Linux version will be released soon.