Author Topic: Anti-VM z dílny autorů Lockyho  (Read 484 times)


  • Trial Member
  • **
  • Posts: 60
Anti-VM z dílny autorů Lockyho
« on: July 31, 2016, 02:09:15 AM »

   This is the Locky anti-VM code from 21 June 2016 (sample SHA1 25f8f920f946887e0fa86ea46842f8e3f4506f53)
   Some VM products may behave significantly differently to a real system
   with regards to timing of code execution.
   GetProcessHeap() may take significantly longer in a VM than a real env.
   Virtualised TSCs can also be problematic.
   Multiple processor cores assigned to a VM may also worsen this problem.

BOOL passVMCheck()
   unsigned __int64 tsc1;
   unsigned __int64 tsc2;
   unsigned __int64 tsc3;
   int i = 0;
    // Try this 10 times in case of small fluctuations
   for (i = 0; i < 10; i++)
      tsc1 = __rdtsc();
      // Waste some cycles - should be faster than CloseHandle on bare metal
      tsc2 = __rdtsc();
      // Waste some cycles - slightly longer than GetProcessHeap() on bare metal
      tsc3 = __rdtsc();
      // Did it take at least 10 times more CPU cycles to perform CloseHandle than it took to perform GetProcessHeap()?
      if ( ( LODWORD(tsc3) - LODWORD(tsc2) ) / ( LODWORD(tsc2) - LODWORD(tsc1) ) >= 10)
         return TRUE;
    // We consistently saw a small ratio of difference between GetProcessHeap and CloseHandle execution times
    // so we're probably in a VM!
   return FALSE;

Kockatá hlava

  • Junior Member
  • ***
  • Posts: 126
  • n00b
Re: Anti-VM z dílny autorů Lockyho
« Reply #1 on: August 01, 2016, 08:03:09 AM »
I s nativnim RDTSC je problem, ze nekdy vraci podivny nebo nepredvidatelny hodnoty. Nejspis je to kvuli hyperthreadingu a multicore, uz si presne nevzpominam. Pokud ale malware vi, ze nekdy muze chybne detekovat host jako VM, tak to nemusi delat problemy.


„Bůh stvořil člověka, když ho přestaly bavit opice. Na další pokusy už pak neměl nervy.“ Mark Twain