* Pafish (Paranoid fish) *
Some anti(debugger/VM/sandbox) tricks
used by malware for the general public.
[*] Windows version: 6.1 build 7601
[*] CPU: GenuineIntel
CPU brand: Intel(R) Core(TM)2 Quad CPU Q9300 @ 2.50GHz
[-] Debuggers detection
[*] Using IsDebuggerPresent() ... OK
[-] CPU information based detections
[*] Checking the difference between CPU timestamp counters (rdtsc) ... OK
[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... traced!
[*] Checking hypervisor bit in cpuid feature bits ... OK
[*] Checking cpuid hypervisor vendor for known VM vendors ... OK
[-] Generic sandbox detection
[*] Using mouse activity ... traced!
[*] Checking username ... OK
[*] Checking file path ... OK
[*] Checking common sample names in drives root ... OK
[*] Checking if disk size <= 60GB via DeviceIoControl() ... OK
[*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... OK
[*] Checking if Sleep() is patched using GetTickCount() ... OK
[*] Checking if NumberOfProcessors is < 2 via raw access ... OK
[*] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... OK
[*] Checking if pysical memory is < 1Gb ... OK
[*] Checking operating system uptime using GetTickCount() ... traced!
[*] Checking if operating system IsNativeVhdBoot() ... OK
[-] Hooks detection
[*] Checking function ShellExecuteExW method 1 ... OK
[*] Checking function CreateProcessA method 1 ... OK
[-] Sandboxie detection
[*] Using GetModuleHandle(sbiedll.dll) ... OK
[-] Wine detection
[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... OK
[*] Reg key (HKCU\SOFTWARE\Wine) ... OK
[-] VirtualBox detection
[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions) ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion") ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__) ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX__) ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX__) ... OK
[*] Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox*) ... OK
[*] Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate") ... OK
[*] Driver files in C:\WINDOWS\system32\drivers\VBox* ... OK
[*] Additional system files ... OK
[*] Looking for a MAC address starting with 08:00:27 ... OK
[*] Looking for pseudo devices ... OK
[*] Looking for VBoxTray windows ... OK
[*] Looking for VBox network share ... OK
[*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... OK
[*] Looking for VBox devices using WMI ... OK
[-] VMware detection
[*] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools) ... OK
[*] Looking for C:\WINDOWS\system32\drivers\vmmouse.sys ... OK
[*] Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys ... OK
[*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... OK
[*] Looking for network adapter name ... OK
[*] Looking for pseudo devices ... OK
[*] Looking for VMware serial number ... OK
[-] Qemu detection
[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid CPU brand string 'QEMU Virtual CPU' ... OK
[-] Bochs detection
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid AMD wrong value for processor name ... OK
[*] cpuid Intel wrong value for processor name ... OK
[-] Cuckoo detection
[*] Looking in the TLS for the hooks information structure ... OK
[-] Feel free to RE me, check log file for more information.