Defeating malware's Anti-VM techniques (CPUID-Based Instructions) [report]

Mohammad Sina Karvandi
2021 Zenodo
The title already tells you what this post is about. Almost all modern malware is wrapped in some packer or protector, and those tools arm the malware with anti-VM techniques that make it very hard for reverse engineers and analysts to see what is happening inside it (sometimes the malware authors implement their own methods to detect the presence of a VM as well). Reverse engineers prefer to run malware inside a virtual machine so that their own computers are not affected, and the VM gives them useful features such as taking a snapshot of the malware's previous state and reverting to it. In the rest of the post I show some of the popular methods that use the CPUID instruction to detect whether the code is running on a virtual machine or not.
doi:10.5281/zenodo.4440698 fatcat:ei4a4zbnfvfb3pzxgu5cxdfani
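The abstract above does not list the specific CPUID checks the post covers, so the following is an added illustration written for this page, not code from the post or its author. It assumes the two checks that practically every packer's CPUID-based anti-VM routine relies on: the hypervisor-present bit (CPUID leaf 1, ECX bit 31, which is reserved and reads 0 on bare metal) and the 12-byte hypervisor vendor signature returned in EBX:ECX:EDX by leaf 0x40000000. The vendor table, the `pack4` helper and the function names are this example's own. The code uses the GCC/Clang `__cpuid` macro from `<cpuid.h>`; the CPUID probe is compiled only on x86, the decoding and classification functions are portable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang: __cpuid(leaf, eax, ebx, ecx, edx) macro */
#endif

/* CPUID.1:ECX[31] is the "hypervisor present" bit. It is reserved (0) on
 * bare metal and set by mainstream hypervisors unless they deliberately
 * hide it, which is exactly the knob an analyst uses to defeat the check. */
static int hypervisor_bit_set(uint32_t ecx_leaf1)
{
    return (int)((ecx_leaf1 >> 31) & 1u);
}

/* Leaf 0x40000000 returns a 12-byte vendor signature spread over EBX, ECX
 * and EDX, lowest byte first in each register. Decode it to a C string
 * without relying on host endianness. */
static void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    out[12] = '\0';
}

/* Pack 4 ASCII bytes the way CPUID hands them back (first char in the low
 * byte). Example-only helper, used to build constructed register values. */
static uint32_t pack4(const char *s)
{
    return (uint32_t)(unsigned char)s[0]
         | (uint32_t)(unsigned char)s[1] << 8
         | (uint32_t)(unsigned char)s[2] << 16
         | (uint32_t)(unsigned char)s[3] << 24;
}

/* Map the 12-byte signature to a product name. These are the publicly
 * documented signatures; anything else is reported as unknown. */
static const char *classify_hv_vendor(const char sig[12])
{
    static const struct { const char *sig; const char *name; } known[] = {
        { "VMwareVMware", "VMware" },
        { "Microsoft Hv", "Microsoft Hyper-V" },
        { "KVMKVMKVM\0\0\0", "KVM" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "XenVMMXenVMM", "Xen" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (memcmp(sig, known[i].sig, 12) == 0)
            return known[i].name;
    return "unknown";
}

/* Run both checks on the real CPU. Returns 1 if the hypervisor bit is set,
 * 0 if not, -1 on a non-x86 build where CPUID does not exist. The vendor
 * string is only meaningful when the bit is set; on bare metal leaf
 * 0x40000000 just echoes the highest basic leaf. */
static int probe_cpuid(char vendor_out[13])
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t eax, ebx, ecx, edx;
    __cpuid(1, eax, ebx, ecx, edx);
    int present = hypervisor_bit_set(ecx);
    /* 0x40000000 lies outside the basic leaf range, so query it directly;
     * __get_cpuid() would range-check the leaf and refuse. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    (void)eax;
    decode_hv_vendor(ebx, ecx, edx, vendor_out);
    return present;
#else
    vendor_out[0] = '\0';
    return -1;
#endif
}

int main(void)
{
    char vendor[13];
    int r = probe_cpuid(vendor);
    if (r < 0) {
        puts("not an x86 build; CPUID unavailable");
        return 0;
    }
    printf("CPUID.1:ECX[31] hypervisor bit: %d\n", r);
    if (r)
        printf("CPUID.40000000h vendor: \"%s\" (%s)\n", vendor, classify_hv_vendor(vendor));
    return 0;
}
```

Both checks are only as trustworthy as the hypervisor lets them be: the bit and the vendor leaf are emulated by the VMM, so an analysis VM configured to clear the hypervisor bit or return a neutral signature passes this kind of test, which is the defeat the post's title refers to. Malware that wants to be robust therefore combines CPUID with timing or other side channels, and a detection routine like the one above should be read as the baseline check, not the whole story.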