VMWare discrepency – another (small) means of VMWare detection.

[update: changed title to get better google seaches. OK. I suck ;-)]

I installed Vista in a VMWare image so I could test and debug my emulator against real malware from http://www.offensivecomputing.net.  I haven’t been overy successful, but while unpacking one of the Netsky variants packed with telock which uses hardware breakpoints, I came across a bug in VMWare.

I haven’t spent too much time analyzing the bug, but it seems to be the following is occuring..

If you set an execution hardware breakpoint on an address and single step onto that instruction, it immediately should raise an exception before completing the instruction (Intel specs say the exception occurs before execution of the instruction).  What happens in VMWare, is that the exception isn’t raised at this point.  It is only raised when a subsequent single step operation occurs.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s