Honeypots mailing list archives

Re: (pacsec bonus) Re: VMWare Detection?


From: Gerry Eisenhaur <GEisenhaur () cisco com>
Date: Fri, 19 Nov 2004 10:13:56 -0500


Depending on the level of analysis you are doing, you should be able to
work around a piece of code detecting VMware sessions pretty easily. You
could NOP out the section, jmp over it, change the information returned,
etc. If it calls an IsVMwarePresent that returns TRUE if it's running in a
vmware session, just make it return FALSE.

/gerry


Croad Christopher D Contr AFRL/IFOSS wrote:

| A little off the honeypot topic, but wouldn't the bigger problem with
| VMWare detection be to those of us doing Malware analysis? I almost
| exclusively use a laptop system with multiple VMWare Guests running to
| analyze a suspect piece of Malware. I have found some workarounds to VMWare
| detections (i.e. the code looks for VMWare tools, so delete it... it looks for
| Mac Addresses, so change them), but I don't know how to address the
| detection given in this thread.
|
| Is my nice, compact, portable (not to mention powerhouse) analysis
| laptop/lab about to be replaced by desks full of actual computers to do
| analysis? Ugh!
|
| Chris


--
+------------------------------------------------------+
| Gerry Eisenhaur                 |           |        |
| Cisco Security Agent           |||         |||       |
| Boxborough, Massachusetts    .|||||.     .|||||.     |
| PGP Key: 0xC13E8AFC       .:|||||||||:.:|||||||||:.  |
| 978-936-0465               C i s c o S y s t e m s   |
+------------------------------------------------------+


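The three patches Gerry describes (NOP the check out, jump over it, or make the detection routine return FALSE), as an added example that is not from the list post, written as Python helpers that work on a byte copy of the sample. The offsets, the stand-in IsVMwarePresent routine and the caller bytes are constructed for illustration, 32-bit x86 is assumed, and real offsets come from your disassembler.

```python
"""Helpers for neutralising an anti-VM check in a copy of a sample.
Added example, not from the list post; 32-bit x86 assumed, offsets and
bytes below are constructed (real ones come from your disassembler)."""

NOP = 0x90
RET_FALSE = bytes([0xB8, 0x00, 0x00, 0x00, 0x00, 0xC3])  # mov eax, 0 ; ret

# Constructed sample: 16 bytes of padding, a stand-in IsVMwarePresent that
# always returns TRUE (mov eax, 1 ; ret) at offset 16, then a caller at
# offset 22: call IsVMwarePresent ; test eax, eax ; jnz +0x10.
CHECK_OFF, CHECK_LEN = 16, 6
CALL_OFF, CALL_LEN = 22, 9
SAMPLE = (bytes(16)
          + bytes([0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3])
          + bytes([0xE8, 0xF5, 0xFF, 0xFF, 0xFF, 0x85, 0xC0, 0x75, 0x10]))


def nop_out(data: bytes, start: int, length: int) -> bytes:
    """Replace `length` bytes at `start` with NOPs, e.g. the call to the
    VM check plus the test/jcc that acts on its result."""
    if start < 0 or length < 0 or start + length > len(data):
        raise ValueError("patch range outside the buffer")
    buf = bytearray(data)
    buf[start:start + length] = bytes([NOP]) * length
    return bytes(buf)


def jmp_over(data: bytes, start: int, length: int) -> bytes:
    """Put a short JMP (EB rel8) at `start` that lands at start+length and
    NOP-fill the rest, so the skipped check still disassembles cleanly."""
    disp = length - 2  # rel8 is relative to the end of the 2-byte jmp
    if not 0 <= disp <= 127:
        raise ValueError("region too large for a short jump; use E9 rel32")
    buf = bytearray(nop_out(data, start, length))
    buf[start:start + 2] = bytes([0xEB, disp])
    return bytes(buf)


def force_return_false(data: bytes, func_start: int, func_len: int) -> bytes:
    """Overwrite the detection routine with `mov eax, 0 ; ret` so every
    caller sees FALSE no matter what the original body inspected."""
    if func_len < len(RET_FALSE):
        raise ValueError("routine too short to hold the stub")
    buf = bytearray(nop_out(data, func_start, func_len))
    buf[func_start:func_start + len(RET_FALSE)] = RET_FALSE
    return bytes(buf)
```

Apply whichever patch fits the sample to a copy on disk, then confirm in the debugger that the branch after the call now takes the non-VM path.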