Virtual Machine Detection Using OS Status Changes

Presented at ToorCamp 2014, July 10, 2014, 2:30 p.m. (20 minutes)

Our talk is about how to detect virtual machine with OS status changes, which happens in virtual machine environment. The purpose of the detection is to evade those defense methods that are based on virtual machines.

Virtual machines and virtualization technology play a critical role in virtual appliances to enable dynamic and parallel sample analysis. Methods for detecting virtual machines and sandboxes have been previously discussed but mostly from obvious virtual machine features including specific files, processes, VM communication protocol etc. The talk focuses on OS status changes happened in virtual machines with application level code.

The talk will cover the techniques that detect different virtual machines such as VirtualBox, VMware, and XEN.

Presenters:

• Xiaoning Li
  Xiaoning Li is a security researcher for a Fortune 50 company. For the past 10 years, his work has been focusing on vulnerability research, new exploit development, malware analysis, and reverse engineering.

Similar Presentations:

• Black Hat Asia 2014 / Comprehensive Virtual Appliance Detection
• DeepSec 2020 „The Masquerade“ / Exploiting Interfaces of Secure Encrypted Virtual Machines
• Black Hat Europe 2016 / When Virtualization Encounters AFL: A Portable Virtual Device Fuzzing Framework with AFL