QEMU Detection
Ether: Malware Analysis via Hardware Virtualization Extensions
I learned that the following QEMU detection method exists.
For reference, the REP prefix is an x86 instruction prefix that repeats the following instruction ecx times.
To demonstrate, we created a synthetic QEMU detection method that relies on improper emulation. Our detector uses the multi REP prefix detection method outlined in [26]. The detection relies on placing 15 REP prefixes before a single-byte instruction. This configuration makes the total instruction length 16 bytes – illegal on x86 where the maximum instruction length is 15 bytes. On real hardware, an illegal instruction exception is generated by the CPU. QEMU does not generate such an exception. Even though public release of this detection occurred in late 2006, the issue has remained unresolved and the method still reliably detects QEMU.
/* 32-bit (x86) MSVC build: relies on inline _asm and the fs:[0] SEH chain */
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <tchar.h>

/* SEH handler: reached only if the CPU faulted on the 16-byte instruction,
   i.e. the code is running on real hardware (or a faithful emulator). */
int sehhandler(EXCEPTION_RECORD *exception_record, void *established_frame,
               CONTEXT *context_record, void *dispatcher_context)
{
    printf("Not QEMU!\n");
    exit(0);
}

int _tmain(int argc, char *argv[])
{
    UINT handler = (UINT)sehhandler;
    printf("Attempting detection\n");
    _asm {
        /* Install sehhandler as the first frame of the SEH chain at fs:[0] */
        mov eax, handler;
        push eax;
        xor ebx, ebx;
        push fs:[ebx];
        mov fs:[ebx], esp;
        /* 15 REP prefixes + a 1-byte NOP = 16 bytes, over the 15-byte limit */
        rep rep rep rep rep rep rep rep rep rep rep rep rep rep rep nop;
        /* Restore the previous handler (saved at [esp]) and pop our frame */
        mov eax, [esp];
        mov fs:[ebx], eax;
        add esp, 8;
    }
    printf("QEMU Detected!\n");
    return EXIT_SUCCESS;
}
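The same property that makes this trick work (an instruction can never legally be longer than 15 bytes, so 15 or more legacy prefixes in a row guarantee an over-long encoding) also makes it easy to spot in a sample during triage. The following scanner is an added example written for this note, not code from the Ether paper or from QEMU; it walks a code buffer, counts maximal runs of x86 legacy prefix bytes, and flags any run of 15 or more. The byte arrays are constructed samples: one carries the 15 x REP + NOP sequence used above, the other a 14-prefix sequence that is still a legal 15-byte instruction.

```c
#include <stddef.h>
#include <stdio.h>

#define X86_MAX_INSN_LEN 15

/* Constructed sample: push ebp; mov ebp,esp; 15 x REP (0xF3) + NOP (0x90);
   pop ebp; ret. The prefixed NOP encodes to 16 bytes, which no x86 CPU
   will execute. */
static const unsigned char kSuspiciousCode[] = {
    0x55, 0x8B, 0xEC,
    0xF3, 0xF3, 0xF3, 0xF3, 0xF3, 0xF3, 0xF3, 0xF3,
    0xF3, 0xF3, 0xF3, 0xF3, 0xF3, 0xF3, 0xF3, 0x90,
    0x5D, 0xC3
};

/* Constructed sample: same, but only 14 REP prefixes, so the instruction is
   exactly 15 bytes and legal. */
static const unsigned char kBenignCode[] = {
    0x55, 0x8B, 0xEC,
    0xF3, 0xF3, 0xF3, 0xF3, 0xF3, 0xF3, 0xF3,
    0xF3, 0xF3, 0xF3, 0xF3, 0xF3, 0xF3, 0xF3, 0x90,
    0x5D, 0xC3
};

/* x86 legacy prefix bytes: LOCK/REPNE/REP, segment overrides, operand- and
   address-size overrides. Any number of them may precede an opcode, but the
   whole instruction must still fit in 15 bytes. */
static int is_legacy_prefix(unsigned char b)
{
    switch (b) {
    case 0xF0: case 0xF2: case 0xF3:            /* LOCK, REPNE, REP/REPE */
    case 0x2E: case 0x36: case 0x3E: case 0x26: /* CS, SS, DS, ES */
    case 0x64: case 0x65:                       /* FS, GS */
    case 0x66: case 0x67:                       /* opsize, addrsize */
        return 1;
    default:
        return 0;
    }
}

/* Returns the length of the first run of prefix bytes that is long enough to
   force an over-long instruction (run >= 15, since at least one opcode byte
   must follow), storing its offset in *offset. Returns 0 if none is found.
   Run this over code sections only; data sections produce false positives. */
size_t find_overlong_prefix_run(const unsigned char *buf, size_t len,
                                size_t *offset)
{
    size_t i = 0;
    while (i < len) {
        if (!is_legacy_prefix(buf[i])) {
            i++;
            continue;
        }
        size_t start = i;
        while (i < len && is_legacy_prefix(buf[i]))
            i++;
        size_t run = i - start;
        if (run >= X86_MAX_INSN_LEN) {
            if (offset)
                *offset = start;
            return run;
        }
    }
    return 0;
}

int main(void)
{
    size_t off = 0;
    size_t run = find_overlong_prefix_run(kSuspiciousCode,
                                          sizeof kSuspiciousCode, &off);
    if (run)
        printf("over-long prefix run of %zu bytes at offset %zu\n", run, off);
    else
        printf("no over-long prefix run\n");
    return 0;
}
```

The threshold is deliberately 15 rather than 16: the prefixes alone are never the whole instruction, so a run of 15 already means the encoding is at least 16 bytes. A hit is a strong indicator of anti-emulation logic rather than of ordinary compiler output, which never emits more than one or two prefixes per instruction.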