

QEMU Detection

Ether: Malware Analysis via Hardware Virtualization Extensions


I learned that the following QEMU detection method exists.

For reference, the REP prefix is an x86 instruction prefix that repeats the instruction it precedes ECX times.


To demonstrate, we created a synthetic QEMU detection method that relies on improper emulation. Our detector uses the multi REP prefix detection method outlined in [26]. The detection relies on placing 15 REP prefixes before a single-byte instruction. This configuration makes the total instruction length 16 bytes – illegal on x86 where the maximum instruction length is 15 bytes. On real hardware, an illegal instruction exception is generated by the CPU. QEMU does not generate such an exception. Even though public release of this detection occurred in late 2006, the issue has remained unresolved and the method still reliably detects QEMU.



#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>

/* Frame-based SEH handler (32-bit x86 only: the FS:[0] chain does not exist in
   64-bit code). On real hardware the CPU faults on the 16-byte instruction
   below, the OS walks the FS:[0] chain and lands here. */
EXCEPTION_DISPOSITION __cdecl sehhandler(EXCEPTION_RECORD *exception_record,
	void *established_frame, CONTEXT *context_record,
	void *dispatcher_context)
{
	printf("Not QEMU!\n");
	exit(0);
}

/* Build as a 32-bit image linked with /SAFESEH:NO; otherwise the exception
   dispatcher refuses to call a handler that is not in the image's safe-handler
   table and this path is never reached. */
int _tmain(int argc, _TCHAR *argv[])
{
	UINT handler = (UINT)sehhandler;
	printf("Attempting detection\n");
	_asm{
		/* Push an EXCEPTION_REGISTRATION {prev, handler} and make it current */
		mov eax, handler;
		push eax;
		xor ebx, ebx;
		push fs:[ebx];
		mov fs:[ebx], esp;

		/* 15 x REP prefix (F3) + NOP (90) = 16 bytes, one over the x86 limit.
		   Emitted as raw bytes so the inline assembler does not reject the
		   repeated prefix. */
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		_emit 0xF3
		nop

		/* Unlink: restore the previous registration saved at [esp]
		   (copying esp itself would leave FS:[0] pointing at dead stack) */
		mov eax, [esp];
		mov fs:[ebx], eax;
		add esp, 8;
	}

	printf("QEMU Detected!\n");
	return EXIT_SUCCESS;
}
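The probe above exercises the missing length check from inside the guest; the flip side is the check itself. As an added example (not code from the Ether paper or from QEMU), here is a minimal decoder front end that enforces the 15-byte limit while scanning prefixes, so the paper's 15 x REP + NOP sequence faults while 14 x REP + NOP decodes as a legal 15-byte instruction. The handful of modelled opcodes and the DECODE_* status names are my own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define X86_MAX_INSN_LEN 15
enum decode_status { DECODE_OK = 0, DECODE_TOO_LONG, DECODE_TRUNCATED, DECODE_UNSUPPORTED };

/* Legacy prefix bytes that may precede an x86 opcode. */
static int is_legacy_prefix(uint8_t b)
{
	return b == 0xF0 || b == 0xF2 || b == 0xF3 ||              /* LOCK, REPNE, REP */
	       b == 0x26 || b == 0x2E || b == 0x36 || b == 0x3E ||  /* ES, CS, SS, DS */
	       b == 0x64 || b == 0x65 || b == 0x66 || b == 0x67;    /* FS, GS, opsize, adsize */
}

/* Decode one instruction's prefix run and opcode, enforcing the 15-byte limit
   before any opcode dispatch, as real hardware does and the quoted text says QEMU
   did not. Only a few one-byte, operand-free opcodes are modelled; len_out may be NULL. */
enum decode_status decode_insn(const uint8_t *code, size_t avail, size_t *len_out)
{
	size_t i = 0;
	/* 15 prefixes leave no room for an opcode, so scanning stops at the limit. */
	while (i < avail && i < X86_MAX_INSN_LEN && is_legacy_prefix(code[i]))
		i++;
	if (i == X86_MAX_INSN_LEN) return DECODE_TOO_LONG;
	if (i == avail) return DECODE_TRUNCATED;
	switch (code[i]) {
	case 0x90: case 0xC3: case 0xCC: case 0xF4:   /* NOP, RET, INT3, HLT */
		i++;
		break;
	default:
		return DECODE_UNSUPPORTED;
	}
	if (len_out) *len_out = i;
	return DECODE_OK;
}

/* Constructed probe: n_rep REP prefixes (F3) followed by NOP (90); n_rep == 15 is
   the paper's sequence. Returns the decoded length, or the negated fault status. */
int probe_rep_nop(size_t n_rep)
{
	uint8_t buf[32];
	size_t len = 0;
	enum decode_status st;
	if (n_rep >= sizeof buf) return -DECODE_TRUNCATED;
	memset(buf, 0xF3, n_rep);
	buf[n_rep] = 0x90;
	st = decode_insn(buf, n_rep + 1, &len);
	return st == DECODE_OK ? (int)len : -(int)st;
}
```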
