Anti-VM basic implementation
by Vittlesical - Thursday June 13, 2024 at 10:31 PM
#1
I've implemented a method to check if my malware is running in a virtual machine (VM). This helps in detecting if the malware is being analyzed, as most analysts use sandboxing or VM environments to observe malware behavior.

1 - What is Anti-VM?
Anti-VM (anti-virtual machine) techniques are methods employed by software, particularly malware, to detect the presence of a virtualized environment and alter its behavior accordingly.

2 - Method used in my code?
CPUID Instruction:
  • Malware can use the cpuid instruction to check for known VM-specific vendor strings (e.g., "VMwareVMware", "VBoxVBoxVBox", "Microsoft Hv", "TCGTCGTCGTCG").

photo:
[Image: Screenshot-from-2024-06-13-17-56-46.png]

the source code is right here:


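The CPUID vendor-string check described in the first post, written here as an added example (not the thread's hidden source) so an analyst can verify whether their sandbox exposes one of these signatures. It assumes GCC or Clang's <cpuid.h>; the KVM and Xen signatures are additions beyond the four the thread lists.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* CPUID.1:ECX bit 31 is set when a hypervisor reports its presence. */
#define HV_PRESENT_BIT (1u << 31)

/* Copies the 12-byte signature from leaf 0x40000000 into vendor[13]. Returns 1 if a
 * hypervisor announces itself, 0 on bare metal, a hiding hypervisor, or non-x86. */
static int read_hypervisor_vendor(char vendor[13]) {
    vendor[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx) || !(ecx & HV_PRESENT_BIT))
        return 0;
    __cpuid(0x40000000, eax, ebx, ecx, edx); /* __get_cpuid rejects this leaf, use the raw macro */
    memcpy(vendor, &ebx, 4);                 /* signature is laid out EBX, ECX, EDX */
    memcpy(vendor + 4, &ecx, 4);
    memcpy(vendor + 8, &edx, 4);
    vendor[12] = '\0';
    return 1;
#else
    return 0;
#endif
}

/* First four entries are the thread's list; KVM and Xen are added here. */
static const char *classify_hypervisor(const char *vendor) {
    static const struct { const char *sig; const char *name; } table[] = {
        { "VMwareVMware", "VMware" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "Microsoft Hv", "Hyper-V" },
        { "TCGTCGTCGTCG", "QEMU (TCG)" },
        { "KVMKVMKVM",    "KVM" },           /* KVM pads its 9 bytes with NULs */
        { "XenVMMXenVMM", "Xen" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strncmp(vendor, table[i].sig, 12) == 0)
            return table[i].name;
    return "unknown";
}
int main(void) {
    char vendor[13];
    if (read_hypervisor_vendor(vendor))
        printf("hypervisor signature \"%s\" -> %s\n", vendor, classify_hypervisor(vendor));
    else
        printf("no hypervisor reported (bare metal, hidden, or non-x86 build)\n");
    return 0;
}
```

A sandbox whose hypervisor clears the CPUID bit or reports a custom signature passes this check unnoticed, and KVM guests with Hyper-V enlightenments enabled report "Microsoft Hv" in this leaf rather than the KVM string.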
#2
cool, ima use this shit for my stealer
#3
(Jun 13, 2024, 10:33 PM)interesting Wrote: cool, ima use this shit for my stealer

if you upload it to virustotal you're gay
#4
Also for some VMs the MAC address is like 050 smth
#5
(Jun 13, 2024, 11:06 PM)xzin0vich Wrote: Also for some VMs the MAC address is like 050 smth

The implementation works on "VMwareVMware", "VBoxVBoxVBox", "Microsoft Hv" (Microsoft Hypervisor), "TCGTCGTCGTCG" (QEMU).
I've never tried MAC tbh.
#6
Thanks for the technique.
#7
I heard about a neat method used in anti-cheats that relies on CPU execution timing. Have you used this before?
This method is allegedly undefeatable too.
#8
(Jun 14, 2024, 09:59 PM)saul-notbadman Wrote: I heard about a neat method used in anti-cheats that relies on CPU execution timing. Have you used this before?
This method is allegedly undefeatable too.

I've heard of it but never tried it. It's called timing-based anti-cheat detection, and it has a bunch of techniques, one of them called Baseline Timing Profiles, where basically the system establishes a baseline of normal execution times for various operations and processes in the game.
#9
(Jun 14, 2024, 10:33 PM)SilentMastermind Wrote:
I've heard of it but never tried it

Better that way; it's unreliable since it's usually implemented using the TSC along with cpuid or such, which can lead to different results depending on the hypervisor, leaf, CPU or even VMCS configuration.
#10
Thanks very much