Welcome to the Virus.Org Mailing List Archive
Re: (pacsec bonus) Re: VMWare Detection?

  • To: Croad Christopher D Contr AFRL/IFOSS <[EMAIL PROTECTED]>
  • Subject: Re: (pacsec bonus) Re: VMWare Detection?
  • From: Gerry Eisenhaur <[EMAIL PROTECTED]>
  • Date: Fri, 19 Nov 2004 10:13:56 -0500
  • Cc: [EMAIL PROTECTED]
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Depending on the level of analysis you are doing, you should be able to
work around a piece of code detecting VMware sessions pretty easily. You
could NOP out the section, jmp over it, change the information returned,
etc. If it calls an IsVMwarePresent that returns TRUE if it's running in a
VMware session, just make it return FALSE.

/gerry


Croad Christopher D Contr AFRL/IFOSS wrote:

| A little off the honeypot topic, but wouldn't the bigger problem with
| VMWare detection be to those of us doing Malware analysis?  I almost
| exclusively use a laptop system with multiple VMWare Guests running to
| analyze a suspect piece of Malware.  I have found some workarounds to
| VMWare detections (i.e. the code looks for VMWare tools, so delete it...
| it looks for MAC addresses, so change them), but I don't know how to
| address the detection given in this thread.
|
| Is my nice, compact, portable (not to mention powerhouse) analysis
| laptop/lab about to be replaced by desks full of actual computers to do
| analysis? Ugh!
|
| Chris


- --
+------------------------------------------------------+
| Gerry Eisenhaur                 |           |        |
| Cisco Security Agent           |||         |||       |
| Boxborough, Massachusetts    .|||||.     .|||||.     |
| PGP Key: 0xC13E8AFC       .:|||||||||:.:|||||||||:.  |
| 978-936-0465               C i s c o S y s t e m s   |
+------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBng20RY7FIcE+ivwRAsm5AJ93jCQ7ce+eH43S2ENBInrQ4/MhPACg4r1v
KWEjfcLDx+4B18sLEqgigQU=
=NsoW
-----END PGP SIGNATURE-----
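As an added illustration of the patching approach Gerry describes for an analysis sandbox (make the detection routine return FALSE, or jmp over the branch that acts on its result), here is a small Python patcher over a constructed x86 byte image. This is example code written for this archive page, not code from the thread or from any product named in it; the sample bytes, the IsVMwarePresent stub, its offset and length, and the caller sequence are all assumptions built for the example. In real analysis the offsets come from a disassembler.

```python
"""Patch a VM-detection check out of a code image (added example, not from the thread).

The sample bytes, function offsets and the IsVMwarePresent stub below are
constructed for illustration; in practice the offsets come from a disassembler.
"""

NOP = 0x90
RET = 0xC3
SHORT_JCC = range(0x70, 0x80)   # 2-byte conditional jumps: opcode + rel8
SHORT_JMP = 0xEB                # 2-byte unconditional jump: opcode + rel8


def build_sample() -> bytes:
    """Constructed x86 snippet: a detection stub followed by its caller."""
    stub = bytes.fromhex("b801000000")     # 0x00: mov eax, 1      (stub reports "VM present")
    stub += bytes.fromhex("c3")            # 0x05: ret
    stub += b"\xcc" * 10                   # 0x06: int3 padding between functions
    caller = bytes.fromhex("e8ebffffff")   # 0x10: call rel32 -> 0x15 + (-21) = 0x00
    caller += bytes.fromhex("85c0")        # 0x15: test eax, eax
    caller += bytes.fromhex("7402")        # 0x17: jz +2   (eax == 0: skip the bail-out path)
    caller += bytes.fromhex("31c0")        # 0x19: xor eax, eax (stand-in for the "VM detected" path)
    caller += bytes.fromhex("c3")          # 0x1b: ret
    return stub + caller


def patch_return_false(code: bytes, func_off: int, func_len: int) -> bytes:
    """Replace a function body with `xor eax, eax; ret` so it always returns FALSE.

    Bytes after the new `ret` are unreachable, but they are NOP-filled so a
    disassembler does not show stale code inside the stub.
    """
    new_body = bytes.fromhex("31c0c3")
    if func_len < len(new_body):
        raise ValueError("function too short to hold xor eax,eax; ret")
    if func_off + func_len > len(code):
        raise ValueError("function region lies outside the image")
    # Heuristic sanity check: the region being overwritten should end in a ret,
    # otherwise func_len is probably wrong and we would clobber a neighbour.
    if code[func_off + func_len - 1] != RET:
        raise ValueError("region does not end with ret; check func_len")
    body = new_body + bytes([NOP]) * (func_len - len(new_body))
    return code[:func_off] + body + code[func_off + func_len:]


def make_jump_unconditional(code: bytes, jcc_off: int) -> bytes:
    """Turn a short Jcc (0x70-0x7F + rel8) into `jmp rel8` so the branch that
    skips the detection-handling code is always taken. The rel8 is kept."""
    if jcc_off + 2 > len(code) or code[jcc_off] not in SHORT_JCC:
        raise ValueError("no short conditional jump at that offset")
    return code[:jcc_off] + bytes([SHORT_JMP]) + code[jcc_off + 1:]


def diff_patch(original: bytes, patched: bytes) -> list[tuple[int, int, int]]:
    """List (offset, old_byte, new_byte) for every changed byte: the record an
    analyst keeps so the patch can be reapplied to a fresh copy or reverted."""
    if len(original) != len(patched):
        raise ValueError("patch must not change the image size")
    return [(i, o, p) for i, (o, p) in enumerate(zip(original, patched)) if o != p]


if __name__ == "__main__":
    image = build_sample()
    for label, patched in (("return FALSE", patch_return_false(image, 0x00, 6)),
                           ("force jmp", make_jump_unconditional(image, 0x17))):
        print(label)
        for off, old, new in diff_patch(image, patched):
            print(f"  {off:#06x}: {old:02x} -> {new:02x}")
```

The two patches are alternatives, not a pair: patching the stub changes every caller's view of the result, while rewriting one branch only affects that call site. Both keep the image size unchanged, which is why `diff_patch` can express them as a byte-level record; the length and `ret` checks in `patch_return_false` guard against the usual mistake of overwriting past the end of the function.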

Copyright (c) Virus.Org 1997-2006.