Sunday 28 January 2007

Analyzing malware inside Parallels

The nifty thing about using Parallels for analyzing malware code is that I haven't yet seen any sample that can detect that you are using Parallels. It is clearly only a matter of time, but it is interesting nonetheless. For example, when using the SIDT instruction, they always look for VMware. VMware usually returns '0xFFxxxxxx' when asked for its IDTR address, and just by comparing the first byte you can already tell whether you are inside the Matrix or not.

But Parallels returns the same address as on a real Windows host. I switched to Parallels a couple of months ago and it was a total surprise: I was talking to some colleagues and showing them a well-known malware that detects VMware, and voila! it ran properly without realizing that it was running in a virtual machine. For the curious, the returned address is '0x8003f400'.
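To make the check above concrete for an analyst reading a sample's disassembly, here is an added C example (not code from the post or from any sample it mentions). SIDT stores a 2-byte limit followed by the little-endian base, so the "first byte" the post talks about, the most significant byte of the base, is actually the last byte of the stored operand (offset 5 in 32-bit mode). The function names, the sample byte images and the 0x7FF limit are my own constructions; the 0x8003f400 base comes from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Memory image written by SIDT in 32-bit mode: 2-byte limit, then a 4-byte
 * base, both little-endian.  Decoded form (names are mine, not from the post). */
typedef struct {
    uint16_t limit;
    uint32_t base;
} idtr32_t;

/* Decode the 6-byte operand that a 32-bit SIDT writes to memory. */
idtr32_t decode_sidt32(const uint8_t img[6]) {
    idtr32_t r;
    r.limit = (uint16_t)(img[0] | ((uint16_t)img[1] << 8));
    r.base  = (uint32_t)img[2]
            | ((uint32_t)img[3] << 8)
            | ((uint32_t)img[4] << 16)
            | ((uint32_t)img[5] << 24);
    return r;
}

/* The byte a sample compares is the MSB of the base, i.e. the LAST byte of
 * the SIDT operand in memory.  Useful when you see "cmp byte [esp+5], 0FFh". */
uint8_t sidt_base_msb(const uint8_t img[6]) {
    return img[5];
}

/* The heuristic exactly as the post describes it: MSB 0xFF is what VMware
 * returned; 0x80 is what a real Windows host returns, and Parallels returns
 * the same value, so the check cannot tell those two apart. */
const char *classify_idt_base(uint32_t base) {
    uint8_t msb = (uint8_t)(base >> 24);
    if (msb == 0xFF) return "vmware-like";
    if (msb == 0x80) return "native-or-parallels";
    return "unknown";
}

/* Constructed sample images (not captured from real machines).  The limit
 * 0x7FF assumes a full 256-entry IDT of 8-byte gates; the 0x8003f400 base is
 * the value the post reports for Windows on Parallels and on bare metal. */
const uint8_t SAMPLE_NATIVE[6] = { 0xFF, 0x07, 0x00, 0xF4, 0x03, 0x80 };
const uint8_t SAMPLE_VMWARE[6] = { 0xFF, 0x07, 0x00, 0x80, 0xC1, 0xFF };

int main(void) {
    idtr32_t n = decode_sidt32(SAMPLE_NATIVE);
    idtr32_t v = decode_sidt32(SAMPLE_VMWARE);
    printf("constructed native/Parallels image: base=0x%08x msb=0x%02x -> %s\n",
           n.base, sidt_base_msb(SAMPLE_NATIVE), classify_idt_base(n.base));
    printf("constructed VMware image:           base=0x%08x msb=0x%02x -> %s\n",
           v.base, sidt_base_msb(SAMPLE_VMWARE), classify_idt_base(v.base));

#if (defined(__i386__) || defined(__x86_64__)) && (defined(__GNUC__) || defined(__clang__))
    /* Read the live IDTR on this machine so you can see what a sample would
     * see.  On 64-bit the base is 8 bytes wide.  Newer CPUs with UMIP enabled
     * may block SIDT from user mode, in which case this faults or is emulated. */
    struct __attribute__((packed)) { uint16_t limit; uintptr_t base; } live;
    __asm__ volatile("sidt %0" : "=m"(live));
    printf("live IDTR: limit=0x%04x base MSB=0x%02x\n",
           live.limit, (unsigned)(live.base >> (8 * sizeof(live.base) - 8)));
#endif
    return 0;
}
```

The two constructed images are deliberately identical except for the base, so the only thing that changes the verdict is the byte at offset 5; that is the byte to watch for in a sample's comparison.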
