Venue: International Conference on Information and Communications Security

PiDicators: An Efficient Artifact to Detect Various VMs



Abstract

Most malware uses evasion techniques to avoid being analyzed by sandbox systems. For example, a sample may hide its malicious behaviour if it detects the presence of a Virtual Machine (VM). A popular approach to detecting a VM is to exploit differences in instruction semantics between a virtual environment and a physical one. Such semantic detection has been widely studied, but existing work either has a limited detection range (e.g. it only detects VMs running on a specific hypervisor) or costs too much time. Most methods cannot cover many kinds of VMs while keeping the performance overhead acceptable. In this paper, we propose FindPiDicators, a new approach that selects a small number of indicators (e.g. registers) and cases (instruction executions) through comprehensive experiments and statistical analysis. Using FindPiDicators, we obtain PiDicators, a lightweight artifact consisting of a set of test cases and indicators. We use PiDicators to detect the presence of a VM, which offers several benefits. 1) It accurately detects a VM regardless of the operating system, hardware environment and hypervisor. 2) PiDicators does not rely on API calls, so it is transparent and hard to counter. 3) Detection based on PiDicators is time-efficient, since only 31 cases are considered and only four register values are required for each case.
