Merge branch 'lecture' of https://github.com/jimmy-zx/kvmdemo into HEAD

change format

README.md

@@ -202,16 +202,19 @@ The problem: dynamic analysis of malware is typically automated and done from vi
 So we need to understand how:
 
 1. malware author detect when malware is running in a virtual environment
-2. to harden the security system to reduce the odds of evasion
-3. to identify anti-VM behavior in order to improve detection
+2. to identify anti-VM behavior in order to improve detection
+3. to harden the security system to reduce the odds of evasion
+
 
 ## How malware identify VMs
 
 VM is designed to mimic the hardware.
 
 But artifacts remain which indicate a virtual machine and not a physical one: specific files, processes, registry keys, services, network device adapters
 
-Malware authors code the malware to detect vm configuration files, executables, registry entries or other indicators in order to manipulate their original execution flow -> this behavior is referred to as "Anti-Sandbox", "Anti-VM", "VM Evasion"
+Malware authors code the malware to detect vm configuration files, executables, registry entries or other indicators in order to manipulate their original execution flow
+
+ tools: Pafish, virt-what
 
 ## Checking CPU instructions
 
@@ -220,7 +223,7 @@ e.g. The 31st bit of `ECX` on a physical machine will be equal to 0; on a guest
 2. Hypervisor brand: by calling `CPUID` with `EAX=40000000` as input 1; Malware will return the virtualization vendor string in `EAX`, `ECX`, `EDX`
 e.g. Microsoft: "Microsoft HV"; VMware: "VMwareVMware"
 3. MMX: an Intel instruction set designed for faster processing of graphical applications. These are usually not supported in VMs so their absence may indicate that the malware is running in a VM
-4. `IN`: in VMWare (KVM?) communication with the host is done through a specific I/O port (lab); useful for detecting a VMware environment
+4. `IN`: in VMWare communication with the host is done through a specific I/O port; useful for detecting a VMware environment
 e.g. `in eax, #port         'Read input from that port'`
 
 ## Checking other paravirtualization devices
@@ -238,16 +241,37 @@ e.g. `in eax, #port         'Read input from that port'`
 - Making use of the relative time overhead, VM environment can be detected.
 - ![handling sensitive instructions](assets/s3.png)
 
+## Example: `rdtsc`
+`rdtsc` is an instruction that reads the current value of the processor's time-stamp counter (tsc) into the `edx:eax` registers. Assembly:
+![Alt text | 500](assets/image-1.png)
+
+In Pafish, one way it detects the virtual environment is by looking at the instruction `rdtsc`
+![Alt text | 500](assets/image.png)
+
+
+
 
-## Anti VM detection (IPR)
+## Anti VM detection
 
-CPUID Spoofer, Pafish, al-khaser (bypass vm detection by changing some fields).
+bypass vm detection by changing some fields.
 
 Example:
 - Starting a Windows 11 vm (maybe should change to Windows 10 later for better illustration)
 
 - Run vm detection (Pafish): ![before modification](assets/detection-before.PNG)
 
+## Before Modification:
+
+![before](assets/sspic4.PNG)
+
+## Before Modification:
+
+![before](assets/sspic5.PNG)
+
+## Anti VM detection - delete registry entry
+
+![delete](assets/sspic3.PNG)
+
 ## Anti VM detection - Patch
 
 - Shut down vm, go to physical machine, modify `.vmx` file (vmware):
@@ -269,11 +293,11 @@ ethernet1.address = "00:31:34:37:A6:F9"
 
 ## Anti VM detection - Patched (1)
 
-![after modification](assets/detection-after-1.PNG)
+![after modification](assets/sspic1.PNG)
 
 ## Anti VM detection - Patched (2)
 
-![after modification](assets/detection-after-2.PNG)
+![after modification](assets/sspic2.PNG)
 
 
 # VM escape