Add additional anti-vm rules #108

Open
CalebFenton opened this issue Jul 19, 2018 · 0 comments

This will require a little research to see if the techniques work in Android and if they're used anywhere.

First, the vmstat command seems to be a command on the Android emulator. Checking for its existence or running it would be a giveaway that you're in a VM.

Second, checking /proc/uptime may indicate if a device was just recently booted, which is common in VM analysis environments.

Third, a native code approach which is called "red pill" and may work in Android:
https://web.archive.org/web/20110708204609/http://www.invisiblethings.org/papers/redpill.html

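```c
int swallow_redpill () {
  /* rpill = SIDT [addr32] (0f 01 0d + 4 address bytes) followed by RET (c3) */
  unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
  /* patch the operand so SIDT stores the 6-byte IDTR (limit + base) into m; 32-bit x86 only */
  *((unsigned*)&rpill[3]) = (unsigned)m;
  ((void(*)())&rpill)();
  /* m[5] is the top byte of the IDT base; the paper treats a value above 0xd0 as a VM */
  return (m[5]>0xd0) ? 1 : 0;
}
```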
@CalebFenton CalebFenton removed their assignment Dec 6, 2018
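
A static triage sketch for the three ideas in the issue above, added here as an example (not code from this project or from the issue author): it scans a byte blob such as a native library for the red pill opcode shape and for references to `/proc/uptime` and `vmstat`. The indicator names, the `scan` function and the sample blob are assumptions constructed for illustration.

```python
import re

# Indicator names are made up for this example; the patterns come from the
# three ideas in the issue.
INDICATORS = {
    # SIDT with a 32-bit absolute operand (0f 01 0d <addr32>) followed by RET.
    # The four address bytes are wildcarded: they are zero in the file and
    # only patched in at run time.
    "redpill_sidt": re.compile(rb"\x0f\x01\x0d.{4}\xc3", re.DOTALL),
    "reads_proc_uptime": re.compile(rb"/proc/uptime(?![A-Za-z0-9_])"),
    # "vmstat" as a whole token, so substrings such as "myvmstats" are skipped.
    "references_vmstat": re.compile(
        rb"(?<![A-Za-z0-9_])vmstat(?![A-Za-z0-9_])"
    ),
}


def scan(blob: bytes) -> dict:
    """Return {indicator name: [byte offsets]} for each indicator present."""
    hits = {}
    for name, pattern in INDICATORS.items():
        offsets = [m.start() for m in pattern.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample input, not taken from any real application.
SAMPLE = (
    b"\x7fELF" + b"\x00" * 12
    + b"\x0f\x01\x0d\x00\x00\x00\x00\xc3"   # red pill bytes at offset 16
    + b"\x00cat /proc/uptime\x00"
    + b"/system/bin/vmstat\x00myvmstats\x00"
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name}: {[hex(o) for o in offsets]}")
```

The red pill pattern has only four fixed bytes, so in a large binary it can match by chance; treat a hit as a pointer for manual review of the reported offset rather than a verdict.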