PinVMShield: A Pintool for avoiding Windows-based VM/sandbox detection techniques
PinVMShield is a tool that fools (malware) binaries by defeating the common techniques they use to detect that they are running inside a VM or sandbox. It relies on dynamic binary instrumentation (DBI) to perform these tricks; specifically, it is built on the Pin DBI framework.
Get the PinVMShield tool and its source code from the BitBucket site.
If you are interested in citing this work, please use the following (BibTeX format):
@article{RRA-LATAM-16,
  author   = {Ricardo J. Rodr\'{i}guez and I\~{n}aki Rodr\'{i}guez-Gast\'{o}n and Javier Alonso},
  title    = {{Towards the Detection of Isolation-Aware Malware}},
  journal  = {IEEE Latin America Transactions (Revista IEEE America Latina)},
  year     = {2016},
  volume   = {14},
  number   = {2},
  pages    = {1024--1036},
  month    = feb,
  abstract = {Malware analysis tools have evolved in the last years providing tightly controlled sandbox and virtualised environments where malware is analysed minimising potential harmful consequences. Unfortunately, malware has advanced in parallel, being currently able to recognise when is running in sandbox or virtual environments and then, behaving as a non-harmful application or even not executing at all. This kind of malware is usually called analysis-aware malware. In this paper, we propose a tool to detect the evasion techniques used by analysis-aware malware within sandbox or virtualised environments. Our tool uses Dynamic Binary Instrumentation to maintain the binary functionality while executing arbitrary code. We evaluate the tool under a set of well-known analysis-aware malware showing its current effectiveness. Finally, we discuss limitations of our proposal and future directions.},
  doi      = {10.1109/TLA.2016.7437254},
  issn     = {1548-0992},
  keywords = {Instruments;Malware;Proposals;Silicon compounds;Software;Virtual environments;analysis-aware malware;binary analysis;dynamic binary instrumentation},
  url      = {http://webdiis.unizar.es/~ricardo/files/papers/RRA-LATAM-16.pdf}
}
Supplementary files
- PinVMShield
  - version 1.0 (January 2014, MD5 d5fb48ba13470a355f56bd3ce50d5c9a)
  - version 1.1 (May 2014, MD5 49801d166afded4d8abd33457ae69d2c)
- Pafish (version 0.25, MD5 e39bd31bd5612489a31123109fd3de02)
  - Official website (binary and source code available!)
- Malware samples used for experimentation (password protected; contact me to obtain the password). The archive contains the samples with the following MD5s:
If you have any questions about PinVMShield, find a bug, or want to propose new functionality (or collaborate on this research, of course!), please feel free to contact me by email at any time.