A fistful of red-pills

Malicious programs are nowadays analyzed mostly dynamically, using special virtual execution environments such as virtual machines and CPU emulators. The main weakness of dynamic analysis through such execution environments is that malware could detect that it is executed in a "strange" environment and consequently change its behavior to impede the analysis. A red-pill is a program, or procedure, capable of identifying whether it is executed on a physical CPU or in a virtual execution environment. Obviously, such a procedure can be used by malware to detect whether there is a risk of dynamic analysis.

We have developed a fully automatic technique to discover new red-pills for detecting CPU emulators. The idea on which our technique is based is to compare the behavior of the physical CPU with the behavior of the CPU emulator, in order to identify the situations in which the CPU emulator behaves differently. The technique is described in detail in the paper A fistful of red-pills: How to automatically generate procedures to detect CPU emulators.

For obvious reasons we are not publicly releasing the red-pills we have discovered. Nevertheless, the following are a few examples of our red-pills for detecting QEMU:

Note that these programs were generated automatically; thus, they might contain redundant, unoptimized, cryptic, and useless code.

To test the aforementioned pills, compile them with GCC and run them on the physical CPU and in QEMU (the whole-system emulator and the process emulator should produce exactly the same result, provided KQEMU acceleration is disabled). For example:

$ gcc qemu-pill-2826.c -o qemu-pill-2826
$ sudo ./qemu-pill-2826
Hello PHYSICAL CPU!
$ sudo qemu-i386 ./qemu-pill-2826
Hello EMULATOR!
Root privileges are required because recent versions of GNU/Linux do not allow unprivileged users to map data at page zero via MAP_FIXED (the vm.mmap_min_addr sysctl).
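The following harness is an added illustration of how a red-pill of this kind is structured; it is not one of the generated pills and not code from the paper's authors. It executes a test case (raw instruction bytes plus an initial register state) on the current CPU through a small hand-assembled trampoline, captures the resulting state, and compares it with a reference state, printing the same two messages as the pills above. The trampoline layout, the restriction to rax, rcx and RFLAGS, and the three test cases are assumptions made for the example. Because the references here are the architecturally defined results of ADD and SUB, a correct emulator reproduces them and the harness prints "Hello PHYSICAL CPU!" everywhere; a generated pill instead stores whatever the physical CPU produced, including results the manuals leave undefined, which is where emulators diverge. No page-zero mapping is used, so no root privileges are needed.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* The slice of CPU state this harness injects and observes; the generator in
 * the paper records far more (all registers and memory). */
typedef struct { uint64_t rax, rcx, rflags; } cpu_state;

/* Arithmetic flags in RFLAGS; everything else is reserved or unaffected here. */
enum { FLAG_CF = 0x001, FLAG_PF = 0x004, FLAG_AF = 0x010,
       FLAG_ZF = 0x040, FLAG_SF = 0x080, FLAG_OF = 0x800 };
#define FLAG_MASK (FLAG_CF | FLAG_PF | FLAG_AF | FLAG_ZF | FLAG_SF | FLAG_OF)

/* One test case: raw instruction bytes operating on rax/rcx, the initial state
 * to load, and the final state recorded on the physical CPU (the reference). */
typedef struct {
    const char *name;
    uint8_t code[8];
    size_t code_len;
    cpu_state initial, reference;
} red_pill;

/* Bitmask of fields that differ between two states (0 = identical). */
unsigned state_diff(const cpu_state *a, const cpu_state *b) {
    unsigned diff = 0;
    if (a->rax != b->rax) diff |= 1u;
    if (a->rcx != b->rcx) diff |= 2u;
    if ((a->rflags & FLAG_MASK) != (b->rflags & FLAG_MASK)) diff |= 4u;
    return diff;
}

#if defined(__x86_64__) && defined(__linux__)
/* Assemble a trampoline in a fresh page: load rax/rcx/rflags from the state
 * struct (passed in rdi), run the test bytes, store rax/rcx/rflags back. */
static int execute_pill(const red_pill *p, cpu_state *state) {
    static const uint8_t prologue[] = {
        0x48, 0x8b, 0x07,          /* mov  rax, [rdi]            */
        0x48, 0x8b, 0x4f, 0x08,    /* mov  rcx, [rdi+8]          */
        0xff, 0x77, 0x10, 0x9d };  /* push qword [rdi+16]; popfq */
    static const uint8_t epilogue[] = {
        0x48, 0x89, 0x07,          /* mov  [rdi], rax            */
        0x48, 0x89, 0x4f, 0x08,    /* mov  [rdi+8], rcx          */
        0x9c, 0x8f, 0x47, 0x10,    /* pushfq; pop qword [rdi+16] */
        0xc3 };                    /* ret                        */
    const size_t page_size = 4096;
    void (*fn)(cpu_state *);
    uint8_t *page;

    if (sizeof prologue + p->code_len + sizeof epilogue > page_size) return -1;
    /* Map RW first and flip to RX afterwards: W^X policies reject RWX maps. */
    page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, prologue, sizeof prologue);
    memcpy(page + sizeof prologue, p->code, p->code_len);
    memcpy(page + sizeof prologue + p->code_len, epilogue, sizeof epilogue);
    if (mprotect(page, page_size, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, page_size);
        return -1;
    }
    memcpy(&fn, &page, sizeof fn);   /* data pointer -> function pointer */
    *state = p->initial;
    fn(state);
    munmap(page, page_size);
    return 0;
}
#else
static int execute_pill(const red_pill *p, cpu_state *state) {
    (void)p; (void)state; return -1;   /* trampoline is x86-64 Linux only */
}
#endif

/* 0: observed state equals the physical-CPU reference; 1: it differs, i.e. the
 * pill fires; -1: the case could not be executed on this platform. */
int run_pill(const red_pill *p) {
    cpu_state observed;
    if (execute_pill(p, &observed) != 0) return -1;
    return state_diff(&observed, &p->reference) ? 1 : 0;
}

/* Constructed cases. Their references are the architecturally defined results
 * of ADD and SUB, so any correct CPU or emulator reproduces them; a generated
 * pill's reference is whatever the physical CPU did, defined or not. */
const red_pill pills[] = {
    { "add rax, rcx: 0x7fff..ff + 1", {0x48, 0x01, 0xc8}, 3, {0x7fffffffffffffffULL, 1, 0},
      {0x8000000000000000ULL, 1, FLAG_OF | FLAG_SF | FLAG_AF | FLAG_PF} },
    { "add rax, rcx: 0xffff..ff + 1", {0x48, 0x01, 0xc8}, 3, {0xffffffffffffffffULL, 1, 0},
      {0, 1, FLAG_CF | FLAG_ZF | FLAG_AF | FLAG_PF} },
    { "sub rax, rcx: 0 - 1", {0x48, 0x29, 0xc8}, 3, {0, 1, 0},
      {0xffffffffffffffffULL, 1, FLAG_CF | FLAG_SF | FLAG_AF | FLAG_PF} },
};
const size_t num_pills = sizeof pills / sizeof pills[0];

int main(void) {
    for (size_t i = 0; i < num_pills; i++) {
        int r = run_pill(&pills[i]);
        if (r < 0) { puts("cannot execute test cases on this platform"); return 2; }
        printf("%-30s %s\n", pills[i].name, r ? "Hello EMULATOR!" : "Hello PHYSICAL CPU!");
    }
    return 0;
}
```

Compile with gcc and run it natively and under qemu-x86_64 exactly as shown for the pills above. To turn the harness into a real pill, replace the instruction bytes and the reference with a case whose final state was recorded on the physical CPU; the comparison in state_diff is where the emulator's divergence shows up.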