GET /api/techniques/25/
Content-Type: application/json
Vary: Accept

    "name": "VPCEXT",
    "category": [
    "description": "The VPCEXT instruction (visual property container extender) is another anti–virtual machine trick used by malware to detect virtual systems. This technique is not documented. If the execution of the instruction does not generate an exception (illegal instruction), then the program is running on a virtual machine.",
    "resources": "\r\n\r\n",
    "tags": "",
    "snippets": [
            "language": "",
            "author": "",
            "technique": "",
            "description": "",
            "plain_code": "/*\r\n-----------------------------------------------------------------------------\r\n  * Created by * lallous <> *\r\n  * All rights reserved.\r\n  *\r\n  * Redistribution and use in source and binary forms, with or without\r\n  * modification, are permitted provided that the following conditions\r\n  * are met:\r\n  * 1. Redistributions of source code must retain the above copyright\r\n  *    notice, this list of conditions and the following disclaimer.\r\n  *\r\n  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''\r\nAND\r\n  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\r\n  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\r\nPURPOSE\r\n  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE\r\nLIABLE\r\n  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR\r\nCONSEQUENTIAL\r\n  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE\r\nGOODS\r\n  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\r\n  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,\r\nSTRICT\r\n  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY\r\nWAY\r\n  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY\r\nOF\r\n  * SUCH DAMAGE.\r\n  *\r\n-----------------------------------------------------------------------------\r\n*/\r\n\r\n// IsInsideVPC's exception filter\r\nDWORD __forceinline IsInsideVPC_exceptionFilter(LPEXCEPTION_POINTERS ep)\r\n{\r\n   PCONTEXT ctx = ep->ContextRecord;\r\n\r\n   ctx->Ebx = -1; // Not running VPC\r\n   ctx->Eip += 4; // skip past the \"call VPC\" opcodes\r\n   return EXCEPTION_CONTINUE_EXECUTION;\r\n   // we can safely resume execution since we skipped faulty instruction\r\n}\r\n\r\n// high level language friendly version of IsInsideVPC()\r\nbool IsInsideVPC()\r\n{\r\n   bool rc = false;\r\n\r\n   __try\r\n   {\r\n     _asm push ebx\r\n     _asm mov  ebx, 0 // Flag\r\n     _asm mov  eax, 1 // VPC function number\r\n\r\n     // call VPC\r\n     _asm __emit 0Fh\r\n     _asm __emit 3Fh\r\n     _asm __emit 07h\r\n     _asm __emit 0Bh\r\n\r\n     _asm test ebx, ebx\r\n     _asm setz [rc]\r\n     _asm pop ebx\r\n   }\r\n   // The except block shouldn't get triggered if VPC is running!!\r\n   __except(IsInsideVPC_exceptionFilter(GetExceptionInformation()))\r\n   {\r\n   }\r\n\r\n   return rc;\r\n}"
    "detection_rules": [
            "type": "",
            "name": "vm_instruction",
            "rule": "rule:\r\n  meta:\r\n    name: execute anti-VM instructions\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author:\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing [B0009.029]\r\n    examples:\r\n      - Practical Malware Analysis Lab 17-03.exe_:0x401A80\r\n  features:\r\n    - or:\r\n      - mnemonic: sdit\r\n      - mnemonic: sgdt\r\n      - mnemonic: sldt\r\n      - mnemonic: smsw\r\n      - mnemonic: str\r\n      - mnemonic: in\r\n      - mnemonic: cpuid\r\n      - mnemonic: vpcext"