IN

IN is a privileged I/O instruction: an attempt to execute it from user mode normally raises an exception. VMware uses IN on a special I/O port ("VX") as a communication channel between the guest and the VMM, so inside a VMware virtual machine the same instruction executes from user mode without raising an exception. Whether the IN on that port faults or succeeds therefore tells the code apart a VMware guest from a physical host.

U1323

Detection Rules

rule:
  meta:
    name: execute anti-VM instructions
    namespace: anti-analysis/anti-vm/vm-detection
    author: moritz.raabe@fireeye.com
    scope: basic block
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing [B0009.029]
    examples:
      - Practical Malware Analysis Lab 17-03.exe_:0x401A80
  features:
    - or:
      - mnemonic: sidt
      - mnemonic: sgdt
      - mnemonic: sldt
      - mnemonic: smsw
      - mnemonic: str
      - mnemonic: in
      - mnemonic: cpuid
      - mnemonic: vpcext
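The rule above fires on any of the listed mnemonics inside one basic block. The following is an added example, not capa's or the Unprotect project's code: a minimal evaluator of that rule's or/mnemonic logic over a list of disassembly lines, plus a narrower byte-level check that looks specifically for an IN from VMware's "VX" port (0x5658). The sample bytes and disassembly lines are constructed, not taken from any real binary, and the 16-byte window between the port load and the IN is an assumption.

```python
"""Added example (not capa's or the Unprotect project's code): evaluate the
"execute anti-VM instructions" rule logic over one basic block, and add a
narrower byte-level check for an IN from VMware's 'VX' port."""
import re

# Leaf mnemonics of the rule's "or" block. The first one is SIDT (the rule
# text on the page spells it "sdit", which is not an x86 mnemonic).
RULE = {
    "name": "execute anti-VM instructions",
    "scope": "basic block",
    "features": {
        "or": [{"mnemonic": m} for m in
               ("sidt", "sgdt", "sldt", "smsw", "str", "in", "cpuid", "vpcext")]
    },
}


def evaluate(node, mnemonics):
    """Evaluate a capa-style feature tree (or / and / not / mnemonic) against
    the set of mnemonics found in a basic block."""
    if "or" in node:
        return any(evaluate(child, mnemonics) for child in node["or"])
    if "and" in node:
        return all(evaluate(child, mnemonics) for child in node["and"])
    if "not" in node:
        return not evaluate(node["not"], mnemonics)
    if "mnemonic" in node:
        return node["mnemonic"] in mnemonics
    raise ValueError(f"unsupported feature node: {node!r}")


def leaf_mnemonics(node):
    """Collect every mnemonic leaf in the tree, for reporting what matched."""
    if "mnemonic" in node:
        return {node["mnemonic"]}
    found = set()
    for key in ("or", "and"):
        for child in node.get(key, []):
            found |= leaf_mnemonics(child)
    if "not" in node:
        found |= leaf_mnemonics(node["not"])
    return found


def match_basic_block(rule, instructions):
    """instructions: disassembly lines such as 'in eax, dx' (the mnemonic is
    the first token). Returns the sorted list of rule mnemonics present in the
    block; an empty list means the rule did not fire."""
    mnemonics = {line.split()[0].lower() for line in instructions if line.strip()}
    if not evaluate(rule["features"], mnemonics):
        return []
    return sorted(mnemonics & leaf_mnemonics(rule["features"]))


# VMware's I/O port 0x5658 is 'VX' in ASCII; as a little-endian immediate it
# is the byte pair 58 56. Look for the port being loaded into DX/EDX followed
# by an IN from DX within a short window (assumed 16 bytes). This is narrower
# than the rule's "any IN", which also fires on ordinary driver port I/O.
_LOAD_VX_PORT = rb"(?:\x66\xBA\x58\x56|\xBA\x58\x56\x00\x00)"  # mov dx/edx, 0x5658
_IN_FROM_DX = rb"(?:\xEC|\xED|\x66\xED)"                        # in al/eax/ax, dx
VX_PORT_READ_RE = re.compile(_LOAD_VX_PORT + rb".{0,16}?" + _IN_FROM_DX, re.DOTALL)


def find_vx_port_reads(code):
    """Return byte offsets where a 'mov dx, 0x5658 ... in ..., dx' pattern
    starts. Heuristic: it scans raw bytes, so confirm hits in a disassembler."""
    return [m.start() for m in VX_PORT_READ_RE.finditer(code)]


# Constructed sample bytes (hand-assembled for this example, not from a real
# binary): a VMware port probe, and an unrelated IN from an immediate port.
VMWARE_PROBE = bytes.fromhex(
    "B868584D56"   # mov eax, 0x564D5868
    "BA58560000"   # mov edx, 0x5658
    "ED"           # in eax, dx
)
KEYBOARD_READ = bytes.fromhex("E460" "C3")  # in al, 0x60 ; ret (driver-style I/O)

if __name__ == "__main__":
    block = ["mov eax, 0x564D5868", "mov edx, 0x5658", "in eax, dx"]
    print(RULE["name"], "->", match_basic_block(RULE, block))    # ['in']
    print("VX port reads at", find_vx_port_reads(VMWARE_PROBE))  # [5]
    print("VX port reads at", find_vx_port_reads(KEYBOARD_READ)) # []
```

The mnemonic rule is deliberately broad: a kernel driver that reads a hardware port with IN fires it just as a VM probe does, which is why the rule is scoped to a basic block and why a second, port-specific check helps when triaging hits.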
