SIDT, Red Pill
Red Pill is an anti-VM technique that executes the SIDT instruction, which stores the contents of the IDTR register (the IDT limit and base address) to memory. A virtual machine monitor must relocate the guest's IDTR so that it does not conflict with the host's IDTR. Because SIDT is not a privileged instruction, the virtual machine monitor is not notified when the guest runs it, so the value stored is the virtual machine's relocated IDTR rather than the host's, which is what the check looks for.
rule:
  meta:
    name: execute anti-VM instructions
    namespace: anti-analysis/anti-vm/vm-detection
    author: email@example.com
    scope: basic block
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing [B0009.029]
    examples:
      - Practical Malware Analysis Lab 17-03.exe_:0x401A80
  features:
    - or:
      - mnemonic: sidt
      - mnemonic: sgdt
      - mnemonic: sldt
      - mnemonic: smsw
      - mnemonic: str
      - mnemonic: in
      - mnemonic: cpuid
      - mnemonic: vpcext
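The rule above matches on disassembler mnemonics at basic-block scope. The following is an added example, not capa's own code and not from the page: it decodes just enough of the x86 encoding (the two-byte opcode plus the ModRM reg field that distinguishes SIDT from SGDT and SMSW under 0F 01) to name the instructions the rule lists, evaluates the rule's `or:` over a block, and parses the 6-byte IDTR image that SIDT writes. It assumes the block arrives as a list of already-split 32-bit instruction encodings, as a disassembler backend would supply them; the byte sequences, the sample block and the IDTR values are constructed for illustration and are not taken from Lab 17-03.

```python
"""Classify x86 instruction encodings by the anti-VM mnemonics the capa rule
names, and evaluate the rule's `or:` over a basic block.

Added example (not capa's code). Assumes instructions are already split at
their boundaries (what a disassembler hands capa); only the instructions the
rule names are decoded, everything else is treated as "other".
"""
import struct
from typing import List, Optional, Tuple

# Opcode groups 6 and 7 (0F 00 /r and 0F 01 /r): the ModRM reg field selects
# the instruction. Only the members the rule cares about are listed.
GROUP6 = {0: "sldt", 1: "str"}
GROUP7 = {0: "sgdt", 1: "sidt", 4: "smsw"}

RULE_MNEMONICS = ("sidt", "sgdt", "sldt", "smsw", "str", "in", "cpuid", "vpcext")

# Legacy prefixes that may precede the opcode (operand/address size, segment, rep).
PREFIXES = (0x66, 0x67, 0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0xF2, 0xF3)


def classify(insn: bytes) -> Optional[str]:
    """Return the rule mnemonic for one instruction encoding, or None."""
    i = 0
    while i < len(insn) and insn[i] in PREFIXES:
        i += 1
    if i >= len(insn):
        return None
    op = insn[i]
    if op in (0xE4, 0xE5, 0xEC, 0xED):          # IN al/eax, imm8 and IN al/eax, dx
        return "in"
    if op != 0x0F or i + 1 >= len(insn):
        return None
    op2 = insn[i + 1]
    if op2 == 0xA2:                               # CPUID
        return "cpuid"
    if op2 == 0x3F:                               # 0F 3F: Virtual PC guest-to-host call, "vpcext"
        return "vpcext"
    if op2 in (0x00, 0x01) and i + 2 < len(insn):
        modrm = insn[i + 2]
        mod, reg = modrm >> 6, (modrm >> 3) & 7
        if op2 == 0x00:
            return GROUP6.get(reg)
        # sgdt/sidt exist only with a memory operand; the mod == 3 encodings of
        # 0F 01 /0 and /1 are other instructions (vmcall, monitor, ...).
        if reg in (0, 1) and mod == 3:
            return None
        return GROUP7.get(reg)
    return None


def find_anti_vm(block: List[bytes]) -> List[Tuple[int, str]]:
    """(index, mnemonic) for every instruction in the block the rule would match."""
    hits = []
    for idx, insn in enumerate(block):
        m = classify(insn)
        if m is not None:
            hits.append((idx, m))
    return hits


def rule_matches(block: List[bytes]) -> bool:
    """The rule's `or:` of mnemonic features: true if any instruction in the block matches."""
    return any(m in RULE_MNEMONICS for _, m in find_anti_vm(block))


def parse_idtr_image(data: bytes) -> Tuple[int, int]:
    """Decode the 6-byte image SIDT writes in 32-bit mode: 16-bit limit, 32-bit base."""
    limit, base = struct.unpack("<HI", data[:6])
    return limit, base


# Constructed basic block modeled on the Red Pill idiom (not bytes from Lab 17-03).
RED_PILL_BLOCK = [
    bytes([0x55]),                      # push ebp
    bytes([0x8B, 0xEC]),                # mov ebp, esp   (0xEC here is a ModRM byte, not IN)
    bytes([0x83, 0xEC, 0x08]),          # sub esp, 8
    bytes([0x0F, 0x01, 0x4D, 0xF8]),    # sidt [ebp-8]   <- the Red Pill instruction
    bytes([0x8B, 0x45, 0xFA]),          # mov eax, [ebp-6]  -> IDT base (bytes 2..5 of the image)
    bytes([0xC9]),                      # leave
    bytes([0xC3]),                      # ret
]

# Constructed benign block of the same shape with no descriptor-table instruction.
BENIGN_BLOCK = [
    bytes([0x55]), bytes([0x8B, 0xEC]), bytes([0x83, 0xEC, 0x08]),
    bytes([0x8B, 0x45, 0x08]),          # mov eax, [ebp+8]
    bytes([0xC9]), bytes([0xC3]),
]

if __name__ == "__main__":
    for name, blk in (("red pill", RED_PILL_BLOCK), ("benign", BENIGN_BLOCK)):
        print(name, find_anti_vm(blk), "->", "MATCH" if rule_matches(blk) else "no match")
    # Constructed IDTR image: limit 0x07FF, base 0x12345678 (sample values only).
    print(parse_idtr_image(bytes.fromhex("ff0778563412")))
```

Because the classifier looks only at the opcode position of each instruction, a byte such as 0xEC inside `mov ebp, esp` is not mistaken for `in al, dx`; scanning a raw buffer linearly without instruction boundaries would produce exactly that kind of false positive, which is why capa evaluates mnemonic features over a disassembler's output rather than over bytes.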