Title :
An automatic anti-anti-VMware technique applicable for multi-stage packed malware
Author :
Li Sun;Tim Ebringer;Serdar Boztas
Author_Institution :
School of Mathematical and Geospatial Sciences, RMIT University, Australia
Abstract :
The VMware Workstation virtualisation software is widely used by antivirus researchers for malware analysis. However, a large amount of current generation malware employs various anti-VMware techniques in order to resist analysis. To make things worse, these anti-VMware techniques are applied not only in the payload itself, but also in the runtime packer that is used to disguise the malicious code. Fortunately, at the present time, there is not a wide variety of anti-VMware methods in use, so the assembly code which describes the operation is quite characteristic. The issue therefore becomes exactly at what stage of the execution should one look for such code, since the actual anti-VMware code is normally heavily obfuscated. Sometimes it may only be decrypted shortly before it is executed. This paper shows that judicious automated control of a debugger can successfully be used to slither around anti-VMware detections even in sophisticated packers, such as Themida.
Keywords :
"Registers","Virtual machining","Fingerprint recognition","Computer science","Software engineering","Workstations","Resists","Payloads","Runtime","Assembly"
Conference_Title :
Malicious and Unwanted Software, 2008. MALWARE 2008. 3rd International Conference on
Print_ISBN :
978-1-4244-3288-2
DOI :
10.1109/MALWARE.2008.4690853