


Technical field
The present invention relates to the field of computer security, and in particular to an anti-detection method and apparatus for a virtual machine system.
Background art
With the development of computer technology and the spread of computer applications, computing has gradually penetrated every area of production and daily life, greatly improving productivity and bringing much convenience to all aspects of people's lives. However, along with the widespread use of computer equipment, malicious programs have also grown at an unprecedented pace: every day a large number of malicious programs are written and spread through networks, removable storage and other channels. Because most malicious programs are to some degree contagious and destructive, a computer infected by one may, in mild cases, have its normal operation disturbed to varying degrees, and in severe cases suffer a system crash or leakage of confidential data, leading to major economic losses.
While malicious programs cause huge losses to users, users' awareness of preventing and controlling them is also rising. To prevent and control malicious programs, the first prerequisite is a relatively deep understanding of them, which includes analysing individual malicious programs to learn their characteristics, for example from a program's file information, the files or data it produces while running, and the operations it performs on the computer system. To obtain more accurate results, analysing each malicious program often requires setting up a fresh software and hardware environment. In many cases, however, such an analysis experiment is destructive to an unknown degree; building a real hardware and software environment for each experimental analysis would waste a great deal of manpower and material resources, and with the huge and rapidly growing number of malicious programs today this approach is hardly feasible. A virtual operating environment therefore becomes the better choice for the experimental analysis of malicious programs.
A virtual operating environment is a complete computer system with the functions of a full hardware system, simulated by real computer software and hardware and running in a fully isolated environment. Its high reusability and rapid restoration make it a good choice for the experimental analysis of malicious programs described above. However, as virus writers have paid more attention to and studied virtual operating environments, a new kind of malicious program has appeared that detects the virtual environment and hides its own characteristics while running in it, so as to avoid discovery by computer security software. From the perspective of security software, this undoubtedly creates an obstacle to security detection work.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide an anti-detection method and apparatus for a virtual machine system that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, an anti-detection method for a virtual machine system is provided, comprising:
obtaining feature information in the current virtual machine system whose values differ from those in the real system operating environment;
modifying the values of said feature information in the current virtual machine system to the same values as in the real system operating environment;
when a request to query the feature information in the current virtual machine system is received, returning the modified values, so that the query result in the virtual machine system is the same as the query result in the real system operating environment.
Optionally, the feature information comprises one or any combination of the following:
return values of communication instructions between the virtual system and the real system;
registry configuration information in the virtual system;
representative files in the virtual system;
process information in the virtual system;
the difference in running time of a specific program between the virtual system and the real system;
media access control (MAC) address information of network devices in the virtual system;
network card information in the virtual system;
system device information in the virtual system.
Optionally, modifying the values of said feature information in the current virtual machine system to the same values as in the real system operating environment comprises:
modifying, in the real system operating environment, the return values of the communication instructions between the virtual system and the real system;
modifying, in the virtual machine system, the values of one or more of the registry configuration information, representative files, process information, running time difference, network card information and system device information in the virtual system.
Optionally, the return values of the communication instructions between the virtual system and the real system comprise the return value of the backdoor IN instruction;
and modifying the values of said feature information in the current virtual machine system to the same values as in the real system operating environment comprises:
modifying the return value of the IN instruction in the virtual machine system to a specific type of exception information.
Optionally, the return values of the communication instructions between the virtual system and the real system comprise the base address of the interrupt descriptor table (IDT);
and modifying the values of said feature information in the current virtual machine system to the same values as in the real system operating environment comprises:
modifying the first byte of the IDT base address in the virtual machine system to a value less than 0xD0.
Optionally, the return values of the communication instructions between the virtual system and the real system comprise the base address of the local descriptor table (LDT) and the base address of the global descriptor table (GDT);
and modifying the values of said feature information in the current virtual machine system to the same values as in the real system operating environment comprises:
modifying the LDT base address in the virtual machine system to 0x0000;
modifying the first byte of the GDT base address in the virtual machine system to a value other than 0xFF.
Optionally, the return values of the communication instructions between the virtual system and the real system comprise the return value of the STR instruction;
and modifying the values of said feature information in the current virtual machine system to the same values as in the real system operating environment comprises:
modifying the first two bytes of the return value of the STR instruction in the virtual machine system to a value other than 0x0040.
Optionally, if the feature information is registry configuration information in the virtual system, modifying the values of said feature information in the current virtual machine system to the same values as in the real system operating environment comprises:
replacing the virtual-machine-related keywords contained in the registry configuration information of the virtual machine system with preset strings unrelated to virtual machines, wherein the registry configuration information comprises registry keys and/or values.
Optionally, if the feature information is a representative file, process information, network card information or system device information in the virtual system, modifying the values of said feature information in the current virtual machine system to the same values as in the real system operating environment comprises:
deleting the virtual-machine-related keywords contained in the representative file path, process information, network card information or system device information, or modifying them to strings unrelated to virtual machines.
Optionally, if the feature information is a MAC address in the virtual system, modifying the values of said feature information in the current virtual machine system to the same values as in the real system operating environment comprises:
modifying the prefix of the MAC address in the virtual machine system to one that is not 00-05-69, not 00-0C-29 and not 00-50-56.
Optionally, if the feature information is the difference in running time of a specific program between the virtual system and the real system, modifying the values of said feature information in the current virtual machine system to the same values as in the real system operating environment comprises:
modifying the time value returned when a given detection program runs in the virtual machine system to a preset fixed value, the fixed value being determined from the time the detection program takes when run in a real system.
According to another aspect of the present invention, an anti-detection apparatus for a virtual machine system is provided, comprising:
a feature information acquisition unit, configured to obtain feature information in the current virtual machine system whose values differ from those in the real system operating environment;
a feature information modification unit, configured to modify the values of said feature information in the current virtual machine system to the same values as in the real system operating environment;
a feature information return unit, configured to return the modified values when a request to query the feature information in the current virtual machine system is received, so that the query result in the virtual machine system is the same as the query result in the real system operating environment.
Optionally, the feature information comprises one or any combination of the following:
return values of communication instructions between the virtual system and the real system;
registry configuration information in the virtual system;
representative files in the virtual system;
process information in the virtual system;
the difference in running time of a specific program between the virtual system and the real system;
media access control (MAC) address information of network devices in the virtual system;
network card information in the virtual system;
system device information in the virtual system.
Optionally, the feature information modification unit comprises:
a first modification sub-unit, configured to modify, in the real system operating environment, the return values of the communication instructions between the virtual system and the real system;
a second modification sub-unit, configured to modify, in the virtual machine system, the values of one or more of the registry configuration information, representative files, process information, running time difference, network card information and system device information in the virtual system.
Optionally, the return values of the communication instructions between the virtual system and the real system comprise the return value of the backdoor IN instruction;
and the feature information modification unit is specifically configured to:
modify the return value of the IN instruction in the virtual machine system to a specific type of exception information.
Optionally, the return values of the communication instructions between the virtual system and the real system comprise the base address of the interrupt descriptor table (IDT);
and the feature information modification unit is specifically configured to:
modify the first byte of the IDT base address in the virtual machine system to a value less than 0xD0.
Optionally, the return values of the communication instructions between the virtual system and the real system comprise the base address of the local descriptor table (LDT) and the base address of the global descriptor table (GDT);
and the feature information modification unit is specifically configured to:
modify the LDT base address in the virtual machine system to 0x0000;
modify the first byte of the GDT base address in the virtual machine system to a value other than 0xFF.
Optionally, the return values of the communication instructions between the virtual system and the real system comprise the return value of the STR instruction;
and the feature information modification unit is specifically configured to:
modify the first two bytes of the return value of the STR instruction in the virtual machine system to a value other than 0x0040.
Optionally, if the distinguishing feature information in the current virtual machine system that differs from the real system operating environment is registry configuration information in the virtual system, the feature information modification unit is specifically configured to:
replace the virtual-machine-related keywords contained in the registry configuration information of the virtual machine system with preset strings unrelated to virtual machines, wherein the registry configuration information comprises registry keys and/or values.
Optionally, if the distinguishing feature information in the current virtual machine system that differs from the real system operating environment is a representative file, process information, network card information or system device information in the virtual system, the feature information modification unit is specifically configured to:
delete the virtual-machine-related keywords contained in the representative file path, process information, network card information or system device information, or modify them to strings unrelated to virtual machines.
Optionally, if the distinguishing feature information in the current virtual machine system that differs from the real system operating environment is a MAC address in the virtual system, the feature information modification unit is specifically configured to:
modify the prefix of the MAC address in the virtual machine system to one that is not 00-05-69, not 00-0C-29 and not 00-50-56.
Optionally, if the distinguishing feature information in the current virtual machine system that differs from the real system operating environment is the difference in running time of a specific program between the virtual system and the real system, the feature information modification unit is specifically configured to:
modify the time value returned when a given detection program runs in the virtual machine system to a preset fixed value, the fixed value being determined from the time the detection program takes when run in a real system.
With the anti-detection method and apparatus for a virtual machine system of the present invention, the feature information in the virtual machine system whose values differ from those in a real system can be modified, so that when a virtual machine detection tool performs its detection by querying this feature information, the query results it obtains are the same as in a real system. The detection performed by the virtual machine detection tool is thereby defeated, achieving the purpose of virtual machine anti-detection. A malicious program running in the virtual machine consequently will not deliberately hide its characteristics, and it can be discovered from the malicious characteristics it exhibits.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the contents of the description, and in order to make the above and other objects, features and advantages of the present invention more apparent and comprehensible, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are provided only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same reference signs denote the same parts. In the drawings:
Fig. 1 shows a flowchart of a method according to one embodiment of the present invention;
Fig. 2 shows a schematic diagram of an apparatus according to one embodiment of the present invention; and
Fig. 3 shows a schematic diagram of a system according to one embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Referring to Fig. 1, an embodiment of the present invention provides an anti-detection method for a virtual machine system, which may comprise the following steps:
S101: obtain feature information in the current virtual machine system whose values differ from those in the real system operating environment;
Here the so-called real system operating environment, which may also be called the real host operating environment, is defined relative to the virtual machine system: it is an operating environment made up of real computer software and hardware. The virtual machine system can be regarded as an application program running in the real system operating environment; by simulating the software and hardware of the real system, this application constructs another, closed system that runs inside the real one. Ideally, programs running in the virtual machine system would behave no differently from the same programs running in the real system. However, the software and hardware devices in the virtual machine system are, after all, simulated: the virtual machine's network card, for example, does not exist as a physical card, its functions are merely simulated by a program, and so on. Since it is a simulation, some aspects are generally bound to be simulated incompletely, so that the virtual machine system contains certain feature information whose values differ from those in the real system. Some virtual machine detection tools determine whether the current operating environment is a real system or a virtual machine system precisely by examining the values of such feature information. In the embodiment of the present invention, therefore, this feature information present in the current virtual machine system is first obtained, and its values are then modified to agree with the values in the real system. When a virtual machine detection tool needs to examine the values of this feature information, the modified values can be returned, so that the returned values are the same as those returned in a real system and the detection tool is defeated.
It should be noted that although different computers each have their own real system operating environment, and the virtual machine systems running on them each simulate their own real system environment, the ways in which a virtual machine system simulates the real system incompletely are fairly generic. That is, if a virtual machine system simulates some item of feature information incompletely, other virtual machine systems will usually simulate that item incompletely as well, and the value of a given item of feature information in different real system environments is generally the same or shares the same properties. In a concrete implementation, therefore, the feature information that virtual machine systems may simulate incompletely can be collected in advance: multiple virtual machine systems are analysed, for example manually, to find which items of feature information are generally simulated incompletely, and from this a list of feature information is generated or the feature information is stored in a file, a database or a similar form. At the same time, the values of this feature information in a real system environment can be stored. For the virtual machine system currently being processed, the stored feature information can then be polled: the value of each item is read from the current virtual machine system and compared with the stored value for the real system environment. If they are the same, the current virtual machine system simulates that item completely; if they differ, the simulation of that item is incomplete, and the item belongs to the feature information in the current virtual machine system whose values differ from the real system operating environment. In other words, for the current virtual machine system, the feature information whose values differ from the real system operating environment is generally a subset of the stored set of feature information.
Of course, in practice the feature information whose values may differ from the real system need not be collected in advance. For example, the values of various items of information can be obtained directly in the current virtual machine environment and in the current real operating environment and compared; where they differ, the item can be extracted as feature information in the current virtual machine system whose value differs from the real system operating environment, and its value in the real system is recorded at the same time.
S102: modify the values of said feature information in the current virtual machine system to the same values as in the real system operating environment;
Because the values of the individual items of feature information in the real system operating environment have been stored in advance, or can be obtained in real time from the current real system environment, once feature information whose value differs from the real system operating environment has been found, its value in the virtual machine system can be modified to match the value in the real system.
It should be noted that in the embodiment of the present invention the value of an item of feature information in the real system may be a specific number or string, or it may be a range of values, and so on. When the values of feature information in the virtual machine system are modified, "modifying to the same value as in the real system" may therefore mean setting the value of an item equal to a particular number or string, or setting it to a value within a particular range, and so on; this is described in detail in the specific examples below.
S103: when a request to query the feature information in the current virtual machine system is received, return the modified values, so that the query result in the virtual machine system is the same as the query result in the real system operating environment.
Because the values of the feature information in the virtual machine environment have already been modified, the modified values can be returned to the querying party when a request for those values is received. Since the modified values are the same as the values in the real system, the query result the querying party obtains in the virtual machine system is the same as the result in the real system operating environment, so the querying party cannot learn from this query that the current environment is a virtual machine system, and anti-detection of the virtual machine system is achieved.
In other words, the feature information in the current virtual machine system whose values differ from the real system operating environment may be the feature information commonly used by virtual machine detection tools, for example one or any combination of the following: return values of communication instructions between the virtual system and the real system, registry configuration information in the virtual system, representative files in the virtual system, process information in the virtual system, the difference in running time of a specific program between the virtual system and the real system, MAC address information of network devices in the virtual system, network card information in the virtual system, system device information in the virtual system, and so on. The return values of communication instructions between the virtual system and the real system may include the return value of the backdoor IN instruction, the base address of the interrupt descriptor table (IDT), the base addresses of the local descriptor table (LDT) and global descriptor table (GDT), and the return value of the STR instruction; these values are modified in the real machine's operating environment, whereas the other feature information listed above is modified inside the virtual machine system.
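As an added example (not the patent's own code), the three steps S101 to S103 as a sandbox self-audit in Python: a pre-saved feature list holding the real-host values the page gives, a poll of a constructed guest inventory, the rewrite of every differing value, and the answer a later query receives. The keyword pattern, the replacement string, the neutral MAC prefix, the top byte 0x80, the selector 0x0028 and the 7 ms timing value are assumptions of this example, not values from the page.

```python
"""Sandbox self-audit following steps S101-S103 of the method described above.
Added example, not code from the patent; every inventory value is constructed."""
import copy
import re
from dataclasses import dataclass
from typing import Any, Callable

# VMware NIC prefixes named on the page; a guest showing one of them is exposed.
VMWARE_MAC_PREFIXES = ("00-05-69", "00-0C-29", "00-50-56")
# Everything below this line is an assumption of the example, not from the page.
VM_KEYWORDS = re.compile(r"vmware|vmtoolsd|vmx|vbox|virtualbox", re.IGNORECASE)
NEUTRAL_STRING = "Standard"          # preset string that replaces VM keywords
NEUTRAL_MAC_PREFIX = "02-00-00"      # locally administered prefix, no vendor claim
REAL_HOST_PROBE_MS = 7               # preset fixed timing value for the probe
REAL_HIGH_BYTE = 0x80                # plausible top byte of a real IDT/GDT base
REAL_STR_SELECTOR = 0x0028           # a task register value other than 0x0040
IN_EXCEPTION = "EXCEPTION_PRIV_INSTRUCTION"   # label for the real-host fault


def _high_byte(addr: int) -> int:
    """'First byte' of a 32-bit base address as the page's checks read it."""
    return (addr >> 24) & 0xFF


def _with_high_byte(addr: int, byte: int) -> int:
    return (addr & 0x00FFFFFF) | (byte << 24)


def _scrub(text: str) -> str:
    return VM_KEYWORDS.sub(NEUTRAL_STRING, text)


@dataclass(frozen=True)
class FeatureCheck:
    name: str
    looks_real: Callable[[Any], bool]   # True when the value matches a real host
    make_real: Callable[[Any], Any]     # rewrite rule applied when it does not


# Pre-saved feature list (polled in S101): the checks the page enumerates with
# the real-host value or range for each one.
FEATURE_CHECKS = [
    FeatureCheck("in_backdoor", lambda v: v == IN_EXCEPTION, lambda v: IN_EXCEPTION),
    FeatureCheck("idt_base", lambda v: _high_byte(v) < 0xD0,
                 lambda v: _with_high_byte(v, REAL_HIGH_BYTE)),
    FeatureCheck("ldt_base", lambda v: v == 0x0000, lambda v: 0x0000),
    FeatureCheck("gdt_base", lambda v: _high_byte(v) != 0xFF,
                 lambda v: _with_high_byte(v, REAL_HIGH_BYTE)),
    FeatureCheck("str_selector", lambda v: v != 0x0040, lambda v: REAL_STR_SELECTOR),
    FeatureCheck("mac", lambda v: not v.upper().startswith(VMWARE_MAC_PREFIXES),
                 lambda v: NEUTRAL_MAC_PREFIX + v[8:]),
    FeatureCheck("registry",
                 lambda d: not any(VM_KEYWORDS.search(k + v) for k, v in d.items()),
                 lambda d: {_scrub(k): _scrub(v) for k, v in d.items()}),
    FeatureCheck("processes", lambda xs: not any(VM_KEYWORDS.search(x) for x in xs),
                 lambda xs: [_scrub(x) for x in xs]),
    FeatureCheck("probe_ms", lambda v: v == REAL_HOST_PROBE_MS,
                 lambda v: REAL_HOST_PROBE_MS),
]


def find_differing_features(inventory: dict) -> list[str]:
    """S101: names of the features whose guest value does not match a real host."""
    return [c.name for c in FEATURE_CHECKS if not c.looks_real(inventory[c.name])]


def harden(inventory: dict) -> dict:
    """S102: return a copy in which every differing feature has been rewritten."""
    fixed = copy.deepcopy(inventory)
    for check in FEATURE_CHECKS:
        if not check.looks_real(fixed[check.name]):
            fixed[check.name] = check.make_real(fixed[check.name])
    return fixed


def answer_query(hardened: dict, feature: str) -> Any:
    """S103: the value a detection tool receives when it queries the feature."""
    return hardened[feature]


# Constructed sample guest inventory showing the tell-tales the page describes.
SAMPLE_GUEST = {
    "in_backdoor": "VMXH",              # version signature instead of a fault
    "idt_base": 0xFF401000,             # top byte 0xFF, not below 0xD0
    "ldt_base": 0xDEAD0000,             # non-zero LDT base
    "gdt_base": 0xFF000000,             # top byte 0xFF
    "str_selector": 0x0040,
    "mac": "00-0C-29-12-34-56",
    "registry": {"HKLM\\SAMPLE\\Disk\\Identifier": "VMware Disk Device"},
    "processes": ["explorer.exe", "vmtoolsd.exe"],
    "probe_ms": 95,                     # slow probe, unlike the real host
}

if __name__ == "__main__":
    print("exposed features:", find_differing_features(SAMPLE_GUEST))
    hardened = harden(SAMPLE_GUEST)
    print("still exposed after hardening:", find_differing_features(hardened))
    print("mac query now returns:", answer_query(hardened, "mac"))
```

The descriptor-table and STR entries are modelled as plain values here because, as the page notes, those are rewritten from the real machine's side rather than from inside the guest.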
The following describes in detail how the values of feature information are modified, taking in turn the feature information and detection methods that virtual machine detection tools commonly use.
Virtual machine detection method one: detecting a virtual machine by executing a privileged instruction
VMware (a virtual machine product) provides a communication mechanism between the real system and the virtual machine, commonly called the backdoor: the guest loads the magic value 0x564D5868 ('VMXh') into EAX, a command number into ECX and the backdoor port number 0x5658 into EDX, and executes the IN instruction to read that port. Because IN is a privileged I/O instruction, executing it on a real machine in protected mode raises an exception of type EXCEPTION_PRIV_INSTRUCTION (a general protection fault) unless the current privilege level permits port I/O; in a VMware guest no exception occurs, and the hypervisor services the call instead. With command number 0x0A (get VMware version) the hypervisor echoes the magic value 'VMXh' back in EBX (the version number itself is returned in EAX), and with command number 0x14 the amount of memory configured for the virtual machine is obtained. A detector therefore executes the IN instruction with these register values: if the instruction completes without an exception and EBX holds the magic value, the code is running in a virtual machine.
To counter this, the return value of the IN instruction in the virtual machine system is changed to the specific type of exception that a real system produces, so that when the guest executes this IN instruction it receives that exception instead of a backdoor reply, exactly as it would on a real system. Because the backdoor is implemented by the hypervisor, this change is made on the host side, not inside the guest. In this way the virtual machine is not detected, the malicious program running in it does not deliberately hide its behaviour, and it can be identified from the malicious characteristics it exhibits.
Virtual machine detection method two: detecting a virtual machine from the IDT (Interrupt Descriptor Table) base address
Detection via the IDT base address is a general method that applies to both VMware and Virtual PC. The IDT is the table the processor uses to locate the handler routine for each interrupt; it has 256 entries, one per interrupt vector. To read the IDT base address, the SIDT instruction is used to store the contents of IDTR (the interrupt descriptor table register, which holds the linear base address and limit of the IDT) to memory. SIDT is not a privileged instruction, so user-mode code can execute it; on processors and operating systems that enable UMIP (User-Mode Instruction Prevention) this no longer holds, and SIDT, SGDT, SLDT and STR either fault in user mode or are emulated by the kernel.
There is only one IDTR, but there are two operating systems, the virtual machine system and the real system. To avoid a conflict the VMM (virtual machine monitor) has to relocate the IDT that the virtual machine sees, and the difference between the result of SIDT on a real system and in a virtual machine environment can be used to detect whether a virtual machine is present. For example, on a VMware virtual machine the IDT base address is typically at 0xFFXXXXXX and on Virtual PC at 0xE8XXXXXX, whereas on a real system it is typically at 0x80XXXXXX. A detector therefore takes the most significant byte of the base address stored by SIDT (on a 32-bit system the sixth byte of the stored value, because the 16-bit limit comes first and the address follows in little-endian order) and compares it with 0xD0 (the 0x prefix marks hexadecimal notation, so the byte is compared with the value D0): if it is larger, the code is in a virtual machine, otherwise in a real system. This heuristic assumes a 32-bit guest kernel; on a 64-bit kernel every kernel address begins with 0xFF, so the comparison flags everything as virtual, and on a multi-core system each processor has its own IDT, so the result depends on which core the probe happens to run on.
Therefore, for virtual machine anti-detection, the most significant byte of the IDT base address in the virtual machine system is changed to a value below 0xD0, placing it in the same range as in a real system. When the virtual machine system then executes SIDT, the most significant byte of the stored base address is below 0xD0 and the system is not identified as a virtual machine. Since IDTR is virtualised by the hypervisor, this too is a host-side change.
Virtual machine detection method three: detection using the LDT (Local Descriptor Table) and GDT (Global Descriptor Table)
In protected mode, all memory accesses go through the GDT or the LDT. These tables contain segment descriptors. Each segment descriptor holds the base address, access rights, type and usage information of a segment, and each descriptor is addressed by a matching segment selector; a segment selector gives software a GDT or LDT index (the offset of the associated segment descriptor), a global/local flag (which determines whether the selector refers to the GDT or the LDT) and access rights information.
To access a byte within a segment, a segment selector and an offset must both be supplied. The segment selector identifies the segment's descriptor (in the GDT or LDT); from the descriptor the processor obtains the segment's base address in the linear address space, and the offset locates the byte relative to that base. Provided the processor may access the segment at the current privilege level (CPL, the protection level of the code segment currently executing), any valid code, data or stack segment in the GDT or LDT can be reached through this mechanism. The linear base address of the GDT is held in the GDT register (GDTR), and the LDT is identified by the LDT register (LDTR).
As with the IDT, the GDT and LDT seen by the virtual machine system cannot be identical to those of the real system, so the virtual machine has to provide "copies" of them. The GDT base address and the LDT value can be obtained with the SGDT and SLDT instructions (strictly, SLDT stores the 16-bit LDT segment selector rather than a base address; the text refers to this as the LDT base). Generally, when the LDT value is 0x0000 (only two bytes) the code is on a real system, otherwise in a virtual machine; and when the GDT base address lies at 0xFFXXXXXX the code is in a virtual machine, otherwise on a real host. The same caveats apply as for method two: the GDT range was observed on 32-bit guests, and UMIP may prevent user-mode execution of SGDT and SLDT.
Therefore, for virtual machine anti-detection, the LDT value in the virtual machine system is set to 0x0000 and the most significant byte of the GDT base address is changed to a value other than 0xFF, so that both fall in the same ranges as in a real system. When the virtual machine system then executes SGDT and SLDT, the stored values match those of a real system and the system is not identified as a virtual machine; the malicious program running in it does not deliberately hide its behaviour and can be identified from the malicious characteristics it exhibits.
Virtual machine detection method four: detection based on STR (Store Task Register)
When programs running in protected mode switch tasks, the segment selector that points to the TSS (Task State Segment) of the current task is held in the task register. The TSS contains the execution state of the task, including the general registers, segment registers, flags register, EIP and so on; when the task is executed again, the processor restores the state it saved. Each task has its own TSS, and the STR instruction retrieves the selector of the current task's TSS: it stores the segment selector held in TR (the Task Register) to the destination operand, which may be a general-purpose register or a memory location, and that selector refers to the TSS of the task currently running. The value read by STR differs between a virtual machine and a real system: when the stored value begins with the bytes 0x00 0x40 (written as 0x0040xxxx above, that is, selector 0x4000 in little-endian order) the code is in a virtual machine, otherwise on a real system.
Therefore, for virtual machine anti-detection, the first two bytes of the value stored by STR in the virtual machine system are changed to something other than 0x00 0x40, so that when STR is executed in the virtual machine system its result matches the value on a real system and the system is not identified as a virtual machine.
Virtual machine detection method five: detecting a virtual machine from the registry
Windows virtual machines usually have VMware Tools and various virtual hardware installed (network adapters, a virtual printer, a USB hub and so on), all of which create Windows registry entries that any program can read, so the presence of certain key strings in the registry can be used to decide whether a program is running in a virtual machine. The locations of these entries can be found by searching the registry for the keyword "vmware"; for example, the entries below were found in a Windows XP guest running under VMware, as shown in Table 1:
Table 1
Therefore, for virtual machine anti-detection, the virtual-machine-related keywords contained in the registry configuration information of the virtual machine system are replaced with preset strings that have nothing to do with virtual machines, where the registry configuration information includes registry keys and/or values. When the virtual machine system then receives an instruction to query such registry configuration information, the returned value no longer contains any virtual-machine-related keyword, and the system is not identified as a virtual machine.
Virtual machine detection method six: detection based on a time difference
This method runs a specific piece of code and compares its relative running time in a virtual machine and on a real host to decide whether it is in a virtual machine. The measurement can be implemented with the RDTSC instruction, which stores the number of processor clock cycles elapsed since the machine was started into EDX:EAX, EDX holding the high 32 bits and EAX the low 32 bits. Taking the single instruction xchg ecx, eax as an example, on a particular real host running Windows 7 it took 0x0000001E cycles, whereas in a Windows XP virtual machine it took 0x00000442 cycles. The two differ greatly because the virtual machine runs far slower than the real system, and in general a measured time above 0xFF indicates a virtual machine. The threshold is empirical: it depends on the processor, on what else is running, and on whether the hypervisor traps the timed instruction at all.
Therefore, for virtual machine anti-detection, the time value returned when a detection program runs in the virtual machine system is replaced with a preset fixed value, so that when an instruction to run such a program is received, the reported elapsed time is that fixed value rather than the time the program actually took; the fixed value can be determined from the time the detection program takes to run on a real system.
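The probes below are an added example written for this page, not code from the patent and not VMware's. They implement detection methods one to four and six as they are described above: the backdoor IN call with the fault it raises on a real machine caught by a signal handler, SIDT/SGDT/SLDT/STR reads, and an RDTSC timing of the page's xchg ecx, eax. The decision rules are pure functions over the raw values, so they can be checked without a hypervisor. The magic value, port and command numbers are VMware's backdoor constants; the thresholds are those stated above; the guarded execution assumes Linux and GCC inline assembly (sigaction, sigsetjmp). Every value these probes see is produced by the hypervisor, which is why the countermeasures for methods one to four have to be applied on the host side.

```c
/* vmprobe.c: added example, not the patent's own code. Probes for detection methods one to
 * four and six, with the decision logic kept in pure functions over the raw register
 * contents so it can be tested on any host. Build on Linux/x86: cc -o vmprobe vmprobe.c */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <setjmp.h>
#include <signal.h>

#define VMWARE_MAGIC 0x564D5868u      /* 'VMXh': placed in EAX, echoed in EBX on success */
#define VMWARE_PORT  0x5658u          /* 'VX': the backdoor I/O port read by IN          */
#define BDOOR_CMD_GETVERSION 0x0Au

/* ---- decision helpers: pure functions over values the probes return ------------------- */
int backdoor_reply_is_vmware(uint32_t ebx_after_in) { return ebx_after_in == VMWARE_MAGIC; }
/* Red Pill: 32-bit guests see the IDT at 0xFFxxxxxx (VMware) / 0xE8xxxxxx (Virtual PC),
 * bare metal at 0x80xxxxxx. Meaningless on 64-bit kernels, where every address is 0xFFFF... */
int idt_base_looks_virtual(uint32_t idt_base32) { return (idt_base32 >> 24) > 0xD0u; }
int gdt_base_looks_virtual(uint32_t gdt_base32) { return (gdt_base32 >> 24) == 0xFFu; }
int ldt_looks_virtual(uint16_t ldt_selector)    { return ldt_selector != 0; }
/* STR stores a 16-bit selector; the page's "0x0040xxxx" means bytes 00 40, selector 0x4000 */
int str_looks_virtual(const uint8_t str_bytes[2]) { return str_bytes[0] == 0x00 && str_bytes[1] == 0x40; }
/* method six: cycles for one probe instruction, threshold taken from the page (0xFF) */
int timing_looks_virtual(uint64_t cycles) { return cycles > 0xFFu; }

/* base field of a SIDT/SGDT result: 16-bit limit first, then the little-endian base */
uint64_t dtr_base(const uint8_t *dtr, int base_bytes) {
    uint64_t base = 0;
    for (int i = base_bytes - 1; i >= 0; i--) base = (base << 8) | dtr[2 + i];
    return base;
}

/* ---- probes: run an instruction, catching the #GP that IN raises outside a VMware guest ---- */
static sigjmp_buf fault_jb;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jb, 1); }

/* Runs fn(arg) with SIGSEGV/SIGILL trapped; returns 1 if it completed, 0 if it faulted. */
static int run_guarded(void (*fn)(void *), void *arg) {
    struct sigaction sa, old_segv, old_ill;
    int completed = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);
    if (sigsetjmp(fault_jb, 1) == 0) { fn(arg); completed = 1; }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return completed;
}

#if defined(__i386__) || defined(__x86_64__)
struct dtr_buf { uint8_t b[16]; };
static void do_backdoor(void *out) {
    uint32_t eax = VMWARE_MAGIC, ebx = 0, ecx = BDOOR_CMD_GETVERSION, edx = VMWARE_PORT;
    __asm__ volatile("inl %%dx, %%eax" : "+a"(eax), "+b"(ebx), "+c"(ecx) : "d"(edx) : "memory");
    *(uint32_t *)out = ebx;
}
static void do_sidt(void *out) { __asm__ volatile("sidt %0" : "=m"(*(struct dtr_buf *)out)); }
static void do_sgdt(void *out) { __asm__ volatile("sgdt %0" : "=m"(*(struct dtr_buf *)out)); }
static void do_sldt(void *out) { __asm__ volatile("sldt %0" : "=m"(*(uint16_t *)out)); }
static void do_str(void *out)  { __asm__ volatile("str %0"  : "=m"(*(uint16_t *)out)); }
static void do_rdtsc_probe(void *out) {          /* cycles around the page's xchg ecx, eax */
    uint32_t lo1, hi1, lo2, hi2;
    __asm__ volatile("rdtsc" : "=a"(lo1), "=d"(hi1));
    __asm__ volatile("xchg %%ecx, %%eax" ::: "eax", "ecx");
    __asm__ volatile("rdtsc" : "=a"(lo2), "=d"(hi2));
    *(uint64_t *)out = (((uint64_t)hi2 << 32) | lo2) - (((uint64_t)hi1 << 32) | lo1);
}
#endif

/* 1 = VMware backdoor answered, 0 = IN faulted (bare metal or another hypervisor), -1 = not x86 */
int vmware_backdoor_present(void) {
#if defined(__i386__) || defined(__x86_64__)
    uint32_t ebx = 0;
    return run_guarded(do_backdoor, &ebx) ? backdoor_reply_is_vmware(ebx) : 0;
#else
    return -1;
#endif
}

int main(void) {
#if defined(__i386__) || defined(__x86_64__)
    struct dtr_buf idt = {{0}}, gdt = {{0}};
    uint16_t ldt = 0, tr = 0;
    uint64_t cycles = 0;
    int nb = (int)sizeof(void *);                 /* 4-byte base on i386, 8-byte on x86-64 */
    printf("backdoor IN : %d\n", vmware_backdoor_present());
    if (run_guarded(do_sidt, &idt)) printf("IDT base    : 0x%llx\n", (unsigned long long)dtr_base(idt.b, nb));
    if (run_guarded(do_sgdt, &gdt)) printf("GDT base    : 0x%llx\n", (unsigned long long)dtr_base(gdt.b, nb));
    if (run_guarded(do_sldt, &ldt)) printf("LDT sel     : 0x%04x virtual=%d\n", ldt, ldt_looks_virtual(ldt));
    if (run_guarded(do_str, &tr))   printf("TR sel      : 0x%04x virtual=%d\n", tr, str_looks_virtual((uint8_t *)&tr));
    if (run_guarded(do_rdtsc_probe, &cycles))
        printf("xchg cycles : %llu virtual=%d\n", (unsigned long long)cycles, timing_looks_virtual(cycles));
#else
    puts("probes need x86");
#endif
    return 0;
}
```

On a 64-bit kernel the IDT and GDT helpers are deliberately not applied to the live values, since the page's ranges only hold for 32-bit guests; on a UMIP-enabled system SLDT and STR fault in user mode and run_guarded reports them as not completed rather than crashing. The backdoor probe is the one whose outcome is decisive on its own: a real machine (or any non-VMware hypervisor) delivers the exception, a VMware guest echoes the magic.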
Virtual machine detection method seven: detecting a virtual machine from virtual hardware fingerprints
Virtual hardware fingerprints can also reveal a virtual machine. For example, the MAC addresses of VMware's default network adapters begin with 00-05-69, 00-0C-29 or 00-50-56; these first three octets are the OUI (Organizationally Unique Identifier) assigned to VMware and used for its virtual adapters, and they differ from the MAC addresses found in a real system environment. If a check finds that a MAC address begins with 00-05-69, 00-0C-29 or 00-50-56, the code is in a virtual machine system.
Therefore, for virtual machine anti-detection, the MAC address prefix in the virtual machine system is changed to a value other than 00-05-69, 00-0C-29 and 00-50-56 (00-1C-14 is also registered to VMware and should be treated the same way). When the virtual machine system then receives an instruction to query its MAC address, the returned value no longer carries a virtual-machine characteristic and the system is not identified as a virtual machine.
In addition, virtual machine detection tools may query representative files, process information, network adapter information or system device information for virtual-machine-related keywords. Some files exist only in a virtual machine and carry a virtual-machine-specific marker in their names, for example C:\Program Files\VMware\VMware Tools\vmtoolsd.exe; some processes likewise exist only in a virtual machine and carry such a marker, for example vmtoolsd.exe; the network adapter in a virtual machine carries a virtual-machine-specific identifier, for example Model Number: VMware, VMware Virtual S1.0; and system devices in a virtual machine may carry one too, for example \\.\DISPLAY1 VMware SVGA II, VMware, VMware Virtual S SCSI Disk Device, VMware VMCI Bus Device and so on. Therefore, for virtual machine anti-detection, the virtual-machine-related keywords contained in the values of representative file paths, process information, network adapter information or system device information in the virtual machine system are deleted or changed to strings unrelated to virtual machines. When the virtual machine system then receives an instruction to query this information, the returned values no longer carry any virtual-machine characteristic and the system is not identified as a virtual machine.
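The following is an added example for this page (not the patent's or VMware's code) of the string-based side of methods five and seven and of the file, process and device-name checks just described: it finds the VMware markers named above in a value and rewrites them in place, and it recognises and rewrites a VMware OUI in a MAC address. Two design choices are assumptions of this example rather than anything the text specifies: replacements are the same length as the marker they replace, so a registry value or device-name buffer keeps its size, and the placeholder tokens ("vendor", "svcagent", "pcib") and the replacement OUI are arbitrary. The fourth OUI, 00-1C-14, is added from VMware's OUI registrations, not from the text.

```c
/* vmscrub.c: added example, not the patent's own code. The string side of methods five and
 * seven and of the file/process/device checks: find VMware markers in a value and rewrite it
 * in place with same-length placeholders, so a REG_SZ or device-name buffer keeps its size.
 * The placeholder tokens are arbitrary choices made for this example.                      */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* marker -> same-length neutral replacement (lengths are verified at run time) */
static const struct { const char *marker, *neutral; } SCRUB_TABLE[] = {
    { "vmtoolsd", "svcagent" },   /* VMware Tools process / file name   */
    { "vmware",   "vendor"   },   /* registry keys, device names, paths */
    { "vmci",     "pcib"     },   /* "VMware VMCI Bus Device"           */
};

/* case-insensitive search; returns a pointer to the match in hay, or NULL */
static char *find_nocase(char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (char *p = hay; *p; p++) {
        size_t i = 0;
        while (i < n && p[i] && tolower((unsigned char)p[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return p;
    }
    return NULL;
}

/* Rewrites every marker in s; returns the number of replacements, -1 if the table is bad */
int scrub_vm_markers(char *s) {
    int count = 0;
    for (size_t t = 0; t < sizeof SCRUB_TABLE / sizeof SCRUB_TABLE[0]; t++) {
        const char *m = SCRUB_TABLE[t].marker;
        size_t n = strlen(m);
        if (n != strlen(SCRUB_TABLE[t].neutral)) return -1;
        for (char *p = find_nocase(s, m); p; p = find_nocase(p + n, m)) {
            memcpy(p, SCRUB_TABLE[t].neutral, n);   /* equal length: no shifting, no realloc */
            count++;
        }
    }
    return count;
}

/* method seven: the three OUIs listed on the page plus 00-1C-14, also registered to VMware */
static const unsigned char VMWARE_OUIS[][3] = {
    {0x00, 0x05, 0x69}, {0x00, 0x0C, 0x29}, {0x00, 0x50, 0x56}, {0x00, 0x1C, 0x14}
};

/* parses "aa-bb-cc-dd-ee-ff" or "aa:bb:cc:dd:ee:ff"; returns 0 on malformed input */
static int parse_mac(const char *s, unsigned char out[6]) {
    for (int i = 0; i < 6; i++) {
        unsigned v; int used = 0;
        if (sscanf(s, "%2x%n", &v, &used) != 1 || used != 2) return 0;
        out[i] = (unsigned char)v;
        s += 2;
        if (i < 5) { if (*s != '-' && *s != ':') return 0; s++; }
    }
    return *s == '\0';
}

int mac_oui_is_vmware(const char *mac) {
    unsigned char b[6];
    if (!parse_mac(mac, b)) return 0;
    for (size_t i = 0; i < sizeof VMWARE_OUIS / sizeof VMWARE_OUIS[0]; i++)
        if (memcmp(b, VMWARE_OUIS[i], 3) == 0) return 1;
    return 0;
}

/* Overwrites the OUI (first three octets) of mac in place, keeping its separators;
 * returns 0 and leaves mac untouched if it is malformed. */
int rewrite_mac_oui(char *mac, const unsigned char new_oui[3]) {
    static const char HEX[] = "0123456789ABCDEF";
    unsigned char b[6];
    if (!parse_mac(mac, b)) return 0;
    for (int i = 0; i < 3; i++) {
        mac[3 * i]     = HEX[new_oui[i] >> 4];
        mac[3 * i + 1] = HEX[new_oui[i] & 0x0F];
    }
    return 1;
}

int main(void) {
    char dev[] = "VMware, VMware Virtual S SCSI Disk Device";   /* constructed sample value */
    char mac[] = "00-0C-29-3A-2B-1C";                            /* constructed sample MAC   */
    const unsigned char new_oui[3] = {0x02, 0x11, 0x22};        /* arbitrary example prefix */
    printf("%d replaced -> %s\n", scrub_vm_markers(dev), dev);
    printf("%s vmware=%d\n", mac, mac_oui_is_vmware(mac));
    rewrite_mac_oui(mac, new_oui);
    printf("%s vmware=%d\n", mac, mac_oui_is_vmware(mac));
    return 0;
}
```

Keyword substitution only defeats a detector that matches the keywords in the table; any replacement prefix or token has to be consistent across every place the same device is named (registry, PnP device IDs, WMI), or the inconsistency itself becomes a fingerprint.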
In summary, in the embodiments of the present invention, the feature information whose values in the virtual machine system differ from those in a real system can be modified, so that when a virtual machine detection tool queries this feature information it obtains the same result as it would in a real system. This achieves anti-detection of the virtual machine: a malicious program running in the virtual machine does not deliberately hide its characteristics, and it can be identified from the malicious characteristics it exhibits.
Corresponding to the anti-detection method for a virtual machine system provided by the embodiments of the present invention, the embodiments also provide an anti-detection device for a virtual machine system. Referring to FIG. 2, the device may include:
a feature information acquisition unit 201, configured to acquire feature information of the current virtual machine system whose values differ from those in a real system running environment;
a feature information modification unit 202, configured to modify the values of said feature information in the current virtual machine system to the same values as in the real system running environment; and
a feature information return unit 203, configured to return the modified values when a request to query feature information of the current virtual machine system is received, so that the query result in the virtual machine system is the same as the query result in the real system running environment.
The feature information includes one or any combination of the following:
the return values of communication instructions between the virtual system and the real system;
registry configuration information in the virtual system;
representative files in the virtual system;
process information in the virtual system;
the difference in running time of a specific program between the virtual system and the real system;
the MAC address of a network device in the virtual system;
network adapter information in the virtual system;
system device information in the virtual system.
In practice, the feature information modification unit 202 may include:
a first modification sub-unit, configured to modify, in the real system running environment, the values of the return values of communication instructions between the virtual system and the real system; and
a second modification sub-unit, configured to modify, inside the virtual machine system, the values of one or more of the registry configuration information, representative files, process information, running time difference, network adapter information and system device information of the virtual system.
Where the return values of communication instructions between the virtual system and the real system include the return value of the backdoor IN instruction,
the feature information modification unit 202 is specifically configured to:
modify the return value of the IN instruction in the virtual machine system to a specific type of exception.
Where the return values of communication instructions between the virtual system and the real system include the interrupt descriptor table (IDT) base address,
the feature information modification unit 202 is specifically configured to:
modify the most significant byte of the IDT base address in the virtual machine system to a value below 0xD0.
Where the return values of communication instructions between the virtual system and the real system include the local descriptor table (LDT) base address and the global descriptor table (GDT) base address,
the feature information modification unit 202 is specifically configured to:
modify the LDT base address in the virtual machine system to 0x0000; and
modify the most significant byte of the GDT base address in the virtual machine system to a value other than 0xFF.
Where the return values of communication instructions between the virtual system and the real system include the return value of the STR instruction,
the feature information modification unit 202 is specifically configured to:
modify the first two bytes of the return value of the STR instruction in the virtual machine system to a value other than 0x00 0x40.
Where the distinguishing feature information of the current virtual machine system that differs from the real system running environment is registry configuration information in the virtual system, the feature information modification unit 202 is specifically configured to:
replace the virtual-machine-related keywords contained in the registry configuration information of the virtual machine system with preset strings unrelated to virtual machines, where the registry configuration information includes registry keys and/or values.
Where the distinguishing feature information of the current virtual machine system that differs from the real system running environment is representative files, process information, network adapter information or system device information in the virtual system, the feature information modification unit 202 is specifically configured to:
delete the virtual-machine-related keywords contained in the values of said representative file paths, process information, network adapter information or system device information, or change them to strings unrelated to virtual machines.
Where the distinguishing feature information of the current virtual machine system that differs from the real system running environment is the MAC address in the virtual system, the feature information modification unit 202 is specifically configured to:
modify the MAC address prefix in the virtual machine system to a value that is not 00-05-69, not 00-0C-29 and not 00-50-56.
Where the distinguishing feature information of the current virtual machine system that differs from the real system running environment is the difference in running time of a specific program between the virtual system and the real system, the feature information modification unit 202 is specifically configured to:
modify the time value returned when a detection program runs in the virtual machine system to a preset fixed value, the fixed value being determined from the time the detection program takes to run on a real system.
Corresponding to the anti-detection method and device for a virtual machine system described above, the embodiments of the present invention further provide an anti-detection system for a virtual machine system. Referring to FIG. 3, it includes the anti-detection device 301 for the virtual machine system described above, a virtual machine system 302 and a real system 303, wherein:
after the virtual machine system 302 is started in the running environment of the real system 303, the anti-detection device 301 is started, so that its feature information acquisition unit 3011, feature information modification unit 3012 and feature information return unit 3013 modify the distinguishing feature information of the current virtual machine system that differs from the real system running environment and return the modified values to the detecting party, thereby preventing the detecting party from detecting that it is currently in a virtual machine system.
In summary, in the device and system provided by the embodiments of the present invention, the feature information whose values in the virtual machine system differ from those in a real system can be modified, so that when a virtual machine detection tool queries this feature information it obtains the same result as in a real system, achieving anti-detection of the virtual machine. A malicious program running in the virtual machine then does not deliberately hide its characteristics, and it can be identified from the malicious characteristics it exhibits.
在此提供的算法和显示不与任何特定计算机、虚拟系统或者其它设备固有相关。各种通用系统也可以与基于在此的示教一起使用。根据上面的描述,构造这类系统所要求的结构是显而易见的。此外,本发明也不针对任何特定编程语言。应当明白,可以利用各种编程语言实现在此描述的本发明的内容,并且上面对特定语言所做的描述是为了披露本发明的最佳实施方式。The algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other device. Various generic systems can also be used with the teachings based on this. The structure required to construct such a system is apparent from the above description. Furthermore, the present invention is not specific to any particular programming language. It should be understood that various programming languages can be used to implement the content of the present invention described herein, and the above description of specific languages is for disclosing the best mode of the present invention.
在此处所提供的说明书中,说明了大量具体细节。然而,能够理解,本发明的实施例可以在没有这些具体细节的情况下实践。在一些实例中,并未详细示出公知的方法、结构和技术,以便不模糊对本说明书的理解。In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure the understanding of this description.
类似地,应当理解,为了精简本公开并帮助理解各个发明方面中的一个或多个,在上面对本发明的示例性实施例的描述中,本发明的各个特征有时被一起分组到单个实施例、图、或者对其的描述中。然而,并不应将该公开的方法解释成反映如下意图:即所要求保护的本发明要求比在每个权利要求中所明确记载的特征更多的特征。更确切地说,如下面的权利要求书所反映的那样,发明方面在于少于前面公开的单个实施例的所有特征。因此,遵循具体实施方式的权利要求书由此明确地并入该具体实施方式,其中每个权利要求本身都作为本发明的单独实施例。Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, in order to streamline this disclosure and to facilitate an understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or its description. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules of the device in an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of the embodiments may be combined into one module, unit or component, and may further be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments but not in others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the anti-detection device for a virtual machine system according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.
The present application may be applied to computer systems/servers that can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with computer systems/servers include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, networked personal computers, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems.
A computer system/server may be described in the general context of computer-system-executable instructions, such as program modules, executed by the computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and the like that perform particular tasks or implement particular abstract data types. The computer system/server may be practised in distributed cloud computing environments where tasks are performed by remote processing devices linked through a communications network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media, including storage devices.
This document discloses A1, an anti-detection method for a virtual machine system, comprising: obtaining feature information in the current virtual machine system whose value differs from the value it has in a real (physical) system running environment; modifying the value of that feature information in the current virtual machine system to the value it has in the real system running environment; and, when a request to query the feature information in the current virtual machine system is received, returning the modified value, so that the query result in the virtual machine system is the same as the query result in the real system running environment.
A2. The method of A1, wherein the feature information includes one or any combination of: the return value of a communication instruction between the virtual system and the real system; registry configuration information in the virtual system; representative files in the virtual system; process information in the virtual system; the difference in running time of a specific program between the virtual system and the real system; network device Media Access Control (MAC) address information in the virtual system; network card (NIC) information in the virtual system; and system device information in the virtual system.
A3. The method of A2, wherein modifying the value of the feature information in the current virtual machine system to the value it has in the real system running environment includes: modifying, in the real system running environment (that is, outside the guest), the return value of the communication instruction between the virtual system and the real system; and modifying, inside the virtual machine system, one or more of the registry configuration information, representative files, process information, running time difference, NIC information and system device information of the virtual system.
A4. The method of A2 or A3, wherein the return value of the communication instruction between the virtual system and the real system includes the return value of the backdoor IN instruction, and the modification includes changing the return value of the IN instruction in the virtual machine system to a specific type of exception.
A5. The method of A2 or A3, wherein the return value of the communication instruction includes the base address of the interrupt descriptor table (IDT), and the modification includes changing the first (high-order) byte of the IDT base address in the virtual machine system to a value less than 0xD0.
A6. The method of A2 or A3, wherein the return value of the communication instruction includes the base address of the local descriptor table (LDT) and the base address of the global descriptor table (GDT), and the modification includes changing the LDT base address in the virtual machine system to 0x0000 and changing the first (high-order) byte of the GDT base address in the virtual machine system to a value other than 0xFF.
A7. The method of A2 or A3, wherein the return value of the communication instruction includes the return value of the STR instruction, and the modification includes changing the first two bytes of the return value of the STR instruction in the virtual machine system to a value other than 0x0040.
A8. The method of A2 or A3, wherein, if the feature information is registry configuration information of the virtual system, the modification includes replacing the virtual-machine-related keywords contained in the registry configuration information of the virtual machine system with a preset string unrelated to virtual machines; the registry configuration information includes registry keys and/or values.
A9. The method of A2 or A3, wherein, if the feature information is a representative file, process information, NIC information or system device information of the virtual system, the modification includes deleting the virtual-machine-related keywords contained in the representative file path, process information, NIC information or system device information, or changing them to strings unrelated to virtual machines.
A10. The method of A2 or A3, wherein, if the feature information is a MAC address in the virtual system, the modification includes changing the prefix of the MAC address in the virtual machine system to one that is not 00-05-69, not 00-0C-29 and not 00-50-56.
A11. The method of A2 or A3, wherein, if the feature information is the difference in running time of a specific program between the virtual system and the real system, the modification includes changing the time value returned when a detection program runs in the virtual machine system to a preset fixed value, the fixed value being determined from the time the detection program takes when run on a real system.
This document also discloses B12, an anti-detection device for a virtual machine system, comprising: a feature information acquiring unit, configured to obtain feature information in the current virtual machine system whose value differs from the value it has in the real system running environment; a feature information modifying unit, configured to modify the value of that feature information in the current virtual machine system to the value it has in the real system running environment; and a feature information returning unit, configured to return the modified value when a request to query the feature information in the current virtual machine system is received, so that the query result in the virtual machine system is the same as the query result in the real system running environment.
B13. The device of B12, wherein the feature information includes one or any combination of: the return value of a communication instruction between the virtual system and the real system; registry configuration information in the virtual system; representative files in the virtual system; process information in the virtual system; the difference in running time of a specific program between the virtual system and the real system; network device MAC address information in the virtual system; NIC information in the virtual system; and system device information in the virtual system.
B14. The device of B13, wherein the feature information modifying unit includes: a first modifying subunit, configured to modify, in the real system running environment, the return value of the communication instruction between the virtual system and the real system; and a second modifying subunit, configured to modify, inside the virtual machine system, one or more of the registry configuration information, representative files, process information, running time difference, NIC information and system device information of the virtual system.
B15. The device of B13 or B14, wherein the return value of the communication instruction includes the return value of the backdoor IN instruction, and the feature information modifying unit is specifically configured to change the return value of the IN instruction in the virtual machine system to a specific type of exception.
B16. The device of B13 or B14, wherein the return value of the communication instruction includes the base address of the interrupt descriptor table (IDT), and the feature information modifying unit is specifically configured to change the first (high-order) byte of the IDT base address in the virtual machine system to a value less than 0xD0.
B17. The device of B13 or B14, wherein the return value of the communication instruction includes the base address of the local descriptor table (LDT) and the base address of the global descriptor table (GDT), and the feature information modifying unit is specifically configured to change the LDT base address in the virtual machine system to 0x0000 and the first (high-order) byte of the GDT base address in the virtual machine system to a value other than 0xFF.
B18. The device of B13 or B14, wherein the return value of the communication instruction includes the return value of the STR instruction, and the feature information modifying unit is specifically configured to change the first two bytes of the return value of the STR instruction in the virtual machine system to a value other than 0x0040.
B19. The device of B13 or B14, wherein, if the distinguishing feature information in which the current virtual machine system differs from the real system running environment is registry configuration information of the virtual system, the feature information modifying unit is specifically configured to replace the virtual-machine-related keywords contained in the registry configuration information of the virtual machine system with a preset string unrelated to virtual machines; the registry configuration information includes registry keys and/or values.
B20. The device of B13 or B14, wherein, if the distinguishing feature information is a representative file, process information, NIC information or system device information of the virtual system, the feature information modifying unit is specifically configured to delete the virtual-machine-related keywords contained in the representative file path, process information, NIC information or system device information, or to change them to strings unrelated to virtual machines.
B21. The device of B13 or B14, wherein, if the distinguishing feature information is a MAC address in the virtual system, the feature information modifying unit is specifically configured to change the prefix of the MAC address in the virtual machine system to one that is not 00-05-69, not 00-0C-29 and not 00-50-56.
B22. The device of B13 or B14, wherein, if the distinguishing feature information is the difference in running time of a specific program between the virtual system and the real system, the feature information modifying unit is specifically configured to change the time value returned when a detection program runs in the virtual machine system to a preset fixed value, the fixed value being determined from the time the detection program takes when run on a real system.
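The claims above list the indicators a VMware-aware sample checks and the value each one is rewritten to, but not how a detector and the rewrite interact. The following Python model is an added example, not code from the patent or its applicant: detect() applies the thresholds the claims cite (IDT high byte above 0xD0, non-zero LDT base, GDT high byte 0xFF, STR selector 0x0040, the three VMware OUIs, a VMware-related keyword in a registry, file, process or device string, and the backdoor IN returning the VMware 'VMXh' magic), and sanitize() applies the rewrites of A4 to A11 and shows the detector going quiet. The probes themselves (SIDT, SGDT, SLDT, STR, the backdoor IN on port 0x5658, registry and WMI queries) are privileged or Windows-specific and cannot be reproduced portably, so their results are modelled as fields of a Snapshot record. The "first byte" of claims A5/A6 is read here as the most significant byte of the 32-bit base (the byte the classic red pill test examines); the keyword list, the replacement word, the replacement OUI, the host-side values 0x80 and 0x0028, the timing baseline and the sample readings are all assumptions chosen for the example.

```python
"""Model of the VM-detection indicators in claims A4-A11 / B15-B22 and of the
anti-detection rewrite they describe (added example, not the patent's code).
The probes (SIDT/SGDT/SLDT/STR, the VMware backdoor IN on port 0x5658, registry
and WMI queries) are privileged or Windows-only, so their *results* are modelled
as fields of a Snapshot; constants marked 'assumed' are choices made here."""
from __future__ import annotations

import re
from dataclasses import dataclass, field, replace
from typing import List, Optional

# VMware OUIs named in claim A10 (written there with '-' separators).
VMWARE_OUIS = {"00-05-69", "00-0C-29", "00-50-56"}
# 'VMXh': magic the VMware backdoor leaves in EBX after `in eax, dx` on port 0x5658
# (public VMware interface; the patent only calls it the "backdoor IN instruction").
VMXH_MAGIC = 0x564D5868
# Keywords the guest-side rewrite of claims A8/A9 scrubs and the neutral
# replacement word: assumed, the patent only says "VM-related keywords".
VM_KEYWORDS = re.compile(r"vmware|vmtools|vmmouse|vmhgfs|vmxnet|vmci", re.IGNORECASE)
NEUTRAL_WORD = "generic"
# Assumed bare-metal 32-bit Windows values: high byte of the descriptor-table
# bases, STR selector, timing baseline (ticks) and a non-VMware OUI.
HOST_HIGH_BYTE = 0x80
HOST_TASK_SELECTOR = 0x0028
REAL_BASELINE_TICKS = 120
NEUTRAL_OUI = "00-1A-2B"


@dataclass
class Snapshot:
    """What a detection program observes inside the guest (modelled, not measured)."""
    backdoor_ebx: Optional[int]   # EBX after the backdoor IN; None = exception raised
    idt_base: int                 # 32-bit IDTR base from SIDT
    ldt_base: int                 # LDTR base from SLDT (0 on bare metal)
    gdt_base: int                 # 32-bit GDTR base from SGDT
    task_register: int            # 16-bit selector from STR
    mac: str                      # NIC MAC as "xx-xx-xx-xx-xx-xx"
    timing_ticks: int             # ticks a timing probe (e.g. a CPUID loop) took
    strings: List[str] = field(default_factory=list)  # registry/file/process/device strings


def high_byte(base: int) -> int:
    """Most significant byte of a 32-bit base: the 'first byte' of claims A5/A6."""
    return (base >> 24) & 0xFF


def detect(s: Snapshot) -> List[str]:
    """Indicators a VMware-aware sample would trip, using the thresholds the claims cite."""
    hits = []
    if s.backdoor_ebx == VMXH_MAGIC:
        hits.append("backdoor-in")
    if high_byte(s.idt_base) > 0xD0:            # red pill: IDT base high byte 0xFF on VMware
        hits.append("sidt")
    if s.ldt_base != 0:                          # no pill: non-zero LDT base
        hits.append("sldt")
    if high_byte(s.gdt_base) == 0xFF:
        hits.append("sgdt")
    if s.task_register == 0x0040:                # STR selector seen on VMware
        hits.append("str")
    if s.mac.upper()[:8] in VMWARE_OUIS:
        hits.append("mac-oui")
    if s.timing_ticks > 2 * REAL_BASELINE_TICKS:   # assumed slack: twice the bare-metal time
        hits.append("timing")
    if any(VM_KEYWORDS.search(t) for t in s.strings):
        hits.append("vm-strings")
    return hits


def sanitize(s: Snapshot) -> Snapshot:
    """Apply the rewrites of claims A4-A11; returns the values the guest sees afterwards."""
    low24 = 0x00FFFFFF
    return replace(
        s,
        backdoor_ebx=None,                                        # A4: IN now raises an exception
        idt_base=(HOST_HIGH_BYTE << 24) | (s.idt_base & low24),   # A5: high byte below 0xD0
        ldt_base=0,                                               # A6: LDT base 0x0000
        gdt_base=(HOST_HIGH_BYTE << 24) | (s.gdt_base & low24),   # A6: GDT high byte != 0xFF
        task_register=HOST_TASK_SELECTOR if s.task_register == 0x0040 else s.task_register,  # A7
        mac=NEUTRAL_OUI + s.mac[8:] if s.mac.upper()[:8] in VMWARE_OUIS else s.mac,          # A10
        timing_ticks=REAL_BASELINE_TICKS,                         # A11: preset fixed value
        strings=[VM_KEYWORDS.sub(NEUTRAL_WORD, t) for t in s.strings],  # A8/A9: scrub keywords
    )


# Constructed sample: typical readings from a 32-bit Windows guest on VMware Workstation.
VMWARE_GUEST = Snapshot(
    backdoor_ebx=VMXH_MAGIC,
    idt_base=0xFFC18000,
    ldt_base=0xFFC10000,
    gdt_base=0xFFC07000,
    task_register=0x0040,
    mac="00-0C-29-3E-5A-1F",
    timing_ticks=900,
    strings=[
        r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
        r"C:\Windows\System32\drivers\vmmouse.sys",
        "vmtoolsd.exe",
        "VMware Virtual disk SCSI Disk Device",
    ],
)

if __name__ == "__main__":
    print("before:", detect(VMWARE_GUEST))
    print("after: ", detect(sanitize(VMWARE_GUEST)))
```

Two caveats a practitioner would add. The descriptor-table and STR thresholds date from software virtualization of single-processor 32-bit guests: on a multi-core host each CPU has its own IDT and GDT, so the value depends on which core the probe happens to run on, and under hardware-assisted virtualization the guest reads its own real descriptor tables, so these tests stop discriminating (and where the OS enables UMIP they fault in user mode anyway). Second, the split in A3 matters: the instruction return values must be changed outside the guest (in the hypervisor), whereas the registry, file, process, NIC and MAC values can be scrubbed inside it; scrubbing strings in the guest does nothing against a sample that asks the hardware directly.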
Application and publication data for this document (CN):

| Application Number | Publication Number | Priority Date | Filing Date | Publication Date | Status | Title |
|---|---|---|---|---|---|---|
| CN2012105592514A | CN103020525A | 2012-12-20 | 2012-12-20 | 2013-04-03 | Pending (see legal events below) | Anti-detecting method and device of virtual machine system |
Cited by (* = cited by examiner):

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104239003A* | 2013-06-08 | 2014-12-24 | 深圳市腾讯计算机系统有限公司 | Method and device for detecting whether hardware environment is virtual machine environment |
| CN105451258A* | 2014-09-26 | 2016-03-30 | 优视科技有限公司 | Test processing method and test processing device |
| CN105451258B* | 2014-09-26 | 2019-10-25 | 优视科技有限公司 | Test processing method and device |
| CN104751057A* | 2015-03-13 | 2015-07-01 | 安一恒通(北京)科技有限公司 | Method and device for enhancing the security of a computer system |
| CN106155883B* | 2015-03-30 | 2019-02-19 | 华为技术有限公司 | Method and device for reliability testing of virtual machines |
| CN106155883A* | 2015-03-30 | 2016-11-23 | 华为技术有限公司 | Virtual machine reliability testing method and device |
| CN104951355A* | 2015-07-03 | 2015-09-30 | 北京数字联盟网络科技有限公司 | Application program virtual operation environment recognition method and device |
| CN104951355B* | 2015-07-03 | 2019-02-26 | 北京数字联盟网络科技有限公司 | Method and apparatus for recognizing an application's virtual execution environment |
| CN105162799A* | 2015-09-24 | 2015-12-16 | 北京奇虎科技有限公司 | Method and server for checking whether a client is a legitimate mobile terminal |
| CN105590059A* | 2015-12-18 | 2016-05-18 | 北京奇虎科技有限公司 | Method and device for detecting virtual machine escape |
| JP2018081514A* | 2016-11-17 | 2018-05-24 | 株式会社日立ソリューションズ | Malware analysis method and storage medium |
| CN106934281A* | 2017-03-30 | 2017-07-07 | 兴华永恒(北京)科技有限责任公司 | Method for establishing virtual machine countermeasure techniques based on hardware virtualization technology |
| CN107124327B* | 2017-04-11 | 2019-04-02 | 千寻位置网络有限公司 | Method for counter-detection of JT808 vehicle-mounted terminal simulators |
| CN107124327A* | 2017-04-11 | 2017-09-01 | 千寻位置网络有限公司 | Method for counter-detection of JT808 vehicle-mounted terminal simulators |
| CN106997436A* | 2017-04-14 | 2017-08-01 | 努比亚技术有限公司 | Detection device and method for application programs |
| CN107292164A* | 2017-06-16 | 2017-10-24 | 郑州云海信息技术有限公司 | Intelligent sandbox design method and device based on state obfuscation |
| CN111712814A* | 2017-10-06 | 2020-09-25 | Ca公司 | System and method for monitoring baits to protect users from security threats |
| CN111712814B* | 2017-10-06 | 2021-06-08 | Ca公司 | System and method for monitoring baits to protect users from security threats |
| CN110147671A* | 2019-05-29 | 2019-08-20 | 北京奇安信科技有限公司 | Method and device for extracting text strings from a program |
| CN111191224B* | 2019-07-08 | 2022-04-08 | 腾讯科技(深圳)有限公司 | Countermeasure method and device for virtual machine detection and computer readable storage medium |
| CN111191224A* | 2019-07-08 | 2020-05-22 | 腾讯科技(深圳)有限公司 | Countermeasure method and device for virtual machine detection and computer readable storage medium |
| CN110516445A* | 2019-08-07 | 2019-11-29 | 南方电网科学研究院有限责任公司 | Identification method and device for anti-detection malicious code and storage medium |
| CN110825491B* | 2019-10-31 | 2022-02-01 | 福建天晴在线互动科技有限公司 | Virtual environment detection method based on firewall registry characteristics |
| CN110825491A* | 2019-10-31 | 2020-02-21 | 福建天晴在线互动科技有限公司 | Virtual environment detection method based on firewall registry characteristics |
| CN111026504A* | 2019-12-06 | 2020-04-17 | 海光信息技术有限公司 | Processing method and device for configuring instruction for acquiring processor information in virtual machine, CPU chip, system on chip and computer |
| CN111026504B* | 2019-12-06 | 2023-04-07 | 海光信息技术股份有限公司 | Processing method and device for configuring instruction for acquiring processor information in virtual machine, CPU chip, system on chip and computer |
| CN113391874A* | 2020-03-12 | 2021-09-14 | 腾讯科技(深圳)有限公司 | Virtual machine detection countermeasure method and device, electronic equipment and storage medium |
| CN113886826A* | 2021-10-09 | 2022-01-04 | 杭州默安科技有限公司 | Threat defense method and system based on anti-sandbox characteristics of malware |
| CN117540381A* | 2023-11-13 | 2024-02-09 | 中国人民解放军92493部队信息技术中心 | Detection method and system for anti-virtualization malicious programs |
Patent citations (* = cited by examiner):

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070271610A1* | 2006-05-16 | 2007-11-22 | Steven Grobman | Method and apparatus to detect kernel mode rootkit events through virtualization traps |
| CN102750484A* | 2012-06-28 | 2012-10-24 | 腾讯科技(深圳)有限公司 | Method and device for preventing virus sample self-checking |
Non-patent citations (* = cited by examiner):

| Citation |
|---|
| Matthew Carpenter et al., "Hiding Virtualization from Attackers and Malware", IEEE Security & Privacy, vol. 5, no. 3, 5 June 2007* |
| Cheng Weiwei (程微微) et al., "Research on virtual machine detection and anti-detection techniques" (虚拟机检测与反检测技术研究), Network Security Technology & Application (网络安全技术与应用), 15 February 2011, pp. 28-32* |
| Ma Chen (马晨) et al., "Research on VMware virtual machine detection techniques" (Vmware虚拟机检测技术研究), Computer Knowledge and Technology (电脑知识与技术), vol. 7, no. 11, 15 April 2011* |
Similar documents:

| Publication | Title |
|---|---|
| CN103077351B | Anti-detection system for a virtual machine system |
| CN103020525A | Anti-detecting method and device of virtual machine system |
| Ligh et al. | The art of memory forensics: detecting malware and threats in Windows, Linux, and Mac memory |
| US11693962B2 | Malware clustering based on function call graph similarity |
| US10445498B2 | Systems and methods of application control in virtualized environments |
| CN111324891B | System and method for container file integrity monitoring |
| Kim et al. | RevARM: A platform-agnostic ARM binary rewriter for security applications |
| US11586735B2 | Malware clustering based on analysis of execution-behavior reports |
| TW202026931A | Systems and methods for metadata encoding |
| CN103793651B | Kernel integrity detection method based on Xen virtualization |
| CN109597675B | Virtual machine malware behavior detection method and system |
| US10275595B2 | System and method for characterizing malware |
| US9530007B1 | Identifying tamper-resistant characteristics for kernel data structures |
| Hu et al. | A semantics-based hybrid approach on binary code similarity comparison |
| CN103632101A | System call interception method and device |
| US20230297411A1 | Copy-on-write for virtual machines with encrypted storage |
| US20160092313A1 | Application copy counting using snapshot backups for licensing |
| CN103955649B | Method for safely starting terminal equipment |
| CN107463513B | System and method for transferring control between storage locations |
| Zhou et al. | Hardware-based on-line intrusion detection via system call routine fingerprinting |
| Hsiao et al. | Virtual machine introspection based malware behavior profiling and family grouping |
| CN106372508B | Malicious document processing method and device |
| CN110457905A | Sample virus detection method, device, computer equipment and storage medium |
| CN114610577A | Locking method, apparatus, device and medium for a target resource |
| US20210294895A1 | Method and system for detecting malware using memory map |
Legal events:

| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 2013-04-03 |