
Distinguish Virtual Environment By Relative Energy

Posted on: 2013-11-21 Degree: Master Type: Thesis
Country: China Candidate: L Wang Full Text: PDF
GTID: 2248330374982654 Subject: Control Engineering
Abstract/Summary:
As the Internet has grown more popular, it has reached hundreds of thousands of households, and people's daily lives have become tied to it. Network viruses and malicious software have multiplied along with it. Malicious software analysis usually means analysing the behavior and purpose of the malicious software samples (such as computer viruses, worms, Trojan horses and so on) that have been obtained. It also means understanding their internal structure, communication process and underlying basic structure. A very important point in malicious software analysis is having effective detection techniques and tools that are easy to install and uninstall. Many security researchers and security companies use virtual environment technology to analyse unknown malicious software samples, because it makes the analysis process easier and keeps the malicious software's execution under control. However, authors of malicious software work hard to study various methods of distinguishing whether their malicious code is running in a virtual environment or not.

This article summarizes four methods of detecting a virtual environment, organized by computer module: looking for virtual machine environment artifacts in the CPU, file system, and registry; looking for virtual machine environment artifacts in memory; looking for virtual machine environment specific virtual hardware; and looking for virtual machine environment specific processor instructions and capabilities. Moreover, under the guidance of my tutor Professor Meiqin Wang and Jizhi Wang, a researcher at Shandong Computing Center, this article proposes a new method of checking for a virtual environment: relative energy measurement. The article uses the energy measurement tool Intel Energy Checker to measure the energy consumed by computers on a real hardware platform and in the virtual environments VMware Workstation and Xen. Relative energy measurement is then used to address the problem that absolute energy values are unreliable when detecting a virtual environment. The conclusion is as follows: on a real hardware platform, the relative energy value is around 5; in the VMware Workstation virtual machine, the relative energy value is very different from that of the real hardware platform; in the Xen environment, however, the relative energy value is also around 5, so it is very hard to use it to distinguish whether the environment is virtual or not. In practice, therefore, considering measurement error and other interference, more distinguishing characteristics have to be found in the future.
Keywords/Search Tags: virtual environment, Intel Energy Checker, energy measurement, relative energy value