Check Environment

The goal of this transformation is to ensure that, during execution, the program is running in a "safe" environment. By "safe" we mean that we are not being monitored in any way. More specifically, the program will check that it is not being debugged, not being emulated, not being run inside a virtual machine, etc.

Option | Arguments | Description
--Transform | CheckEnvironment | Check if we are being run in an environment where we are being monitored.
--CheckEnvironmentCount | INTSPEC | How many checkers to insert. Default=1.
--CheckEnvironmentSandboxes | gdb, lldb, bochs, vmware, virtualBox, qemu, pin, cuckoo | The list of sandboxes that should be detected. Default=None.
  • gdb = The gdb debugger
  • lldb = The lldb debugger
  • bochs = The Bochs emulator
  • vmware = The VMware virtual machine
  • virtualBox = The VirtualBox virtual machine
  • qemu = The QEMU emulator
  • pin = The Intel Pin tracing tool
  • cuckoo = The Cuckoo sandbox
--CheckEnvironmentResponseKinds | abort, modifyGlobal, random, plugin | Comma-separated list of ways to respond when a check fails. Default=None.
  • abort = Call the abort function
  • modifyGlobal = Make a random modification to a global variable
  • random = Execute random bytes
  • plugin = Call one of the plugin responders