[HN Gopher] LLVM-powered devirtualization
       ___________________________________________________________________
        
       LLVM-powered devirtualization
        
       Author : dddnzzz334
       Score  : 153 points
       Date   : 2024-11-26 12:38 UTC (10 hours ago)
        
 (HTM) web link (blog.thalium.re)
 (TXT) w3m dump (blog.thalium.re)
        
       | anthk wrote:
       | Also, Bochs can fool most VM detectors as it can emulate a whole
       | CPU in software, but an i7 might be able to run a fully emulated
       | Pentium 4 based computer with ease in almost real time. But
       | Bochs' debugger can do crazy things to most malware and
       | proprietary obfuscators.
        
         | poincaredisk wrote:
         | I find that hard to believe. Bochs is trivial to detect, unless
         | you heavily patch it, then it's still detectable (for example,
         | by leveraging known bugs/mismatches with a real CPUs). And
         | that's just the tip of the iceberg as far as antivm goes.
         | 
         | But I agree that many detectors used by malware don't expect
         | Bochs and thus don't detect it.
        
           | anthk wrote:
           | Bochs can use several BIOSes other than its own.
        
       | PoignardAzur wrote:
       | Interestingly, a lot of the techniques this article describes are
       | also used in fuzzing. I wonder how much overlap there is between
       | fuzzing and devirtualization.
        
       ___________________________________________________________________
       (page generated 2024-11-26 23:00 UTC)