"Devirtualization" in this post is something different, being an inverse of virtualization which is an obfuscation technique to hinder reverse engineering.
Also, Bochs can fool most VM detectors as it can emulate a whole CPU in software, but an i7 might be able to run a fully emulated Pentium 4 based computer with ease in almost real time. But Bochs' debugger can do crazy things to most malware and proprietary obfuscators.
I find that hard to believe. Bochs is trivial to detect, unless you heavily patch it, and then it's still detectable (for example, by leveraging known bugs/mismatches with real CPUs). And that's just the tip of the iceberg as far as anti-VM goes.
But I agree that many detectors used by malware don't expect Bochs and thus don't detect it.
I wouldn't recommend using the term "devirtualization" here, as that term has been used to refer to simplifying C++ virtual function calls (into normal function calls) in LLVM. And such an optimization has been turned on by default for quite some time.
Interestingly, a lot of the techniques this article describes are also used in fuzzing. I wonder how much overlap there is between fuzzing and devirtualization.
sanxiyn|1 year ago
marssaxman|1 year ago
anthk|1 year ago
poincaredisk|1 year ago
mshockwave|1 year ago
PoignardAzur|1 year ago
efilife|1 year ago
I should get some sleep