Flags

Flags are single-bit values that act as status indicators of executed arithmetic/logical operations. They are stored in a special CPU register called RFLAGS (64-bit systems). Most common flags:

For each flag: what it means, and the key question a malware analyst asks when seeing it tested.

ZF, zero flag
  Explanation: set to 1 if the operation result is 0; set to 0 otherwise.
  Key question:

  • the equal flag

  • is the malware checking if 2 values are the same?

  • CMP followed by JE means it's testing for an exact match.

SF, sign flag
  Explanation: set to 1 if the operation result is negative (its top bit is set).
  Key question:

  • the less-than flag

  • is the malware checking if the value is negative?

  • used in signed comparisons, like JL (jump if less).

CF, carry flag
  Explanation: set to 1 if an arithmetic operation resulted in a carry out or a borrow.
  Key question:

  • the unsigned comparison flag

  • important for buffer checks and some cryptographic operations.

OF, overflow flag
  Explanation: set to 1 if the result of a signed operation is too small/large to fit in the destination operand.
  Key question:

  • the signed comparison flag

  • used for JG (jump if greater) and JL (jump if less).
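To make the table concrete, here is an added example (not from the original notes) that models the rules x86 uses to set ZF, SF, CF and OF after a CMP, and the flag conditions behind JE, JL, JG and the other conditional jumps. The flag rules and jump conditions are the real x86 ones; the function names, the 64-bit default width and the inputs are this example's own choices.

```python
# Added example (not from the original notes): a model of the rules x86 uses
# to set ZF, SF, CF and OF after CMP a, b (which computes a - b and discards
# the result), plus the flag conditions behind the conditional jumps named
# in the table above. Width defaults to 64 bits to match RFLAGS/RAX.

def to_signed(v, bits=64):
    """Interpret a `bits`-wide bit pattern as a two's-complement integer."""
    v &= (1 << bits) - 1
    return v - (1 << bits) if v >> (bits - 1) else v


def cmp_flags(a, b, bits=64):
    """Flags set by CMP a, b. Negative Python ints are wrapped like the CPU would."""
    mask = (1 << bits) - 1
    a &= mask
    b &= mask
    result = (a - b) & mask
    return {
        "ZF": int(result == 0),                 # result is zero
        "SF": result >> (bits - 1),             # top bit of the result
        "CF": int(a < b),                       # unsigned borrow out of the subtraction
        # signed overflow: the true signed difference does not fit in `bits`
        "OF": int(to_signed(a, bits) - to_signed(b, bits) != to_signed(result, bits)),
    }


def jump_taken(jcc, flags):
    """Whether the conditional jump `jcc` is taken for the given flags."""
    zf, sf, cf, of = (flags[k] for k in ("ZF", "SF", "CF", "OF"))
    conditions = {
        "JE":  zf == 1,                  # equal
        "JNE": zf == 0,
        "JB":  cf == 1,                  # unsigned below
        "JAE": cf == 0,                  # unsigned above or equal
        "JA":  cf == 0 and zf == 0,      # unsigned above
        "JL":  sf != of,                 # signed less
        "JGE": sf == of,                 # signed greater or equal
        "JG":  zf == 0 and sf == of,     # signed greater
        "JLE": zf == 1 or sf != of,      # signed less or equal
        "JS":  sf == 1,                  # negative result
    }
    return conditions[jcc]


def signed_vs_unsigned(a, b):
    """Show why the same CMP answers 'less' differently for JL and JB."""
    f = cmp_flags(a, b)
    return {"flags": f, "JL": jump_taken("JL", f), "JB": jump_taken("JB", f)}


if __name__ == "__main__":
    print(cmp_flags(5, 5))                 # ZF=1: JE would be taken
    print(signed_vs_unsigned(-1, 1))       # JL taken, JB not taken
    print(cmp_flags(1 << 63, 1))           # OF=1: INT64_MIN - 1 overflows
```

The interesting case is `signed_vs_unsigned(-1, 1)`: the same CMP leaves CF=0 (0xFFFF...FFFF is huge as an unsigned value, so no borrow) but SF=1 with OF=0 (the signed result is negative), so JL is taken while JB is not. That is exactly why the table pairs CF with unsigned comparisons and SF/OF with signed ones.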

To be honest, this makes little sense to me. So let's look at it with some context. The example below is a heavily simplified version of how malware checks whether it is running in a VM in order to evade detection.

For each step: the assembly instruction and what it does.

Step 1
  Assembly: mov rax, 0x564D5868
  The malware places the VMXh value (0x564D5868) into the RAX register.

Step 2
  Assembly: in rax, dx
  It first sets the DX register to another value (0x5658), which is the "VX" port identifier for VMware (that mov is not shown in the listing). Next, it executes the in rax, dx instruction, which attempts to read from the port specified in DX into the RAX register.

Step 3
  Assembly: cmp rbx, 0x564D5868
  The malware then compares the value in the RBX register with the original VMXh value. On a bare-metal machine, the in instruction from step 2 would result in a privilege exception, as user-level code isn't allowed to access hardware ports directly.

  If this is a VM, the hypervisor intercepts the in instruction because it recognizes the VMXh value in RAX and the "VX" port. Instead of throwing an exception, it returns a value (often the same VMXh value) in a specified register, such as RBX.

Step 4
  Assembly: je InAVirtualMachine
  If they match, the malware concludes it is running inside a VM and can then alter its behavior.
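From the analyst's side, the sequence above leaves a recognisable footprint in a binary: the 'VMXh' constant loaded into EAX, followed shortly by an IN EAX, DX. The following is an added example (not from the original notes) of a small static scanner for that pattern. The opcode encodings it relies on are real (B8 imm32 = MOV EAX, imm32; BA imm32 = MOV EDX, imm32; ED = IN EAX, DX); the 32-byte window, the function names and the sample byte strings are assumptions constructed for this example.

```python
# Added example (not from the original notes): a small static scanner for the
# VMware check described above. It looks for the 'VMXh' magic being loaded into
# EAX followed, within a short byte window, by an IN EAX, DX, and records whether
# the 'VX' port was loaded into EDX in between. Encodings used: B8 imm32 =
# MOV EAX, imm32; BA imm32 = MOV EDX, imm32; ED = IN EAX, DX. The window size
# and the sample byte strings are assumptions constructed for this example.

import struct

VMXH = 0x564D5868        # 'VMXh' magic from the notes
VX_PORT = 0x5658         # 'VX' port from the notes

MOV_EAX_VMXH = b"\xB8" + struct.pack("<I", VMXH)
MOV_EDX_VX = b"\xBA" + struct.pack("<I", VX_PORT)
IN_EAX_DX = b"\xED"


def find_vmware_backdoor(code, window=32):
    """Return (mov_offset, in_offset, vx_port_loaded) for every 'VMXh' load
    that is followed by IN EAX, DX within `window` bytes."""
    hits = []
    start = 0
    while True:
        off = code.find(MOV_EAX_VMXH, start)
        if off == -1:
            break
        after = off + len(MOV_EAX_VMXH)
        in_rel = code[after:after + window].find(IN_EAX_DX)
        if in_rel != -1:
            in_off = after + in_rel
            hits.append((off, in_off, MOV_EDX_VX in code[after:in_off]))
        start = off + 1
    return hits


# Constructed sample: mov eax, 'VMXh'; mov edx, 'VX'; in eax, dx; cmp ebx, 'VMXh'; je +5; ret
SAMPLE_VM_CHECK = (
    b"\x90\x90"                                   # two NOPs of padding
    + MOV_EAX_VMXH                                # offset 2
    + MOV_EDX_VX                                  # offset 7
    + IN_EAX_DX                                   # offset 12
    + b"\x81\xFB" + struct.pack("<I", VMXH)       # cmp ebx, 0x564D5868
    + b"\x74\x05"                                 # je +5
    + b"\xC3"                                     # ret
)

# Constructed sample: the magic constant appears but no port read follows
SAMPLE_BENIGN = MOV_EAX_VMXH + b"\xC3" + b"\x00" * 16


def scan_samples():
    """Run the scanner over both constructed samples."""
    return {
        "vm_check": find_vmware_backdoor(SAMPLE_VM_CHECK),
        "benign": find_vmware_backdoor(SAMPLE_BENIGN),
    }


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(name, hits)
```

This is a heuristic, not a disassembler: the byte 0xED can also appear inside an immediate or a displacement, and the constant may be built in other ways (32-bit versus 64-bit mov forms, or assembled at runtime), so a hit is a lead to confirm in a disassembler rather than a verdict. Its value is in triage: flagging the region so the analyst knows to look for the cmp/je that follows and what the sample does on the "in a VM" branch.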
