program Project1;
uses
Windows;
function IsInSandbox:boolean;
var
hOpen: HKEY;
sBuff: array[0..256] of char;
BuffSize: integer;
hMod:THandle;
begin
Result := False;
hMod:= GetModuleHandle('SbieDll.dll'); //Sandboxie
if hMod <> 0 then Result := True;
hMod:= GetModuleHandle('dbghelp.dll'); // Thread Expert
if hMod <> 0 then Result := True;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar('Software\Microsoft\Windows\CurrentVersion'), 0, KEY_QUERY_VALUE, hOpen)) = ERROR_SUCCESS then
begin
BuffSize := SizeOf(sBuff);
RegQueryValueEx(hOpen, PChar('ProductId'), nil, nil, @sBuff, @BuffSize);
if sBuff = '55274-640-2673064-23950' then //Joe Box
Result := True
else if sBuff = '76487-644-3177037-23510' then //CW Sandbox
Result := True
else if sBuff = '76487-337-8429955-22614' then //Anubis
Result := True
else
Result := False;
RegCloseKey(hOpen);
end;
end;
begin
if IsInSandbox = True then
MessageBox(0,pchar('Inside Sandbox'),NIL,0)
else
MessageBox(0,pchar('NOT Inside Sandbox'),NIL,0);
end.
----------------------------------
https://reverseengineering.stackexchange.com/questions/1686/how-to-detect-a-virtualized-environment
https://www.cyberbit.com/blog/endpoint-security/anti-vm-and-anti-sandbox-explained/
Use GetForegroundWindow API to check for the user activity of changing windows at least three times before it executes further. If it does not see the change of windows, it puts itself into an infinite sleep,” said the researchers.
To confirm user activity, a second variant of the packer checks for mouse cursor movement using GetCursorPos and Sleep APIs, while a third variant checks for system idle state using GetLastInputInfo and GetTickCount APIs.
uses
Windows;
function IsInSandbox:boolean;
var
hOpen: HKEY;
sBuff: array[0..256] of char;
BuffSize: integer;
hMod:THandle;
begin
Result := False;
hMod:= GetModuleHandle('SbieDll.dll'); //Sandboxie
if hMod <> 0 then Result := True;
hMod:= GetModuleHandle('dbghelp.dll'); // Thread Expert
if hMod <> 0 then Result := True;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar('Software\Microsoft\Windows\CurrentVersion'), 0, KEY_QUERY_VALUE, hOpen)) = ERROR_SUCCESS then
begin
BuffSize := SizeOf(sBuff);
RegQueryValueEx(hOpen, PChar('ProductId'), nil, nil, @sBuff, @BuffSize);
if sBuff = '55274-640-2673064-23950' then //Joe Box
Result := True
else if sBuff = '76487-644-3177037-23510' then //CW Sandbox
Result := True
else if sBuff = '76487-337-8429955-22614' then //Anubis
Result := True
else
Result := False;
RegCloseKey(hOpen);
end;
end;
begin
if IsInSandbox = True then
MessageBox(0,pchar('Inside Sandbox'),NIL,0)
else
MessageBox(0,pchar('NOT Inside Sandbox'),NIL,0);
end.
----------------------------------
https://reverseengineering.stackexchange.com/questions/1686/how-to-detect-a-virtualized-environment
Here are some tricks for detecting VM's:
VirtualBox
- http://pastebin.com/RU6A2UuB (9 different methods, registry, dropped VBOX dlls, pipe names etc)
- http://pastebin.com/xhFABpPL (Machine provider name)
- http://pastebin.com/v8LnMiZs (Innotek trick)
- http://pastebin.com/fPY4MiYq (Bios Brand and Bios Version)
- http://pastebin.com/Geggzp4G (Bios Brand and Bios Version)
- http://pastebin.com/T0s5gVGW (Parsing SMBiosData searching for newly-introduced or bizarre type)
- http://pastebin.com/AjHWApes (Cadmus Mac Address Trick)
- http://pastebin.com/wh4NAP26 (VBoxSharedFolderFS Trick)
- http://pastebin.com/Nsv5B1yk (Resume Flag Trick)
VirtualPc
- http://pastebin.com/exAK5XQx (Reset Trick)
- http://pastebin.com/HVActZMC (CPUID Trick)
Hypervisor detection
https://www.cyberbit.com/blog/endpoint-security/anti-vm-and-anti-sandbox-explained/
5. Checking for Existence of Files Indicating a VM
When these files are found to exist in the file system, this may indicate the existence of virtualization software. These can also be retrieved in multiple ways like: WMIC, Win API and CMD.
When these files are found to exist in the file system, this may indicate the existence of virtualization software. These can also be retrieved in multiple ways like: WMIC, Win API and CMD.
- VMware
C:\windows\System32\Drivers\Vmmouse.sys
C:\windows\System32\Drivers\vm3dgl.dll
C:\windows\System32\Drivers\vmdum.dll
C:\windows\System32\Drivers\vm3dver.dll
C:\windows\System32\Drivers\vmtray.dll
C:\windows\System32\Drivers\VMToolsHook.dll
C:\windows\System32\Drivers\vmmousever.dll
C:\windows\System32\Drivers\vmhgfs.dll
C:\windows\System32\Drivers\vmGuestLib.dll
C:\windows\System32\Drivers\VmGuestLibJava.dll
C:\windows\System32\Driversvmhgfs.dll
- VirtualBox
C:\windows\System32\Drivers\VBoxMouse.sys
C:\windows\System32\Drivers\VBoxGuest.sys
C:\windows\System32\Drivers\VBoxSF.sys
C:\windows\System32\Drivers\VBoxVideo.sys
C:\windows\System32\vboxdisp.dll
C:\windows\System32\vboxhook.dll
C:\windows\System32\vboxmrxnp.dll
C:\windows\System32\vboxogl.dll
C:\windows\System32\vboxoglarrayspu.dll
C:\windows\System32\vboxoglcrutil.dll
C:\windows\System32\vboxoglerrorspu.dll
C:\windows\System32\vboxoglfeedbackspu.dll
C:\windows\System32\vboxoglpackspu.dll
C:\windows\System32\vboxoglpassthroughspu.dll
C:\windows\System32\vboxservice.exe
C:\windows\System32\vboxtray.exe
C:\windows\System32\VBoxControl.exe
6. Checking for Running Services
Identifying whether one the following processes is running indicates a virtual environment.
These can also be retrieved in multiple ways WMIC, Win API and CMD
(wmic -> Service list, sc.exe /query)
These can also be retrieved in multiple ways WMIC, Win API and CMD
(wmic -> Service list, sc.exe /query)
- VMTools
- Vmhgfs
- VMMEMCTL
- Vmmouse
- Vmrawdsk
- Vmusbmouse
- Vmvss
- Vmscsi
- Vmxnet
- vmx_svga
- Vmware Tools
- Vmware Physical Disk Helper Service
Conclusion
Malware authors eventually find virtual machine and sandbox evasion techniques that will work.
Malware authors eventually find virtual machine and sandbox evasion techniques that will work.
Organizations should:
- Be aware of the evasion tactics so they can harden their environments
- Use this knowledge to identify VM evasion tactics and improve malware detection
- Look for advanced security approaches that are harder to identify and evade. IDS systems, for example, often use sandboxes to run and test suspicious code, however, advanced endpoint protection does not use sandboxes which are easy to identify and therefore these evasion tactics are not feasible.
As further reading, we recommend this SANS white paper detailing sandbox evasion tactics.
Learn more about Cyberbit EDR Kernel-Based Endpoint Detection vs. Whitelisting
To confirm user activity, a second variant of the packer checks for mouse cursor movement using GetCursorPos and Sleep APIs, while a third variant checks for system idle state using GetLastInputInfo and GetTickCount APIs.
No comments:
Post a Comment
Beogradsko programiranje=