Thursday, July 25, 2019

How to detect sendboxed - virtualized environment from delphi application ?

program Project1;

uses
  Windows;

function IsInSandbox:boolean;
var
hOpen:    HKEY;
sBuff:    array[0..256] of char;
BuffSize: integer;
hMod:THandle;
begin
  Result := False;

  hMod:= GetModuleHandle('SbieDll.dll');  //Sandboxie
  if hMod <> 0 then Result := True;

  hMod:= GetModuleHandle('dbghelp.dll'); // Thread Expert
  if hMod <> 0 then Result := True;

  if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar('Software\Microsoft\Windows\CurrentVersion'), 0, KEY_QUERY_VALUE, hOpen)) = ERROR_SUCCESS then
  begin
    BuffSize := SizeOf(sBuff);
    RegQueryValueEx(hOpen, PChar('ProductId'), nil, nil, @sBuff, @BuffSize);
    if sBuff = '55274-640-2673064-23950' then //Joe Box
      Result := True
    else if sBuff = '76487-644-3177037-23510' then //CW Sandbox
      Result := True
    else if sBuff = '76487-337-8429955-22614' then //Anubis
      Result := True
    else
      Result := False;
    RegCloseKey(hOpen);
  end;
end;

begin
if IsInSandbox = True then
MessageBox(0,pchar('Inside Sandbox'),NIL,0)
else
MessageBox(0,pchar('NOT Inside Sandbox'),NIL,0);
end.


----------------------------------

https://reverseengineering.stackexchange.com/questions/1686/how-to-detect-a-virtualized-environment
Here are some tricks for detecting VM's:

VirtualBox

VirtualPc

Hypervisor detection



https://www.cyberbit.com/blog/endpoint-security/anti-vm-and-anti-sandbox-explained/


5. Checking for Existence of Files Indicating a VM 
When these files are found to exist in the file system, this may indicate the existence of virtualization software. These can also be retrieved in multiple ways like: WMIC, Win API and CMD.
  • VMware
C:\windows\System32\Drivers\Vmmouse.sys
C:\windows\System32\Drivers\vm3dgl.dll
C:\windows\System32\Drivers\vmdum.dll
C:\windows\System32\Drivers\vm3dver.dll
C:\windows\System32\Drivers\vmtray.dll
C:\windows\System32\Drivers\VMToolsHook.dll
C:\windows\System32\Drivers\vmmousever.dll
C:\windows\System32\Drivers\vmhgfs.dll
C:\windows\System32\Drivers\vmGuestLib.dll
C:\windows\System32\Drivers\VmGuestLibJava.dll
C:\windows\System32\Driversvmhgfs.dll
  • VirtualBox
C:\windows\System32\Drivers\VBoxMouse.sys
C:\windows\System32\Drivers\VBoxGuest.sys
C:\windows\System32\Drivers\VBoxSF.sys
C:\windows\System32\Drivers\VBoxVideo.sys
C:\windows\System32\vboxdisp.dll
C:\windows\System32\vboxhook.dll
C:\windows\System32\vboxmrxnp.dll
C:\windows\System32\vboxogl.dll
C:\windows\System32\vboxoglarrayspu.dll
C:\windows\System32\vboxoglcrutil.dll
C:\windows\System32\vboxoglerrorspu.dll
C:\windows\System32\vboxoglfeedbackspu.dll
C:\windows\System32\vboxoglpackspu.dll
C:\windows\System32\vboxoglpassthroughspu.dll
C:\windows\System32\vboxservice.exe
C:\windows\System32\vboxtray.exe

C:\windows\System32\VBoxControl.exe

6. Checking for Running Services
Identifying whether one the following processes is running indicates a virtual environment.
These can also be retrieved in multiple ways WMIC, Win API and CMD
(wmic -> Service list, sc.exe /query) 
  • VMTools
  • Vmhgfs
  • VMMEMCTL
  • Vmmouse
  • Vmrawdsk
  • Vmusbmouse
  • Vmvss
  • Vmscsi
  • Vmxnet
  • vmx_svga
  • Vmware Tools
  • Vmware Physical Disk Helper Service
Conclusion
Malware authors eventually find virtual machine and sandbox evasion techniques that will work.
Organizations should:
  1. Be aware of the evasion tactics so they can harden their environments
  2. Use this knowledge to identify VM evasion tactics and improve malware detection
  3. Look for advanced security approaches that are harder to identify and evade. IDS systems, for example, often use sandboxes to run and test suspicious code, however, advanced endpoint protection does not use sandboxes which are easy to identify and therefore these evasion tactics are not feasible.
As further reading, we recommend this SANS white paper detailing sandbox  evasion tactics.


Use GetForegroundWindow API to check for the user activity of changing windows at least three times before it executes further. If it does not see the change of windows, it puts itself into an infinite sleep,” said the researchers.

To confirm user activity, a second variant of the packer checks for mouse cursor movement using GetCursorPos and Sleep APIs, while a third variant checks for system idle state using GetLastInputInfo and GetTickCount APIs.

No comments:

Post a Comment

Beogradsko programiranje=