基于Registry的虚拟机检测

简介
通常在编写的恶意软件会被蓝队捕捉，那么如何让蓝队花去更长时间去反编译我们的恶意软件这也成为了一种必选项，注意不是防止破解，理论上任何软件都会被破解，我们需要做的其实只是增加蓝队的破解成本。
通常蓝队会把捕捉到的恶意软件放在一个虚拟环境里如vmware，virtualbox等知名虚拟机软件，也有可能是自研的沙箱，那么如何识别软件是否运行在虚拟环境里会是防止破解重要的一环，本文将叙述一部分常见的虚拟机软件会注册的Registry，检测虚拟机防止破解以便让蓝队成员增加破解成本。
检测原理
通常在虚拟内，虚拟机软件会注册一些在物理机上不存在的注册表项，如果在注册表内出现了这样的选项，基本可以判定为运行在虚拟机环境，当然这种判断也有误报的可能，一些虚拟机软件会在物理界也注册一些相同的选项，但是对于虚拟机内，这样的表项算是比较少。
通常注册表项会使用windows提供的api进行查询，会使用让如下函数：
ntdll.dll导出:
NtOpenKey
NtEnumerateKey
NtQueryValueKey
NtClose
以及在其之上封装出的kernel32.dll的导出函数:
RegOpenKey
RegOpenKeyEx
RegQueryValue
RegQueryValueEx
RegCloseKey
RegEnumKeyEx
检查注册表路径
代码来自:https://github.com/a0rtega/pafish​
1
/* sample of usage: see detection of VirtualBox in the table below to check registry path */
2
int vbox_reg_key7() {
3
    return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
4
}
5
​
6
/* code is taken from "pafish" project, see references on the parent page */
7
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
8
    HKEY regkey;
9
    LONG ret;
10
​
11
    /* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
12
    if (pafish_iswow64()) {
13
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
14
    }
15
    else {
16
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
17
    }
18
​
19
    if (ret == ERROR_SUCCESS) {
20
        RegCloseKey(regkey);
21
        return TRUE;
22
    }
23
    else
24
        return FALSE;
25
}
Copied!
对于蓝队，如果注册表查询中出现了如下表项，那么该软件可能就在使用逃避技术。
Detect
Registry path
Details (if any)
[general]
HKLM\Software\Classes\Folder\shell\sandbox
​
Hyper-V
HKLM\SOFTWARE\Microsoft\Hyper-V
​
​
HKLM\SOFTWARE\Microsoft\VirtualMachine
​
​
HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters
Usually "HostName" and "VirtualMachineName" values are read under this path
​
HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat
​
​
HKLM\SYSTEM\ControlSet001\Services\vmicvss
​
​
HKLM\SYSTEM\ControlSet001\Services\vmicshutdown
​
​
HKLM\SYSTEM\ControlSet001\Services\vmicexchange
​
Parallels
HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8*
Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
Sandboxie
HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv
​
​
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
​
VirtualBox
HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE*
Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
​
HKLM\HARDWARE\ACPI\DSDT\VBOX__
​
​
HKLM\HARDWARE\ACPI\FADT\VBOX__
​
​
HKLM\HARDWARE\ACPI\RSDT\VBOX__
​
​
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
​
​
HKLM\SYSTEM\ControlSet001\Services\VBoxGuest
​
​
HKLM\SYSTEM\ControlSet001\Services\VBoxMouse
​
​
HKLM\SYSTEM\ControlSet001\Services\VBoxService
​
​
HKLM\SYSTEM\ControlSet001\Services\VBoxSF
​
​
HKLM\SYSTEM\ControlSet001\Services\VBoxVideo
​
VirtualPC
HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333*
Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
​
HKLM\SYSTEM\ControlSet001\Services\vpcbus
​
​
HKLM\SYSTEM\ControlSet001\Services\vpc-s3
​
​
HKLM\SYSTEM\ControlSet001\Services\vpcuhub
​
​
HKLM\SYSTEM\ControlSet001\Services\msvmmouf
​
VMware
HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD*
Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
​
HKCU\SOFTWARE\VMware, Inc.\VMware Tools
​
​
HKLM\SOFTWARE\VMware, Inc.\VMware Tools
​
​
HKLM\SYSTEM\ControlSet001\Services\vmdebug
​
​
HKLM\SYSTEM\ControlSet001\Services\vmmouse
​
​
HKLM\SYSTEM\ControlSet001\Services\VMTools
​
​
HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL
​
​
HKLM\SYSTEM\ControlSet001\Services\vmware
​
​
HKLM\SYSTEM\ControlSet001\Services\vmci
​
​
HKLM\SYSTEM\ControlSet001\Services\vmx86
​
​
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD*
​
​
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD*
​
​
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive*
​
​
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive*
​
Wine
HKCU\SOFTWARE\Wine
​
​
HKLM\SOFTWARE\Wine
​
Xen
HKLM\HARDWARE\ACPI\DSDT\xen
​
​
HKLM\HARDWARE\ACPI\FADT\xen
​
​
HKLM\HARDWARE\ACPI\RSDT\xen
​
​
HKLM\SYSTEM\ControlSet001\Services\xenevtchn
​
​
HKLM\SYSTEM\ControlSet001\Services\xennet
​
​
HKLM\SYSTEM\ControlSet001\Services\xennet6
​
​
HKLM\SYSTEM\ControlSet001\Services\xensvc
​
​
HKLM\SYSTEM\ControlSet001\Services\xenvdb
​
检查特定的表项内的字符串
1
/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
2
int vbox_reg_key2() {
3
    return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
4
}
5
​
6
/* code is taken from "pafish" project, see references on the parent page */
7
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
8
    /*
9
        regkey_s == "HARDWARE\\Description\\System";
10
        value_s == "SystemBiosVersion";
11
        lookup == "VBOX";
12
    */
13
​
14
    HKEY regkey;
15
    LONG ret;
16
    DWORD size;
17
    char value[1024], * lookup_str;
18
    size_t lookup_size;
19
​
20
    lookup_size = strlen(lookup);
21
    lookup_str = malloc(lookup_size+sizeof(char));
22
    strncpy(lookup_str, lookup, lookup_size+sizeof(char));
23
    size = sizeof(value);
24
​
25
    /* regkey_s == "HARDWARE\\Description\\System"; */
26
    if (pafish_iswow64()) {
27
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
28
    }
29
    else {
30
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
31
    }
32
​
33
    if (ret == ERROR_SUCCESS) {
34
        /* value_s == "SystemBiosVersion"; */
35
        ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
36
        RegCloseKey(regkey);
37
​
38
        if (ret == ERROR_SUCCESS) {
39
            size_t i;
40
            for (i = 0; i < strlen(value); i++) { /* case-insensitive */
41
                value[i] = toupper(value[i]);
42
            }
43
            for (i = 0; i < lookup_size; i++) { /* case-insensitive */
44
                lookup_str[i] = toupper(lookup_str[i]);
45
            }
46
            if (strstr(value, lookup_str) != NULL) {
47
                free(lookup_str);
48
                return TRUE;
49
            }
50
        }
51
    }
52
​
53
    free(lookup_str);
54
    return FALSE;
55
}
Copied!
​
Detect
Registry path
Registry key
String
[general]
HKLM\HARDWARE\Description\System
SystemBiosDate
06/23/99
​
HKLM\HARDWARE\Description\System\BIOS
SystemProductName
A M I
BOCHS
HKLM\HARDWARE\Description\System
SystemBiosVersion
BOCHS
​
HKLM\HARDWARE\Description\System
VideoBiosVersion
BOCHS
Anubis
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
ProductID
76487-337-8429955-22614
​
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductID
76487-337-8429955-22614
CwSandbox
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
ProductID
76487-644-3177037-23510
​
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductID
76487-644-3177037-23510
JoeBox
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
ProductID
55274-640-2673064-23950
​
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductID
55274-640-2673064-23950
Parallels
HKLM\HARDWARE\Description\System
SystemBiosVersion
PARALLELS
​
HKLM\HARDWARE\Description\System
VideoBiosVersion
PARALLELS
QEMU
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
QEMU
​
HKLM\HARDWARE\Description\System
SystemBiosVersion
QEMU
​
HKLM\HARDWARE\Description\System
VideoBiosVersion
QEMU
​
HKLM\HARDWARE\Description\System\BIOS
SystemManufacturer
QEMU
VirtualBox
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VBOX
​
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VBOX
​
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VBOX
​
HKLM\HARDWARE\Description\System
SystemBiosVersion
VBOX
​
HKLM\HARDWARE\Description\System
VideoBiosVersion
VIRTUALBOX
​
HKLM\HARDWARE\Description\System\BIOS
SystemProductName
VIRTUAL
​
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
DeviceDesc
VBOX
​
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
FriendlyName
VBOX
​
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum
DeviceDesc
VBOX
​
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum
FriendlyName
VBOX
​
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum
DeviceDesc
VBOX
​
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum
SystemProductName
VBOX
​
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation
SystemProductName
VIRTUAL
​
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation
SystemProductName
VIRTUALBOX
VMware
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VMWARE
​
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VMWARE
​
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VMWARE
​
HKLM\HARDWARE\Description\System
SystemBiosVersion
VMWARE
​
HKLM\HARDWARE\Description\System
SystemBiosVersion
INTEL - 6040000
​
HKLM\HARDWARE\Description\System
VideoBiosVersion
VMWARE
​
HKLM\HARDWARE\Description\System\BIOS
SystemProductName
VMware
​
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
0
VMware
​
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
1
VMware
​
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
DeviceDesc
VMware
​
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
FriendlyName
VMware
​
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum
DeviceDesc
VMware
​
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum
FriendlyName
VMware
​
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum
DeviceDesc
VMware
​
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum
FriendlyName
VMware
​
HKCR\Installer\Products
ProductName
vmware tools
​
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
vmware tools
​
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
vmware tools
​
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
vmware tools
​
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
CoInstallers32
​
​
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
DriverDesc
VMware*
​
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
InfSection
vmx*
​
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
ProviderName
VMware*
​
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings
Device Description
VMware*
​
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation
SystemProductName
VMWARE
​
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video
Service
vm3dmp
​
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video
Service
vmx_svga
​
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000
Device Description
VMware SVGA*
Xen
HKLM\HARDWARE\Description\System\BIOS
SystemProductName
Xen
LINKS
GitHub - a0rtega/pafish: Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do
GitHub
​

防御逃避 - 以前

动态调用无导入表编译

下一个 - 防御逃避

利用杀毒软件删除任意文件

最近更新 1yr ago

复制链接

内容