idiotc4t's blog
Registry-based virtual machine detection

Introduction

Malware we write is usually captured by the blue team, so making the blue team spend longer reverse-engineering it becomes mandatory. Note that this is not about preventing cracking: in theory any piece of software can be cracked. All we can really do is raise the blue team's cost of cracking it.
The blue team usually runs captured malware inside a virtual environment such as VMware, VirtualBox or other well-known virtualization software, or possibly an in-house sandbox. Recognizing whether the program is running in a virtual environment is therefore an important part of anti-analysis. This article describes some of the registry keys that common virtualization software registers; detecting the VM and refusing to run there makes the blue team's analysis more expensive.

Detection principle

Inside a guest, virtualization software usually registers registry keys that do not exist on a physical machine. If such entries are present in the registry, one can essentially conclude that the program is running in a virtual machine. This judgement can produce false positives, since some virtualization software also registers some of the same entries on the physical host, but compared with a guest such entries are relatively rare there.
Registry keys are usually queried with the APIs Windows provides; the following functions are used:
Exported by ntdll.dll:
  • NtOpenKey
  • NtEnumerateKey
  • NtQueryValueKey
  • NtClose
and the kernel32.dll exports that wrap them:
  • RegOpenKey
  • RegOpenKeyEx
  • RegQueryValue
  • RegQueryValueEx
  • RegCloseKey
  • RegEnumKeyEx

Checking registry paths

```c
#include <windows.h>

/* helper from the pafish project (not shown on this page): returns non-zero when the
   process is a 32-bit process on 64-bit Windows, so the 64-bit registry view is opened */
int pafish_iswow64(void);

int pafish_exists_regkey(HKEY hKey, char * regkey_s);

/* sample of usage: see detection of VirtualBox in the table below to check registry path */
int vbox_reg_key7() {
    return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
    HKEY regkey;
    LONG ret;

    /* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
    if (pafish_iswow64()) {
        /* without KEY_WOW64_64KEY a WOW64 process is redirected to the 32-bit registry view */
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    /* the key only has to exist; its contents are not read */
    if (ret == ERROR_SUCCESS) {
        RegCloseKey(regkey);
        return TRUE;
    }
    else
        return FALSE;
}
```
For the blue team: if the following entries show up in a program's registry queries, the program may be using evasion techniques.

| Detect | Registry path | Details (if any) |
|---|---|---|
| [general] | HKLM\Software\Classes\Folder\shell\sandbox | |
| Hyper-V | HKLM\SOFTWARE\Microsoft\Hyper-V | |
| | HKLM\SOFTWARE\Microsoft\VirtualMachine | |
| | HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters | Usually "HostName" and "VirtualMachineName" values are read under this path |
| | HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat | |
| | HKLM\SYSTEM\ControlSet001\Services\vmicvss | |
| | HKLM\SYSTEM\ControlSet001\Services\vmicshutdown | |
| | HKLM\SYSTEM\ControlSet001\Services\vmicexchange | |
| Parallels | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| Sandboxie | HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv | |
| | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie | |
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| | HKLM\HARDWARE\ACPI\DSDT\VBOX__ | |
| | HKLM\HARDWARE\ACPI\FADT\VBOX__ | |
| | HKLM\HARDWARE\ACPI\RSDT\VBOX__ | |
| | HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxGuest | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxMouse | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxService | |

Checking for strings in specific values

```c
#include <windows.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* helper from the pafish project (not shown on this page): returns non-zero when the
   process is a 32-bit process on 64-bit Windows, so the 64-bit registry view is opened */
int pafish_iswow64(void);

int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup);

/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
int vbox_reg_key2() {
    return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
    /*
    regkey_s == "HARDWARE\\Description\\System";
    value_s == "SystemBiosVersion";
    lookup == "VBOX";
    */
    HKEY regkey;
    LONG ret;
    DWORD size;
    char value[1024], * lookup_str;
    size_t lookup_size;

    /* private, upper-cased copy of the needle so the caller's string is not modified */
    lookup_size = strlen(lookup);
    lookup_str = malloc(lookup_size+sizeof(char));
    if (lookup_str == NULL)
        return FALSE;
    strncpy(lookup_str, lookup, lookup_size+sizeof(char));
    size = sizeof(value);

    /* regkey_s == "HARDWARE\\Description\\System"; */
    if (pafish_iswow64()) {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        /* value_s == "SystemBiosVersion"; */
        ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
        RegCloseKey(regkey);

        if (ret == ERROR_SUCCESS) {
            size_t i;
            /* a REG_SZ value is not guaranteed to be NUL-terminated; terminate it before strlen/strstr */
            value[size < sizeof(value) ? size : sizeof(value) - 1] = '\0';
            for (i = 0; i < strlen(value); i++) { /* case-insensitive */
                value[i] = toupper((unsigned char)value[i]);
            }
            for (i = 0; i < lookup_size; i++) { /* case-insensitive */
                lookup_str[i] = toupper((unsigned char)lookup_str[i]);
            }
            /* substring match: "VBOX - 1" contains "VBOX" */
            if (strstr(value, lookup_str) != NULL) {
                free(lookup_str);
                return TRUE;
            }
        }
    }

    free(lookup_str);
    return FALSE;
}
```
| Detect | Registry path | Registry key | String |
|---|---|---|---|
| [general] | HKLM\HARDWARE\Description\System | SystemBiosDate | 06/23/99 |
| | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | A M I |
| BOCHS | HKLM\HARDWARE\Description\System | SystemBiosVersion | BOCHS |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | BOCHS |
| Anubis | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| CwSandbox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| JoeBox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| Parallels | HKLM\HARDWARE\Description\System | SystemBiosVersion | PARALLELS |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | PARALLELS |
| QEMU | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | QEMU |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | QEMU |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | QEMU |
| | HKLM\HARDWARE\Description\System\BIOS | SystemManufacturer | QEMU |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
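The blue-team side of both tables, as an added example that is not part of this page, of pafish or of the Malware Evasion Encyclopedia: a script that reads an API-monitoring trace of a sample's registry calls and reports every access that matches a key-path indicator from the first table (the "Checking registry paths" section) or a value-string indicator from the second table above. The trace line format (`API(key[, value]) -> result`) and the `SAMPLE_TRACE` lines are constructed for the example; a real sandbox or API-hook log needs its own parser. Key paths are matched on the attempt alone, whatever the result, since the page's point is that the query itself is the tell; value strings are matched as case-insensitive substrings, exactly as `pafish_exists_regkey_value_str` does. The `SystemBiosVersion`/`VBOX` indicator is taken from the `vbox_reg_key2` sample rather than the table.

```python
# Added blue-team example; not pafish code and not part of the original page. It reads an
# API-monitor trace in a constructed format and flags registry accesses that match the
# key-path indicators (first table) and value-string indicators (second table) above.
import fnmatch
import re

# Key-existence indicators from the first table: family -> paths ('*' is a wildcard).
KEY_INDICATORS = {
    "general": [r"HKLM\Software\Classes\Folder\shell\sandbox"],
    "Hyper-V": [r"HKLM\SOFTWARE\Microsoft\Hyper-V", r"HKLM\SOFTWARE\Microsoft\VirtualMachine",
                r"HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters"]
               + [r"HKLM\SYSTEM\ControlSet001\Services\vmic" + s
                  for s in ("heartbeat", "vss", "shutdown", "exchange")],
    "Parallels": [r"HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8*"],
    "Sandboxie": [r"HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie"],
    "VirtualBox": [r"HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE*",
                   r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"]
                  + [r"HKLM\HARDWARE\ACPI\%s\VBOX__" % t for t in ("DSDT", "FADT", "RSDT")]
                  + [r"HKLM\SYSTEM\ControlSet001\Services\VBox" + s for s in ("Guest", "Mouse", "Service")],
}

# Value-string indicators from the second table: (family, key path, value name, substring).
SYS = r"HKLM\HARDWARE\Description\System"
SCSI = r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port %d\Scsi Bus 0\Target Id 0\Logical Unit Id 0"
VALUE_INDICATORS = [
    ("general", SYS, "SystemBiosDate", "06/23/99"), ("general", SYS + r"\BIOS", "SystemProductName", "A M I"),
    ("BOCHS", SYS, "SystemBiosVersion", "BOCHS"), ("BOCHS", SYS, "VideoBiosVersion", "BOCHS"),
    ("Parallels", SYS, "SystemBiosVersion", "PARALLELS"), ("Parallels", SYS, "VideoBiosVersion", "PARALLELS"),
    ("QEMU", SCSI % 0, "Identifier", "QEMU"), ("QEMU", SYS, "SystemBiosVersion", "QEMU"),
    ("QEMU", SYS, "VideoBiosVersion", "QEMU"), ("QEMU", SYS + r"\BIOS", "SystemManufacturer", "QEMU"),
    ("VirtualBox", SYS, "SystemBiosVersion", "VBOX"),  # from the vbox_reg_key2 sample, not the table
] + [("VirtualBox", SCSI % port, "Identifier", "VBOX") for port in (0, 1, 2)] + [
    (sandbox, key, "ProductID", pid)
    for sandbox, pid in (("Anubis", "76487-337-8429955-22614"), ("CwSandbox", "76487-644-3177037-23510"),
                         ("JoeBox", "55274-640-2673064-23950"))
    for key in (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion")
]

# Constructed trace format: "<API>(<key>) -> <result>" or '<API>(<key>, <value>) -> "<data>"'.
OPEN_RE = re.compile(r"^(?:RegOpenKey(?:Ex)?[AW]?|NtOpenKey)\((?P<key>[^,)]*)\)")
QUERY_RE = re.compile(r'^(?:RegQueryValue(?:Ex)?[AW]?|NtQueryValueKey)\((?P<key>[^,]*), (?P<name>[^)]*)\) -> "(?P<data>.*)"')

def normalize(path):
    """Registry paths are case-insensitive; fold case and the long hive name."""
    path = path.strip()
    if path.upper().startswith("HKEY_LOCAL_MACHINE"):
        path = "HKLM" + path[len("HKEY_LOCAL_MACHINE"):]
    return path.lower()

def key_hits(key):
    """Indicators matching an opened key, or any subkey of one (the attempt counts, not the result)."""
    key, hits = normalize(key), []
    for family, patterns in KEY_INDICATORS.items():
        for pat in patterns:
            p = pat.lower()
            if fnmatch.fnmatchcase(key, p) or fnmatch.fnmatchcase(key, p + "\\*"):
                hits.append((family, pat))
    return hits

def value_hits(key, name, data):
    """Indicators whose substring occurs (case-insensitively) in the data read from key\\name."""
    key, hits = normalize(key), []
    for family, ikey, iname, needle in VALUE_INDICATORS:
        if key == ikey.lower() and name.lower() == iname.lower() and needle.upper() in data.upper():
            hits.append((family, f"{iname} contains {needle!r}"))
    return hits

def scan_trace(lines):
    """Return (line number, family, detail) for every trace line that matches an indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = QUERY_RE.match(line)
        if m:
            hits = value_hits(m["key"], m["name"], m["data"])
        else:
            m = OPEN_RE.match(line)
            hits = key_hits(m["key"]) if m else []
        findings.extend((n, family, detail) for family, detail in hits)
    return findings

# Constructed sample trace (not real sandbox output); DEV/SUBSYS numbers and data are placeholders.
SAMPLE_TRACE = [
    r"RegOpenKeyExA(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) -> ERROR_SUCCESS",
    r'RegQueryValueExA(HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, ProductID) -> "00000-000-0000000-00000"',
    r"RegOpenKeyExA(HKLM\HARDWARE\ACPI\FADT\VBOX__) -> ERROR_FILE_NOT_FOUND",
    r"NtOpenKey(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8&DEV_0000&SUBSYS_00000000&REV_00) -> STATUS_SUCCESS",
    r'RegQueryValueExA(HKLM\HARDWARE\Description\System, SystemBiosVersion) -> "vbox - 1"',
    r'RegQueryValueExA(HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0, Identifier) -> "EXAMPLE DISK"',
]

if __name__ == "__main__":
    for n, family, detail in scan_trace(SAMPLE_TRACE):
        print(f"line {n}: {family}: {detail}")
```

On the sample trace the script reports lines 3, 4 and 5 (VirtualBox ACPI key, Parallels PCI vendor prefix, VirtualBox BIOS string) and stays quiet on the ordinary `ProductID` and SCSI reads. Subkeys of an indicator are matched as well, because a sample that opens `...\VirtualBox Guest Additions\<anything>` has still revealed the same interest; the failed open on line 3 is flagged on purpose, since an analysis VM without Guest Additions would return `ERROR_FILE_NOT_FOUND` too.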

LINKS

  • GitHub - a0rtega/pafish: Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do
  • Malware Evasion Encyclopedia: Evasion techniques