# 基于Registry的虚拟机检测 ## 简介 通常在编写的恶意软件会被蓝队捕捉,那么如何让蓝队花去更长时间去反编译我们的恶意软件这也成为了一种必选项,注意不是防止破解,理论上任何软件都会被破解,我们需要做的其实只是增加蓝队的破解成本。 通常蓝队会把捕捉到的恶意软件放在一个虚拟环境里如vmware,virtualbox等知名虚拟机软件,也有可能是自研的沙箱,那么如何识别软件是否运行在虚拟环境里会是防止破解重要的一环,本文将叙述一部分常见的虚拟机软件会注册的Registry,检测虚拟机防止破解以便让蓝队成员增加破解成本。 ## 检测原理 通常在虚拟内,虚拟机软件会注册一些在物理机上不存在的注册表项,如果在注册表内出现了这样的选项,基本可以判定为运行在虚拟机环境,当然这种判断也有误报的可能,一些虚拟机软件会在物理界也注册一些相同的选项,但是对于虚拟机内,这样的表项算是比较少。 通常注册表项会使用windows提供的api进行查询,会使用让如下函数: ntdll.dll导出: * NtOpenKey * NtEnumerateKey * NtQueryValueKey * NtClose 以及在其之上封装出的kernel32.dll的导出函数: * RegOpenKey * RegOpenKeyEx * RegQueryValue * RegQueryValueEx * RegCloseKey * RegEnumKeyEx ## 检查注册表路径 代码来自: ``` /* sample of usage: see detection of VirtualBox in the table below to check registry path */ int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__"); } /* code is taken from "pafish" project, see references on the parent page */ int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; /* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */ if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE; } ``` 对于蓝队,如果注册表查询中出现了如下表项,那么该软件可能就在使用逃避技术。 | Detect | Registry path | Details (if any) | | ---------- | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | | \[general] | HKLM\Software\Classes\Folder\shell\sandbox | | | Hyper-V | HKLM\SOFTWARE\Microsoft\Hyper-V | | | | HKLM\SOFTWARE\Microsoft\VirtualMachine | | | | HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters | Usually "HostName" and "VirtualMachineName" values are read under this path | | | HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat | | | | HKLM\SYSTEM\ControlSet001\Services\vmicvss | | | | HKLM\SYSTEM\ControlSet001\Services\vmicshutdown | | | | HKLM\SYSTEM\ControlSet001\Services\vmicexchange | | | Parallels | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN\_1AB8\* | Subkey has the following structure: VEN\_XXXX\&DEV\_YYYY\&SUBSYS\_ZZZZ\&REV\_WW | | Sandboxie | HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv | | | | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie | | | VirtualBox | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN\_80EE\* | Subkey has the following structure: VEN\_XXXX\&DEV\_YYYY\&SUBSYS\_ZZZZ\&REV\_WW | | | HKLM\HARDWARE\ACPI\DSDT\VBOX\_\_ | | | | HKLM\HARDWARE\ACPI\FADT\VBOX\_\_ | | | | HKLM\HARDWARE\ACPI\RSDT\VBOX\_\_ | | | | HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions | | | | HKLM\SYSTEM\ControlSet001\Services\VBoxGuest | | | | HKLM\SYSTEM\ControlSet001\Services\VBoxMouse | | | | HKLM\SYSTEM\ControlSet001\Services\VBoxService | | | | HKLM\SYSTEM\ControlSet001\Services\VBoxSF | | | | HKLM\SYSTEM\ControlSet001\Services\VBoxVideo | | | VirtualPC | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN\_5333\* | Subkey has the following structure: VEN\_XXXX\&DEV\_YYYY\&SUBSYS\_ZZZZ\&REV\_WW | | | HKLM\SYSTEM\ControlSet001\Services\vpcbus | | | | HKLM\SYSTEM\ControlSet001\Services\vpc-s3 | | | | HKLM\SYSTEM\ControlSet001\Services\vpcuhub | | | | HKLM\SYSTEM\ControlSet001\Services\msvmmouf | | | VMware | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN\_15AD\* | Subkey has the following structure: VEN\_XXXX\&DEV\_YYYY\&SUBSYS\_ZZZZ\&REV\_WW | | | HKCU\SOFTWARE\VMware, Inc.\VMware Tools | | | | HKLM\SOFTWARE\VMware, Inc.\VMware Tools | | | | HKLM\SYSTEM\ControlSet001\Services\vmdebug | | | | HKLM\SYSTEM\ControlSet001\Services\vmmouse | | | | HKLM\SYSTEM\ControlSet001\Services\VMTools | | | | HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL | | | | HKLM\SYSTEM\ControlSet001\Services\vmware | | | | HKLM\SYSTEM\ControlSet001\Services\vmci | | | | HKLM\SYSTEM\ControlSet001\Services\vmx86 | | | | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar\_VMware\_IDE\_CD\* | | | | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar\_VMware\_SATA\_CD\* | | | | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware\_Virtual\_IDE\_Hard\_Drive\* | | | | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware\_Virtual\_SATA\_Hard\_Drive\* | | | Wine | HKCU\SOFTWARE\Wine | | | | HKLM\SOFTWARE\Wine | | | Xen | HKLM\HARDWARE\ACPI\DSDT\xen | | | | HKLM\HARDWARE\ACPI\FADT\xen | | | | HKLM\HARDWARE\ACPI\RSDT\xen | | | | HKLM\SYSTEM\ControlSet001\Services\xenevtchn | | | | HKLM\SYSTEM\ControlSet001\Services\xennet | | | | HKLM\SYSTEM\ControlSet001\Services\xennet6 | | | | HKLM\SYSTEM\ControlSet001\Services\xensvc | | | | HKLM\SYSTEM\ControlSet001\Services\xenvdb | | ## 检查特定的表项内的字符串 ``` /* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */ int vbox_reg_key2() { return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX"); } /* code is taken from "pafish" project, see references on the parent page */ int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) { /* regkey_s == "HARDWARE\\Description\\System"; value_s == "SystemBiosVersion"; lookup == "VBOX"; */ HKEY regkey; LONG ret; DWORD size; char value[1024], * lookup_str; size_t lookup_size; lookup_size = strlen(lookup); lookup_str = malloc(lookup_size+sizeof(char)); strncpy(lookup_str, lookup, lookup_size+sizeof(char)); size = sizeof(value); /* regkey_s == "HARDWARE\\Description\\System"; */ if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { /* value_s == "SystemBiosVersion"; */ ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size); RegCloseKey(regkey); if (ret == ERROR_SUCCESS) { size_t i; for (i = 0; i < strlen(value); i++) { /* case-insensitive */ value[i] = toupper(value[i]); } for (i = 0; i < lookup_size; i++) { /* case-insensitive */ lookup_str[i] = toupper(lookup_str[i]); } if (strstr(value, lookup_str) != NULL) { free(lookup_str); return TRUE; } } } free(lookup_str); return FALSE; } ``` | Detect | Registry path | Registry key | String | | ---------- | --------------------------------------------------------------------------------------------- | ------------------ | ----------------------- | | \[general] | HKLM\HARDWARE\Description\System | SystemBiosDate | 06/23/99 | | | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | A M I | | BOCHS | HKLM\HARDWARE\Description\System | SystemBiosVersion | BOCHS | | | HKLM\HARDWARE\Description\System | VideoBiosVersion | BOCHS | | Anubis | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-337-8429955-22614 | | | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-337-8429955-22614 | | CwSandbox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-644-3177037-23510 | | | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-644-3177037-23510 | | JoeBox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 55274-640-2673064-23950 | | | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 55274-640-2673064-23950 | | Parallels | HKLM\HARDWARE\Description\System | SystemBiosVersion | PARALLELS | | | HKLM\HARDWARE\Description\System | VideoBiosVersion | PARALLELS | | QEMU | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | QEMU | | | HKLM\HARDWARE\Description\System | SystemBiosVersion | QEMU | | | HKLM\HARDWARE\Description\System | VideoBiosVersion | QEMU | | | HKLM\HARDWARE\Description\System\BIOS | SystemManufacturer | QEMU | | VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX | | | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX | | | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX | | | HKLM\HARDWARE\Description\System | SystemBiosVersion | VBOX | | | HKLM\HARDWARE\Description\System | VideoBiosVersion | VIRTUALBOX | | | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VIRTUAL | | | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VBOX | | | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VBOX | | | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VBOX | | | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VBOX | | | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VBOX | | | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | SystemProductName | VBOX | | | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUAL | | | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUALBOX | | VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE | | | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE | | | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE | | | HKLM\HARDWARE\Description\System | SystemBiosVersion | VMWARE | | | HKLM\HARDWARE\Description\System | SystemBiosVersion | INTEL - 6040000 | | | HKLM\HARDWARE\Description\System | VideoBiosVersion | VMWARE | | | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VMware | | | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 0 | VMware | | | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 1 | VMware | | | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VMware | | | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VMware | | | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VMware | | | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VMware | | | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VMware | | | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VMware | | | HKCR\Installer\Products | ProductName | vmware tools | | | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools | | | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools | | | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools | | | HKLM\SYSTEM\ControlSet001\Control\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | CoInstallers32 | | | | HKLM\SYSTEM\ControlSet001\Control\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | DriverDesc | VMware\* | | | HKLM\SYSTEM\ControlSet001\Control\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | InfSection | vmx\* | | | HKLM\SYSTEM\ControlSet001\Control\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | ProviderName | VMware\* | | | HKLM\SYSTEM\ControlSet001\Control\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings | Device Description | VMware\* | | | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VMWARE | | | HKLM\SYSTEM\CurrentControlSet\Control\Video\\{GUID}\Video | Service | vm3dmp | | | HKLM\SYSTEM\CurrentControlSet\Control\Video\\{GUID}\Video | Service | vmx\_svga | | | HKLM\SYSTEM\CurrentControlSet\Control\Video\\{GUID}\0000 | Device Description | VMware SVGA\* | | Xen | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | Xen | ## LINKS {% embed url="" %} {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://idiotc4t.com/defense-evasion/rregistry-check-virtualmachine.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.