基于Registry的虚拟机检测

简介

通常在编写的恶意软件会被蓝队捕捉，那么如何让蓝队花去更长时间去反编译我们的恶意软件这也成为了一种必选项，注意不是防止破解，理论上任何软件都会被破解，我们需要做的其实只是增加蓝队的破解成本。

通常蓝队会把捕捉到的恶意软件放在一个虚拟环境里如vmware，virtualbox等知名虚拟机软件，也有可能是自研的沙箱，那么如何识别软件是否运行在虚拟环境里会是防止破解重要的一环，本文将叙述一部分常见的虚拟机软件会注册的Registry，检测虚拟机防止破解以便让蓝队成员增加破解成本。

检测原理

通常在虚拟内，虚拟机软件会注册一些在物理机上不存在的注册表项，如果在注册表内出现了这样的选项，基本可以判定为运行在虚拟机环境，当然这种判断也有误报的可能，一些虚拟机软件会在物理界也注册一些相同的选项，但是对于虚拟机内，这样的表项算是比较少。

通常注册表项会使用windows提供的api进行查询，会使用让如下函数：

ntdll.dll导出:

NtOpenKey
NtEnumerateKey
NtQueryValueKey
NtClose

以及在其之上封装出的kernel32.dll的导出函数:

RegOpenKey
RegOpenKeyEx
RegQueryValue
RegQueryValueEx
RegCloseKey
RegEnumKeyEx

检查注册表路径

代码来自:https://github.com/a0rtega/pafish

/* sample of usage: see detection of VirtualBox in the table below to check registry path */
int vbox_reg_key7() {
    return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
    HKEY regkey;
    LONG ret;

    /* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
    if (pafish_iswow64()) {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        RegCloseKey(regkey);
        return TRUE;
    }
    else
        return FALSE;
}

对于蓝队，如果注册表查询中出现了如下表项，那么该软件可能就在使用逃避技术。

Detect

Registry path

Details (if any)

[general]

HKLM\Software\Classes\Folder\shell\sandbox

Hyper-V

HKLM\SOFTWARE\Microsoft\Hyper-V

HKLM\SOFTWARE\Microsoft\VirtualMachine

HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters

Usually "HostName" and "VirtualMachineName" values are read under this path

HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat

HKLM\SYSTEM\ControlSet001\Services\vmicvss

HKLM\SYSTEM\ControlSet001\Services\vmicshutdown

HKLM\SYSTEM\ControlSet001\Services\vmicexchange

Parallels

HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8*

Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW

Sandboxie

HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie

VirtualBox

HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE*

Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW

HKLM\HARDWARE\ACPI\DSDT\VBOX__

HKLM\HARDWARE\ACPI\FADT\VBOX__

HKLM\HARDWARE\ACPI\RSDT\VBOX__

HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions

HKLM\SYSTEM\ControlSet001\Services\VBoxGuest

HKLM\SYSTEM\ControlSet001\Services\VBoxMouse

HKLM\SYSTEM\ControlSet001\Services\VBoxService

HKLM\SYSTEM\ControlSet001\Services\VBoxSF

HKLM\SYSTEM\ControlSet001\Services\VBoxVideo

VirtualPC

HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333*

Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW

HKLM\SYSTEM\ControlSet001\Services\vpcbus

HKLM\SYSTEM\ControlSet001\Services\vpc-s3

HKLM\SYSTEM\ControlSet001\Services\vpcuhub

HKLM\SYSTEM\ControlSet001\Services\msvmmouf

VMware

HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD*

Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW

HKCU\SOFTWARE\VMware, Inc.\VMware Tools

HKLM\SOFTWARE\VMware, Inc.\VMware Tools

HKLM\SYSTEM\ControlSet001\Services\vmdebug

HKLM\SYSTEM\ControlSet001\Services\vmmouse

HKLM\SYSTEM\ControlSet001\Services\VMTools

HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL

HKLM\SYSTEM\ControlSet001\Services\vmware

HKLM\SYSTEM\ControlSet001\Services\vmci

HKLM\SYSTEM\ControlSet001\Services\vmx86

HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD*

HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD*

HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive*

HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive*

Wine

HKCU\SOFTWARE\Wine

HKLM\SOFTWARE\Wine

Xen

HKLM\HARDWARE\ACPI\DSDT\xen

HKLM\HARDWARE\ACPI\FADT\xen

HKLM\HARDWARE\ACPI\RSDT\xen

HKLM\SYSTEM\ControlSet001\Services\xenevtchn

HKLM\SYSTEM\ControlSet001\Services\xennet

HKLM\SYSTEM\ControlSet001\Services\xennet6

HKLM\SYSTEM\ControlSet001\Services\xensvc

HKLM\SYSTEM\ControlSet001\Services\xenvdb

检查特定的表项内的字符串

/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
int vbox_reg_key2() {
    return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
    /*
        regkey_s == "HARDWARE\\Description\\System";
        value_s == "SystemBiosVersion";
        lookup == "VBOX";
    */

    HKEY regkey;
    LONG ret;
    DWORD size;
    char value[1024], * lookup_str;
    size_t lookup_size;

    lookup_size = strlen(lookup);
    lookup_str = malloc(lookup_size+sizeof(char));
    strncpy(lookup_str, lookup, lookup_size+sizeof(char));
    size = sizeof(value);

    /* regkey_s == "HARDWARE\\Description\\System"; */
    if (pafish_iswow64()) {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        /* value_s == "SystemBiosVersion"; */
        ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
        RegCloseKey(regkey);

        if (ret == ERROR_SUCCESS) {
            size_t i;
            for (i = 0; i < strlen(value); i++) { /* case-insensitive */
                value[i] = toupper(value[i]);
            }
            for (i = 0; i < lookup_size; i++) { /* case-insensitive */
                lookup_str[i] = toupper(lookup_str[i]);
            }
            if (strstr(value, lookup_str) != NULL) {
                free(lookup_str);
                return TRUE;
            }
        }
    }

    free(lookup_str);
    return FALSE;
}

Detect

Registry path

Registry key

String

[general]

HKLM\HARDWARE\Description\System

SystemBiosDate

06/23/99

HKLM\HARDWARE\Description\System\BIOS

SystemProductName

A M I

BOCHS

HKLM\HARDWARE\Description\System

SystemBiosVersion

BOCHS

HKLM\HARDWARE\Description\System

VideoBiosVersion

BOCHS

Anubis

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion

ProductID

76487-337-8429955-22614

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductID

76487-337-8429955-22614

CwSandbox

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion

ProductID

76487-644-3177037-23510

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductID

76487-644-3177037-23510

JoeBox

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion

ProductID

55274-640-2673064-23950

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductID

55274-640-2673064-23950

Parallels

HKLM\HARDWARE\Description\System

SystemBiosVersion

PARALLELS

HKLM\HARDWARE\Description\System

VideoBiosVersion

PARALLELS

QEMU

HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier

QEMU

HKLM\HARDWARE\Description\System

SystemBiosVersion

QEMU

HKLM\HARDWARE\Description\System

VideoBiosVersion

QEMU

HKLM\HARDWARE\Description\System\BIOS

SystemManufacturer

QEMU

VirtualBox

HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier

VBOX

HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier

VBOX

HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier

VBOX

HKLM\HARDWARE\Description\System

SystemBiosVersion

VBOX

HKLM\HARDWARE\Description\System

VideoBiosVersion

VIRTUALBOX

HKLM\HARDWARE\Description\System\BIOS

SystemProductName

VIRTUAL

HKLM\SYSTEM\ControlSet001\Services\Disk\Enum

DeviceDesc

VBOX

HKLM\SYSTEM\ControlSet001\Services\Disk\Enum

FriendlyName

VBOX

HKLM\SYSTEM\ControlSet002\Services\Disk\Enum

DeviceDesc

VBOX

HKLM\SYSTEM\ControlSet002\Services\Disk\Enum

FriendlyName

VBOX

HKLM\SYSTEM\ControlSet003\Services\Disk\Enum

DeviceDesc

VBOX

HKLM\SYSTEM\ControlSet003\Services\Disk\Enum

SystemProductName

VBOX

HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation

SystemProductName

VIRTUAL

HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation

SystemProductName

VIRTUALBOX

VMware

HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier

VMWARE

HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier

VMWARE

HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier

VMWARE

HKLM\HARDWARE\Description\System

SystemBiosVersion

VMWARE

HKLM\HARDWARE\Description\System

SystemBiosVersion

INTEL - 6040000

HKLM\HARDWARE\Description\System

VideoBiosVersion

VMWARE

HKLM\HARDWARE\Description\System\BIOS

SystemProductName

VMware

HKLM\SYSTEM\ControlSet001\Services\Disk\Enum

VMware

HKLM\SYSTEM\ControlSet001\Services\Disk\Enum

VMware

HKLM\SYSTEM\ControlSet001\Services\Disk\Enum

DeviceDesc

VMware

HKLM\SYSTEM\ControlSet001\Services\Disk\Enum

FriendlyName

VMware

HKLM\SYSTEM\ControlSet002\Services\Disk\Enum

DeviceDesc

VMware

HKLM\SYSTEM\ControlSet002\Services\Disk\Enum

FriendlyName

VMware

HKLM\SYSTEM\ControlSet003\Services\Disk\Enum

DeviceDesc

VMware

HKLM\SYSTEM\ControlSet003\Services\Disk\Enum

FriendlyName

VMware

HKCR\Installer\Products

ProductName

vmware tools

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

DisplayName

vmware tools

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

DisplayName

vmware tools

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

DisplayName

vmware tools

HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

CoInstallers32

HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

DriverDesc

VMware*

HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

InfSection

vmx*

HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

ProviderName

VMware*

HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings

Device Description

VMware*

HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation

SystemProductName

VMWARE

HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video

Service

vm3dmp

HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video

Service

vmx_svga

HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000

Device Description

VMware SVGA*

Xen

HKLM\HARDWARE\Description\System\BIOS

SystemProductName

Xen

LINKS

GitHub - a0rtega/pafish: Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families doGitHub

Malware Evasion EncyclopediaEvasion techniques

上一页动态调用无导入表编译下一页利用杀毒软件删除任意文件

最后更新于4年前