idiotc4t's blog
搜索文档…
基于Registry的虚拟机检测

简介

通常在编写的恶意软件会被蓝队捕捉,那么如何让蓝队花去更长时间去反编译我们的恶意软件这也成为了一种必选项,注意不是防止破解,理论上任何软件都会被破解,我们需要做的其实只是增加蓝队的破解成本。
通常蓝队会把捕捉到的恶意软件放在一个虚拟环境里如vmware,virtualbox等知名虚拟机软件,也有可能是自研的沙箱,那么如何识别软件是否运行在虚拟环境里会是防止破解重要的一环,本文将叙述一部分常见的虚拟机软件会注册的Registry,检测虚拟机防止破解以便让蓝队成员增加破解成本。

检测原理

通常在虚拟内,虚拟机软件会注册一些在物理机上不存在的注册表项,如果在注册表内出现了这样的选项,基本可以判定为运行在虚拟机环境,当然这种判断也有误报的可能,一些虚拟机软件会在物理界也注册一些相同的选项,但是对于虚拟机内,这样的表项算是比较少。
通常注册表项会使用windows提供的api进行查询,会使用让如下函数:
ntdll.dll导出:
  • NtOpenKey
  • NtEnumerateKey
  • NtQueryValueKey
  • NtClose
以及在其之上封装出的kernel32.dll的导出函数:
  • RegOpenKey
  • RegOpenKeyEx
  • RegQueryValue
  • RegQueryValueEx
  • RegCloseKey
  • RegEnumKeyEx

检查注册表路径

/* sample of usage: see detection of VirtualBox in the table below to check registry path */
int vbox_reg_key7() {
return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}
/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
HKEY regkey;
LONG ret;
/* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
if (pafish_iswow64()) {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
}
else {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
}
if (ret == ERROR_SUCCESS) {
RegCloseKey(regkey);
return TRUE;
}
else
return FALSE;
}
对于蓝队,如果注册表查询中出现了如下表项,那么该软件可能就在使用逃避技术。
Detect
Registry path
Details (if any)
[general]
HKLM\Software\Classes\Folder\shell\sandbox
Hyper-V
HKLM\SOFTWARE\Microsoft\Hyper-V
HKLM\SOFTWARE\Microsoft\VirtualMachine
HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters
Usually "HostName" and "VirtualMachineName" values are read under this path
HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat
HKLM\SYSTEM\ControlSet001\Services\vmicvss
HKLM\SYSTEM\ControlSet001\Services\vmicshutdown
HKLM\SYSTEM\ControlSet001\Services\vmicexchange
Parallels
HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8*
Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
Sandboxie
HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
VirtualBox
HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE*
Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
HKLM\HARDWARE\ACPI\DSDT\VBOX__
HKLM\HARDWARE\ACPI\FADT\VBOX__
HKLM\HARDWARE\ACPI\RSDT\VBOX__
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
HKLM\SYSTEM\ControlSet001\Services\VBoxGuest
HKLM\SYSTEM\ControlSet001\Services\VBoxMouse
HKLM\SYSTEM\ControlSet001\Services\VBoxService
HKLM\SYSTEM\ControlSet001\Services\VBoxSF
HKLM\SYSTEM\ControlSet001\Services\VBoxVideo
VirtualPC
HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333*
Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
HKLM\SYSTEM\ControlSet001\Services\vpcbus
HKLM\SYSTEM\ControlSet001\Services\vpc-s3
HKLM\SYSTEM\ControlSet001\Services\vpcuhub
HKLM\SYSTEM\ControlSet001\Services\msvmmouf
VMware
HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD*
Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
HKCU\SOFTWARE\VMware, Inc.\VMware Tools
HKLM\SOFTWARE\VMware, Inc.\VMware Tools
HKLM\SYSTEM\ControlSet001\Services\vmdebug
HKLM\SYSTEM\ControlSet001\Services\vmmouse
HKLM\SYSTEM\ControlSet001\Services\VMTools
HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL
HKLM\SYSTEM\ControlSet001\Services\vmware
HKLM\SYSTEM\ControlSet001\Services\vmci
HKLM\SYSTEM\ControlSet001\Services\vmx86
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD*
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD*
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive*
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive*
Wine
HKCU\SOFTWARE\Wine
HKLM\SOFTWARE\Wine
Xen
HKLM\HARDWARE\ACPI\DSDT\xen
HKLM\HARDWARE\ACPI\FADT\xen
HKLM\HARDWARE\ACPI\RSDT\xen
HKLM\SYSTEM\ControlSet001\Services\xenevtchn
HKLM\SYSTEM\ControlSet001\Services\xennet
HKLM\SYSTEM\ControlSet001\Services\xennet6
HKLM\SYSTEM\ControlSet001\Services\xensvc
HKLM\SYSTEM\ControlSet001\Services\xenvdb

检查特定的表项内的字符串

/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
int vbox_reg_key2() {
return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}
/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
/*
regkey_s == "HARDWARE\\Description\\System";
value_s == "SystemBiosVersion";
lookup == "VBOX";
*/
HKEY regkey;
LONG ret;
DWORD size;
char value[1024], * lookup_str;
size_t lookup_size;
lookup_size = strlen(lookup);
lookup_str = malloc(lookup_size+sizeof(char));
strncpy(lookup_str, lookup, lookup_size+sizeof(char));
size = sizeof(value);
/* regkey_s == "HARDWARE\\Description\\System"; */
if (pafish_iswow64()) {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
}
else {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
}
if (ret == ERROR_SUCCESS) {
/* value_s == "SystemBiosVersion"; */
ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
RegCloseKey(regkey);
if (ret == ERROR_SUCCESS) {
size_t i;
for (i = 0; i < strlen(value); i++) { /* case-insensitive */
value[i] = toupper(value[i]);
}
for (i = 0; i < lookup_size; i++) { /* case-insensitive */
lookup_str[i] = toupper(lookup_str[i]);
}
if (strstr(value, lookup_str) != NULL) {
free(lookup_str);
return TRUE;
}
}
}
free(lookup_str);
return FALSE;
}
Detect
Registry path
Registry key
String
[general]
HKLM\HARDWARE\Description\System
SystemBiosDate
06/23/99
HKLM\HARDWARE\Description\System\BIOS
SystemProductName
A M I
BOCHS
HKLM\HARDWARE\Description\System
SystemBiosVersion
BOCHS
HKLM\HARDWARE\Description\System
VideoBiosVersion
BOCHS
Anubis
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
ProductID
76487-337-8429955-22614
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductID
76487-337-8429955-22614
CwSandbox
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
ProductID
76487-644-3177037-23510
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductID
76487-644-3177037-23510
JoeBox
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
ProductID
55274-640-2673064-23950
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductID
55274-640-2673064-23950
Parallels
HKLM\HARDWARE\Description\System
SystemBiosVersion
PARALLELS
HKLM\HARDWARE\Description\System
VideoBiosVersion
PARALLELS
QEMU
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
QEMU
HKLM\HARDWARE\Description\System
SystemBiosVersion
QEMU
HKLM\HARDWARE\Description\System
VideoBiosVersion
QEMU
HKLM\HARDWARE\Description\System\BIOS
SystemManufacturer
QEMU
VirtualBox
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VBOX
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VBOX
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VBOX
HKLM\HARDWARE\Description\System
SystemBiosVersion
VBOX
HKLM\HARDWARE\Description\System
VideoBiosVersion
VIRTUALBOX
HKLM\HARDWARE\Description\System\BIOS
SystemProductName
VIRTUAL
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
DeviceDesc
VBOX
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
FriendlyName
VBOX
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum
DeviceDesc
VBOX
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum
FriendlyName
VBOX
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum
DeviceDesc
VBOX
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum
SystemProductName
VBOX
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation
SystemProductName
VIRTUAL
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation
SystemProductName
VIRTUALBOX
VMware
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VMWARE
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VMWARE
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VMWARE
HKLM\HARDWARE\Description\System
SystemBiosVersion
VMWARE
HKLM\HARDWARE\Description\System
SystemBiosVersion
INTEL - 6040000
HKLM\HARDWARE\Description\System
VideoBiosVersion
VMWARE
HKLM\HARDWARE\Description\System\BIOS
SystemProductName
VMware
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
0
VMware
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
1
VMware
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
DeviceDesc
VMware
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
FriendlyName
VMware
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum
DeviceDesc
VMware
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum
FriendlyName
VMware
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum
DeviceDesc
VMware
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum
FriendlyName
VMware
HKCR\Installer\Products
ProductName
vmware tools
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
vmware tools
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
vmware tools
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
vmware tools
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
CoInstallers32
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
DriverDesc
VMware*
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
InfSection
vmx*
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
ProviderName
VMware*
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings
Device Description
VMware*
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation
SystemProductName
VMWARE
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video
Service
vm3dmp
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video
Service
vmx_svga
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000
Device Description
VMware SVGA*
Xen
HKLM\HARDWARE\Description\System\BIOS
SystemProductName
Xen

LINKS

GitHub - a0rtega/pafish: Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do
GitHub
Malware Evasion Encyclopedia
Evasion techniques
复制链接
大纲
简介
检测原理
检查注册表路径
检查特定的表项内的字符串
LINKS