idiotc4t's blog
搜索文档…
idiotc4t's blog
关于这个博客
武器设计
我也不知道能不能写
C2手稿
先占个位置
武器化
COM组件相关的武器化开发技术
攻击demo的bof改造
Go项目反射改造
VulnBins的利用 (vuln driver)
红队研究
NtQueryInformationProcess逆向
NetUserAdd逆向
应急响应
WannaMine4.0专杀的一些技巧
防御逃避
ReflectiveDLLInjection变形应用
Execute-Assembly实现
ShadowMove复现与思考
载入第二个Ntdll绕Hook
编译时混淆字符串&函数调用
基于线程结束的EventLog绕过
动态获取系统调用(syscall)号
基于内存补丁的AMSI绕过
基于API Hook和DLL注入的AMSI绕过
基于内存补丁ETW的绕过
基于断链的DLL隐藏
基于HEX字符串执行的AV绕过
CobaltStrike Argue命令实现
简单的分离免杀
伪装PPID规避检测
伪装命令行规避检测
通过重写ring3 API函数实现免杀
动态调用无导入表编译
基于Registry的虚拟机检测
利用杀毒软件删除任意文件
反转字符串绕杀软
重新加载.text节拖钩
x64转换层&跨位数进程注入
代码与进程注入
Divide and Conquer
Clipboard Data Deliver
.NET Reflective Injection
APC Thread Hijack
CreateRemoteThread
APC Injection
Mapping Injection
Bypass Session 0 Injection
WhiteFile Offset Table Generate Shellcode
Early Bird
Early Bird & CreateRemoteThread
TLS Code Execute
SEH Code Execute
APC & NtTestAlert Code Execute
NtCreateSection & NtMapViewOfSection Code Execute
Process Hollowing
SetContext Hijack Thread
DLL Hollowing
权限提升
基于注册表劫持BypassUAC
基于dll劫持BypassUac
通过com组件BypassUAC
通过复制Token提权到SYSTEM
通过code&dll注入提权到SYSTEM
通过伪装PPID提权到SYSTEM
通过系统服务提权到SYSTEM
权限维持
主机特征绑定木马
寻找有价值的文件
获取机器安装的软件
通过API添加Windows用户
Detours InLine Hook
DLL劫持
RID劫持
自启动服务
编写简单远控
注册表自启动项
GitBook 提供支持
基于Registry的虚拟机检测

简介

通常在编写的恶意软件会被蓝队捕捉,那么如何让蓝队花去更长时间去反编译我们的恶意软件这也成为了一种必选项,注意不是防止破解,理论上任何软件都会被破解,我们需要做的其实只是增加蓝队的破解成本。
通常蓝队会把捕捉到的恶意软件放在一个虚拟环境里如vmware,virtualbox等知名虚拟机软件,也有可能是自研的沙箱,那么如何识别软件是否运行在虚拟环境里会是防止破解重要的一环,本文将叙述一部分常见的虚拟机软件会注册的Registry,检测虚拟机防止破解以便让蓝队成员增加破解成本。

检测原理

通常在虚拟内,虚拟机软件会注册一些在物理机上不存在的注册表项,如果在注册表内出现了这样的选项,基本可以判定为运行在虚拟机环境,当然这种判断也有误报的可能,一些虚拟机软件会在物理界也注册一些相同的选项,但是对于虚拟机内,这样的表项算是比较少。
通常注册表项会使用windows提供的api进行查询,会使用让如下函数:
ntdll.dll导出:
  • NtOpenKey
  • NtEnumerateKey
  • NtQueryValueKey
  • NtClose
以及在其之上封装出的kernel32.dll的导出函数:
  • RegOpenKey
  • RegOpenKeyEx
  • RegQueryValue
  • RegQueryValueEx
  • RegCloseKey
  • RegEnumKeyEx

检查注册表路径

/* sample of usage: see detection of VirtualBox in the table below to check registry path */
int vbox_reg_key7() {
return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}
/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
HKEY regkey;
LONG ret;
/* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
if (pafish_iswow64()) {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
}
else {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
}
if (ret == ERROR_SUCCESS) {
RegCloseKey(regkey);
return TRUE;
}
else
return FALSE;
}
对于蓝队,如果注册表查询中出现了如下表项,那么该软件可能就在使用逃避技术。
Detect
Registry path
Details (if any)
[general]
HKLM\Software\Classes\Folder\shell\sandbox
Hyper-V
HKLM\SOFTWARE\Microsoft\Hyper-V
HKLM\SOFTWARE\Microsoft\VirtualMachine
HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters
Usually "HostName" and "VirtualMachineName" values are read under this path
HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat
HKLM\SYSTEM\ControlSet001\Services\vmicvss
HKLM\SYSTEM\ControlSet001\Services\vmicshutdown
HKLM\SYSTEM\ControlSet001\Services\vmicexchange
Parallels
HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8*
Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
Sandboxie
HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
VirtualBox
HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE*
Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
HKLM\HARDWARE\ACPI\DSDT\VBOX__
HKLM\HARDWARE\ACPI\FADT\VBOX__
HKLM\HARDWARE\ACPI\RSDT\VBOX__
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
HKLM\SYSTEM\ControlSet001\Services\VBoxGuest
HKLM\SYSTEM\ControlSet001\Services\VBoxMouse
HKLM\SYSTEM\ControlSet001\Services\VBoxService
HKLM\SYSTEM\ControlSet001\Services\VBoxSF
HKLM\SYSTEM\ControlSet001\Services\VBoxVideo
VirtualPC
HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333*
Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
HKLM\SYSTEM\ControlSet001\Services\vpcbus
HKLM\SYSTEM\ControlSet001\Services\vpc-s3
HKLM\SYSTEM\ControlSet001\Services\vpcuhub
HKLM\SYSTEM\ControlSet001\Services\msvmmouf
VMware
HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD*
Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
HKCU\SOFTWARE\VMware, Inc.\VMware Tools
HKLM\SOFTWARE\VMware, Inc.\VMware Tools
HKLM\SYSTEM\ControlSet001\Services\vmdebug
HKLM\SYSTEM\ControlSet001\Services\vmmouse
HKLM\SYSTEM\ControlSet001\Services\VMTools
HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL
HKLM\SYSTEM\ControlSet001\Services\vmware
HKLM\SYSTEM\ControlSet001\Services\vmci
HKLM\SYSTEM\ControlSet001\Services\vmx86
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD*
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD*
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive*
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive*
Wine
HKCU\SOFTWARE\Wine
HKLM\SOFTWARE\Wine
Xen
HKLM\HARDWARE\ACPI\DSDT\xen
HKLM\HARDWARE\ACPI\FADT\xen
HKLM\HARDWARE\ACPI\RSDT\xen
HKLM\SYSTEM\ControlSet001\Services\xenevtchn
HKLM\SYSTEM\ControlSet001\Services\xennet
HKLM\SYSTEM\ControlSet001\Services\xennet6
HKLM\SYSTEM\ControlSet001\Services\xensvc
HKLM\SYSTEM\ControlSet001\Services\xenvdb

检查特定的表项内的字符串

/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
int vbox_reg_key2() {
return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}
/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
/*
regkey_s == "HARDWARE\\Description\\System";
value_s == "SystemBiosVersion";
lookup == "VBOX";
*/
HKEY regkey;
LONG ret;
DWORD size;
char value[1024], * lookup_str;
size_t lookup_size;
lookup_size = strlen(lookup);
lookup_str = malloc(lookup_size+sizeof(char));
strncpy(lookup_str, lookup, lookup_size+sizeof(char));
size = sizeof(value);
/* regkey_s == "HARDWARE\\Description\\System"; */
if (pafish_iswow64()) {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
}
else {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
}
if (ret == ERROR_SUCCESS) {
/* value_s == "SystemBiosVersion"; */
ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
RegCloseKey(regkey);
if (ret == ERROR_SUCCESS) {
size_t i;
for (i = 0; i < strlen(value); i++) { /* case-insensitive */
value[i] = toupper(value[i]);
}
for (i = 0; i < lookup_size; i++) { /* case-insensitive */
lookup_str[i] = toupper(lookup_str[i]);
}
if (strstr(value, lookup_str) != NULL) {
free(lookup_str);
return TRUE;
}
}
}
free(lookup_str);
return FALSE;
}
Detect
Registry path
Registry key
String
[general]
HKLM\HARDWARE\Description\System
SystemBiosDate
06/23/99
HKLM\HARDWARE\Description\System\BIOS
SystemProductName
A M I
BOCHS
HKLM\HARDWARE\Description\System
SystemBiosVersion
BOCHS
HKLM\HARDWARE\Description\System
VideoBiosVersion
BOCHS
Anubis
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
ProductID
76487-337-8429955-22614
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductID
76487-337-8429955-22614
CwSandbox
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
ProductID
76487-644-3177037-23510
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductID
76487-644-3177037-23510
JoeBox
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
ProductID
55274-640-2673064-23950
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductID
55274-640-2673064-23950
Parallels
HKLM\HARDWARE\Description\System
SystemBiosVersion
PARALLELS
HKLM\HARDWARE\Description\System
VideoBiosVersion
PARALLELS
QEMU
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
QEMU
HKLM\HARDWARE\Description\System
SystemBiosVersion
QEMU
HKLM\HARDWARE\Description\System
VideoBiosVersion
QEMU
HKLM\HARDWARE\Description\System\BIOS
SystemManufacturer
QEMU
VirtualBox
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VBOX
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VBOX
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VBOX
HKLM\HARDWARE\Description\System
SystemBiosVersion
VBOX
HKLM\HARDWARE\Description\System
VideoBiosVersion
VIRTUALBOX
HKLM\HARDWARE\Description\System\BIOS
SystemProductName
VIRTUAL
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
DeviceDesc
VBOX
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
FriendlyName
VBOX
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum
DeviceDesc
VBOX
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum
FriendlyName
VBOX
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum
DeviceDesc
VBOX
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum
SystemProductName
VBOX
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation
SystemProductName
VIRTUAL
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation
SystemProductName
VIRTUALBOX
VMware
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VMWARE
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VMWARE
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
VMWARE
HKLM\HARDWARE\Description\System
SystemBiosVersion
VMWARE
HKLM\HARDWARE\Description\System
SystemBiosVersion
INTEL - 6040000
HKLM\HARDWARE\Description\System
VideoBiosVersion
VMWARE
HKLM\HARDWARE\Description\System\BIOS
SystemProductName
VMware
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
0
VMware
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
1
VMware
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
DeviceDesc
VMware
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum
FriendlyName
VMware
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum
DeviceDesc
VMware
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum
FriendlyName
VMware
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum
DeviceDesc
VMware
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum
FriendlyName
VMware
HKCR\Installer\Products
ProductName
vmware tools
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
vmware tools
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
vmware tools
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
vmware tools
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
CoInstallers32
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
DriverDesc
VMware*
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
InfSection
vmx*
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
ProviderName
VMware*
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings
Device Description
VMware*
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation
SystemProductName
VMWARE
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video
Service
vm3dmp
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video
Service
vmx_svga
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000
Device Description
VMware SVGA*
Xen
HKLM\HARDWARE\Description\System\BIOS
SystemProductName
Xen

LINKS

GitHub - a0rtega/pafish: Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do
GitHub
Malware Evasion Encyclopedia
Evasion techniques
防御逃避 - 以前
动态调用无导入表编译
下一个 - 防御逃避
利用杀毒软件删除任意文件
最近更新 1yr ago
复制链接
大纲
简介
检测原理
检查注册表路径
检查特定的表项内的字符串
LINKS