idiotc4t's blog
Registry-based virtual machine detection

Introduction

Malware we write will usually be captured by the blue team, so making the blue team spend longer reverse-engineering it becomes a necessity. Note that this is not about preventing analysis altogether: in theory any software can be cracked; all we can really do is raise the blue team's cost of cracking it.

The blue team usually runs captured malware inside a virtual environment, such as a well-known hypervisor like VMware or VirtualBox, or possibly an in-house sandbox, so recognising whether the software is running in a virtual environment is an important part of resisting analysis. This article lists some of the registry entries that common virtualization software registers, so that a virtual machine can be detected and the blue team's cost of analysis raised.

Detection principle

Inside a virtual machine, the virtualization software usually registers registry keys that do not exist on a physical machine; if such keys are present in the registry, it is reasonably safe to conclude that we are running in a virtual machine. This judgement can of course produce false positives: some virtualization software registers the same keys on a physical machine as well, but compared with what is found inside a guest such entries are relatively few.

Registry keys are usually queried through the APIs Windows provides, using the following functions:

Exported by ntdll.dll:

  • NtOpenKey
  • NtEnumerateKey
  • NtQueryValueKey
  • NtClose

and the wrappers built on top of them exported by kernel32.dll:

  • RegOpenKey
  • RegOpenKeyEx
  • RegQueryValue
  • RegQueryValueEx
  • RegCloseKey
  • RegEnumKeyEx

Checking registry paths

/* sample of usage: see detection of VirtualBox in the table below to check registry path */
#include <windows.h>

/* pafish helper implemented elsewhere in the project: reports whether this 32-bit process runs under WOW64 */
int pafish_iswow64(void);
int pafish_exists_regkey(HKEY hKey, char * regkey_s);

int vbox_reg_key7() {
    return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}

/* code is taken from "pafish" project, see references on the parent page */
/* Returns TRUE when the key can be opened for reading, FALSE otherwise. A WOW64 process asks
   for the 64-bit registry view explicitly, otherwise HKLM\SOFTWARE lookups would be redirected
   to Wow6432Node and a key registered only by a 64-bit guest driver would be missed. */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
    HKEY regkey;
    LONG ret;

    /* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
    if (pafish_iswow64()) {
        ret = RegOpenKeyExA(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyExA(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        RegCloseKey(regkey);   /* existence is all we wanted to know */
        return TRUE;
    }
    else
        return FALSE;
}

For the blue team: if registry queries for the following keys show up while a sample runs, the software may be using evasion techniques.

| Detect | Registry path | Details (if any) |
|---|---|---|
| [general] | HKLM\Software\Classes\Folder\shell\sandbox | |
| Hyper-V | HKLM\SOFTWARE\Microsoft\Hyper-V | |
| Hyper-V | HKLM\SOFTWARE\Microsoft\VirtualMachine | |
| Hyper-V | HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters | Usually "HostName" and "VirtualMachineName" values are read under this path |
| Hyper-V | HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat | |
| Hyper-V | HKLM\SYSTEM\ControlSet001\Services\vmicvss | |
| Hyper-V | HKLM\SYSTEM\ControlSet001\Services\vmicshutdown | |
| Hyper-V | HKLM\SYSTEM\ControlSet001\Services\vmicexchange | |
| Parallels | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| Sandboxie | HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv | |
| Sandboxie | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie | |
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| VirtualBox | HKLM\HARDWARE\ACPI\DSDT\VBOX__ | |
| VirtualBox | HKLM\HARDWARE\ACPI\FADT\VBOX__ | |
| VirtualBox | HKLM\HARDWARE\ACPI\RSDT\VBOX__ | |
| VirtualBox | HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions | |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\VBoxGuest | |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\VBoxMouse | |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\VBoxService | |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\VBoxSF | |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\VBoxVideo | |
| VirtualPC | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| VirtualPC | HKLM\SYSTEM\ControlSet001\Services\vpcbus | |
| VirtualPC | HKLM\SYSTEM\ControlSet001\Services\vpc-s3 | |
| VirtualPC | HKLM\SYSTEM\ControlSet001\Services\vpcuhub | |
| VirtualPC | HKLM\SYSTEM\ControlSet001\Services\msvmmouf | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| VMware | HKCU\SOFTWARE\VMware, Inc.\VMware Tools | |
| VMware | HKLM\SOFTWARE\VMware, Inc.\VMware Tools | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\vmdebug | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\vmmouse | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\VMTools | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\vmware | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\vmci | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\vmx86 | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD* | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* | |
| Wine | HKCU\SOFTWARE\Wine | |
| Wine | HKLM\SOFTWARE\Wine | |
| Xen | HKLM\HARDWARE\ACPI\DSDT\xen | |
| Xen | HKLM\HARDWARE\ACPI\FADT\xen | |
| Xen | HKLM\HARDWARE\ACPI\RSDT\xen | |
| Xen | HKLM\SYSTEM\ControlSet001\Services\xenevtchn | |
| Xen | HKLM\SYSTEM\ControlSet001\Services\xennet | |
| Xen | HKLM\SYSTEM\ControlSet001\Services\xennet6 | |
| Xen | HKLM\SYSTEM\ControlSet001\Services\xensvc | |
| Xen | HKLM\SYSTEM\ControlSet001\Services\xenvdb | |

Checking for strings inside specific values

/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
#include <windows.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* pafish helper implemented elsewhere in the project: reports whether this 32-bit process runs under WOW64 */
int pafish_iswow64(void);
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup);

int vbox_reg_key2() {
    return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}

/* code is taken from "pafish" project, see references on the parent page */
/* Returns TRUE when the string value value_s under regkey_s contains lookup (case-insensitive substring match). */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
    /*
        regkey_s == "HARDWARE\\Description\\System";
        value_s == "SystemBiosVersion";
        lookup == "VBOX";
    */

    HKEY regkey;
    LONG ret;
    DWORD size;
    char value[1024], * lookup_str;
    size_t lookup_size;

    /* private upper-cased copy of the needle, so the caller's string literal is not modified */
    lookup_size = strlen(lookup);
    lookup_str = malloc(lookup_size + 1);
    if (lookup_str == NULL)
        return FALSE;
    memcpy(lookup_str, lookup, lookup_size + 1);
    /* keep one byte free: REG_SZ data returned by the registry is not guaranteed to be NUL-terminated */
    size = sizeof(value) - 1;

    /* regkey_s == "HARDWARE\\Description\\System"; */
    if (pafish_iswow64()) {
        ret = RegOpenKeyExA(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyExA(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        /* value_s == "SystemBiosVersion"; */
        ret = RegQueryValueExA(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
        RegCloseKey(regkey);

        if (ret == ERROR_SUCCESS) {
            size_t i;
            value[size] = '\0';   /* size now holds the number of bytes copied, at most sizeof(value) - 1 */
            for (i = 0; i < strlen(value); i++) { /* case-insensitive */
                value[i] = (char)toupper((unsigned char)value[i]);
            }
            for (i = 0; i < lookup_size; i++) { /* case-insensitive */
                lookup_str[i] = (char)toupper((unsigned char)lookup_str[i]);
            }
            if (strstr(value, lookup_str) != NULL) {
                free(lookup_str);
                return TRUE;
            }
        }
    }

    free(lookup_str);
    return FALSE;
}

| Detect | Registry path | Registry key | String |
|---|---|---|---|
| [general] | HKLM\HARDWARE\Description\System | SystemBiosDate | 06/23/99 |
| [general] | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | A M I |
| BOCHS | HKLM\HARDWARE\Description\System | SystemBiosVersion | BOCHS |
| BOCHS | HKLM\HARDWARE\Description\System | VideoBiosVersion | BOCHS |
| Anubis | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| Anubis | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| CwSandbox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| CwSandbox | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| JoeBox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| JoeBox | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| Parallels | HKLM\HARDWARE\Description\System | SystemBiosVersion | PARALLELS |
| Parallels | HKLM\HARDWARE\Description\System | VideoBiosVersion | PARALLELS |
| QEMU | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | QEMU |
| QEMU | HKLM\HARDWARE\Description\System | SystemBiosVersion | QEMU |
| QEMU | HKLM\HARDWARE\Description\System | VideoBiosVersion | QEMU |
| QEMU | HKLM\HARDWARE\Description\System\BIOS | SystemManufacturer | QEMU |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| VirtualBox | HKLM\HARDWARE\Description\System | SystemBiosVersion | VBOX |
| VirtualBox | HKLM\HARDWARE\Description\System | VideoBiosVersion | VIRTUALBOX |
| VirtualBox | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VIRTUAL |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | SystemProductName | VBOX |
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUAL |
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUALBOX |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| VMware | HKLM\HARDWARE\Description\System | SystemBiosVersion | VMWARE |
| VMware | HKLM\HARDWARE\Description\System | SystemBiosVersion | INTEL - 6040000 |
| VMware | HKLM\HARDWARE\Description\System | VideoBiosVersion | VMWARE |
| VMware | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 0 | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 1 | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VMware |
| VMware | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VMware |
| VMware | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VMware |
| VMware | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VMware |
| VMware | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VMware |
| VMware | HKCR\Installer\Products | ProductName | vmware tools |
| VMware | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| VMware | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | CoInstallers32 | |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | DriverDesc | VMware* |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | InfSection | vmx* |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | ProviderName | VMware* |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings | Device Description | VMware* |
| VMware | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VMWARE |
| VMware | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vm3dmp |
| VMware | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vmx_svga |
| VMware | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000 | Device Description | VMware SVGA* |
| Xen | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | Xen |
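The blue-team side of both tables, as an added example that is not code from this page or from pafish: a small Python scanner runs over registry-operation log lines and flags a process that probes keys belonging to several different hypervisor families, which a legitimate guest agent never does. The CSV log layout (process, pid, operation, path, result), the process names and the PIDs are constructed assumptions, not a real Procmon capture; the indicator paths are a representative subset of the two tables above.

```python
import csv, io, re
from collections import defaultdict

# Indicator paths copied from the two tables on this page (a representative subset).
# A trailing '*' is a prefix wildcard, as in the tables; value reads from the second
# table are written as path\valuename, which is how Procmon renders RegQueryValue.
INDICATORS = {
    "VirtualBox": [r"HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE*",
                   r"HKLM\HARDWARE\ACPI\FADT\VBOX__"],
    "VMware":     [r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
                   r"HKLM\SYSTEM\ControlSet001\Services\vmci"],
    "Xen":        [r"HKLM\HARDWARE\ACPI\DSDT\xen"],
    "Parallels":  [r"HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8*"],
    "BIOS":       [r"HKLM\HARDWARE\Description\System\SystemBiosVersion",
                   r"HKLM\HARDWARE\Description\System\VideoBiosVersion"],
}

def _compile(pattern):
    body = re.escape(pattern.rstrip("*"))
    return re.compile("^" + body + (".*" if pattern.endswith("*") else "$"), re.IGNORECASE)

COMPILED = [(fam, rx) for fam, pats in INDICATORS.items() for rx in map(_compile, pats)]

def scan(log_text):
    """Map (process, pid) -> {family: [(operation, path, result), ...]} for every
    registry operation in a CSV log of 'process,pid,operation,path,result' rows."""
    hits = defaultdict(lambda: defaultdict(list))
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or not row[2].startswith("Reg"):
            continue
        proc, pid, op, path, result = row
        for fam, rx in COMPILED:
            if rx.match(path):
                hits[(proc, pid)][fam].append((op, path, result))
    return hits

def suspicious(hits, min_families=2):
    """A guest-tools service only touches its own vendor's keys; a sample working through
    this page's tables probes every family in turn. BIOS reads alone are too common to count."""
    return sorted(k for k, fams in hits.items() if len(set(fams) - {"BIOS"}) >= min_families)

# Constructed Procmon-style sample, not a real capture: a VMware guest where pid 4120
# probes VirtualBox, Xen and VMware keys while the real guest agent touches only VMware's.
SAMPLE_LOG = r"""vmtoolsd.exe,1324,RegOpenKey,"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",SUCCESS
invoice.exe,4120,RegOpenKey,HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00,NAME NOT FOUND
invoice.exe,4120,RegOpenKey,HKLM\HARDWARE\ACPI\DSDT\xen,NAME NOT FOUND
invoice.exe,4120,RegOpenKey,HKLM\SYSTEM\ControlSet001\Services\vmci,SUCCESS
invoice.exe,4120,RegQueryValue,HKLM\HARDWARE\Description\System\SystemBiosVersion,SUCCESS
explorer.exe,888,RegQueryValue,HKLM\HARDWARE\Description\System\SystemBiosVersion,SUCCESS
"""
```

`suspicious(scan(SAMPLE_LOG))` returns only `("invoice.exe", "4120")`; the NAME NOT FOUND results on the VirtualBox and Xen keys are themselves a useful signal, since nothing benign looks for a hypervisor that is not there.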

LINKS

Code taken from:

https://github.com/a0rtega/pafish
GitHub - a0rtega/pafish: Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do
Malware Evasion Encyclopedia: Evasion techniques