Detecting Virtual Environment Artefacts

Created on Monday 11 March 2019. Updated 3 years, 6 months ago.

Qemu registers some artifacts in the registry. Malware can detect a Qemu installation by looking at the registry key HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0, whose Identifier value holds the data QEMU, or at HARDWARE\\Description\\System, whose SystemBiosVersion value holds the data QEMU.

The VirtualBox Guest Additions leave many artifacts in the registry. A search for VBOX in the registry may find some of these keys.

The VMware installation directory C:\\Program Files\\VMware\\VMware Tools may also contain artifacts, as can the registry. A search for VMware in the registry might find some keys that include information about the virtual hard drive, adapters, and virtual mouse.

VMware leaves many artefacts in memory. Some are critical processor structures which, because they are either moved or changed on a virtual machine, leave recognisable footprints. Malware can search physical memory for the string VMware, a technique commonly used to detect memory artifacts.


Technique Identifier

U1332


Code Snippets

Thomas Roccia

Description

This snippet checks for the most common registry keys created by virtual machines.

#include<Windows.h>
#include<stdio.h>

#include <iostream>
#include <string>

using namespace std;

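int reg_value_exist(HKEY hKey, const char * regkey_s, const char * value_s, const char * lookup) {
    // Opens regkey_s under hKey, reads value_s and reports whether its data
    // contains the substring lookup (case-sensitive, e.g. "VMware" or "QEMU").
    //
    // Parameters:
    //   hKey     - an open root key, e.g. HKEY_LOCAL_MACHINE
    //   regkey_s - sub-key path relative to hKey
    //   value_s  - name of the value to read
    //   lookup   - substring expected in the value data; NULL means "only
    //              check that the value exists"
    // Returns 1 when the value exists and (if lookup is given) its data
    // contains lookup, otherwise 0. Prints a one-line result either way.
    HKEY regkey = NULL;
    char value[1024] = { 0 };
    // RegQueryValueEx reads *size as the buffer capacity on input; the
    // original left it uninitialised. Keep one byte free so the data can
    // always be terminated below.
    DWORD size = sizeof(value) - 1;

    if (RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey) != ERROR_SUCCESS)
    {
        // Every open failure (not found, but also access denied) lands here;
        // the original fell through and queried an uninitialised handle.
        std::cout << " [-] Reg key doesn't exist: " << regkey_s << std::endl;
        return 0;
    }

    const LONG ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
    RegCloseKey(regkey);   // release the handle whatever the query returned

    if (ret != ERROR_SUCCESS)
    {
        // Also reached with ERROR_MORE_DATA when the data exceeds the buffer.
        std::cout << " [-] Reg value doesn't exist: " << regkey_s << "\\" << value_s << std::endl;
        return 0;
    }

    // Registry string data is not guaranteed to be NUL-terminated, and
    // REG_MULTI_SZ data carries embedded NULs, so terminate defensively and
    // compare against the raw byte range rather than a C string.
    if (size > sizeof(value) - 1)
    {
        size = sizeof(value) - 1;
    }
    value[size] = '\0';
    const std::string data(value, size);

    if (lookup != NULL && data.find(lookup) == std::string::npos)
    {
        // Printing `value` stops at the first NUL, so only the first element
        // of a multi-string is shown here.
        std::cout << " [-] Reg value exist but doesn't contain " << lookup << ": " << value << std::endl;
        return 0;
    }

    std::cout << " [*] Reg value exist: " << value << std::endl;
    return 1;
}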

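int RegistryArtifacts()
{
    // Checks HKEY_LOCAL_MACHINE for keys and values created by common
    // hypervisor guest tools (VMware Tools, VirtualBox Guest Additions, the
    // QEMU/VirtualBox SCSI and ACPI entries) and prints one line per check.
    // Returns the number of keys and values that were found.
    //
    // Assumes a non-UNICODE (MBCS) build, as the original does: the paths are
    // narrow literals handed to the generic RegOpenKeyEx.
    // NOTE(review): a 32-bit build on 64-bit Windows reads the WOW6432Node
    // view of SOFTWARE\\... unless KEY_WOW64_64KEY is added to the access mask.

    // Registry keys related to virtual machines.
    const char* RegValuePath[] = { "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
                                   "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
                                   "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
                                   "SOFTWARE\\VMware, Inc.\\VMware Tools",
                                   "HARDWARE\\Description\\System",
                                   "SOFTWARE\\Oracle\\VirtualBox Guest Additions",
                                   "SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
                                   "HARDWARE\\ACPI\\DSDT\\VBOX__",
                                   "HARDWARE\\ACPI\\FADT\\VBOX__",
                                   "HARDWARE\\ACPI\\RSDT\\VBOX__",
                                   "SYSTEM\\ControlSet001\\Services\\VBoxGuest",
                                   "SYSTEM\\ControlSet001\\Services\\VBoxMouse",
                                   "SYSTEM\\ControlSet001\\Services\\VBoxService",
                                   "SYSTEM\\ControlSet001\\Services\\VBoxSF",
                                   "SYSTEM\\ControlSet001\\Services\\VBoxVideo",
                                   };
    // Divide by the element size, not sizeof(LPCWSTR): the original only
    // worked because both happen to be pointer-sized.
    const size_t count = sizeof(RegValuePath) / sizeof(RegValuePath[0]);
    int found = 0;

    for (size_t i = 0; i < count; i++)
    {
        HKEY hKey = NULL;
        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, RegValuePath[i], 0, KEY_READ, &hKey) != ERROR_SUCCESS)
        {
            // Also reached on ERROR_ACCESS_DENIED, so "doesn't exist" is a simplification.
            std::cout << " [-] Reg key doesn't exist: " << RegValuePath[i] << std::endl;
            continue;
        }
        std::cout << " [*] Reg key exist: " << RegValuePath[i] << std::endl;
        RegCloseKey(hKey);   // the original leaked this handle on every hit
        found++;
    }

    // Registry values whose data names the hypervisor. reg_value_exist
    // returns 1 on a hit and 0 otherwise.
    found += reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMware");
    found += reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMware");
    found += reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMware");
    found += reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VBOX");
    found += reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
    found += reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "VideoBiosVersion", "VIRTUALBOX");
    found += reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System", "SystemBiosDate", "06/23/99");
    found += reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "QEMU");
    found += reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "QEMU");

    return found;
}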

int main()
{
    // Entry point: run every registry check and exit 0 regardless of findings.
    (void)RegistryArtifacts();
    return 0;
}

Detection Rules

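rule Qemu_Detection
{
	meta:
		Author = "Thomas Roccia - @fr0gger_ - Unprotect Project"
		Description = "Checks for QEMU Registry Key"
	strings:
		// HARDWARE\Description\System -> SystemBiosVersion value holding "QEMU"
		$desc1 = "HARDWARE\\Description\\System" nocase wide ascii
		$desc2 = "SystemBiosVersion" nocase wide ascii
		$desc3 = "QEMU" wide nocase ascii

		// SCSI device map -> Identifier value holding "QEMU"
		$dev1 = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
		$dev2 = "Identifier" nocase wide ascii
		$dev3 = "QEMU" wide nocase ascii
	condition:
		// Require the key path, the value name and the vendor string together.
		// "any of" fired on "Identifier" or "SystemBiosVersion" alone, which
		// almost every registry-aware binary contains.
		all of ($desc*) or all of ($dev*)
}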

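rule VBox_Detection
{
	meta:
		Author = "Thomas Roccia - @fr0gger_ - Unprotect Project"
		Description = "Checks for VBOX Registry Key"
	strings:
		// HARDWARE\Description\System BIOS values whose data names VirtualBox
		$desc1 = "HARDWARE\\Description\\System" nocase wide ascii
		$desc2 = "SystemBiosVersion" nocase wide ascii
		$desc3 = "VideoBiosVersion" nocase wide ascii

		$data1 = "VBOX" nocase wide ascii
		$data2 = "VIRTUALBOX" nocase wide ascii

		// SCSI device map -> Identifier value holding "VBOX"
		$dev1 = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
		$dev2 = "Identifier" nocase wide ascii
		$dev3 = "VBOX" nocase wide ascii

		// Guest Additions service keys and ACPI tables (case-sensitive ascii, as written)
		$soft1 = "SOFTWARE\\Oracle\\VirtualBox Guest Additions"
		$soft2 = "HARDWARE\\ACPI\\DSDT\\VBOX__"
		$soft3 = "HARDWARE\\ACPI\\FADT\\VBOX__"
		$soft4 = "HARDWARE\\ACPI\\RSDT\\VBOX__"
		$soft5 = "SYSTEM\\ControlSet001\\Services\\VBoxGuest"
		$soft6 = "SYSTEM\\ControlSet001\\Services\\VBoxService"
		$soft7 = "SYSTEM\\ControlSet001\\Services\\VBoxMouse"
		$soft8 = "SYSTEM\\ControlSet001\\Services\\VBoxVideo"

		// Guest Additions binaries, drivers and services
		$virtualbox1 = "VBoxHook.dll" nocase
		$virtualbox2 = "VBoxService" nocase
		$virtualbox3 = "VBoxTray" nocase
		$virtualbox4 = "VBoxMouse" nocase
		$virtualbox5 = "VBoxGuest" nocase
		$virtualbox6 = "VBoxSF" nocase
		$virtualbox7 = "VBoxGuestAdditions" nocase
		$virtualbox8 = "VBOX HARDDISK"  nocase
		$virtualbox9 = "VBoxVideo" nocase
		$virtualbox10 = "vboxhook" nocase
		$virtualbox11 = "vboxmrxnp" nocase
		$virtualbox12 = "vboxogl" nocase
		$virtualbox13 = "vboxoglarrayspu" nocase
		$virtualbox14 = "vboxoglcrutil" nocase
		$virtualbox15 = "vboxoglerrorspu" nocase
		$virtualbox16 = "vboxoglfeedbackspu" nocase
		$virtualbox17 = "vboxoglpackspu" nocase
		$virtualbox18 = "vboxoglpassthroughspu" nocase
		$virtualbox19 = "vboxcontrol" nocase

		// VirtualBox MAC prefix in the three spellings a MAC check might use.
		// The bare-digit form is only six characters and is the most
		// false-positive-prone string in this rule.
		$mac_1a = "08-00-27"
		$mac_1b = "08:00:27"
		$mac_1c = "080027"
	condition:
		// Parenthesised because 'and' binds tighter than 'or': the original
		// read as (desc and data) or dev or soft or virtualbox, and
		// "any of ($dev*)" matched on the bare word "Identifier". The MAC
		// strings were also swallowed by the $virtualbox* wildcard; they now
		// form their own set so the intent is explicit.
		($desc1 and ($desc2 or $desc3) and 1 of ($data*)) or
		all of ($dev*) or
		any of ($soft*) or
		any of ($virtualbox*) or
		any of ($mac*)
}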
rule:
  meta:
    name: check for windows sandbox via process name
    namespace: anti-analysis/anti-vm/vm-detection
    author: "@_re_fox"
    # function scope: both features below must occur within a single function
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LloydLabs/wsb-detect
    examples:
      # <sample hash>:<function address> the rule was validated against
      - 773290480d5445f11d3dc1b800728966:0x140001140
  features:
    - and:
      # "match:" references another capa rule by its name
      - match: enumerate processes
      # NOTE(review): presumably the process name the rule ties to Windows Sandbox — see the wsb-detect reference
      - string: CExecSvc.exe

rule:
  meta:
    name: check for windows sandbox via registry
    namespace: anti-analysis/anti-vm/vm-detection
    author: "@_re_fox"
    # function scope: all four features below must occur within a single function
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LloydLabs/wsb-detect
    examples:
      # <sample hash>:<function address> the rule was validated against
      - 773290480d5445f11d3dc1b800728966:0x140001140
  features:
    - and:
      - api: RegOpenKeyEx
      - api: RegEnumValue
      # strings written as /…/ are regular expressions; the trailing i makes the second one case-insensitive
      - string: /\\Microsoft\\Windows\\CurrentVersion\\RunOnce/
      # NOTE(review): WDAGUtilityAccount appears to be the account name the rule ties to Windows Sandbox — confirm against the reference
      - string: /wmic useraccount where \"name='WDAGUtilityAccount'\"/i
