
Detecting Virtual Environment Artefacts
QEMU registers some artifacts in the registry. Malware can detect a QEMU installation by looking at the registry key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0, whose Identifier value holds the data QEMU, or at HARDWARE\Description\System, whose SystemBiosVersion value holds the data QEMU.
The VirtualBox Guest Additions leave many artifacts in the registry; a search for VBOX in the registry might find some of these keys.
The VMware installation directory C:\Program Files\VMware\VMware Tools may also contain artifacts, as can the registry. A search for VMware in the registry might find some keys that include information about the virtual hard drive, adapters, and virtual mouse.
VMware leaves many artefacts in memory. Some are critical processor structures which, because they are either moved or changed on a virtual machine, leave recognisable footprints. Malware can search through physical memory for the string VMware, which is commonly used to detect memory artifacts.
Code Snippets
Description
This snippet checks for the most common registry keys and values created by virtual machine software.
#include <Windows.h>
#include <stdio.h>
#include <cstring>
#include <iostream>
using namespace std;
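/// Opens the subkey `regkey_s` under `hKey`, reads the value `value_s` and
/// reports whether its data contains the substring `lookup`.
///
/// @param hKey      open root key (e.g. HKEY_LOCAL_MACHINE)
/// @param regkey_s  subkey path relative to hKey
/// @param value_s   name of the value to read
/// @param lookup    substring expected in the value data (may be NULL)
/// @return 1 when the value exists and its data contains `lookup`,
///         0 otherwise (key missing, value missing, data too large, no match).
int reg_value_exist(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
    HKEY regkey = NULL;
    char value[1024];
    // RegQueryValueEx reads *size* as the buffer capacity on input and writes the
    // number of bytes stored on output. Leaving it uninitialised (as before) lets
    // the API write past `value`. One byte is reserved for our own terminator.
    DWORD size = sizeof(value) - 1;

    // Explicit ANSI entry points: the callers pass narrow strings, which only
    // matched the TCHAR macros in a non-UNICODE build.
    if (RegOpenKeyExA(hKey, regkey_s, 0, KEY_READ, &regkey) != ERROR_SUCCESS)
    {
        // Previously the value was queried through an uninitialised handle here.
        cout << " [-] Reg value doesn't exist: " << regkey_s << "\\" << value_s << endl;
        return 0;
    }

    int found = 0;
    LONG ret = RegQueryValueExA(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
    if (ret != ERROR_SUCCESS)
    {
        // Also covers ERROR_MORE_DATA (data larger than the buffer).
        cout << " [-] Reg value doesn't exist: " << regkey_s << "\\" << value_s << endl;
    }
    else
    {
        // REG_SZ data is not guaranteed to be NUL-terminated; terminate it ourselves.
        value[size] = '\0';
        cout << " [*] Reg value exist: " << value << endl;
        if (lookup != NULL && strstr(value, lookup) != NULL)
        {
            cout << " [*] Reg value matches: " << lookup << endl;
            found = 1;
        }
    }

    // The opened key was never released before.
    RegCloseKey(regkey);
    return found;
}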
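/// Probes the registry for keys and values commonly created by VM guest tooling
/// (VMware Tools, VirtualBox Guest Additions, QEMU) and prints each result.
///
/// @return number of probed registry keys that exist; 0 when none is present.
///         Value probes are reported on stdout only.
int RegistryArtifacts()
{
    int found = 0;

    // Registry keys related to virtual machines. Narrow literals, so the explicit
    // ANSI API is used instead of the TCHAR macros (which break under UNICODE).
    const char * const RegValuePath[] = {
        "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
        "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
        "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
        "SOFTWARE\\VMware, Inc.\\VMware Tools",
        "HARDWARE\\Description\\System",
        "SOFTWARE\\Oracle\\VirtualBox Guest Additions",
        "SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
        "HARDWARE\\ACPI\\DSDT\\VBOX__",
        "HARDWARE\\ACPI\\FADT\\VBOX__",
        "HARDWARE\\ACPI\\RSDT\\VBOX__",
        "SYSTEM\\ControlSet001\\Services\\VBoxGuest",
        "SYSTEM\\ControlSet001\\Services\\VBoxMouse",
        "SYSTEM\\ControlSet001\\Services\\VBoxService",
        "SYSTEM\\ControlSet001\\Services\\VBoxSF",
        "SYSTEM\\ControlSet001\\Services\\VBoxVideo",
    };

    // Range-for replaces the index loop that divided by sizeof(LPCWSTR), an
    // unrelated type that merely happens to be pointer-sized.
    for (const char * path : RegValuePath)
    {
        HKEY hKey = NULL;
        if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, path, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
        {
            cout << " [-] Reg key doesn't exist: " << path << endl;
        }
        else
        {
            cout << " [*] Reg key exist: " << path << endl;
            ++found;
            RegCloseKey(hKey);   // every opened handle was leaked before
        }
    }

    // Registry values whose data identifies a hypervisor vendor.
    struct ValueProbe { const char * path; const char * value; const char * lookup; };
    const ValueProbe probes[] = {
        { "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMware" },
        { "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMware" },
        { "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMware" },
        { "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VBOX" },
        { "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX" },
        { "HARDWARE\\Description\\System", "VideoBiosVersion", "VIRTUALBOX" },
        { "HARDWARE\\DESCRIPTION\\System", "SystemBiosDate", "06/23/99" },
        { "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "QEMU" },
        { "HARDWARE\\Description\\System", "SystemBiosVersion", "QEMU" },
    };
    for (const ValueProbe & p : probes)
    {
        // reg_value_exist takes non-const char*; it does not modify the strings.
        // Passing literals to char* directly is ill-formed in standard C++.
        reg_value_exist(HKEY_LOCAL_MACHINE, const_cast<char *>(p.path),
                        const_cast<char *>(p.value), const_cast<char *>(p.lookup));
    }

    // The function was declared int but previously fell off the end (UB).
    return found;
}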
/// Entry point: runs the registry artefact probe and exits with status 0.
int main()
{
    // The probe prints its findings; its return value is not needed here.
    static_cast<void>(RegistryArtifacts());
    return 0;
}
Detection Rules
rule:
meta:
name: check for windows sandbox via process name
namespace: anti-analysis/anti-vm/vm-detection
author: "@_re_fox"
scope: function
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
references:
- https://github.com/LloydLabs/wsb-detect
examples:
- 773290480d5445f11d3dc1b800728966:0x140001140
features:
- and:
- match: enumerate processes
- string: CExecSvc.exe
rule:
meta:
name: reference anti-VM strings targeting VMWare
namespace: anti-analysis/anti-vm/vm-detection
author: michael.hunhoff@fireeye.com
scope: file
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
references:
- https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/VMWare.cpp
examples:
- al-khaser_x86.exe_
features:
- or:
- string: /VMWare/i
- string: /VMTools/i
- string: /SOFTWARE\\VMware, Inc\.\\VMware Tools/i
- string: /vmnet.sys/i
- string: /vmmouse.sys/i
- string: /vmusb.sys/i
- string: /vm3dmp.sys/i
- string: /vmci.sys/i
- string: /vmhgfs.sys/i
- string: /vmmemctl.sys/i
- string: /vmx86.sys/i
- string: /vmrawdsk.sys/i
- string: /vmusbmouse.sys/i
- string: /vmkdb.sys/i
- string: /vmnetuserif.sys/i
- string: /vmnetadapter.sys/i
- string: /\\\\.\\HGFS/i
- string: /\\\\.\\vmci/i
- string: /vmtoolsd.exe/i
- string: /vmwaretray.exe/i
- string: /vmwareuser.exe/i
- string: /VGAuthService.exe/i
- string: /vmacthlp.exe/i
- string: /vmci/i
description: VMWare VMCI Bus Driver
- string: /vmhgfs/i
description: VMWare Host Guest Control Redirector
- string: /vmmouse/i
- string: /vmmemctl/i
description: VMWare Guest Memory Controller Driver
- string: /vmusb/i
- string: /vmusbmouse/i
- string: /vmx_svga/i
- string: /vmxnet/i
- string: /vmx86/i
- string: /VMwareVMware/i
- string: /vmGuestLib.dll/i
rule:
meta:
name: reference anti-VM strings
namespace: anti-analysis/anti-vm/vm-detection
author: moritz.raabe@fireeye.com
scope: file
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
references:
- https://github.com/ctxis/CAPE/blob/master/modules/signatures/antivm_*
- https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp
examples:
- Practical Malware Analysis Lab 17-02.dll_
features:
- or:
- string: /HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\BOCHS/i
- string: /HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)/i
- string: /HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\.*ProcessorNameString/i
- string: /HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0/i
- string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\IDE/i
- string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\Disk\\Enum\\/i
- string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\SystemInformation\\SystemManufacturer/i
- string: /A M I/i
- string: /Hyper-V/i
- string: /Kernel-VMDetection-Private/i
# https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L699
- string: /KVMKVMKVM/i
description: KVM
- string: /Microsoft Hv/i
description: Microsoft Hyper-V or Windows Virtual PC
# https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L8
- string: /avghookx.dll/i
description: AVG
- string: /avghooka.dll/i
description: AVG
- string: /snxhk.dll/i
description: Avast
- string: /pstorec.dll/i
description: SunBelt Sandbox
- string: /vmcheck.dll/i
description: Virtual PC
- string: /wpespy.dll/i
description: WPE Pro
- string: /cmdvrt64.dll/i
description: Comodo Container
- string: /cmdvrt32.dll/i
description: Comodo Container
# https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L46
- string: /sample.exe/i
- string: /bot.exe/i
- string: /sandbox.exe/i
- string: /malware.exe/i
- string: /test.exe/i
- string: /klavme.exe/i
- string: /myapp.exe/i
- string: /testapp.exe/i