Detecting Virtual Environment Files

Created the Monday 11 March 2019. Updated 3 years, 6 months ago.

Some files are created by Virtualbox and VMware on the system.

Malware can check the different folders to find Virtualbox artifacts like VBoxMouse.sys.

Malware can check the different folders to find VMware artifacts like vmmouse.sys, vmhgfs.sys.

Some Files Example

Below is a list of files that can be detected on virtual machines:

“C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\agent.pyw”,
“C:\WINDOWS\system32\drivers\vmmouse.sys”,
“C:\WINDOWS\system32\drivers\vmhgfs.sys”,
“C:\WINDOWS\system32\drivers\VBoxMouse.sys”,
“C:\WINDOWS\system32\drivers\VBoxGuest.sys”,
“C:\WINDOWS\system32\drivers\VBoxSF.sys”,
“C:\WINDOWS\system32\drivers\VBoxVideo.sys”,
“C:\WINDOWS\system32\vboxdisp.dll”,
“C:\WINDOWS\system32\vboxhook.dll”,
“C:\WINDOWS\system32\vboxmrxnp.dll”,
“C:\WINDOWS\system32\vboxogl.dll”,
“C:\WINDOWS\system32\vboxoglarrayspu.dll”,
“C:\WINDOWS\system32\vboxoglcrutil.dll”,
“C:\WINDOWS\system32\vboxoglerrorspu.dll”,
“C:\WINDOWS\system32\vboxoglfeedbackspu.dll”,
“C:\WINDOWS\system32\vboxoglpassthroughspu.dll”,
“C:\WINDOWS\system32\vboxservice.exe”,
“C:\WINDOWS\system32\vboxtray.exe”,
“C:\WINDOWS\system32\VBoxControl.exe”

Technique Identifier

U1333

Code Snippets

Thomas Roccia

#include <iostream>
#include <windows.h>

using namespace std;


BOOL FileExists(TCHAR* szPath)
{
	DWORD dwAttrib = GetFileAttributes(szPath);
	return (dwAttrib != INVALID_FILE_ATTRIBUTES) && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY);
}

// Check if file related to sandbox exist
int CheckFile()
{
    bool hAppend;
    LPSTR fname[] = {"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\agent.pyw",
                     "C:\\WINDOWS\\system32\\drivers\\vmmouse.sys",
                     "C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys",
                     "C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys",
                     "C:\\WINDOWS\\system32\\drivers\\VBoxGuest.sys",
                     "C:\\WINDOWS\\system32\\drivers\\VBoxSF.sys",
                     "C:\\WINDOWS\\system32\\drivers\\VBoxVideo.sys",
                     "C:\\WINDOWS\\system32\\vboxdisp.dll",
                     "C:\\WINDOWS\\system32\\vboxhook.dll",
                     "C:\\WINDOWS\\system32\\vboxmrxnp.dll",
                     "C:\\WINDOWS\\system32\\vboxogl.dll",
                     "C:\\WINDOWS\\system32\\vboxoglarrayspu.dll",
                     "C:\\WINDOWS\\system32\\vboxoglcrutil.dll",
                     "C:\\WINDOWS\\system32\\vboxoglerrorspu.dll",
                     "C:\\WINDOWS\\system32\\vboxoglfeedbackspu.dll",
                     "C:\\WINDOWS\\system32\\vboxoglpackspu.dll",
                     "C:\\WINDOWS\\system32\\vboxoglpassthroughspu.dll",
                     "C:\\WINDOWS\\system32\\vboxservice.exe",
                     "C:\\WINDOWS\\system32\\vboxtray.exe",
                     "C:\\WINDOWS\\system32\\VBoxControl.exe",
                     // ADD YOUR FILE HERE!
                    };

    for (int i = 0; i < (sizeof(fname) / sizeof(LPSTR)); i++)
    {

        if (FileExists(fname[i]))
            cout << " [+] File exist: " << (fname[i]) << endl;
		else
            cout << " [-] File doesn't exist: " << (fname[i]) << endl;

    }

    return 0;
}


int main()
{
    CheckFile();
    return 0;
}

Open Snippet

Detection Rules

CAPA

rule:
  meta:
    name: reference anti-VM strings targeting VMWare
    namespace: anti-analysis/anti-vm/vm-detection
    author: michael.hunhoff@fireeye.com
    scope: file
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/VMWare.cpp
    examples:
      - al-khaser_x86.exe_
  features:
    - or:
      - string: /VMWare/i
      - string: /VMTools/i
      - string: /SOFTWARE\\VMware, Inc\.\\VMware Tools/i
      - string: /vmnet.sys/i
      - string: /vmmouse.sys/i
      - string: /vmusb.sys/i
      - string: /vm3dmp.sys/i
      - string: /vmci.sys/i
      - string: /vmhgfs.sys/i
      - string: /vmmemctl.sys/i
      - string: /vmx86.sys/i
      - string: /vmrawdsk.sys/i
      - string: /vmusbmouse.sys/i
      - string: /vmkdb.sys/i
      - string: /vmnetuserif.sys/i
      - string: /vmnetadapter.sys/i
      - string: /\\\\.\\HGFS/i
      - string: /\\\\.\\vmci/i
      - string: /vmtoolsd.exe/i
      - string: /vmwaretray.exe/i
      - string: /vmwareuser.exe/i
      - string: /VGAuthService.exe/i
      - string: /vmacthlp.exe/i
      - string: /vmci/i
        description: VMWare VMCI Bus Driver
      - string: /vmhgfs/i
        description: VMWare Host Guest Control Redirector
      - string: /vmmouse/i
      - string: /vmmemctl/i
        description: VMWare Guest Memory Controller Driver
      - string: /vmusb/i
      - string: /vmusbmouse/i
      - string: /vmx_svga/i
      - string: /vmxnet/i
      - string: /vmx86/i
      - string: /VMwareVMware/i
      - string: /vmGuestLib.dll/i

rule:
  meta:
    name: reference anti-VM strings
    namespace: anti-analysis/anti-vm/vm-detection
    author: moritz.raabe@fireeye.com
    scope: file
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/ctxis/CAPE/blob/master/modules/signatures/antivm_*
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp
    examples:
      - Practical Malware Analysis Lab 17-02.dll_
  features:
    - or:
      - string: /HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\BOCHS/i
      - string: /HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)/i
      - string: /HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\.*ProcessorNameString/i
      - string: /HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0/i
      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\IDE/i
      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\Disk\\Enum\\/i
      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\SystemInformation\\SystemManufacturer/i
      - string: /A M I/i
      - string: /Hyper-V/i
      - string: /Kernel-VMDetection-Private/i
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L699
      - string: /KVMKVMKVM/i
        description: KVM
      - string: /Microsoft Hv/i
        description: Microsoft Hyper-V or Windows Virtual PC
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L8
      - string: /avghookx.dll/i
        description: AVG
      - string: /avghooka.dll/i
        description: AVG
      - string: /snxhk.dll/i
        description: Avast
      - string: /pstorec.dll/i
        description: SunBelt Sandbox
      - string: /vmcheck.dll/i
        description: Virtual PC
      - string: /wpespy.dll/i
        description: WPE Pro
      - string: /cmdvrt64.dll/i
        description: Comodo Container
      - string: /cmdvrt32.dll/i
        description: Comodo Container
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L46
      - string: /sample.exe/i
      - string: /bot.exe/i
      - string: /sandbox.exe/i
      - string: /malware.exe/i
      - string: /test.exe/i
      - string: /klavme.exe/i
      - string: /myapp.exe/i
      - string: /testapp.exe/i

Additional Resources

External Links

Stopping Malware With a Fake Virtual Machine | McAfee Blog