Detecting Virtual Environment Files

Created the Monday 11 March 2019. Updated 2 months, 1 week ago.

Some files are created by Virtualbox and VMware on the system.

Malware can check the different folders to find Virtualbox artifacts like VBoxMouse.sys.

Malware can check the different folders to find VMware artifacts like vmmouse.sys, vmhgfs.sys.

Some Files Example

Below is a list of files that can be detected on virtual machines:

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\agent.pyw",
"C:\WINDOWS\system32\drivers\vmmouse.sys",
"C:\WINDOWS\system32\drivers\vmhgfs.sys",
"C:\WINDOWS\system32\drivers\VBoxMouse.sys",
"C:\WINDOWS\system32\drivers\VBoxGuest.sys",
"C:\WINDOWS\system32\drivers\VBoxSF.sys",
"C:\WINDOWS\system32\drivers\VBoxVideo.sys",
"C:\WINDOWS\system32\vboxdisp.dll",
"C:\WINDOWS\system32\vboxhook.dll",
"C:\WINDOWS\system32\vboxmrxnp.dll",
"C:\WINDOWS\system32\vboxogl.dll",
"C:\WINDOWS\system32\vboxoglarrayspu.dll",
"C:\WINDOWS\system32\vboxoglcrutil.dll",
"C:\WINDOWS\system32\vboxoglerrorspu.dll",
"C:\WINDOWS\system32\vboxoglfeedbackspu.dll",
"C:\WINDOWS\system32\vboxoglpassthroughspu.dll",
"C:\WINDOWS\system32\vboxservice.exe",
"C:\WINDOWS\system32\vboxtray.exe",
"C:\WINDOWS\system32\VBoxControl.exe"

Technique Identifier

U1333

Code Snippets

#include <iostream>
#include <windows.h>

using namespace std;


BOOL FileExists(TCHAR* szPath)
{
	DWORD dwAttrib = GetFileAttributes(szPath);
	return (dwAttrib != INVALID_FILE_ATTRIBUTES) && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY);
}

// Check if file related to sandbox exist
int CheckFile()
{
    bool hAppend;
    LPSTR fname[] = {"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\agent.pyw",
                     "C:\\WINDOWS\\system32\\drivers\\vmmouse.sys",
                     "C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys",
                     "C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys",
                     "C:\\WINDOWS\\system32\\drivers\\VBoxGuest.sys",
                     "C:\\WINDOWS\\system32\\drivers\\VBoxSF.sys",
                     "C:\\WINDOWS\\system32\\drivers\\VBoxVideo.sys",
                     "C:\\WINDOWS\\system32\\vboxdisp.dll",
                     "C:\\WINDOWS\\system32\\vboxhook.dll",
                     "C:\\WINDOWS\\system32\\vboxmrxnp.dll",
                     "C:\\WINDOWS\\system32\\vboxogl.dll",
                     "C:\\WINDOWS\\system32\\vboxoglarrayspu.dll",
                     "C:\\WINDOWS\\system32\\vboxoglcrutil.dll",
                     "C:\\WINDOWS\\system32\\vboxoglerrorspu.dll",
                     "C:\\WINDOWS\\system32\\vboxoglfeedbackspu.dll",
                     "C:\\WINDOWS\\system32\\vboxoglpackspu.dll",
                     "C:\\WINDOWS\\system32\\vboxoglpassthroughspu.dll",
                     "C:\\WINDOWS\\system32\\vboxservice.exe",
                     "C:\\WINDOWS\\system32\\vboxtray.exe",
                     "C:\\WINDOWS\\system32\\VBoxControl.exe",
                     // ADD YOUR FILE HERE!
                    };

    for (int i = 0; i < (sizeof(fname) / sizeof(LPSTR)); i++)
    {

        if (FileExists(fname[i]))
            cout << " [+] File exist: " << (fname[i]) << endl;
		else
            cout << " [-] File doesn't exist: " << (fname[i]) << endl;

    }

    return 0;
}


int main()
{
    CheckFile();
    return 0;
}

Detection Rules

                                    rule:
  meta:
    name: reference anti-VM strings targeting VMWare
    namespace: anti-analysis/anti-vm/vm-detection
    author: michael.hunhoff@fireeye.com
    scope: file
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/VMWare.cpp
    examples:
      - al-khaser_x86.exe_
  features:
    - or:
      - string: /VMWare/i
      - string: /VMTools/i
      - string: /SOFTWARE\\VMware, Inc\.\\VMware Tools/i
      - string: /vmnet.sys/i
      - string: /vmmouse.sys/i
      - string: /vmusb.sys/i
      - string: /vm3dmp.sys/i
      - string: /vmci.sys/i
      - string: /vmhgfs.sys/i
      - string: /vmmemctl.sys/i
      - string: /vmx86.sys/i
      - string: /vmrawdsk.sys/i
      - string: /vmusbmouse.sys/i
      - string: /vmkdb.sys/i
      - string: /vmnetuserif.sys/i
      - string: /vmnetadapter.sys/i
      - string: /\\\\.\\HGFS/i
      - string: /\\\\.\\vmci/i
      - string: /vmtoolsd.exe/i
      - string: /vmwaretray.exe/i
      - string: /vmwareuser.exe/i
      - string: /VGAuthService.exe/i
      - string: /vmacthlp.exe/i
      - string: /vmci/i
        description: VMWare VMCI Bus Driver
      - string: /vmhgfs/i
        description: VMWare Host Guest Control Redirector
      - string: /vmmouse/i
      - string: /vmmemctl/i
        description: VMWare Guest Memory Controller Driver
      - string: /vmusb/i
      - string: /vmusbmouse/i
      - string: /vmx_svga/i
      - string: /vmxnet/i
      - string: /vmx86/i
      - string: /VMwareVMware/i
      - string: /vmGuestLib.dll/i

rule:
  meta:
    name: reference anti-VM strings
    namespace: anti-analysis/anti-vm/vm-detection
    author: moritz.raabe@fireeye.com
    scope: file
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/ctxis/CAPE/blob/master/modules/signatures/antivm_*
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp
    examples:
      - Practical Malware Analysis Lab 17-02.dll_
  features:
    - or:
      - string: /HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\BOCHS/i
      - string: /HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)/i
      - string: /HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\.*ProcessorNameString/i
      - string: /HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0/i
      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\IDE/i
      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\Disk\\Enum\\/i
      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\SystemInformation\\SystemManufacturer/i
      - string: /A M I/i
      - string: /Hyper-V/i
      - string: /Kernel-VMDetection-Private/i
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L699
      - string: /KVMKVMKVM/i
        description: KVM
      - string: /Microsoft Hv/i
        description: Microsoft Hyper-V or Windows Virtual PC
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L8
      - string: /avghookx.dll/i
        description: AVG
      - string: /avghooka.dll/i
        description: AVG
      - string: /snxhk.dll/i
        description: Avast
      - string: /pstorec.dll/i
        description: SunBelt Sandbox
      - string: /vmcheck.dll/i
        description: Virtual PC
      - string: /wpespy.dll/i
        description: WPE Pro
      - string: /cmdvrt64.dll/i
        description: Comodo Container
      - string: /cmdvrt32.dll/i
        description: Comodo Container
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L46
      - string: /sample.exe/i
      - string: /bot.exe/i
      - string: /sandbox.exe/i
      - string: /malware.exe/i
      - string: /test.exe/i
      - string: /klavme.exe/i
      - string: /myapp.exe/i
      - string: /testapp.exe/i

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Stopping Malware With a Fake Virtual Machine | McAfee Blog