Detecting Virtual Environment Process

Created the Monday 11 March 2019. Updated 1 year, 2 months ago.

Process related to Virtualbox can be detected by malware by query the process list.

The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. A malware can list the process and searches for the VMware string. Process: VMwareService.exe, VMwareTray.exe, TPAutoConnSvc.exe, VMtoolsd.exe, VMwareuser.exe.

Technique Identifiers

U1334 B0009.004

Code Snippets

Description

This technique detects virtual environment processes by looking for common process names associated with virtualization software like VMware and VirtualBox.

It works by:

1. Maintaining a list of known virtual environment process names
1. Taking a snapshot of currently running processes
1. Comparing each running process against the known list
1. Returns true if any virtual environment process is found

#include <Windows.h>
#include <TlHelp32.h>
#include <vector>
#include <string>
#include <iostream>

bool DetectVirtualEnvironmentProcess() {
    // List of common virtual environment process names
    std::vector<std::wstring> virtualProcesses = {
        L"VMwareService.exe",
        L"VMwareTray.exe", 
        L"TPAutoConnSvc.exe",
        L"VMtoolsd.exe",
        L"VMwareuser.exe",
        // VirtualBox specific processes
        L"VBoxService.exe",
        L"VBoxTray.exe"
    };

    // Create snapshot of current processes
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        return false;
    }

    PROCESSENTRY32W pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32W);

    // Get first process
    if (!Process32FirstW(hProcessSnap, &pe32)) {
        CloseHandle(hProcessSnap);
        return false;
    }

    // Iterate through all processes
    do {
        for (const auto& virtualProcess : virtualProcesses) {
            // Case insensitive comparison of process names
            if (_wcsicmp(pe32.szExeFile, virtualProcess.c_str()) == 0) {
                std::wcout << L"Virtual environment process detected: " << pe32.szExeFile << std::endl;
                CloseHandle(hProcessSnap);
                return true;
            }
        }
    } while (Process32NextW(hProcessSnap, &pe32));

    CloseHandle(hProcessSnap);
    return false;
}

int main() {
    if (DetectVirtualEnvironmentProcess()) {
        std::cout << "Running in a virtual environment!" << std::endl;
    } else {
        std::cout << "No virtual environment detected." << std::endl;
    }
    return 0;
}

About Author Open Snippet

Author: 0x_ror / Target Platform: Windows

Detection Rules

rule:
  meta:
    name: check for windows sandbox via process name
    namespace: anti-analysis/anti-vm/vm-detection
    author: "@_re_fox"
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LloydLabs/wsb-detect
    examples:
      - 773290480d5445f11d3dc1b800728966:0x140001140
  features:
    - and:
      - match: enumerate processes
      - string: CExecSvc.exe

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Stopping Malware With a Fake Virtual Machine | McAfee Blog