VboxEnumShares

Created the Saturday 17 August 2024. Updated 4 weeks, 2 days ago.

This method represents a variation of the WNetGetProviderName(WNNC_NET_RDR2SAMPLE, ...) approach, which is typically employed to determine if the network share's provider name is specific, such as VirtualBox. Instead of relying on this well-established technique, we utilize WNetOpenEnum and WNetEnumResource functions to iterate through each network resource. The primary objective is to identify VirtualBox shared folders, which typically feature "VirtualBox" or "VBoxSrv" substrings in their names. The latter, VBoxSrv, serves as a pseudo-network redirector provided by VirtualBox, enabling access to shared folders within the guest OS. These folders are sub-resources of the VirtualBox Shared Folder resource. By systematically enumerating these folders, a malware sample can ascertain the presence of the hypervisor in an alternative manner.

Technique Identifier

U1347

Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.

Code Snippets

#include <iostream>
#include <Windows.h>
#include <winnetwk.h>
#include <algorithm>
#include <string>

#pragma comment(lib, "Mpr.lib")

void EnumerateResources(LPNETRESOURCEW pRsrc, DWORD scope, DWORD type, DWORD usage) {
	HANDLE hEnum = NULL;
	DWORD result = WNetOpenEnumW(scope, type, usage, pRsrc, &hEnum);

	if (result != NO_ERROR) {
		std::cerr << "WNetOpenEnumW failed with error: " << result << std::endl;
		return;
	}

	BYTE buffer[65536];
	DWORD count;
	DWORD bufSize;

	do {
		count = (DWORD)-1;
		bufSize = sizeof(buffer);
		result = WNetEnumResourceW(hEnum, &count, buffer, &bufSize);

		if (result == NO_ERROR || result == ERROR_MORE_DATA) {
			// Results from WNetEnumResource are returned as an array of NETRESOURCE structures
			LPNETRESOURCEW pNR = (LPNETRESOURCEW)buffer;
			for (DWORD i = 0; i < count; i++) {
				std::wstring remoteName_upper;
				if (pNR[i].lpRemoteName) { // Convert RemoteName to uppercase
					remoteName_upper = pNR[i].lpRemoteName;
					std::transform(remoteName_upper.begin(), remoteName_upper.end(), remoteName_upper.begin(), ::towupper);
				}
				if (!remoteName_upper.empty() && (remoteName_upper.find(L"VIRTUALBOX") != std::wstring::npos || remoteName_upper.find(L"VBOXSVR") != std::wstring::npos)) {
					wprintf(L"Found VirtualBox environment! RemoteName: %ls, Provider: %ls\n", pNR[i].lpRemoteName, pNR[i].lpProvider);
				}
				else if (pNR[i].lpRemoteName) {
					wprintf(L"Net resource: %ls , %ls\n",
						pNR[i].lpRemoteName ? pNR[i].lpRemoteName : L"(null)",
						pNR[i].lpProvider ? pNR[i].lpProvider : L"(null)");
				}
				// If the resource has more children, enumerate them recursively
				if (pNR[i].dwUsage & RESOURCEUSAGE_CONTAINER) {
					EnumerateResources(&pNR[i], scope, type, usage);
				}
			}
		}
		else if (result != ERROR_NO_MORE_ITEMS) {
			std::cerr << "WNetEnumResourceW failed with error: " << result << std::endl;
			break;
		}
	} while (result == ERROR_MORE_DATA);

	WNetCloseEnum(hEnum);
}

int main() {
	EnumerateResources(nullptr, RESOURCE_GLOBALNET, RESOURCETYPE_DISK, 0);
	return 0;
}

Contributors

HoIIovv

VboxEnumShares

Technique Identifier

Featured Windows API's

Code Snippets

Contributors

Subscribe to our Newsletter