

Filesystem detection methods

The principle behind all filesystem detection methods is the same: certain files and directories do not exist on an ordinary host but do exist in particular virtual environments and sandboxes. If such an artifact is present, the virtual environment may be detected.

1. Check if specific files exist

This method uses the difference between the files present on an ordinary host system and those present in virtual environments. Quite a few file artifacts are specific to virtual environments; they are not present on ordinary host systems where no virtual environment is installed.

Function used: GetFileAttributes (the function called in the code sample below)

Code sample

/* Returns TRUE if szPath exists and is not a directory */
BOOL is_FileExists(TCHAR* szPath)
{
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES) && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY);
}

/*
Check against some of VMWare blacklisted files
(print_results is an al-khaser helper that reports the outcome of each check)
*/
VOID vmware_files()
{
    /* Array of strings of blacklisted paths, relative to the Windows directory */
    TCHAR* szPaths[] = {
        _T("system32\\drivers\\vmmouse.sys"),
        _T("system32\\drivers\\vmhgfs.sys"),
    };

    /* Getting Windows Directory */
    WORD dwlength = sizeof(szPaths) / sizeof(szPaths[0]);
    TCHAR szWinDir[MAX_PATH] = _T("");
    TCHAR szPath[MAX_PATH] = _T("");
    GetWindowsDirectory(szWinDir, MAX_PATH);

    /* Check one by one */
    for (int i = 0; i < dwlength; i++)
    {
        /* Build the absolute path, e.g. C:\Windows\system32\drivers\vmmouse.sys */
        PathCombine(szPath, szWinDir, szPaths[i]);
        TCHAR msg[256] = _T("");
        _stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking file %s: "), szPath);
        if (is_FileExists(szPath))
            print_results(TRUE, msg);
        else
            print_results(FALSE, msg);
    }
}

Credits for this code sample: al-khaser project

Signature recommendations

If the following function contains its only argument from the table column `Path`:

GetFileAttributes

then it's an indication of an application trying to use the evasion technique.

Detections table

Check if the following files exist:

Detect     | Path                                              | Details (if any)
-----------|---------------------------------------------------|-----------------------------------------
[general]  | c:\[60 random hex symbols]                        | file unique to the PC used for encoding
           | c:\take_screenshot.ps1                            |
           | c:\loaddll.exe                                    |
           | c:\email.doc                                      |
           | c:\email.htm                                      |
           | c:\123\email.doc                                  |
           | c:\123\email.docx                                 |
           | c:\a\foobar.bmp                                   |
           | c:\a\foobar.doc                                   |
           | c:\a\foobar.gif                                   |
           | c:\symbols\aagmmc.pdb                             |
Parallels  | c:\windows\system32\drivers\prleth.sys            | Network Adapter
           | c:\windows\system32\drivers\prlfs.sys             |
           | c:\windows\system32\drivers\prlmouse.sys          | Mouse Synchronization Tool
           | c:\windows\system32\drivers\prlvideo.sys          |
           | c:\windows\system32\drivers\prltime.sys           | Time Synchronization Driver
           | c:\windows\system32\drivers\prl_pv32.sys          | Paravirtualization Driver
           | c:\windows\system32\drivers\prl_paravirt_32.sys   | Paravirtualization Driver
VirtualBox | c:\windows\system32\drivers\VBoxMouse.sys         |
           | c:\windows\system32\drivers\VBoxGuest.sys         |
           | c:\windows\system32\drivers\VBoxSF.sys            |
           | c:\windows\system32\drivers\VBoxVideo.sys         |
           | c:\windows\system32\vboxdisp.dll                  |
           | c:\windows\system32\vboxhook.dll                  |
           | c:\windows\system32\vboxmrxnp.dll                 |
           | c:\windows\system32\vboxogl.dll                   |
           | c:\windows\system32\vboxoglarrayspu.dll           |
           | c:\windows\system32\vboxoglcrutil.dll             |
           | c:\windows\system32\vboxoglerrorspu.dll           |
           | c:\windows\system32\vboxoglfeedbackspu.dll        |
           | c:\windows\system32\vboxoglpackspu.dll            |
           | c:\windows\system32\vboxoglpassthroughspu.dll     |
           | c:\windows\system32\vboxservice.exe               |
           | c:\windows\system32\vboxtray.exe                  |
           | c:\windows\system32\VBoxControl.exe               |
VirtualPC  | c:\windows\system32\drivers\vmsrvc.sys            |
           | c:\windows\system32\drivers\vpc-s3.sys            |
VMWare     | c:\windows\system32\drivers\vmmouse.sys           | Pointing PS/2 Device Driver
           | c:\windows\system32\drivers\vmnet.sys             |
           | c:\windows\system32\drivers\vmxnet.sys            | PCI Ethernet Adapter
           | c:\windows\system32\drivers\vmhgfs.sys            | HGFS Filesystem Driver
           | c:\windows\system32\drivers\vmx86.sys             |
           | c:\windows\system32\drivers\hgfs.sys              |


2. Check if specific directories are present

This method uses the difference between the directories present on an ordinary host system and those present in virtual environments. Quite a few directory artifacts are specific to virtual environments; they are not present on ordinary host systems where no virtual environment is installed.

Function used: GetFileAttributes (the function called in the code sample below)

Code sample

/* Returns TRUE if szPath exists and is a directory */
BOOL is_DirectoryExists(TCHAR* szPath)
{
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES) && (dwAttrib & FILE_ATTRIBUTE_DIRECTORY);
}

/*
Check against VMWare blacklisted directory
(IsWoW64 is an al-khaser helper that tells whether this is a 32-bit process on 64-bit Windows)
*/
BOOL vmware_dir()
{
    TCHAR szProgramFile[MAX_PATH];
    TCHAR szPath[MAX_PATH] = _T("");
    TCHAR szTarget[MAX_PATH] = _T("VMWare\\");

    /* Under WoW64 the Program Files folder resolves to "Program Files (x86)",
       so the 64-bit Program Files directory is taken from %ProgramW6432% instead */
    if (IsWoW64())
        ExpandEnvironmentStrings(_T("%ProgramW6432%"), szProgramFile, ARRAYSIZE(szProgramFile));
    else
        SHGetSpecialFolderPath(NULL, szProgramFile, CSIDL_PROGRAM_FILES, FALSE);

    /* e.g. C:\Program Files\VMWare\ */
    PathCombine(szPath, szProgramFile, szTarget);
    return is_DirectoryExists(szPath);
}

Credits for this code sample: al-khaser project

Signature recommendations

If the following function contains its only argument from the table column `Path`:

GetFileAttributes

then it's an indication of an application trying to use the evasion technique.

Detections table

Check if the following directories exist:

Detect     | Path
-----------|----------------------------------------------------
CWSandbox  | c:\analysis
VirtualBox | %PROGRAMFILES%\oracle\virtualbox guest additions\
VMWare     | %PROGRAMFILES%\VMWare\
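The signature recommendation for both the file check and the directory check above is one rule: GetFileAttributes called with a path from the `Path` column. The Python below is an added example of that rule applied to API-call trace lines; it is not code from the encyclopedia, from al-khaser or from any sandbox. It assumes a simple "API|argument" trace format (constructed here), folds the Windows directory and both Program Files spellings onto the tables' notation so the rule matches regardless of drive letter or bitness, and treats the "[60 random hex symbols]" row as a pattern rather than a literal path.

```python
import re

# Constructed indicator tables: the Path columns of the file-existence and
# directory-existence detection tables above, lower-cased. The encyclopedia's
# tables remain the source of truth; nothing is added to them here.
_SYS32 = r"c:\windows\system32"
_DRV = _SYS32 + r"\drivers"
FILE_INDICATORS = {}
for _vendor, _base, _names in (
    ("general", "c:", ["take_screenshot.ps1", "loaddll.exe", "email.doc", "email.htm",
                       r"123\email.doc", r"123\email.docx", r"a\foobar.bmp",
                       r"a\foobar.doc", r"a\foobar.gif", r"symbols\aagmmc.pdb"]),
    ("Parallels", _DRV, ["prleth.sys", "prlfs.sys", "prlmouse.sys", "prlvideo.sys",
                         "prltime.sys", "prl_pv32.sys", "prl_paravirt_32.sys"]),
    ("VirtualBox", _DRV, ["vboxmouse.sys", "vboxguest.sys", "vboxsf.sys", "vboxvideo.sys"]),
    ("VirtualBox", _SYS32, ["vboxdisp.dll", "vboxhook.dll", "vboxmrxnp.dll", "vboxogl.dll",
                            "vboxoglarrayspu.dll", "vboxoglcrutil.dll", "vboxoglerrorspu.dll",
                            "vboxoglfeedbackspu.dll", "vboxoglpackspu.dll",
                            "vboxoglpassthroughspu.dll", "vboxservice.exe", "vboxtray.exe",
                            "vboxcontrol.exe"]),
    ("VirtualPC", _DRV, ["vmsrvc.sys", "vpc-s3.sys"]),
    ("VMWare", _DRV, ["vmmouse.sys", "vmnet.sys", "vmxnet.sys", "vmhgfs.sys",
                      "vmx86.sys", "hgfs.sys"]),
):
    for _name in _names:
        FILE_INDICATORS[_base + "\\" + _name] = _vendor

DIR_INDICATORS = {
    r"c:\analysis": "CWSandbox",
    r"%programfiles%\oracle\virtualbox guest additions": "VirtualBox",
    r"%programfiles%\vmware": "VMWare",
}
# The "c:\[60 random hex symbols]" row: a 60-character hex name directly under c:\.
RANDOM_HEX_FILE = re.compile(r"^c:\\[0-9a-f]{60}$")
# Spellings %PROGRAMFILES% can expand to (64-bit, WoW64 %ProgramW6432%, 32-bit); an
# assumption of this example so the directory table matches either way.
PROGRAM_FILES_VARIANTS = (r"c:\program files", r"c:\program files (x86)")


def normalize(path):
    """Canonicalise a path argument as it appears in an API-call trace."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    if p.startswith("\\\\?\\"):            # extended-length prefix
        p = p[4:]
    # GetWindowsDirectory may return e.g. d:\winnt; fold onto the table's c:\windows.
    p = re.sub(r"^[a-z]:\\(windows|winnt)\\", r"c:\\windows\\", p)
    for variant in PROGRAM_FILES_VARIANTS:
        if p.startswith(variant + "\\"):
            p = "%programfiles%" + p[len(variant):]
            break
    return p.rstrip("\\")


def classify(api_name, argument):
    """Return (vendor, indicator) when a GetFileAttributes call probes a known
    artifact, else None. Only the function named in the signature recommendation
    is considered; other file APIs are deliberately left to other rules."""
    if re.sub(r"[aw]$", "", api_name.lower()) != "getfileattributes":
        return None
    p = normalize(argument)
    if p in FILE_INDICATORS:
        return FILE_INDICATORS[p], p
    if p in DIR_INDICATORS:
        return DIR_INDICATORS[p], p
    if RANDOM_HEX_FILE.match(p):
        return "general", r"c:\[60 random hex symbols]"
    return None


# Constructed trace lines in a simple "API|argument" form (not real sandbox output).
SAMPLE_TRACE = [
    "GetFileAttributesW|C:\\Windows\\System32\\drivers\\vmmouse.sys",
    "GetFileAttributesW|C:\\Program Files\\VMware\\",
    "GetFileAttributesW|C:\\Program Files (x86)\\Oracle\\VirtualBox Guest Additions\\",
    "GetFileAttributesW|C:\\Users\\user\\Documents\\report.docx",
    "GetFileAttributesW|C:\\" + "ab" * 30,
    "CreateFileW|C:\\Windows\\System32\\drivers\\VBoxGuest.sys",
]


def scan_trace(lines):
    """Return [(api, vendor, indicator)] for every trace line that matches."""
    hits = []
    for line in lines:
        api, _, arg = line.partition("|")
        verdict = classify(api, arg)
        if verdict is not None:
            hits.append((api, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for hit in scan_trace(SAMPLE_TRACE):
        print("%-20s %-11s %s" % hit)
```

Run against the constructed trace, the four GetFileAttributes probes of tabled artifacts are reported with their vendor, the document probe and the CreateFileW line are not. The folding in normalize is what keeps the rule usable on a sandbox whose Windows directory is not on C: or whose sample runs as a 32-bit process.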


 

3. Check if full path to the executable contains one of the specific strings

This method relies on peculiarities of how executables are launched inside virtual environments. Some environments launch executables from specific paths, and malware samples check these paths.

Functions used to get the executable path: GetModuleFileName, QueryFullProcessImageName (each shown in a code sample below)

Code sample (function GetModuleFileName)

#include <windows.h>
#include <string.h>
#include <ctype.h>

/* Returns TRUE if the path of the running executable contains a suspicious string */
int gensandbox_path() {
    char path[500];
    size_t i;
    DWORD pathsize = sizeof(path);

    /* NULL module handle: the path of the calling process's own executable */
    GetModuleFileName(NULL, path, pathsize);

    for (i = 0; i < strlen(path); i++) { /* case-insensitive */
        path[i] = toupper((unsigned char)path[i]);
    }

    // some sample values from the table
    if (strstr(path, "\\SAMPLE") != NULL) {
        return TRUE;
    }
    if (strstr(path, "\\VIRUS") != NULL) {
        return TRUE;
    }
    if (strstr(path, "SANDBOX") != NULL) {
        return TRUE;
    }

    return FALSE;
}

Credits for this code sample: pafish project

Code sample (function QueryFullProcessImageName)

/* Prints the full image path of the process with the given PID, e.g. print_exe_path(1337) */
void print_exe_path(DWORD PID)
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, PID);
    if (hProcess == NULL) return;
    DWORD value = MAX_PATH; /* in: buffer size in characters; out: characters written */
    char buffer[MAX_PATH];
    if (QueryFullProcessImageName(hProcess, 0, buffer, &value))
        printf("EXE Path: %s\n", buffer);
    CloseHandle(hProcess);
}

No signature recommendations

Signature recommendations are not provided, as it is hard to say why exactly an application wants to get its full path. Function calls may be hooked, and that's it: just a general recommendation.

Detections table

Check if the full path to the executable contains one of the following strings:

Detect     | String
-----------|--------
[general]  | \sample
           | \virus
           | sandbox


4. Check if the executable is run from a specific directory

This method relies on peculiarities of how executables are launched inside virtual environments. Some environments launch executables from specific directories, and malware samples check these directories.

It is just a particular case of checking for the presence of specific strings in the full application path; please refer to the section above for the code sample and signature recommendations.

As this method is pretty old and not commonly used, links to external sources are provided for reference on this method:

Detections table

Check if the executable is run from the following directories:

Detect     | Path
-----------|-------------
Anubis     | c:\insidetm


5. Check if executable files with specific names are present in the root of physical disk drives

This method relies on peculiarities of virtual environments, in this case the presence of specific files in the root directories of disk drives.

Function used: GetFileAttributes (after enumerating the drives with GetLogicalDriveStrings, as in the code sample below)

Code sample (functions GetLogicalDriveStrings, GetFileAttributes)

/* Returns TRUE if the file exists, with WoW64 filesystem redirection disabled for the
   check (pafish_iswow64 and the *_wow64_fs_redirection functions are pafish helpers) */
int pafish_exists_file(char * filename) {
    DWORD res = INVALID_FILE_ATTRIBUTES;
    if (pafish_iswow64() == TRUE) {
        void *old = NULL;
        // Disable redirection immediately prior to calling GetFileAttributes.
        if (pafish_disable_wow64_fs_redirection(&old) ) {
            res = GetFileAttributes(filename);
            // Ignoring MSDN recommendation of exiting if this call fails.
            pafish_revert_wow64_fs_redirection(old);
        }
    }
    else {
        res = GetFileAttributes(filename);
    }
    return (res != INVALID_FILE_ATTRIBUTES) ? TRUE : FALSE;
}

/* Looks for sample.exe and malware.exe in the root of every non-removable drive */
int gensandbox_common_names() {
    DWORD dwSize = MAX_PATH;
    char szLogicalDrives[MAX_PATH] = {0};
    /* Fills the buffer with "C:\", "D:\", ... as a double-NUL-terminated list */
    DWORD dwResult = GetLogicalDriveStrings(dwSize,szLogicalDrives);
    BOOL exists;

    if (dwResult > 0 && dwResult <= MAX_PATH)
    {
        char* szSingleDrive = szLogicalDrives;
        char filename[MAX_PATH] = {0};
        while(*szSingleDrive)
        {
            if (GetDriveType(szSingleDrive) != DRIVE_REMOVABLE ) {
                snprintf(filename, MAX_PATH, "%ssample.exe",szSingleDrive);
                exists = pafish_exists_file(filename);
                if (exists) return TRUE;

                snprintf(filename, MAX_PATH, "%smalware.exe",szSingleDrive);
                exists = pafish_exists_file(filename);
                if (exists) return TRUE;
            }

            /* Advance past this drive string and its terminating NUL */
            szSingleDrive += strlen(szSingleDrive) + 1;
        }
    }

    return FALSE;
}

Credits for this code sample: pafish project

Signature recommendations

If the following function contains its only argument from the table column `Path`:

GetFileAttributes

then it's an indication of an application trying to use the evasion technique.

Detections table

Check if executables with the following names are present in the disk root:

Detect     | Path
-----------|------------
[general]  | malware.exe
           | sample.exe
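The root-executable check above has a recognisable call sequence: GetLogicalDriveStrings, then GetDriveType and GetFileAttributes on <drive>:\sample.exe and <drive>:\malware.exe for every fixed drive. The Python below is an added example, not pafish code or encyclopedia code, that correlates that sequence in a constructed trace of (API, argument) pairs and parses the double-NUL-terminated drive buffer the way the C loop does; the trace format and the buffer contents are assumptions of the example.

```python
import re

# Names from the Detections table above, probed in every drive root.
ROOT_NAMES = ("malware.exe", "sample.exe")
ROOT_PROBE = re.compile(r"^([a-z]):\\(" + "|".join(re.escape(n) for n in ROOT_NAMES) + r")$")


def parse_drive_strings(buffer):
    r"""Split the double-NUL-terminated buffer filled by GetLogicalDriveStrings
    ("C:\\\0D:\\\0\0") into drive roots, exactly as the C loop
    'szSingleDrive += strlen(szSingleDrive) + 1' walks it."""
    roots, pos = [], 0
    while pos < len(buffer) and buffer[pos] != "\0":
        end = buffer.find("\0", pos)
        if end < 0:                       # unterminated buffer: take the rest
            end = len(buffer)
        roots.append(buffer[pos:end])
        pos = end + 1
    return roots


def _api(name):
    return re.sub(r"[aw]$", "", name.lower())   # GetFileAttributesA/W -> getfileattributes


def find_root_probes(trace):
    """Correlate the call sequence of the check: an optional drive enumeration
    followed by GetFileAttributes on <drive>:\\<name> for the table's names.
    Returns a dict with the verdict and the drives/names that were probed."""
    result = {"flagged": False, "enumerated": [], "probed": {}}
    for api, arg in trace:
        name = _api(api)
        if name == "getlogicaldrivestrings":
            result["enumerated"] = parse_drive_strings(arg)
            continue
        if name == "getfileattributes":
            m = ROOT_PROBE.match(arg.lower().replace("/", "\\"))
            if m:
                result["probed"].setdefault(m.group(1), set()).add(m.group(2))
    # One root-level probe of a tabled name is already the signature above;
    # a preceding drive enumeration and probes on several drives strengthen it.
    result["flagged"] = bool(result["probed"])
    return result


# Constructed trace (API name, argument or returned buffer); not real sandbox output.
SAMPLE_TRACE = [
    ("GetLogicalDriveStringsA", "C:\\\0D:\\\0E:\\\0\0"),
    ("GetDriveTypeA", "C:\\"),
    ("GetFileAttributesA", "C:\\sample.exe"),
    ("GetFileAttributesA", "C:\\malware.exe"),
    ("GetDriveTypeA", "D:\\"),
    ("GetFileAttributesA", "D:\\sample.exe"),
    ("GetFileAttributesA", "D:\\malware.exe"),
    ("GetDriveTypeA", "E:\\"),                             # removable drive: skipped by the sample
    ("GetFileAttributesA", "C:\\Users\\user\\sample.exe"),  # not in a drive root: ignored
]


if __name__ == "__main__":
    r = find_root_probes(SAMPLE_TRACE)
    print("flagged:", r["flagged"], "enumerated:", r["enumerated"])
    for drive, names in sorted(r["probed"].items()):
        print("  %s:\\ -> %s" % (drive, ", ".join(sorted(names))))
```

The per-drive breakdown is the part worth keeping in a report: a sample that probes both names on every fixed drive right after enumerating them is following the code above almost literally, whereas a single probe of a file in a user directory does not match the pattern at all.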


 

Countermeasures

Hook the target functions and return appropriate results if the indicators (files and directories from the tables above) are checked.
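As an added illustration of this countermeasure (not code from the encyclopedia or from InviZzzible), the Python below models an import-table hook by swapping entries in a dispatch table: the hooked GetFileAttributes reports the tabled artifacts as absent and the hooked GetModuleFileName replaces a launch path that contains the tabled strings, while every intercepted probe is logged. The in-memory FAKE_DISK, the launch path C:\sandbox\sample.exe and the substitute path are constructed for the example, and HIDDEN_PATHS is only a subset of the tables.

```python
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_ARCHIVE = 0x20

# Constructed stand-in for the analysis VM's disk (path -> attributes); not a real
# system. It deliberately contains artifacts from the tables above.
FAKE_DISK = {
    r"c:\windows\system32\drivers\vmmouse.sys": FILE_ATTRIBUTE_ARCHIVE,
    r"c:\windows\system32\drivers\vmhgfs.sys": FILE_ATTRIBUTE_ARCHIVE,
    r"c:\program files\vmware": FILE_ATTRIBUTE_DIRECTORY,
    r"c:\sample.exe": FILE_ATTRIBUTE_ARCHIVE,
    r"c:\users\user\documents\invoice.docx": FILE_ATTRIBUTE_ARCHIVE,
}
# Subset of the page's indicators used by this example (two driver files, a
# directory and a root-level executable); a deployment would load all the tables.
HIDDEN_PATHS = {
    r"c:\windows\system32\drivers\vmmouse.sys",
    r"c:\windows\system32\drivers\vmhgfs.sys",
    r"c:\program files\vmware",
    r"c:\sample.exe",
}
PATH_STRINGS = ("\\sample", "\\virus", "sandbox")   # strings from the path table


def norm(path):
    return path.lower().replace("/", "\\").rstrip("\\")


def real_get_file_attributes(path):
    """Unhooked behaviour: report what is really on the (fake) disk."""
    return FAKE_DISK.get(norm(path), INVALID_FILE_ATTRIBUTES)


def real_get_module_file_name():
    """Unhooked behaviour: the path the sandbox really launched the sample from."""
    return r"C:\sandbox\sample.exe"


def new_api_table():
    """Dispatch table standing in for the import table the hooks patch."""
    return {"GetFileAttributes": real_get_file_attributes,
            "GetModuleFileName": real_get_module_file_name}


def install_hooks(table, events, safe_exe_path=r"C:\Users\user\Downloads\invoice.exe"):
    """Replace the table entries with wrappers that hide the indicators and log
    every attempt; all other calls pass through to the original functions."""
    orig_gfa, orig_gmfn = table["GetFileAttributes"], table["GetModuleFileName"]

    def hooked_gfa(path):
        if norm(path) in HIDDEN_PATHS:
            events.append(("GetFileAttributes", path))  # evidence of the evasion attempt
            return INVALID_FILE_ATTRIBUTES               # claim the artifact is absent
        return orig_gfa(path)

    def hooked_gmfn():
        real = orig_gmfn()
        if any(s in real.lower() for s in PATH_STRINGS):
            events.append(("GetModuleFileName", real))
            return safe_exe_path                         # a plausible user path instead
        return real

    table["GetFileAttributes"] = hooked_gfa
    table["GetModuleFileName"] = hooked_gmfn


def sample_checks(table):
    """The checks from the code samples above, issued through the table; returns
    the indicators the sample would have found."""
    gfa, gmfn = table["GetFileAttributes"], table["GetModuleFileName"]
    found = [p for p in (r"C:\Windows\system32\drivers\vmmouse.sys",
                         "C:\\Program Files\\VMware\\", r"C:\sample.exe")
             if gfa(p) != INVALID_FILE_ATTRIBUTES]
    exe = gmfn().lower()
    if any(s in exe for s in PATH_STRINGS):
        found.append("exe path: " + exe)
    return found


def demo():
    """Run the checks before and after hooking; return (before, after, events)."""
    table, events = new_api_table(), []
    before = sample_checks(table)
    install_hooks(table, events)
    after = sample_checks(table)
    return before, after, events


if __name__ == "__main__":
    before, after, events = demo()
    print("found before hooking:", before)
    print("found after hooking: ", after)
    print("logged attempts:     ", events)
```

Two details matter in a real hook that the model leaves out: GetFileAttributes signals failure through the thread's last-error value as well, so the hook should set ERROR_FILE_NOT_FOUND (or ERROR_PATH_NOT_FOUND) alongside INVALID_FILE_ATTRIBUTES, and the logged events are the useful output, since they show which indicator each sample probed and let the tables be tuned to the artifacts a particular sandbox actually exposes.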


 

Credits

Credits go to the open-source projects from which the code samples were taken: al-khaser and pafish.

Though the Check Point tool InviZzzible has all of these implemented, due to the modular structure of its code it would take more space to show a code sample from this tool for the same purposes. That's why we've decided to use other great open-source projects for the examples throughout the encyclopedia.