FileSystem  H  FileSystem  Registry  Generic OS Queries  Global OS object  UI artifacts  OS Features  Processes  Network  CPU  Hardware  Firmware tables  Hooks  Timing  WMI  Human-like behavior  macOS

Filesystem detection methods

The principle of all the filesystem detection methods is the following: there are no such files and directories in usual host; however they exist in particular virtual environments and sandboxes. Virtual environment may be detected if such an artifact is present.

1. Check if specific files exist

This method uses the difference in files which are present in usual host system and virtual environments. There are quite a few file artifacts present in virtual environments which are specific for such kinds of systems. These files are not present on usual host systems where no virtual environment is installed.

Function used:

• GetFileAttributes // if attributes are invalid then no file exists

Code sample

BOOL is_FileExists(TCHAR* szPath)
{
DWORD dwAttrib = GetFileAttributes(szPath);
return (dwAttrib != INVALID_FILE_ATTRIBUTES) && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY);
}

/*
Check against some of VMWare blacklisted files
*/
VOID vmware_files()
{
/* Array of strings of blacklisted paths */
TCHAR* szPaths[] = {
_T("system32\\drivers\\vmmouse.sys"),
_T("system32\\drivers\\vmhgfs.sys"),
};
    
/* Getting Windows Directory */
WORD dwlength = sizeof(szPaths) / sizeof(szPaths[0]);
TCHAR szWinDir[MAX_PATH] = _T("");
TCHAR szPath[MAX_PATH] = _T("");
GetWindowsDirectory(szWinDir, MAX_PATH);
    
/* Check one by one */
for (int i = 0; i < dwlength; i++)
{
PathCombine(szPath, szWinDir, szPaths[i]);
TCHAR msg[256] = _T("");
_stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking file %s: "), szPath);
if (is_FileExists(szPath))
print_results(TRUE, msg);
else
print_results(FALSE, msg);
}
}

Credits for this code sample: al-khaser project

Signature recommendations

If the following function contains its only argument from the table column `Path`:

• GetFileAttributes(path)

then it’s an indication of application trying to use the evasion technique.

Detections table

2. Check if specific directories are present

This method uses the difference in directories which are present in usual host system and virtual environments. There are quite a few directory artifacts present in virtual environments which are specific for such kinds of systems. These directories are not present on usual host systems where no virtual environment is installed.

Function used:

• GetFileAttributes // if attributes are invalid then no file exists

Code sample

BOOL is_DirectoryExists(TCHAR* szPath)
{
DWORD dwAttrib = GetFileAttributes(szPath);
return (dwAttrib != INVALID_FILE_ATTRIBUTES) && (dwAttrib & FILE_ATTRIBUTE_DIRECTORY);
}

/*
Check against VMWare blacklisted directory
*/
BOOL vmware_dir()
{
TCHAR szProgramFile[MAX_PATH];
TCHAR szPath[MAX_PATH] = _T("");
TCHAR szTarget[MAX_PATH] = _T("VMWare\\");
if (IsWoW64())
ExpandEnvironmentStrings(_T("%ProgramW6432%"), szProgramFile, ARRAYSIZE(szProgramFile));
else
SHGetSpecialFolderPath(NULL, szProgramFile, CSIDL_PROGRAM_FILES, FALSE);
PathCombine(szPath, szProgramFile, szTarget);
return is_DirectoryExists(szPath);
}

Credits for this code sample: al-khaser project

Signature recommendations

If the following function contains its only argument from the table column `Path`:

• GetFileAttributes(path)

then it’s an indication of application trying to use the evasion technique.

Detections table

3. Check if full path to the executable contains one of the specific strings

This method relies on peculiarities of launching executables inside virtual environments. Some environments launch executables from specific paths - and malware samples check these paths.

Functions used to get executable path:

• GetModuleFileName
• GetProcessImageFileNameA/W
• QueryFullProcessImageName

Code sample (function GetModuleFileName)

int gensandbox_path() {
char path[500];
size_t i;
DWORD pathsize = sizeof(path);

GetModuleFileName(NULL, path, pathsize);

for (i = 0; i < strlen(path); i++) { /* case-insensitive */
path[i] = toupper(path[i]);
}

// some sample values from the table
if (strstr(path, "\\SAMPLE") != NULL) {
return TRUE;
}
if (strstr(path, "\\VIRUS") != NULL) {
return TRUE;
}
if (strstr(path, "SANDBOX") != NULL) {
return TRUE;
}

return FALSE;
}

Credits for this code sample: pafish project

Code sample (function QueryFullProcessImageName)

DWORD PID = 1337; // process ID of the target process
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, PID);
DWORD value = MAX_PATH;
char buffer[MAX_PATH];
QueryFullProcessImageName(hProcess, 0, buffer, &value);
printf("EXE Path: %s\n", buffer);

No signature recommendations

Signature recommendations are not provided as it’s hard to say why exactly application wants to get its full path. Function calls may be hooked - and that’s it, just general recommendation.

Detections table

4. Check if the executable is run from specific directory

This method relies on peculiarities of launching executables inside virtual environments. Some environments launch executables from specific directories - and malware samples check these directories.

It’s just a particular case of checking presence of specific strings in full application path, please refer to the section above for code sample and signature recommendations.

As this very method is pretty old and is not commonly used, the links to external sources are provided for the reference on this method:

• VB code sample
• python code sample
• anti-emulation tricks
• stub for C code

Detections table

5. Check if the executable files with specific names are present in physical disk drives' root

This method relies on peculiarities of virtual environments, in this case it’s presence of specific files in disk root root directories.

Function used:

• GetFileAttributes // if attributes are invalid then no file exists

Code sample (function GetModuleFileName)

int pafish_exists_file(char * filename) {
DWORD res = INVALID_FILE_ATTRIBUTES;
if (pafish_iswow64() == TRUE) {
void *old = NULL;
// Disable redirection immediately prior to calling GetFileAttributes.
if (pafish_disable_wow64_fs_redirection(&old) ) {
res = GetFileAttributes(filename);
// Ignoring MSDN recommendation of exiting if this call fails.
pafish_revert_wow64_fs_redirection(old);
}
}
else {
res = GetFileAttributes(filename);
}
return (res != INVALID_FILE_ATTRIBUTES) ? TRUE : FALSE;
}

int gensandbox_common_names() {
DWORD dwSize = MAX_PATH;
char szLogicalDrives[MAX_PATH] = {0};
DWORD dwResult = GetLogicalDriveStrings(dwSize,szLogicalDrives);
BOOL exists;

if (dwResult > 0 && dwResult <= MAX_PATH)
{
char* szSingleDrive = szLogicalDrives;
char filename[MAX_PATH] = {0};
while(*szSingleDrive)
{
if (GetDriveType(szSingleDrive) != DRIVE_REMOVABLE ) {
snprintf(filename, MAX_PATH, "%ssample.exe",szSingleDrive);
exists = pafish_exists_file(filename);
if (exists) return TRUE;
                
snprintf(filename, MAX_PATH, "%smalware.exe",szSingleDrive);
exists = pafish_exists_file(filename);
if (exists) return TRUE;
}

szSingleDrive += strlen(szSingleDrive) + 1;
}
}

return FALSE;
}

Credits for this code sample: pafish project

Signature recommendations

If the following function contains its only argument from the table column `Path`:

• GetFileAttributes(path)

then it’s an indication of application trying to use the evasion technique.

Detections table

Countermeasures

Hook target functions and return appropriate results if indicators (files from tables) are checked.

Credits

Credits go to open-source projects from where code samples were taken:

• al-khaser project on github
• pafish project on github

Though Check Point tool InviZzzible has them all implemented, due to modular structure of the code it would require more space to show a code sample from this tool for the same purposes. That’s why we’ve decided to use other great open-source projects for examples throughout the encyclopedia.