All filesystem detection methods share one principle: certain files and directories do not exist on an ordinary host, but they do exist in particular virtual environments and sandboxes. If such an artifact is present, the virtual environment can be detected.
This method relies on the difference between the files present on an ordinary host system and those present in virtual environments. Quite a few file artifacts are specific to virtual environments, and they are not present on a host system where no virtualization product is installed.
Function used:
Code sample
Credits for this code sample: al-khaser project
Signature recommendations
If the following function is called with its only argument taken from the `Path` column of the table:
then it indicates that the application is trying to use this evasion technique.
Detections table
Check if the following files exist:

| Detect | Path | Details (if any) |
|---|---|---|
| [general] | `c:\[60 random hex symbols]` | file unique to the PC used for encoding |
| | `c:\take_screenshot.ps1` | |
| | `c:\loaddll.exe` | |
| | `c:\email.doc` | |
| | `c:\email.htm` | |
| | `c:\123\email.doc` | |
| | `c:\123\email.docx` | |
| | `c:\a\foobar.bmp` | |
| | `c:\a\foobar.doc` | |
| | `c:\a\foobar.gif` | |
| | `c:\symbols\aagmmc.pdb` | |
| Parallels | `c:\windows\system32\drivers\prleth.sys` | Network Adapter |
| | `c:\windows\system32\drivers\prlfs.sys` | |
| | `c:\windows\system32\drivers\prlmouse.sys` | Mouse Synchronization Tool |
| | `c:\windows\system32\drivers\prlvideo.sys` | |
| | `c:\windows\system32\drivers\prltime.sys` | Time Synchronization Driver |
| | `c:\windows\system32\drivers\prl_pv32.sys` | Paravirtualization Driver |
| | `c:\windows\system32\drivers\prl_paravirt_32.sys` | Paravirtualization Driver |
| VirtualBox | `c:\windows\system32\drivers\VBoxMouse.sys` | |
| | `c:\windows\system32\drivers\VBoxGuest.sys` | |
| | `c:\windows\system32\drivers\VBoxSF.sys` | |
| | `c:\windows\system32\drivers\VBoxVideo.sys` | |
| | `c:\windows\system32\vboxdisp.dll` | |
| | `c:\windows\system32\vboxhook.dll` | |
| | `c:\windows\system32\vboxmrxnp.dll` | |
| | `c:\windows\system32\vboxogl.dll` | |
| | `c:\windows\system32\vboxoglarrayspu.dll` | |
| | `c:\windows\system32\vboxoglcrutil.dll` | |
| | `c:\windows\system32\vboxoglerrorspu.dll` | |
| | `c:\windows\system32\vboxoglfeedbackspu.dll` | |
| | `c:\windows\system32\vboxoglpackspu.dll` | |
| | `c:\windows\system32\vboxoglpassthroughspu.dll` | |
| | `c:\windows\system32\vboxservice.exe` | |
| | `c:\windows\system32\vboxtray.exe` | |
| | `c:\windows\system32\VBoxControl.exe` | |
| VirtualPC | `c:\windows\system32\drivers\vmsrvc.sys` | |
| | `c:\windows\system32\drivers\vpc-s3.sys` | |
| VMWare | `c:\windows\system32\drivers\vmmouse.sys` | Pointing PS/2 Device Driver |
| | `c:\windows\system32\drivers\vmnet.sys` | |
| | `c:\windows\system32\drivers\vmxnet.sys` | PCI Ethernet Adapter |
| | `c:\windows\system32\drivers\vmhgfs.sys` | HGFS Filesystem Driver |
| | `c:\windows\system32\drivers\vmx86.sys` | |
| | `c:\windows\system32\drivers\hgfs.sys` | |
This method relies on the difference between the directories present on an ordinary host system and those present in virtual environments. Quite a few directory artifacts are specific to virtual environments, and they are not present on a host system where no virtualization product is installed.
Function used:
Code sample
Credits for this code sample: al-khaser project
Signature recommendations
If the following function is called with its only argument taken from the `Path` column of the table:
then it indicates that the application is trying to use this evasion technique.
Detections table
Check if the following directories exist:

| Detect | Path |
|---|---|
| CWSandbox | `c:\analysis` |
| VirtualBox | `%PROGRAMFILES%\oracle\virtualbox guest additions\` |
| VMWare | `%PROGRAMFILES%\VMWare\` |
This method relies on peculiarities of how executables are launched inside virtual environments. Some environments launch executables from specific paths, and malware samples check for these paths.
Functions used to get the executable path: GetModuleFileName, QueryFullProcessImageName
Code sample (function GetModuleFileName)
Credits for this code sample: pafish project
Code sample (function QueryFullProcessImageName)
No signature recommendations
Signature recommendations are not provided because it is hard to tell why exactly an application wants to obtain its own full path. The only general recommendation is that these function calls may be hooked.
Detections table
Check if the full path to the executable contains one of the following strings:

| Detect | String |
|---|---|
| [general] | `\sample` |
| | `\virus` |
| | `sandbox` |
This method relies on peculiarities of how executables are launched inside virtual environments. Some environments launch executables from specific directories, and malware samples check for these directories.
It is just a particular case of checking for specific strings in the full application path; please refer to the section above for the code sample and signature recommendations.
As this particular method is quite old and not commonly used, links to external sources are provided for reference:
Detections table
Check if the executable is run from the following directories:

| Detect | Path |
|---|---|
| Anubis | `c:\insidetm` |
This method relies on a peculiarity of virtual environments: the presence of specific files in the disk root directory.
Function used: GetModuleFileName
Code sample (function GetModuleFileName)
Credits for this code sample: pafish project
Signature recommendations
If the following function is called with its only argument taken from the `Path` column of the table:
then it indicates that the application is trying to use this evasion technique.
Detections table
Check if executables with the following names are present in the disk root:

| Detect | Path |
|---|---|
| [general] | `malware.exe` |
| | `sample.exe` |
Hook the target functions and return appropriate results when indicators (the files and directories from the tables above) are checked.
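The following Python script is an added example, not code from this encyclopedia, from al-khaser or from pafish. It puts the signature recommendations of the file, directory, executable-path and disk-root sections and the hooking countermeasure above into one piece of working code: `detect_in_trace` applies the "argument taken from the `Path` column" rule to a constructed API-call trace, and the `hooked_*` functions model what a hook should hand back. Assumptions: the trace format `Function("argument")` is constructed for the example; the file and directory checks are keyed on GetFileAttributes and PathFileExists (an assumption, since the page's function name for those checks is not shown here), the executable-path checks on GetModuleFileName and QueryFullProcessImageName (named above) with the returned path logged as the argument; only a representative subset of the indicator tables is carried; and the `hooked_*` functions are plain Python stand-ins for a hook's return value, not real Windows API hooks.

```python
import re
from typing import List, Optional, Tuple

# Representative subset of the indicator tables on this page, grouped by the
# environment they point to. %PROGRAMFILES% stays unexpanded so the matcher
# can expand it for the host being analysed.
FILE_INDICATORS = {
    "[general]": [r"c:\take_screenshot.ps1", r"c:\loaddll.exe", r"c:\email.doc"],
    "Parallels": [r"c:\windows\system32\drivers\prleth.sys",
                  r"c:\windows\system32\drivers\prlmouse.sys"],
    "VirtualBox": [r"c:\windows\system32\drivers\VBoxMouse.sys",
                   r"c:\windows\system32\drivers\VBoxGuest.sys",
                   r"c:\windows\system32\vboxservice.exe"],
    "VirtualPC": [r"c:\windows\system32\drivers\vmsrvc.sys"],
    "VMWare": [r"c:\windows\system32\drivers\vmmouse.sys",
               r"c:\windows\system32\drivers\vmhgfs.sys"],
}
DIR_INDICATORS = {
    "CWSandbox": [r"c:\analysis"],
    "VirtualBox": [r"%PROGRAMFILES%\oracle\virtualbox guest additions"],
    "VMWare": [r"%PROGRAMFILES%\VMWare"],
}
# "c:\[60 random hex symbols]" and the disk-root executables, as regexes over
# a lower-cased path.
HEX_NAME_RE = re.compile(r"^c:\\[0-9a-f]{60}$")
ROOT_EXE_RE = re.compile(r"^[a-z]:\\(malware|sample)\.exe$")
# Executable-path indicators: substrings of the full path, plus the Anubis directory.
EXE_PATH_STRINGS = [r"\sample", r"\virus", "sandbox"]
ANUBIS_DIR = r"c:\insidetm"
# Assumed API names (see lead-in): path-taking checks and path-returning calls.
FILE_CHECK_FUNCS = {"GetFileAttributesA", "GetFileAttributesW",
                    "PathFileExistsA", "PathFileExistsW"}
EXE_PATH_FUNCS = {"GetModuleFileNameA", "GetModuleFileNameW",
                  "QueryFullProcessImageNameA", "QueryFullProcessImageNameW"}


def normalize(path: str, program_files: str = r"C:\Program Files") -> str:
    """Lower-case, expand %PROGRAMFILES% and drop a trailing backslash."""
    return path.replace("%PROGRAMFILES%", program_files).lower().rstrip("\\")


def match_path_argument(path: str) -> Optional[Tuple[str, str]]:
    """(detect, indicator) if `path` is a file/directory artifact from the tables."""
    p = normalize(path)
    for table in (FILE_INDICATORS, DIR_INDICATORS):
        for detect, indicators in table.items():
            for ind in indicators:
                if normalize(ind) == p:
                    return (detect, ind)
    if HEX_NAME_RE.match(p):
        return ("[general]", r"c:\[60 random hex symbols]")
    if ROOT_EXE_RE.match(p):
        return ("[general]", p.rsplit("\\", 1)[1])
    return None


def match_exe_path(full_path: str) -> Optional[Tuple[str, str]]:
    """(detect, indicator) if the executable's own path is tell-tale, else None."""
    p = full_path.lower()
    if p.startswith(ANUBIS_DIR + "\\"):
        return ("Anubis", ANUBIS_DIR)
    for s in EXE_PATH_STRINGS:
        if s.lower() in p:
            return ("[general]", s)
    return None


API_CALL_RE = re.compile(r'^(?P<func>\w+)\("(?P<arg>[^"]*)"\)$')  # constructed format


def classify_call(line: str) -> Optional[Tuple[str, str, str]]:
    """Signature rule for one trace line: (func, detect, indicator) or None."""
    m = API_CALL_RE.match(line.strip())
    if not m:
        return None
    func, arg = m.group("func"), m.group("arg")
    hit = None
    if func in FILE_CHECK_FUNCS:
        hit = match_path_argument(arg)
    elif func in EXE_PATH_FUNCS:
        hit = match_exe_path(arg)
    return (func, hit[0], hit[1]) if hit else None


def detect_in_trace(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Every trace line that indicates use of a filesystem evasion technique."""
    return [h for h in (classify_call(ln) for ln in lines) if h]


# Countermeasure side: the value a hook on each function should hand back.
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF


def hooked_get_file_attributes(path: str, real_result: int) -> int:
    """Report a known artifact as absent; pass every other result through."""
    return INVALID_FILE_ATTRIBUTES if match_path_argument(path) else real_result


def hooked_module_file_name(real_path: str, neutral_dir: str = r"C:\Users\user\Documents") -> str:
    """Report the executable from a neutral directory, renaming it if the name is tell-tale."""
    name = real_path.rsplit("\\", 1)[-1]
    candidate = neutral_dir + "\\" + name
    if name.lower() in ("malware.exe", "sample.exe") or match_exe_path(candidate):
        candidate = neutral_dir + "\\document.exe"
    return candidate


# Constructed sandbox trace for the example (not real output of any product).
SAMPLE_TRACE = [
    'GetFileAttributesW("C:\\Windows\\System32\\drivers\\VBoxMouse.sys")',
    'GetFileAttributesW("C:\\Windows\\System32\\drivers\\kbdclass.sys")',
    'PathFileExistsW("C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\")',
    'GetFileAttributesA("c:\\0123456789abcdef0123456789abcdef0123456789abcdef0123456789ab")',
    'GetModuleFileNameW("C:\\sandbox\\run\\sample.exe")',
]
```

Running `detect_in_trace(SAMPLE_TRACE)` flags four of the five lines; the `kbdclass.sys` check is an ordinary driver lookup and stays silent. Matching is case-insensitive and strips trailing backslashes because the same artifact can be queried in several spellings, and `hooked_module_file_name` re-checks its own answer so that the substituted path cannot itself contain one of the tell-tale strings.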
Credits go to the open-source projects from which the code samples were taken:
Although the Check Point tool InviZzzible implements all of these techniques, the modular structure of its code would require more space to show a code sample for the same purpose. That is why we decided to use other great open-source projects for the examples throughout the encyclopedia.