Firmware tables

Firmware tables H FileSystem Registry Generic OS Queries Global OS object UI artifacts OS Features Processes Network CPU Hardware Firmware tables Hooks Timing WMI Human-like behavior macOS

Firmware tables detection methods

There are special memory areas used by OS which contain specific artifacts if OS is run under virtual environment. These memory areas may be dumped using different methods depending on the OS version.

Firmware tables are retrieved via SYSTEM_FIRMWARE_TABLE_INFORMATION object. It’s defined the following way:

typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION {
ULONG ProviderSignature;
SYSTEM_FIRMWARE_TABLE_ACTION Action;
ULONG TableID;
ULONG TableBufferLength;
UCHAR TableBuffer[ANYSIZE_ARRAY];  // <- the result will reside in this field
} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION;

// helper enum
typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION
{
SystemFirmwareTable_Enumerate,
SystemFirmwareTable_Get
} SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION;

1. Check if specific strings are present in Raw Firmware Table

Retrieved firmware table is scanned for the presence of particular strings.

Depending on Windows version different functions are used for this check. See code samples below.

1.1. Windows XP

Code sample

// First, SYSTEM_FIRMWARE_TABLE_INFORMATION object is initialized in the following way:
SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti = 
(PSYSTEM_FIRMWARE_TABLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
sfti->Action = SystemFirmwareTable_Get;  // 1
sfti->ProviderSignature = 'FIRM';
sfti->TableID = 0xC0000;
sfti->TableBufferLength = Length;

// Then initialized SYSTEM_FIRMWARE_TABLE_INFORMATION object is used as an argument for
// the system information call in the following way in order to dump raw firmware table:
NtQuerySystemInformation(
SystemFirmwareTableInformation,  // 76 
sfti,
Length,
&Length);

Credits for this code sample: VMDE project

Signature recommendations

If the function

NtQuerySystemInformation

contains:

1st argument equal to 76 (SystemFirmwareTableInformation)
2nd argument has sfti->ProviderSignature field initialized to 'FIRM' and sfti->Action field initialized to 1

then it’s an indication of application trying to use this evasion technique.

1.2. Windows Vista+

Code sample

// In case if OS version is Vista+ csrss.exe memory space is read in order to dump raw firmware table:
hCSRSS = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, csrss_pid);

NtReadVirtualMemory( 
hCSRSS, 
0xC0000,
sfti, 
RegionSize, 
&memIO);

Signature recommendations

If the following function contains PID of csrss.exe process as its 3rd argument:

HANDLE hCSRSS = OpenProcess(..., csrss_pid)

and is followed by the call to the following function:

NtReadVirtualMemory(hCSRSS, 0xC0000, ...)

which contains:

1st argument equal to csrss.exe handle
2nd argument equal to 0xC0000

then it’s an indication of application trying to use this evasion technique.

Detections table

Detect	String
Check if the following strings are present in Raw Firmware Table:
Parallels	Parallels(R)
VirtualBox	Innotek
	Oracle
	VirtualBox
VirtualPC	S3 Corp.
VMWare	VMware

2. Check if specific strings are present in Raw SMBIOS Firmware Table

Retrieved firmware table is scanned for the presence of particular strings.

Depending on Windows version different functions are used for this check. See code samples below.

2.1. Windows XP

Code sample

// SYSTEM_FIRMWARE_TABLE_INFORMATION object is initialized in the following way:
SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti = 
(PSYSTEM_FIRMWARE_TABLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
sfti->Action = SystemFirmwareTable_Get; // 1
sfti->ProviderSignature = 'RSMB';
sfti->TableID = 0;
sfti->TableBufferLength = Length;

// Then initialized SYSTEM_FIRMWARE_TABLE_INFORMATION object is used as an argument for
// the system information call in the following way in order to dump raw firmware table:
NtQuerySystemInformation(
SystemFirmwareTableInformation,  // 76 
sfti,
Length,
&Length);

Credits for this code sample: VMDE project

Signature recommendations

If the following function:

NtQuerySystemInformation

contains:

1st argument equal to 76 (SystemFirmwareTableInformation)
2nd argument has sfti->ProviderSignature field initialized to 'RSMB' and sfti->Action field initialized to 1

then it’s an indication of application trying to use this evasion technique.

2.2. Windows Vista+

Code sample

// In case if OS version is Vista+ csrss.exe memory space is read in order to dump raw firmware table:
hCSRSS = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, csrss_pid);

NtReadVirtualMemory( 
hCSRSS, 
0xE0000,
sfti, 
RegionSize, 
&memIO);

Signature recommendations

If the following function contains PID of csrss.exe process as its 3rd argument:

HANDLE hCSRSS = OpenProcess(..., csrss_pid)

and is followed by the call to the following function:

NtReadVirtualMemory(hCSRSS, 0xE0000, ...)

which contains:

1st argument equal to csrss.exe handle
2nd argument equal to 0xE0000

then it’s an indication of application trying to use this evasion technique.

Detections table

Detect	String
Check if the following strings are present in Raw SMBIOS Firmware Table:
Parallels	Parallels Software International
VirtualBox	Innotek
	Oracle
	VirtualBox
VirtualPC	VS2005R2
VMWare	VMware, Inc.
VMWare	VMware

Countermeasures

On systems older than Vista change memory content of csrss.exe at given addresses.
On Vista+ OS hook NtQuerySystemInformation for retrieving SystemFirmwareTableInformation class and parse SFTI structure for provided field values.

Credits

Credits go to open-source project from where code samples were taken:

VMDE project on github

Though Check Point tool InviZzzible has them all implemented, due to modular structure of the code it would require more space to show a code sample from this tool for the same purposes. That’s why we’ve decided to use other great open-source projects for examples throughout the encyclopedia.