Firmware tables
The OS keeps special memory areas (firmware tables) that contain hypervisor-specific artifacts when it runs inside a virtual environment. Depending on the Windows version, these areas can be dumped in different ways.
Firmware tables are retrieved via the SYSTEM_FIRMWARE_TABLE_INFORMATION structure, defined as follows (the helper enum must come first, since the structure uses it):
// helper enum
typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION {
    SystemFirmwareTable_Enumerate,   // 0
    SystemFirmwareTable_Get          // 1
} SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION;

typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION {
    ULONG                        ProviderSignature;   // 'FIRM', 'RSMB', ...
    SYSTEM_FIRMWARE_TABLE_ACTION Action;
    ULONG                        TableID;
    ULONG                        TableBufferLength;
    UCHAR                        TableBuffer[ANYSIZE_ARRAY]; // <- the result will reside in this field
} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION;
The first check retrieves the raw firmware table (provider 'FIRM', the ROM BIOS area) and scans it for the presence of particular strings. Depending on the Windows version, different functions are used to obtain the table. See the code samples below.
Code sample
// First, the SYSTEM_FIRMWARE_TABLE_INFORMATION object is initialized in the following way
// (Length must cover the structure header plus the table buffer):
SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti =
    (PSYSTEM_FIRMWARE_TABLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
sfti->Action            = SystemFirmwareTable_Get;  // 1
sfti->ProviderSignature = 'FIRM';
sfti->TableID           = 0xC0000;                  // physical address of the ROM BIOS area
sfti->TableBufferLength = Length;
// Then the initialized object is passed to the system information call
// in order to dump the raw firmware table:
NtQuerySystemInformation(
    SystemFirmwareTableInformation,                 // 76
    sfti,
    Length,
    &Length);
Credits for this code sample: VMDE project
Signature recommendations
If the function NtQuerySystemInformation(...) contains:
- 1st argument equal to 76 (SystemFirmwareTableInformation)
- 2nd argument pointing to an sfti whose ProviderSignature field is initialized to 'FIRM' and whose Action field is initialized to 1 (SystemFirmwareTable_Get)
then it's an indication of an application trying to use this evasion technique.
Code sample
// On systems older than Vista (Windows XP), the BIOS area is mapped into csrss.exe at its physical
// address, so csrss.exe memory is read in order to dump the raw firmware table
// (opening csrss.exe requires SeDebugPrivilege):
hCSRSS = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, csrss_pid);
NtReadVirtualMemory(
    hCSRSS,
    (PVOID)0xC0000,     // ROM BIOS area
    sfti,               // destination buffer that is later scanned
    RegionSize,
    &memIO);
Signature recommendations
If the following function contains the PID of the csrss.exe process as its 3rd argument:
HANDLE hCSRSS = OpenProcess(..., csrss_pid)
and is followed by a call to the following function:
NtReadVirtualMemory(hCSRSS, 0xC0000, ...)
which contains:
- 1st argument equal to the csrss.exe handle
- 2nd argument equal to 0xC0000
then it's an indication of an application trying to use this evasion technique.
Detections table
Check if the following strings are present in the raw firmware table:

Detect       String
Parallels    Parallels(R)
VirtualBox   Innotek
             Oracle
             VirtualBox
VirtualPC    S3 Corp.
VMware       VMware
The second check retrieves the raw SMBIOS firmware table (provider 'RSMB') and scans it for the presence of particular strings. Depending on the Windows version, different functions are used to obtain the table. See the code samples below.
Code sample
// The SYSTEM_FIRMWARE_TABLE_INFORMATION object is initialized in the following way
// (Length must cover the structure header plus the table buffer):
SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti =
    (PSYSTEM_FIRMWARE_TABLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
sfti->Action            = SystemFirmwareTable_Get;  // 1
sfti->ProviderSignature = 'RSMB';
sfti->TableID           = 0;                        // the SMBIOS provider has a single table
sfti->TableBufferLength = Length;
// Then the initialized object is passed to the system information call
// in order to dump the raw SMBIOS table:
NtQuerySystemInformation(
    SystemFirmwareTableInformation,                 // 76
    sfti,
    Length,
    &Length);
Credits for this code sample: VMDE project
Signature recommendations
If the function NtQuerySystemInformation(...) contains:
- 1st argument equal to 76 (SystemFirmwareTableInformation)
- 2nd argument pointing to an sfti whose ProviderSignature field is initialized to 'RSMB' and whose Action field is initialized to 1 (SystemFirmwareTable_Get)
then it's an indication of an application trying to use this evasion technique.
Code sample
// On systems older than Vista (Windows XP), csrss.exe memory is read in order to dump the raw
// SMBIOS table from the mapped BIOS area (opening csrss.exe requires SeDebugPrivilege):
hCSRSS = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, csrss_pid);
NtReadVirtualMemory(
    hCSRSS,
    (PVOID)0xE0000,     // SMBIOS area
    sfti,               // destination buffer that is later scanned
    RegionSize,
    &memIO);
Signature recommendations
If the following function contains the PID of the csrss.exe process as its 3rd argument:
HANDLE hCSRSS = OpenProcess(..., csrss_pid)
and is followed by a call to the following function:
NtReadVirtualMemory(hCSRSS, 0xE0000, ...)
which contains:
- 1st argument equal to the csrss.exe handle
- 2nd argument equal to 0xE0000
then it's an indication of an application trying to use this evasion technique.
Detections table
Check if the following strings are present in the raw SMBIOS firmware table:

Detect       String
Parallels    Parallels Software International
VirtualBox   Innotek
             Oracle
             VirtualBox
VirtualPC    VS2005R2
VMware       VMware, Inc.
             VMware
Countermeasures
On systems older than Vista, patch the memory content of csrss.exe at the given addresses (0xC0000 and 0xE0000) so that the strings above are no longer present. On Vista+ hook NtQuerySystemInformation, intercept calls with the SystemFirmwareTableInformation class, parse the SFTI structure for the provider signature and action fields, and replace the detectable strings in the returned table.
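Both detection tables and the Vista+ countermeasure boil down to the same three pieces of logic: a bounded string scan over a raw table, a predicate over the NtQuerySystemInformation arguments, and an in-place scrub that keeps the table length intact. The following is an added example written for this page; it is not code from the page, from VMDE or from InviZzzible. To build outside Windows it re-declares the Windows types and the SYSTEM_FIRMWARE_TABLE_INFORMATION structure with portable stand-ins (an assumption of the example; on Windows the definitions given above apply), the marker strings are the two detections tables above, and the sample table bytes are constructed, not real dumps.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-ins for the Windows types (assumed here so the logic builds off-Windows). */
typedef unsigned int  ULONG;
typedef unsigned char UCHAR;
typedef enum { SystemFirmwareTable_Enumerate = 0, SystemFirmwareTable_Get = 1 } SYSTEM_FIRMWARE_TABLE_ACTION;
typedef struct {
    ULONG ProviderSignature;
    SYSTEM_FIRMWARE_TABLE_ACTION Action;
    ULONG TableID;
    ULONG TableBufferLength;
    UCHAR TableBuffer[];        /* the raw table follows the header */
} SYSTEM_FIRMWARE_TABLE_INFORMATION;

#define SystemFirmwareTableInformation 76u
#define SIG_FIRM 0x4649524Du    /* 'FIRM' as the 32-bit multi-character constant */
#define SIG_RSMB 0x52534D42u    /* 'RSMB' */

typedef struct { const char *product; const char *needle; } vm_marker;
/* Marker strings taken from the two detections tables on this page; longer needles first. */
static const vm_marker firm_markers[] = {
    { "Parallels", "Parallels(R)" }, { "VirtualBox", "Innotek" }, { "VirtualBox", "Oracle" },
    { "VirtualBox", "VirtualBox" },  { "VirtualPC", "S3 Corp." }, { "VMware", "VMware" },
};
static const vm_marker rsmb_markers[] = {
    { "Parallels", "Parallels Software International" }, { "VirtualBox", "Innotek" },
    { "VirtualBox", "Oracle" }, { "VirtualBox", "VirtualBox" }, { "VirtualPC", "VS2005R2" },
    { "VMware", "VMware, Inc." }, { "VMware", "VMware" },
};
static const vm_marker *markers_for(ULONG sig, size_t *count) {
    if (sig == SIG_FIRM) { *count = sizeof firm_markers / sizeof *firm_markers; return firm_markers; }
    if (sig == SIG_RSMB) { *count = sizeof rsmb_markers / sizeof *rsmb_markers; return rsmb_markers; }
    *count = 0;
    return NULL;
}

/* Bounded search: raw tables hold embedded NULs and are not NUL-terminated, so strstr() is wrong here. */
static int find_bytes(const UCHAR *hay, size_t hay_len, const char *needle, size_t *pos) {
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) { *pos = i; return 1; }
    return 0;
}

/* Evasion side: returns the product whose marker appears first in the dumped table, or NULL. */
const char *detect_vm_in_table(const SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti) {
    size_t n, pos;
    const vm_marker *m = markers_for(sfti->ProviderSignature, &n);
    for (size_t i = 0; i < n; i++)
        if (find_bytes(sfti->TableBuffer, sfti->TableBufferLength, m[i].needle, &pos)) return m[i].product;
    return NULL;
}

/* Sandbox side: the signature recommendations above as one predicate on the call arguments. */
int is_firmware_table_probe(ULONG info_class, const SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti) {
    return info_class == SystemFirmwareTableInformation && sfti != NULL
        && sfti->Action == SystemFirmwareTable_Get
        && (sfti->ProviderSignature == SIG_FIRM || sfti->ProviderSignature == SIG_RSMB);
}

/* Vista+ countermeasure, run from the NtQuerySystemInformation hook after the real call filled the
   buffer: each marker is overwritten in place with the same number of bytes, so TableBufferLength
   and the offsets of the SMBIOS structures that follow stay valid. Returns occurrences scrubbed. */
size_t scrub_firmware_table(ULONG info_class, SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti) {
    if (!is_firmware_table_probe(info_class, sfti)) return 0;
    size_t n, pos, scrubbed = 0;
    const vm_marker *m = markers_for(sfti->ProviderSignature, &n);
    for (size_t i = 0; i < n; i++)
        while (find_bytes(sfti->TableBuffer, sfti->TableBufferLength, m[i].needle, &pos)) {
            memset(sfti->TableBuffer + pos, 'X', strlen(m[i].needle));
            scrubbed++;
        }
    return scrubbed;
}

/* Wraps constructed sample bytes (not a real dump) in an SFTI as the query would return it. */
SYSTEM_FIRMWARE_TABLE_INFORMATION *make_sample_table(ULONG sig, ULONG table_id, const UCHAR *bytes, size_t len) {
    SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti = calloc(1, sizeof *sfti + len);
    if (!sfti) return NULL;
    sfti->ProviderSignature = sig;      sfti->Action = SystemFirmwareTable_Get;
    sfti->TableID = table_id;           sfti->TableBufferLength = (ULONG)len;
    memcpy(sfti->TableBuffer, bytes, len);
    return sfti;
}

/* Constructed samples: a fake SMBIOS string area and a fake ROM BIOS fragment. */
static const UCHAR sample_rsmb[] = "\x00\x18\x00\x00VMware, Inc.\0VMware Virtual Platform\0None\0";
static const UCHAR sample_firm[] = "IBM COMPATIBLE BIOS\0S3 Corp. Trio64 video BIOS\0";

int main(void) {
    SYSTEM_FIRMWARE_TABLE_INFORMATION *t = make_sample_table(SIG_RSMB, 0, sample_rsmb, sizeof sample_rsmb - 1);
    if (!t) return 1;
    const char *before = detect_vm_in_table(t);
    size_t n = scrub_firmware_table(SystemFirmwareTableInformation, t);
    const char *after = detect_vm_in_table(t);
    printf("RSMB: before=%s scrubbed=%zu after=%s\n", before ? before : "clean", n, after ? after : "clean");
    free(t);
    return 0;
}
```

The scrub deliberately replaces bytes rather than removing them: the SMBIOS string area is addressed by offsets from the structure headers, and the TableBufferLength reported back to the caller must stay equal to what the kernel produced, otherwise a length mismatch is itself a tell. A production hook would substitute plausible same-length vendor names rather than 'X' runs, and must also cover the pre-Vista csrss.exe path, which bypasses NtQuerySystemInformation entirely.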
Credits go to the open-source project from which the code samples were taken:
Although the Check Point tool InviZzzible implements all of these checks, its modular code structure would require much more space to show an equivalent code sample. That is why other great open-source projects are used for the examples throughout the encyclopedia.