

Firmware tables detection methods

Some memory areas used by the OS contain specific artifacts when the OS is running inside a virtual environment. These memory areas can be dumped using different methods depending on the OS version.

Firmware tables are retrieved via the SYSTEM_FIRMWARE_TABLE_INFORMATION object, which is defined as follows:

// helper enum (declared first, since the struct below uses it)
typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION
{
    SystemFirmwareTable_Enumerate,
    SystemFirmwareTable_Get
} SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION;

typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION {
    ULONG ProviderSignature;
    SYSTEM_FIRMWARE_TABLE_ACTION Action;
    ULONG TableID;
    ULONG TableBufferLength;
    UCHAR TableBuffer[ANYSIZE_ARRAY];  // <- the result will reside in this field
} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION;


1. Check if specific strings are present in Raw Firmware Table

The retrieved firmware table is scanned for the presence of particular strings.

Depending on the Windows version, different functions are used for this check. See the code samples below.


1.1. Windows XP

Code sample

// First, the SYSTEM_FIRMWARE_TABLE_INFORMATION object is initialized as follows
// (Length is the size of the buffer to allocate: the header plus the table):
SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti =
    (PSYSTEM_FIRMWARE_TABLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
sfti->Action = SystemFirmwareTable_Get;  // 1
sfti->ProviderSignature = 'FIRM';
sfti->TableID = 0xC0000;
sfti->TableBufferLength = Length;

// Then the initialized object is passed to the system information call
// in order to dump the raw firmware table:
NtQuerySystemInformation(
    SystemFirmwareTableInformation,  // 76
    sfti,
    Length,
    &Length);

Credits for this code sample: VMDE project

Signature recommendations

If the function

contains:

then it's an indication of an application trying to use this evasion technique.


1.2. Windows Vista+

Code sample

// If the OS version is Vista or later, the memory space of csrss.exe is read instead
// in order to dump the raw firmware table (csrss_pid is the PID of csrss.exe):
hCSRSS = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, csrss_pid);

NtReadVirtualMemory(
    hCSRSS,
    (PVOID)0xC0000,
    sfti,
    RegionSize,
    &memIO);

Signature recommendations

If the following function contains the PID of the csrss.exe process as its 3rd argument:

and is followed by a call to the following function:

which contains:

then it's an indication of an application trying to use this evasion technique.

Detections table

Check if the following strings are present in Raw Firmware Table:

Detect       String
Parallels    Parallels(R)
VirtualBox   Innotek
             Oracle
             VirtualBox
VirtualPC    S3 Corp.
VMWare       VMware


2. Check if specific strings are present in Raw SMBIOS Firmware Table

The retrieved firmware table is scanned for the presence of particular strings.

Depending on the Windows version, different functions are used for this check. See the code samples below.


2.1. Windows XP

Code sample

// The SYSTEM_FIRMWARE_TABLE_INFORMATION object is initialized as follows
// (Length is the size of the buffer to allocate: the header plus the table):
SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti =
    (PSYSTEM_FIRMWARE_TABLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
sfti->Action = SystemFirmwareTable_Get;  // 1
sfti->ProviderSignature = 'RSMB';
sfti->TableID = 0;
sfti->TableBufferLength = Length;

// Then the initialized object is passed to the system information call
// in order to dump the raw SMBIOS firmware table:
NtQuerySystemInformation(
    SystemFirmwareTableInformation,  // 76
    sfti,
    Length,
    &Length);

Credits for this code sample: VMDE project

Signature recommendations

If the following function:

contains:

then it's an indication of an application trying to use this evasion technique.


2.2. Windows Vista+

Code sample

// If the OS version is Vista or later, the memory space of csrss.exe is read instead
// in order to dump the raw SMBIOS firmware table (csrss_pid is the PID of csrss.exe):
hCSRSS = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, csrss_pid);

NtReadVirtualMemory(
    hCSRSS,
    (PVOID)0xE0000,
    sfti,
    RegionSize,
    &memIO);

Signature recommendations

If the following function contains the PID of the csrss.exe process as its 3rd argument:

and is followed by a call to the following function:

which contains:

then it's an indication of an application trying to use this evasion technique.
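The signature recommendations above (an NtQuerySystemInformation call with class 76 and a 'FIRM'/'RSMB' provider, or OpenProcess on csrss.exe followed by NtReadVirtualMemory at 0xC0000/0xE0000) turned into detection logic over a sandbox API-call trace. This is an added example, not code from the page, VMDE or InviZzzible; the trace line format, the way NtQuerySystemInformation arguments are logged and the PIDs in the sample trace are all assumptions.

```python
import re
# From this page: class 76 (SystemFirmwareTableInformation), providers 'FIRM'/'RSMB',
# and the bases 0xC0000/0xE0000 read out of csrss.exe on Vista+.
FIRMWARE_TABLE_CLASS = 76
PROVIDERS = {"FIRM": "raw firmware table", "RSMB": "raw SMBIOS table"}
CSRSS_READ_BASES = {0xC0000: "raw firmware table", 0xE0000: "raw SMBIOS table"}
# Assumed trace line format (not defined by the page): "pid|Function(arg1, arg2, ...)",
# with NtQuerySystemInformation logged as (class, provider signature, buffer, length).
CALL_RE = re.compile(r"^(?P<pid>\d+)\|(?P<func>\w+)\((?P<args>[^)]*)\)\s*$")

def parse_call(line):
    """Split one trace line into (pid, function, [args]); None if it is not a call line."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = [a.strip().strip("'\"") for a in m.group("args").split(",") if a.strip()]
    return int(m.group("pid")), m.group("func"), args

def as_int(token):
    """Parse a decimal or 0x-prefixed argument; None if it is not a number."""
    try:
        return int(token, 0)
    except ValueError:
        return None

def scan_trace(lines, csrss_pid):
    """Return (pid, description) for every call sequence matching the page's signatures."""
    hits, opened_csrss = [], set()  # pids whose OpenProcess 3rd argument was csrss.exe's PID
    for line in lines:
        parsed = parse_call(line)
        if parsed is None:
            continue
        pid, func, args = parsed
        if func == "NtQuerySystemInformation" and len(args) >= 2:
            if as_int(args[0]) == FIRMWARE_TABLE_CLASS and args[1] in PROVIDERS:
                hits.append((pid, f"class 76 query with provider {args[1]} ({PROVIDERS[args[1]]})"))
        elif func == "OpenProcess" and len(args) >= 3 and as_int(args[2]) == csrss_pid:
            opened_csrss.add(pid)
        elif func == "NtReadVirtualMemory" and pid in opened_csrss and len(args) >= 2:
            base = as_int(args[1])
            if base in CSRSS_READ_BASES:
                hits.append((pid, f"csrss.exe read at {base:#x} ({CSRSS_READ_BASES[base]})"))
    return hits
# Constructed sample trace (not real sandbox output); PID 620 is assumed to be csrss.exe.
SAMPLE_TRACE = """\
4321|NtQuerySystemInformation(76, 'RSMB', 0x2a0000, 0x1000)
4321|NtQuerySystemInformation(5, 0x0, 0x3b0000, 0x4000)
5678|OpenProcess(0x410, 0, 620)
5678|NtReadVirtualMemory(0x1a4, 0xE0000, 0x2f0000, 0x20000, 0x12ff00)
9999|OpenProcess(0x410, 0, 4000)
9999|NtReadVirtualMemory(0x1b0, 0xE0000, 0x300000, 0x20000, 0x12ff00)
""".splitlines()
```

Process 9999 reads the same address but never opened csrss.exe, so it is not reported; the sequence matters, not the read alone.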

Detections table

Check if the following strings are present in Raw SMBIOS Firmware Table:

Detect       String
Parallels    Parallels Software International
VirtualBox   Innotek
             Oracle
             VirtualBox
VirtualPC    VS2005R2
VMWare       VMware, Inc.
             VMware
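An added example (not the page's, VMDE's or InviZzzible's code) that parses a raw SMBIOS table buffer structure by structure and checks every string against the detections table above, so a sandbox operator can see which entries a sample would match. It assumes the buffer starts with the 8-byte RawSMBIOSData header that GetSystemFirmwareTable('RSMB') returns; the sample table is constructed and string matching is done case-insensitively.

```python
import struct
# Strings from this page's detections table for the raw SMBIOS firmware table.
SMBIOS_DETECT_STRINGS = {
    "Parallels": ["Parallels Software International"],
    "VirtualBox": ["Innotek", "Oracle", "VirtualBox"],
    "VirtualPC": ["VS2005R2"],
    "VMWare": ["VMware, Inc.", "VMware"],
}

def parse_smbios_structures(table):
    """Yield (type, handle, [strings]) for each structure in an SMBIOS structure table."""
    off = 0
    while off + 4 <= len(table):
        stype, length, handle = struct.unpack_from("<BBH", table, off)
        if length < 4: raise ValueError(f"bad structure length {length} at offset {off}")
        pos, strings = off + length, []
        while True:  # the string set ends with an empty string (double NUL)
            end = table.index(b"\0", pos)
            if end == pos:
                pos += 1 if strings else 2  # no strings at all: two NULs follow the header
                break
            strings.append(table[pos:end].decode("latin-1"))
            pos = end + 1
        yield stype, handle, strings
        if stype == 127:  # End-of-Table structure
            break
        off = pos

def scan_raw_smbios(raw):
    """Return ((major, minor), hits) for a RawSMBIOSData buffer; matching is case-insensitive."""
    _used20, major, minor, _dmi, length = struct.unpack_from("<BBBBI", raw, 0)
    hits = []
    for stype, _handle, strings in parse_smbios_structures(raw[8:8 + length]):
        for s in strings:
            for product, needles in SMBIOS_DETECT_STRINGS.items():
                if any(n.lower() in s.lower() for n in needles):
                    hits.append((product, stype, s))
    return (major, minor), hits
def build_structure(stype, handle, formatted, strings):
    """Build one SMBIOS structure: header, formatted area, then the NUL-terminated strings."""
    body = struct.pack("<BBH", stype, 4 + len(formatted), handle) + formatted
    return body + (b"".join(s.encode() + b"\0" for s in strings) + b"\0" if strings else b"\0\0")
def raw_smbios(table, major=2, minor=5):
    """Wrap a structure table in the 8-byte RawSMBIOSData header (assumed buffer layout)."""
    return struct.pack("<BBBBI", 0, major, minor, 0, len(table)) + table
# Constructed sample: Type 1 (System Information) for a VirtualBox guest, strings 1-4 =
# manufacturer, product, version, serial, followed by the Type 127 end-of-table marker.
SAMPLE_RAW_SMBIOS = raw_smbios(build_structure(
    1, 0x0100, bytes([1, 2, 3, 4]) + bytes(16) + b"\x06" + bytes(2),
    ["innotek GmbH", "VirtualBox", "1.2", "0"]) + build_structure(127, 0x7F00, b"", []))
```

On a real host, feed the buffer obtained for the 'RSMB' provider to scan_raw_smbios; a structure type in the hits tells you which SMBIOS record (BIOS, System, Baseboard, ...) carries the revealing string.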


 

Countermeasures


Credits

Credits go to the open-source project from which the code samples were taken:

Though the Check Point tool InviZzzible has all of these checks implemented, the modular structure of its code means that a code sample from this tool would need more space to illustrate the same point. That's why we've decided to use other great open-source projects for examples throughout the encyclopedia.