Processes

A virtual environment launches specific helper processes that do not run on an ordinary host OS. It also loads specific modules into process address spaces. Both are artifacts that a sample can look for.
Functions used:

CreateToolhelp32Snapshot
psapi.EnumProcesses (WinXP, Vista)
kernel32.EnumProcesses (Win7+)

Code sample
#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>   // StrCmpI
#include <string>

// Walks a process snapshot and compares every image name, case-insensitively,
// against proc_name. Assumes an ANSI build (szExeFile is a char array).
bool check_process_is_running(const std::string &proc_name) {
    HANDLE hSnapshot;
    PROCESSENTRY32 pe = {};
    pe.dwSize = sizeof(pe);
    bool present = false;
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return false;
    if (Process32First(hSnapshot, &pe)) {
        do {
            if (!StrCmpI(pe.szExeFile, proc_name.c_str())) {
                present = true;
                break;
            }
        } while (Process32Next(hSnapshot, &pe));
    }
    CloseHandle(hSnapshot);
    return present;
}

// Usage:
check_process_is_running("vmtoolsd.exe"); // sample value from the table
Signature recommendations
Signature recommendations are not provided, as it is hard to say what exactly is being looked for in the process snapshot.
Detections table
Check if the following processes are running:

Detect      Process
JoeBox      joeboxserver.exe, joeboxcontrol.exe
Parallels   prl_cc.exe, prl_tools.exe
VirtualBox  vboxservice.exe, vboxtray.exe
VirtualPC   vmsrvc.exe, vmusrvc.exe
VMWare      vmtoolsd.exe, vmacthlp.exe, vmwaretray.exe, vmwareuser.exe, vmware.exe, vmount2.exe
Xen         xenservice.exe, xsvc_depriv.exe
WPE Pro     WPE Pro.exe

Note: WPE Pro is a sniffer, not a VM; however, it is used alongside the VM detections.
Functions used:

kernel32.GetModuleHandle

Code sample
#include <windows.h>
#include <tchar.h>
#include <stdio.h>

// print_results() is al-khaser's own reporting helper (prints the message
// together with a detected/not-detected verdict); it is not defined here.
VOID loaded_dlls()
{
    /* Some vars */
    HMODULE hDll;

    /* Array of strings of blacklisted dlls */
    const TCHAR *szDlls[] = {
        _T("sbiedll.dll"),
        _T("dbghelp.dll"),
        _T("api_log.dll"),
        _T("dir_watch.dll"),
        _T("pstorec.dll"),
        _T("vmcheck.dll"),
        _T("wpespy.dll"),
    };

    WORD dwlength = sizeof(szDlls) / sizeof(szDlls[0]);
    for (int i = 0; i < dwlength; i++)
    {
        TCHAR msg[256] = _T("");
        _stprintf_s(msg, sizeof(msg) / sizeof(TCHAR),
                    _T("Checking if process loaded modules contains: %s "), szDlls[i]);

        /* Check if process loaded modules contains the blacklisted dll */
        hDll = GetModuleHandle(szDlls[i]);
        if (hDll == NULL)
            print_results(FALSE, msg);
        else
            print_results(TRUE, msg);
    }
}
Credits for this code sample: al-khaser project
Signature recommendations
If the only argument of the following function is a value from the table column `Library`:

GetModuleHandle(module_name)

then it is an indication of an application trying to use this evasion technique.
Detections table
Check if the following libraries are loaded in the process address space:

Detect        Library
CWSandbox     api_log.dll, dir_watch.dll, pstorec.dll
Sandboxie     sbiedll.dll
ThreatExpert  dbghelp.dll
VirtualPC     vmcheck.dll
WPE Pro       wpespy.dll

Note: WPE Pro is a sniffer, not a VM; however, it is used alongside the VM detections.
Functions used (see note about native functions):

kernel32.GetProcAddress
kernel32.LdrGetProcedureAddress (called internally)
ntdll.LdrGetProcedureAddress
ntdll.LdrpGetProcedureAddress (called internally)

Code sample
#include <windows.h>
#include <tchar.h>

// print_last_error() is al-khaser's own helper that prints GetLastError()
// for the named API; it is not defined here.
BOOL wine_exports()
{
    /* Some vars */
    HMODULE hKernel32;

    /* Get kernel32 module handle */
    hKernel32 = GetModuleHandle(_T("kernel32.dll"));
    if (hKernel32 == NULL) {
        print_last_error(_T("GetModuleHandle"));
        return FALSE;
    }

    /* Check if wine_get_unix_file_name is exported by this dll */
    if (GetProcAddress(hKernel32, "wine_get_unix_file_name") == NULL) // sample value from the table
        return FALSE;
    else
        return TRUE;
}
Credits for this code sample: al-khaser project
Signature recommendations
If the 2nd argument of any of the following functions is a value from the table column "Function" and the 1st argument is the handle of the matching "Library" from the table:

kernel32.GetProcAddress(lib_handle, func_name)
kernel32.LdrGetProcedureAddress(lib_handle, func_name)
ntdll.LdrGetProcedureAddress(lib_handle, func_name)
ntdll.LdrpGetProcedureAddress(lib_handle, func_name)

then it is an indication of an application trying to use this evasion technique.
Detections table
Check if the following functions are present in the following libraries:

Detect  Library       Function
Wine    kernel32.dll  wine_get_unix_file_name
        ntdll.dll     wine_get_version

Countermeasures

For processes: exclude target processes from enumeration or terminate them.
For libraries: exclude them from the enumeration lists in the PEB.
For functions in libraries: hook the appropriate functions and compare their arguments against the target ones.
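The two signature recommendations above (a GetModuleHandle call whose only argument is a Library from the table, and a GetProcAddress-family call whose second argument is a Function from the table while the first argument is the handle of the matching Library) can be applied to the API-call trace a sandbox's hooking layer records. The following Python is an added example and not code from the page or from any of the credited projects. It assumes a hypothetical trace format of one JSON object per hooked call with api, args and ret fields; the sample trace and its handle values are constructed for the example. Library handles are learned from earlier GetModuleHandle return values, which is how the "address of the matching Library" condition is evaluated.

```python
import json
import re

# Detection tables transcribed from the page; artifact names are kept lowercase
# so that matching is case-insensitive.
LOADED_LIBRARY_TABLE = {
    "CWSandbox":    ["api_log.dll", "dir_watch.dll", "pstorec.dll"],
    "Sandboxie":    ["sbiedll.dll"],
    "ThreatExpert": ["dbghelp.dll"],
    "VirtualPC":    ["vmcheck.dll"],
    "WPE Pro":      ["wpespy.dll"],
}
EXPORT_TABLE = {
    "Wine": [("kernel32.dll", "wine_get_unix_file_name"),
             ("ntdll.dll", "wine_get_version")],
}
# The four lookup functions named in the signature recommendation.
GETPROC_APIS = {
    "kernel32.GetProcAddress",
    "kernel32.LdrGetProcedureAddress",
    "ntdll.LdrGetProcedureAddress",
    "ntdll.LdrpGetProcedureAddress",
}

# Constructed sample trace (hypothetical format: one JSON object per hooked call).
# Handle values are made up for the example.
SAMPLE_TRACE = """\
{"api": "kernel32.GetModuleHandleA", "args": ["kernel32.dll"], "ret": "0x7ff800010000"}
{"api": "kernel32.GetModuleHandleA", "args": ["SbieDll.dll"], "ret": "0x0"}
{"api": "kernel32.GetProcAddress", "args": ["0x7ff800010000", "wine_get_unix_file_name"], "ret": "0x0"}
{"api": "kernel32.GetProcAddress", "args": ["0x7ff800010000", "GetTickCount"], "ret": "0x7ff80001a000"}
{"api": "kernel32.GetModuleHandleA", "args": ["user32.dll"], "ret": "0x7ff800200000"}
{"api": "kernel32.GetProcAddress", "args": ["0x7ff800200000", "wine_get_version"], "ret": "0x0"}
{"api": "ntdll.LdrGetProcedureAddress", "args": ["0x7ff800010000", "GetTickCount"], "ret": "0x7ff80001a000"}
"""


def _canonical(api):
    """Fold the ANSI/Unicode suffix (GetModuleHandleA/W) onto the base name."""
    return re.sub(r"[AW]$", "", api)


def analyze_trace(trace_text):
    """Return one finding per call that matches a signature recommendation.

    GetModuleHandle: flag when the only argument is a Library from the table.
    GetProcAddress family: flag when the second argument is a Function from the
    table and the first argument is the handle previously returned for the
    matching Library (handles are learned from GetModuleHandle return values).
    """
    handles = {}    # handle value -> library name
    findings = []
    for lineno, raw in enumerate(trace_text.splitlines(), start=1):
        if not raw.strip():
            continue
        event = json.loads(raw)
        api = _canonical(event["api"])
        args = event.get("args", [])
        if api == "kernel32.GetModuleHandle" and args:
            name = args[0].lower()
            if event.get("ret", "0x0") != "0x0":
                handles[event["ret"]] = name
            for detect, libs in LOADED_LIBRARY_TABLE.items():
                if name in libs:
                    findings.append({"line": lineno, "detect": detect,
                                     "api": api, "artifact": name})
        elif api in GETPROC_APIS and len(args) >= 2:
            lib = handles.get(args[0])      # None if the handle was never seen
            func = args[1].lower()
            for detect, pairs in EXPORT_TABLE.items():
                if (lib, func) in pairs:
                    findings.append({"line": lineno, "detect": detect,
                                     "api": api, "artifact": func})
    return findings


if __name__ == "__main__":
    for f in analyze_trace(SAMPLE_TRACE):
        print(f"line {f['line']}: {f['api']} -> {f['detect']} ({f['artifact']})")
```

Two details of the trace matter for the verdict: the GetModuleHandle probe for SbieDll.dll is flagged even though it returned NULL, because the probe itself is the signal, and the wine_get_version lookup is not flagged because it is performed on the user32.dll handle rather than on ntdll.dll, exactly as the recommendation requires.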
Functions used:

ntdll.NtQueryVirtualMemory

Code sample
#include <windows.h>
#include <winternl.h>

// NtQueryVirtualMemory is not declared in the public SDK headers; declare it
// here and link against ntdll.lib (or resolve it with GetProcAddress).
extern "C" NTSTATUS NTAPI NtQueryVirtualMemory(HANDLE ProcessHandle,
                                              PVOID BaseAddress,
                                              MEMORY_INFORMATION_CLASS MemoryInformationClass,
                                              PVOID MemoryInformation,
                                              SIZE_T MemoryInformationLength,
                                              PSIZE_T ReturnLength);

// Walks the process address space between the two limits (as returned by
// GetSystemInfo) and scans every committed RWX region for the 4-byte markers.
// 'kuzt' and 'xobs' are MSVC multi-character constants; read as a
// little-endian DWORD they match the ASCII bytes "tzuk" and "sbox" in memory.
BOOL AmISandboxied(LPVOID lpMinimumApplicationAddress, LPVOID lpMaximumApplicationAddress)
{
    BOOL IsSB = FALSE;
    MEMORY_BASIC_INFORMATION RegionInfo;
    ULONG_PTR i, k;
    SIZE_T Length = 0L;

    i = (ULONG_PTR)lpMinimumApplicationAddress;
    do {
        NTSTATUS Status = NtQueryVirtualMemory(GetCurrentProcess(),
                                               (PVOID)i,
                                               MemoryBasicInformation,
                                               &RegionInfo,
                                               sizeof(MEMORY_BASIC_INFORMATION),
                                               &Length);
        if (NT_SUCCESS(Status)) {
            // Check if executable code
            if (((RegionInfo.AllocationProtect & PAGE_EXECUTE_READWRITE) == PAGE_EXECUTE_READWRITE) &&
                ((RegionInfo.State & MEM_COMMIT) == MEM_COMMIT)) {
                for (k = i; k < i + RegionInfo.RegionSize; k += sizeof(DWORD)) {
                    if (
                        (*(PDWORD)k == 'kuzt') ||
                        (*(PDWORD)k == 'xobs')
                        )
                    {
                        IsSB = TRUE;
                        break;
                    }
                }
            }
            i += RegionInfo.RegionSize;
        }
        else {
            i += 0x1000;
        }
    } while (i < (ULONG_PTR)lpMaximumApplicationAddress);

    return IsSB;
}

Take a look at the VMDE project sources.
Signature recommendations
Signature recommendations are not provided, as it is hard to say what exactly is being looked for when a memory buffer is examined.

Countermeasures

Erase the artifacts that are present in memory.
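The comparisons `*(PDWORD)k == 'kuzt'` and `*(PDWORD)k == 'xobs'` in the sample above look reversed because MSVC builds a multi-character constant with the first character in the most significant byte, so a little-endian DWORD read matches the ASCII bytes "tzuk" and "sbox" in memory. The following Python is an added example and not code from the page or from the VMDE project: it reproduces the same comparison over a constructed byte buffer, so that a sandbox maintainer verifying the countermeasure (erasing such artifacts) can run it over a memory dump of their own environment, and it also shows the effect of the 4-byte stride the original loop uses. The buffer contents and offsets are constructed for the example.

```python
import struct


def multichar_to_bytes(literal):
    """Value of an MSVC multi-character constant such as 'kuzt', returned as
    the little-endian bytes that a DWORD compare sees in memory."""
    value = 0
    for ch in literal:
        value = (value << 8) | ord(ch)      # first character ends up most significant
    return struct.pack("<I", value)         # little-endian, as stored in memory


# The page's two constants, as the byte patterns they actually match.
MARKERS = [multichar_to_bytes("kuzt"), multichar_to_bytes("xobs")]  # b"tzuk", b"sbox"


def find_markers(region, step=4, markers=MARKERS):
    """Emulate the page's inner loop: compare the 4 bytes at every `step`
    bytes of the region against each marker. Returns (offset, marker) hits.

    With step=4 (sizeof(DWORD), as in the original) a marker that starts at an
    offset that is not a multiple of 4 from the region base is missed; pass
    step=1 to scan every byte offset instead.
    """
    hits = []
    for off in range(0, len(region) - 3, step):
        word = region[off:off + 4]
        for m in markers:
            if word == m:
                hits.append((off, m.decode("ascii")))
    return hits


# Constructed sample region (not a real memory dump): an aligned "tzuk" at
# offset 8 and an unaligned "sbox" at offset 17, surrounded by padding.
SAMPLE_REGION = b"\x90" * 8 + b"tzuk" + b"\x00" * 5 + b"sbox" + b"\x00" * 3


if __name__ == "__main__":
    print("stride 4:", find_markers(SAMPLE_REGION))
    print("stride 1:", find_markers(SAMPLE_REGION, step=1))
```

When cleaning a sandbox image it is therefore worth scanning at every byte offset rather than only at DWORD granularity, since a sample may use a different stride than the one shown here.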
Credits go to the open-source projects from which the code samples were taken:

Although the Check Point tool InviZzzible implements all of these checks, the modular structure of its code would require more space to show a code sample from it for the same purpose. That is why we decided to use other great open-source projects for the examples throughout this encyclopedia.