Processes H FileSystem Registry Generic OS Queries Global OS object UI artifacts OS Features Processes Network CPU Hardware Firmware tables Hooks Timing WMI Human-like behavior macOS
Virtual environment launches some specific helper processes which are not being executed in usual host OS. There are also some specific modules which are loaded into processes address spaces.
Functions used:
Code sample
check_process_is_running("vmtoolsd.exe"); // sample value from the table
bool check_process_is_running(const std::string &proc_name) {
HANDLE hSnapshot;
PROCESSENTRY32 pe = {};
pe.dwSize = sizeof(pe);
bool present = false;
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE)
return false;
if (Process32First(hSnapshot, &pe)) {
do {
if (!StrCmpI(pe.szExeFile, proc_name.c_str())) {
present = true;
break;
}
} while (Process32Next(hSnapshot, &pe));
}
CloseHandle(hSnapshot);
return present;
}Signature recommendations
Signature recommendations are not provided as it’s hard to say what exactly is queried in the processes’ snapshot.
Detections table
| Check if the following processes are running: | |
| Detect | Process |
|---|---|
| JoeBox | joeboxserver.exe |
| joeboxcontrol.exe | |
| Parallels | prl_cc.exe |
| prl_tools.exe | |
| VirtualBox | vboxservice.exe |
| vboxtray.exe | |
| VirtualPC | vmsrvc.exe |
| vmusrvc.exe | |
| VMWare | vmtoolsd.exe |
| vmacthlp.exe | |
| vmwaretray.exe | |
| vmwareuser.exe | |
| vmware.exe | |
| vmount2.exe | |
| Xen | xenservice.exe |
| xsvc_depriv.exe | |
| WPE Pro | WPE Pro.exe |
Note: WPE Pro is a sniffer, not VM, however it is used along with VM detects.
Functions used:
Code sample
VOID loaded_dlls()
{
/* Some vars */
HMODULE hDll;
/* Array of strings of blacklisted dlls */
TCHAR* szDlls[] = {
_T("sbiedll.dll"),
_T("dbghelp.dll"),
_T("api_log.dll"),
_T("dir_watch.dll"),
_T("pstorec.dll"),
_T("vmcheck.dll"),
_T("wpespy.dll"),
};
WORD dwlength = sizeof(szDlls) / sizeof(szDlls[0]);
for (int i = 0; i < dwlength; i++)
{
TCHAR msg[256] = _T("");
_stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking if process loaded modules contains: %s "),
szDlls[i]);
/* Check if process loaded modules contains the blacklisted dll */
hDll = GetModuleHandle(szDlls[i]);
if (hDll == NULL)
print_results(FALSE, msg);
else
print_results(TRUE, msg);
}
}Credits for this code sample: al-khaser project
Signature recommendations
If the following function contains its only argument from the table column `Library`:
then it’s an indication of application trying to use this evasion technique.
Detections table
| Check if the following libraries are loaded in the process address space: | |
| Detect | Library |
|---|---|
| CWSandbox | api_log.dll |
| dir_watch.dll | |
| pstorec.dll | |
| Sandboxie | sbiedll.dll |
| ThreatExpert | dbghelp.dll |
| VirtualPC | vmcheck.dll |
| WPE Pro | wpespy.dll |
Note: WPE Pro is a sniffer, not VM, however it is used along with VM detects.
Functions used (see note about native functions):
Code sample
BOOL wine_exports()
{
/* Some vars */
HMODULE hKernel32;
/* Get kernel32 module handle */
hKernel32 = GetModuleHandle(_T("kernel32.dll"));
if (hKernel32 == NULL) {
print_last_error(_T("GetModuleHandle"));
return FALSE;
}
/* Check if wine_get_unix_file_name is exported by this dll */
if (GetProcAddress(hKernel32, "wine_get_unix_file_name") == NULL) // sample value from the table
return FALSE;
else
return TRUE;
}Credits for this code sample: al-khaser project
Signature recommendations
If the following functions contain 2nd argument from the table column “Function” and the 1st argument is the address of matching “Library” name from the table:
then it’s an indication of application trying to use this evasion technique.
Detections table
| Check if the following functions are present in the following libraries: | ||
| Detect | Library | Function |
|---|---|---|
| Wine | kernel32.dll | wine_get_unix_file_name |
| ntdll.dll | wine_get_version | |
Functions used:
Code sample
BOOL AmISandboxied(LPVOID lpMinimumApplicationAddress, LPVOID lpMaximumApplicationAddress)
{
BOOL IsSB = FALSE;
MEMORY_BASIC_INFORMATION RegionInfo;
ULONG_PTR i, k;
SIZE_T Length = 0L;
i = (ULONG_PTR)lpMinimumApplicationAddress;
do {
NTSTATUS Status = NtQueryVirtualMemory(GetCurrentProcess(),
(PVOID)i,
MemoryBasicInformation,
&RegionInfo,
sizeof(MEMORY_BASIC_INFORMATION),
&Length);
if (NT_SUCCESS(Status)) {
// Check if executable code
if (((RegionInfo.AllocationProtect & PAGE_EXECUTE_READWRITE) == PAGE_EXECUTE_READWRITE) &&
((RegionInfo.State & MEM_COMMIT) == MEM_COMMIT)) {
for (k = i; k < i + RegionInfo.RegionSize; k += sizeof(DWORD)) {
if (
(*(PDWORD)k == 'kuzt') ||
(*(PDWORD)k == 'xobs')
)
{
IsSB = TRUE;
break;
}
}
}
i += RegionInfo.RegionSize;
}
else {
i += 0x1000;
}
} while (i < (ULONG_PTR)lpMaximumApplicationAddress);
return IsSB;
}Take a look at VMDE project sources.
Signature recommendations
Signature recommendations are not provided as it’s hard to say what exactly is queried when memory buffer is being examined.
Erase present artifacts from memory.
Credits go to open-source project from where code samples were taken:
Though Check Point tool InviZzzible has them all implemented, due to modular structure of the code it would require more space to show a code sample from this tool for the same purposes. That’s why we’ve decided to use other great open-source projects for examples throughout the encyclopedia.