Registry  H  FileSystem  Registry  Generic OS Queries  Global OS object  UI artifacts  OS Features  Processes  Network  CPU  Hardware  Firmware tables  Hooks  Timing  WMI  Human-like behavior  macOS

Registry detection methods

The principle of all the registry detection methods is the following: there are no such registry keys and values in usual host. However they exist in particular virtual environments.

Sometimes usual system may cause false positives when these checks are applied because it has some virtual machines installed and thus some VM artifacts are present in the system. Though in all other aspects such a system is treated clean in comparison with virtual environments.

Registry keys may be queries via WinAPI calls.

Functions used in kernel32.dll:

• RegOpenKey
• RegOpenKeyEx
• RegQueryValue
• RegQueryValueEx
• RegCloseKey
• RegEnumKeyEx

Functions above are wrappers on top of the following ntdll.dll functions:

• NtOpenKey
• NtEnumerateKey
• NtQueryValueKey
• NtClose

1. Check if particular registry paths exist

Take a look at title section to get the list of used functions.

Code sample

/* sample of usage: see detection of VirtualBox in the table below to check registry path */
int vbox_reg_key7() {
return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
HKEY regkey;
LONG ret;

/* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
if (pafish_iswow64()) {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
}
else {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
}

if (ret == ERROR_SUCCESS) {
RegCloseKey(regkey);
return TRUE;
}
else
return FALSE;
}

Credits for this code sample: pafish project

Signature recommendations

If the following function contains 2nd argument from the table column `Registry path`:

• NtOpenKey(..., registry_path, ...)

then it’s an indication of application trying to use the evasion technique.

Detections table

In particular cases malware may enumerate sub-keys and check if a name of the sub-key contain some string instead of checking if the specified key exists.

For example: enumerate sub-keys of "HKLM\SYSTEM\ControlSet001\Services\" and search for "VBox" string.

2. Check if particular registry keys contain specified strings

Take a look at title section to get the list of used functions. Please note that case is irrelevant for these checks: it may be either upper or lower.

Code sample

/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
int vbox_reg_key2() {
return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
/*
        regkey_s == "HARDWARE\\Description\\System";
        value_s == "SystemBiosVersion";
        lookup == "VBOX";
    */

HKEY regkey;
LONG ret;
DWORD size;
char value[1024], * lookup_str;
size_t lookup_size;

lookup_size = strlen(lookup);
lookup_str = malloc(lookup_size+sizeof(char));
strncpy(lookup_str, lookup, lookup_size+sizeof(char));
size = sizeof(value);

/* regkey_s == "HARDWARE\\Description\\System"; */
if (pafish_iswow64()) {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
}
else {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
}

if (ret == ERROR_SUCCESS) {
/* value_s == "SystemBiosVersion"; */
ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
RegCloseKey(regkey);

if (ret == ERROR_SUCCESS) {
size_t i;
for (i = 0; i < strlen(value); i++) { /* case-insensitive */
value[i] = toupper(value[i]);
}
for (i = 0; i < lookup_size; i++) { /* case-insensitive */
lookup_str[i] = toupper(lookup_str[i]);
}
if (strstr(value, lookup_str) != NULL) {
free(lookup_str);
return TRUE;
}
}
}

free(lookup_str);
return FALSE;
}

Credits for this code sample: pafish project

Signature recommendations

If the following function contains 2nd argument from the table column `Registry path`:

• NtOpenKey(..., registry_path, ...)

and is followed by the call to the following function with 2nd argument from the table column `Registry key`:

• NtQueryValueKey(..., registry_item, ...)

then it’s an indication of application trying to use the evasion technique.

Detections table

Countermeasures

Hook target functions and return appropriate results if indicators (registry strings from tables) are checked.

Credits

Credits go to open-source project from where code samples were taken:

• pafish project on github

Though Check Point tool InviZzzible has them all implemented, due to modular structure of the code it would require more space to show a code sample from this tool for the same purposes. That’s why we’ve decided to use other great open-source projects for examples throughout the encyclopedia.