Registry H FileSystem Registry Generic OS Queries Global OS object UI artifacts OS Features Processes Network CPU Hardware Firmware tables Hooks Timing WMI Human-like behavior macOS
The principle of all the registry detection methods is the following: there are no such registry keys and values in usual host. However they exist in particular virtual environments.
Sometimes usual system may cause false positives when these checks are applied because it has some virtual machines installed and thus some VM artifacts are present in the system. Though in all other aspects such a system is treated clean in comparison with virtual environments.
Registry keys may be queries via WinAPI calls.
Functions used in kernel32.dll:
Functions above are wrappers on top of the following ntdll.dll functions:
Take a look at title section to get the list of used functions.
Code sample
Credits for this code sample: pafish project
Signature recommendations
If the following function contains 2nd argument from the table column `Registry path`:
then it’s an indication of application trying to use the evasion technique.
Detections table
Check if the following registry paths exist: | ||
Detect | Registry path | Details (if any) |
---|---|---|
[general] | HKLM\Software\Classes\Folder\shell\sandbox | |
Hyper-V | HKLM\SOFTWARE\Microsoft\Hyper-V | |
HKLM\SOFTWARE\Microsoft\VirtualMachine | ||
HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters | Usually "HostName" and "VirtualMachineName" values are read under this path | |
HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat | ||
HKLM\SYSTEM\ControlSet001\Services\vmicvss | ||
HKLM\SYSTEM\ControlSet001\Services\vmicshutdown | ||
HKLM\SYSTEM\ControlSet001\Services\vmicexchange | ||
Parallels | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
Sandboxie | HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv | |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie | ||
VirtualBox | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
HKLM\HARDWARE\ACPI\DSDT\VBOX__ | ||
HKLM\HARDWARE\ACPI\FADT\VBOX__ | ||
HKLM\HARDWARE\ACPI\RSDT\VBOX__ | ||
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions | ||
HKLM\SYSTEM\ControlSet001\Services\VBoxGuest | ||
HKLM\SYSTEM\ControlSet001\Services\VBoxMouse | ||
HKLM\SYSTEM\ControlSet001\Services\VBoxService | ||
HKLM\SYSTEM\ControlSet001\Services\VBoxSF | ||
HKLM\SYSTEM\ControlSet001\Services\VBoxVideo | ||
VirtualPC | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
HKLM\SYSTEM\ControlSet001\Services\vpcbus | ||
HKLM\SYSTEM\ControlSet001\Services\vpc-s3 | ||
HKLM\SYSTEM\ControlSet001\Services\vpcuhub | ||
HKLM\SYSTEM\ControlSet001\Services\msvmmouf | ||
VMware | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
HKCU\SOFTWARE\VMware, Inc.\VMware Tools | ||
HKLM\SOFTWARE\VMware, Inc.\VMware Tools | ||
HKLM\SYSTEM\ControlSet001\Services\vmdebug | ||
HKLM\SYSTEM\ControlSet001\Services\vmmouse | ||
HKLM\SYSTEM\ControlSet001\Services\VMTools | ||
HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL | ||
HKLM\SYSTEM\ControlSet001\Services\vmware | ||
HKLM\SYSTEM\ControlSet001\Services\vmci | ||
HKLM\SYSTEM\ControlSet001\Services\vmx86 | ||
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD* | ||
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* | ||
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* | ||
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* | ||
Wine | HKCU\SOFTWARE\Wine | |
HKLM\SOFTWARE\Wine | ||
Xen | HKLM\HARDWARE\ACPI\DSDT\xen | |
HKLM\HARDWARE\ACPI\FADT\xen | ||
HKLM\HARDWARE\ACPI\RSDT\xen | ||
HKLM\SYSTEM\ControlSet001\Services\xenevtchn | ||
HKLM\SYSTEM\ControlSet001\Services\xennet | ||
HKLM\SYSTEM\ControlSet001\Services\xennet6 | ||
HKLM\SYSTEM\ControlSet001\Services\xensvc | ||
HKLM\SYSTEM\ControlSet001\Services\xenvdb |
In particular cases malware may enumerate sub-keys and check if a name of the sub-key contain some string instead of checking if the specified key exists.
For example: enumerate sub-keys of "HKLM\SYSTEM\ControlSet001\Services\" and search for "VBox" string.
Take a look at title section to get the list of used functions. Please note that case is irrelevant for these checks: it may be either upper or lower.
Code sample
Credits for this code sample: pafish project
Signature recommendations
If the following function contains 2nd argument from the table column `Registry path`:
and is followed by the call to the following function with 2nd argument from the table column `Registry key`:
then it’s an indication of application trying to use the evasion technique.
Detections table
Check if the following registry values contain the following strings (case insensitive): | |||
Detect | Registry path | Registry key | String |
---|---|---|---|
[general] | HKLM\HARDWARE\Description\System | SystemBiosDate | 06/23/99 |
HKLM\HARDWARE\Description\System\BIOS | SystemProductName | A M I | |
BOCHS | HKLM\HARDWARE\Description\System | SystemBiosVersion | BOCHS |
HKLM\HARDWARE\Description\System | VideoBiosVersion | BOCHS | |
Anubis | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-337-8429955-22614 |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-337-8429955-22614 | |
CwSandbox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-644-3177037-23510 |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-644-3177037-23510 | |
JoeBox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 55274-640-2673064-23950 |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 55274-640-2673064-23950 | |
Parallels | HKLM\HARDWARE\Description\System | SystemBiosVersion | PARALLELS |
HKLM\HARDWARE\Description\System | VideoBiosVersion | PARALLELS | |
QEMU | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | QEMU |
HKLM\HARDWARE\Description\System | SystemBiosVersion | QEMU | |
HKLM\HARDWARE\Description\System | VideoBiosVersion | QEMU | |
HKLM\HARDWARE\Description\System\BIOS | SystemManufacturer | QEMU | |
VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX | |
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX | |
HKLM\HARDWARE\Description\System | SystemBiosVersion | VBOX | |
HKLM\HARDWARE\Description\System | VideoBiosVersion | VIRTUALBOX | |
HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VIRTUAL | |
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VBOX | |
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VBOX | |
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VBOX | |
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VBOX | |
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VBOX | |
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VBOX | |
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUAL | |
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUALBOX | |
VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE | |
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE | |
HKLM\HARDWARE\Description\System | SystemBiosVersion | VMWARE | |
HKLM\HARDWARE\Description\System | SystemBiosVersion | INTEL - 6040000 | |
HKLM\HARDWARE\Description\System | VideoBiosVersion | VMWARE | |
HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VMware | |
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 0 | VMware | |
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 1 | VMware | |
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VMware | |
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VMware | |
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VMware | |
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VMware | |
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VMware | |
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VMware | |
HKCR\Installer\Products | ProductName | vmware tools | |
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools | |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools | |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools | |
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | CoInstallers32 | *vmx* | |
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | DriverDesc | VMware* | |
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | InfSection | vmx* | |
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | ProviderName | VMware* | |
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VMWARE | |
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vm3dmp | |
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vmx_svga | |
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000 | Device Description | VMware SVGA* | |
Xen | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | Xen |
Hook target functions and return appropriate results if indicators (registry strings from tables) are checked.
Credits go to open-source project from where code samples were taken:
Though Check Point tool InviZzzible has them all implemented, due to modular structure of the code it would require more space to show a code sample from this tool for the same purposes. That’s why we’ve decided to use other great open-source projects for examples throughout the encyclopedia.