Registry detection methods

The principle behind all the registry detection methods is the same: the registry keys and values in question do not exist on an ordinary host, but they do exist inside particular virtual environments.

An ordinary system may occasionally produce false positives for these checks when it has virtual machine software installed, because some VM artifacts are then present on the host. In every other respect, however, such a system looks clean when compared with a virtual environment.

Registry keys may be queried via WinAPI calls.

Functions used in kernel32.dll:

Functions above are wrappers on top of the following ntdll.dll functions:


 

1. Check if particular registry paths exist

See the title section above for the list of functions used.

Code sample

 

#include <windows.h>

int pafish_exists_regkey(HKEY hKey, char * regkey_s);
int pafish_iswow64(void); /* pafish helper (utils.h): TRUE when a 32-bit process runs under WOW64 */

/* sample of usage: see detection of VirtualBox in the table below to check registry path */
int vbox_reg_key7() {
    return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
    HKEY regkey;
    LONG ret;

    /* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
    /* under WOW64 open the native 64-bit view, so registry redirection does not hide the key */
    if (pafish_iswow64()) {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    /* the key exists if it could be opened; release the handle and report */
    if (ret == ERROR_SUCCESS) {
        RegCloseKey(regkey);
        return TRUE;
    }
    else
        return FALSE;
}

Credits for this code sample: pafish project

Signature recommendations

 

If the following function contains 2nd argument from the table column `Registry path`:

 

then it's an indication of an application trying to use the evasion technique.

Detections table

Check if the following registry paths exist:
| Detect | Registry path | Details (if any) |
|---|---|---|
| [general] | HKLM\Software\Classes\Folder\shell\sandbox | |
| Hyper-V | HKLM\SOFTWARE\Microsoft\Hyper-V | |
| | HKLM\SOFTWARE\Microsoft\VirtualMachine | |
| | HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters | Usually "HostName" and "VirtualMachineName" values are read under this path |
| | HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat | |
| | HKLM\SYSTEM\ControlSet001\Services\vmicvss | |
| | HKLM\SYSTEM\ControlSet001\Services\vmicshutdown | |
| | HKLM\SYSTEM\ControlSet001\Services\vmicexchange | |
| Parallels | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| Sandboxie | HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv | |
| | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie | |
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| | HKLM\HARDWARE\ACPI\DSDT\VBOX__ | |
| | HKLM\HARDWARE\ACPI\FADT\VBOX__ | |
| | HKLM\HARDWARE\ACPI\RSDT\VBOX__ | |
| | HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxGuest | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxMouse | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxService | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxSF | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxVideo | |
| VirtualPC | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| | HKLM\SYSTEM\ControlSet001\Services\vpcbus | |
| | HKLM\SYSTEM\ControlSet001\Services\vpc-s3 | |
| | HKLM\SYSTEM\ControlSet001\Services\vpcuhub | |
| | HKLM\SYSTEM\ControlSet001\Services\msvmmouf | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| | HKCU\SOFTWARE\VMware, Inc.\VMware Tools | |
| | HKLM\SOFTWARE\VMware, Inc.\VMware Tools | |
| | HKLM\SYSTEM\ControlSet001\Services\vmdebug | |
| | HKLM\SYSTEM\ControlSet001\Services\vmmouse | |
| | HKLM\SYSTEM\ControlSet001\Services\VMTools | |
| | HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL | |
| | HKLM\SYSTEM\ControlSet001\Services\vmware | |
| | HKLM\SYSTEM\ControlSet001\Services\vmci | |
| | HKLM\SYSTEM\ControlSet001\Services\vmx86 | |
| | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD* | |
| | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* | |
| | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* | |
| | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* | |
| Wine | HKCU\SOFTWARE\Wine | |
| | HKLM\SOFTWARE\Wine | |
| Xen | HKLM\HARDWARE\ACPI\DSDT\xen | |
| | HKLM\HARDWARE\ACPI\FADT\xen | |
| | HKLM\HARDWARE\ACPI\RSDT\xen | |
| | HKLM\SYSTEM\ControlSet001\Services\xenevtchn | |
| | HKLM\SYSTEM\ControlSet001\Services\xennet | |
| | HKLM\SYSTEM\ControlSet001\Services\xennet6 | |
| | HKLM\SYSTEM\ControlSet001\Services\xensvc | |
| | HKLM\SYSTEM\ControlSet001\Services\xenvdb | |


In particular cases malware may enumerate sub-keys and check whether a sub-key name contains a given string, instead of checking whether a specific key exists.

 

For example: enumerate sub-keys of "HKLM\SYSTEM\ControlSet001\Services\" and search for "VBox" string.


 

2. Check if particular registry keys contain specified strings

See the title section above for the list of functions used. Please note that case is irrelevant for these checks: the string may be either upper or lower case.

Code sample

 

#include <windows.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup);
int pafish_iswow64(void); /* pafish helper (utils.h): TRUE when a 32-bit process runs under WOW64 */

/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
int vbox_reg_key2() {
    return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
    /*
        regkey_s == "HARDWARE\\Description\\System";
        value_s == "SystemBiosVersion";
        lookup == "VBOX";
    */

    HKEY regkey;
    LONG ret;
    DWORD size;
    char value[1024], * lookup_str;
    size_t lookup_size;

    /* private upper-cased copy of the lookup string, so the caller's buffer is not modified */
    lookup_size = strlen(lookup);
    lookup_str = malloc(lookup_size+sizeof(char));
    if (lookup_str == NULL)
        return FALSE;
    strncpy(lookup_str, lookup, lookup_size+sizeof(char));
    size = sizeof(value);

    /* regkey_s == "HARDWARE\\Description\\System"; */
    if (pafish_iswow64()) {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        /* value_s == "SystemBiosVersion"; */
        ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
        RegCloseKey(regkey);

        if (ret == ERROR_SUCCESS) {
            size_t i;
            /* registry data is not guaranteed to be NUL-terminated: terminate it before using strlen/strstr */
            if (size >= sizeof(value))
                size = sizeof(value) - 1;
            value[size] = '\0';
            for (i = 0; i < strlen(value); i++) { /* case-insensitive */
                value[i] = (char)toupper((unsigned char)value[i]);
            }
            for (i = 0; i < lookup_size; i++) { /* case-insensitive */
                lookup_str[i] = (char)toupper((unsigned char)lookup_str[i]);
            }
            /* substring match: "VBOX" anywhere inside the (upper-cased) value data */
            if (strstr(value, lookup_str) != NULL) {
                free(lookup_str);
                return TRUE;
            }
        }
    }

    free(lookup_str);
    return FALSE;
}

Credits for this code sample: pafish project

Signature recommendations

 

If the following function contains 2nd argument from the table column `Registry path`:

 

and is followed by the call to the following function with 2nd argument from the table column `Registry key`:

then it's an indication of an application trying to use the evasion technique.

Detections table

Check if the following registry values contain the following strings (case insensitive):
| Detect | Registry path | Registry key | String |
|---|---|---|---|
| [general] | HKLM\HARDWARE\Description\System | SystemBiosDate | 06/23/99 |
| | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | A M I |
| BOCHS | HKLM\HARDWARE\Description\System | SystemBiosVersion | BOCHS |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | BOCHS |
| Anubis | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| CwSandbox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| JoeBox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| Parallels | HKLM\HARDWARE\Description\System | SystemBiosVersion | PARALLELS |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | PARALLELS |
| QEMU | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | QEMU |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | QEMU |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | QEMU |
| | HKLM\HARDWARE\Description\System\BIOS | SystemManufacturer | QEMU |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | VBOX |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | VIRTUALBOX |
| | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VIRTUAL |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VBOX |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VBOX |
| | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VBOX |
| | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VBOX |
| | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VBOX |
| | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VBOX |
| | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUAL |
| | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUALBOX |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | VMWARE |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | INTEL - 6040000 |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | VMWARE |
| | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VMware |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 0 | VMware |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 1 | VMware |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VMware |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VMware |
| | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VMware |
| | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VMware |
| | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VMware |
| | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VMware |
| | HKCR\Installer\Products | ProductName | vmware tools |
| | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | CoInstallers32 | *vmx* |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | DriverDesc | VMware* |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | InfSection | vmx* |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | ProviderName | VMware* |
| | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VMWARE |
| | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vm3dmp |
| | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vmx_svga |
| | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000 | Device Description | VMware SVGA* |
| Xen | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | Xen |

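The following PowerShell audit script is an added example (not code from this page or from the pafish project) that applies both checks described above, key existence from the first table and case-insensitive substring matching of value data from the second, to the current host, so an analysis-VM operator can see which of these artifacts are exposed. The indicator lists are a subset copied from the tables (trailing `*` rows are handled as sub-key name prefixes, the enumeration variant mentioned above); the function names are my own.

```powershell
# Added audit script (not from the page or pafish): reports which registry artifacts
# from the two tables above are visible on this host. Lists are a subset; extend as needed.
$keyChecks = @(
    'HKLM\HARDWARE\ACPI\FADT\VBOX__',
    'HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions',
    'HKLM\SOFTWARE\VMware, Inc.\VMware Tools',
    'HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat',
    'HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE*',   # trailing * = sub-key name prefix
    'HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD*'
)
# (path, value name, substring) triples; matched case-insensitively, as in the pafish sample
$valueChecks = @(
    @('HKLM\HARDWARE\Description\System', 'SystemBiosVersion', 'VBOX'),
    @('HKLM\HARDWARE\Description\System', 'VideoBiosVersion', 'VMWARE'),
    @('HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0', 'Identifier', 'QEMU'),
    @('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion', 'ProductID', '76487-337-8429955-22614')
)

function ConvertTo-ProviderPath([string]$Path) {
    # 'HKLM\Foo' -> 'Registry::HKEY_LOCAL_MACHINE\Foo' (HKCU and HKCR likewise)
    $map = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKCU = 'HKEY_CURRENT_USER'; HKCR = 'HKEY_CLASSES_ROOT' }
    $hive, $rest = $Path -split '\\', 2
    return "Registry::$($map[$hive])\$rest"
}

function Test-RegistryArtifact([string]$Path) {
    $full = ConvertTo-ProviderPath $Path
    if (-not $Path.EndsWith('*')) { return (Test-Path -Path $full) }
    # wildcard row: enumerate the parent key and look for a sub-key whose name starts with the prefix
    $cut = $full.LastIndexOf('\')
    $parent = $full.Substring(0, $cut)
    $prefix = $full.Substring($cut + 1).TrimEnd('*')
    $hits = Get-ChildItem -Path $parent -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like "$prefix*" }
    return [bool]$hits
}

function Test-RegistryValueContains([string]$Path, [string]$Name, [string]$Needle) {
    $item = Get-ItemProperty -Path (ConvertTo-ProviderPath $Path) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }          # key or value missing: no artifact
    $data = [string]::Join(' ', @($item.$Name))     # REG_MULTI_SZ data comes back as an array
    return $data.ToUpperInvariant().Contains($Needle.ToUpperInvariant())
}

foreach ($k in $keyChecks) {
    if (Test-RegistryArtifact $k) { "KEY PRESENT : $k" }
}
foreach ($v in $valueChecks) {
    if (Test-RegistryValueContains $v[0] $v[1] $v[2]) { "VALUE MATCH : $($v[0]) [$($v[1])] contains '$($v[2])'" }
}
```

Run it inside the analysis VM; every line it prints is an indicator that a sample using this technique could also read, and therefore a candidate for the hooking countermeasure described below.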

 

Countermeasures

Hook the target functions and return appropriate results whenever the indicators (the registry paths and strings from the tables above) are queried.


 

Credits

Credits go to the open-source project from which the code samples were taken:

Although the Check Point tool InviZzzible implements all of these checks, the modular structure of its code means a code sample from it would take more space to show for the same purpose. That's why we decided to use other great open-source projects for the examples throughout the encyclopedia.