UI artifackts

UI artifacts H FileSystem Registry Generic OS Queries Global OS object UI artifacts OS Features Processes Network CPU Hardware Firmware tables Hooks Timing WMI Human-like behavior macOS

UI artifacts detection methods

Techniques described in this group abuse the fact that some windows’ names are only present in virtual environment and not is usual host OS. Even more, host OS contains a lot of windows while VM and sandboxes prefer keeping opened windows at the minimum. Their quantity is checked and the conclusion is drawn whether it is a VM or not.

1. Check if windows with certain class names are present in the OS

Detections table

Detect	Class name
Check if windows with the following class names are present in the OS:
VirtualBox	VBoxTrayToolWndClass
VirtualBox	VBoxTrayToolWnd

Code sample

BOOL vbox_window_class()
{
HWND hClass = FindWindow(_T("VBoxTrayToolWndClass"), NULL);
HWND hWindow = FindWindow(NULL, _T("VBoxTrayToolWnd"));

if (hClass || hWindow)
return TRUE;
else
return FALSE;
}

Credits for this code sample: al-khaser project

2. Check if top level windows' number is too small

As it was stated above, host OS contains a lot of windows while VMs and sandboxes strive to keep opened windows at possible minimum. Windows count is measured and the conclusion is drawn on whether it’s a VM or not.
In case there are too few windows in the OS, it could be an indication of virtual environment. Typical hosts have a lot (>10) top level windows.

Code sample

BOOL CALLBACK enumProc(HWND, LPARAM lParam)
{
if (LPDWORD pCnt = reinterpret_cast<LPDWORD>(lParam))
*pCnt++;
return TRUE;
}

bool enumWindowsCheck(bool& detected)
{
DWORD winCnt = 0;

if (!EnumWindows(enumProc,LPARAM(&winCnt))) {
std::cerr << "EnumWindows() failed\n";
return false;
}

return winCnt < 10;
}

Signature recommendations

No signature recommendations are provided for this evasion group as it’s hard to tell that code aims to perform some evasion technique and not “legal” action.

Countermeasures

versus windows with certain class names: Exclude windows with particular names from enumeration or modify these names.
versus checking top level windows' number: Create fake windows in the system so that their number will not be small or equal to the predefined numbers.

Credits

Credits go to open-source project from where code samples were taken:

al-khaser project on github

Though Check Point tool InviZzzible has them all implemented, due to modular structure of the code it would require more space to show a code sample from this tool for the same purposes. That’s why we’ve decided to use other great open-source projects for examples throughout the encyclopedia.