UI artifacts
Techniques in this group abuse the fact that some window names are present only in a virtual environment and not in a usual host OS. In addition, a host OS normally has a lot of windows open, while VMs and sandboxes tend to keep the number of open windows to a minimum. The windows are counted and a conclusion is drawn about whether the environment is a VM.
Detections table

Check if windows with the following class names are present in the OS:

Detect | Class name
---|---
VirtualBox | VBoxTrayToolWndClass
VirtualBox | VBoxTrayToolWnd

Both names belong to VBoxTray, the tray helper installed with VirtualBox Guest Additions; in al-khaser's check, VBoxTrayToolWndClass is looked up as a window class and VBoxTrayToolWnd as a window title.
Code sample
Credits for this code sample: al-khaser project
As stated above, a host OS contains a lot of windows, while VMs and sandboxes strive to keep the number of open windows to a minimum. The top-level windows are counted and a conclusion is drawn about whether the environment is a VM.

If there are too few windows in the OS, it may indicate a virtual environment: typical hosts have many (>10) top-level windows. The threshold is a heuristic only; a freshly logged-in host or a kiosk-style machine can also have very few windows, so this check is usually combined with others.
Code sample
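The two checks from this page, the VirtualBox tray window lookup and the top-level window count, as an added example that is not code from al-khaser or InviZzzible. The Win32 enumeration (EnumWindows with GetClassNameA/GetWindowTextA) is kept behind a small enumerator interface so that the decision logic can also be exercised off-Windows against a constructed window list; the sample lists, the 10-window threshold taken from the text above, and the function names are assumptions of this example.

```c
/* Added example (not al-khaser's or InviZzzible's code): VBoxTray window check
 * plus top-level window count, with the Win32 dependency isolated. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

typedef struct {
    const char *class_name;
    const char *title;
} window_info;

/* Enumerator interface: call cb for each top-level window, stop when it returns 0. */
typedef int (*window_cb)(const window_info *w, void *ctx);
typedef void (*window_enumerator)(window_cb cb, void *ctx);

#define MIN_HOST_WINDOWS 10   /* page's heuristic: real hosts have >10 top-level windows */

struct scan_state {
    unsigned count;      /* top-level windows seen */
    int vbox_artifact;   /* VBoxTray window found */
};

static int scan_cb(const window_info *w, void *ctx)
{
    struct scan_state *s = (struct scan_state *)ctx;
    s->count++;
    /* Same artifacts as in the detections table: class name and window title. */
    if ((w->class_name && strcmp(w->class_name, "VBoxTrayToolWndClass") == 0) ||
        (w->title && strcmp(w->title, "VBoxTrayToolWnd") == 0))
        s->vbox_artifact = 1;
    return 1;
}

static struct scan_state scan_windows(window_enumerator enumerate)
{
    struct scan_state s = { 0, 0 };
    enumerate(scan_cb, &s);
    return s;
}

/* 1 if a VirtualBox Guest Additions tray window is present. */
int vbox_window_present(window_enumerator enumerate)
{
    return scan_windows(enumerate).vbox_artifact;
}

unsigned count_top_level_windows(window_enumerator enumerate)
{
    return scan_windows(enumerate).count;
}

/* 1 if the desktop is emptier than a typical host (not >10 windows). */
int too_few_windows(window_enumerator enumerate)
{
    return count_top_level_windows(enumerate) <= MIN_HOST_WINDOWS;
}

#ifdef _WIN32
struct win32_bridge { window_cb cb; void *ctx; };

static BOOL CALLBACK enum_proc(HWND hwnd, LPARAM lparam)
{
    struct win32_bridge *b = (struct win32_bridge *)lparam;
    char cls[256], title[256];
    if (!GetClassNameA(hwnd, cls, sizeof cls)) cls[0] = '\0';
    if (!GetWindowTextA(hwnd, title, sizeof title)) title[0] = '\0';
    window_info w = { cls, title };
    return b->cb(&w, b->ctx) ? TRUE : FALSE;
}

/* Real backend: every top-level window, visible or not (like al-khaser's count). */
void win32_enumerate(window_cb cb, void *ctx)
{
    struct win32_bridge b = { cb, ctx };
    EnumWindows(enum_proc, (LPARAM)&b);
}
#endif

/* Constructed sample lists (assumptions, not captured from real systems). */
static const window_info SAMPLE_VM[] = {
    { "Shell_TrayWnd", "" },
    { "Progman", "Program Manager" },
    { "VBoxTrayToolWndClass", "VBoxTrayToolWnd" },
};

void sample_vm_enumerate(window_cb cb, void *ctx)
{
    size_t i;
    for (i = 0; i < sizeof SAMPLE_VM / sizeof SAMPLE_VM[0]; i++)
        if (!cb(&SAMPLE_VM[i], ctx)) break;
}

/* A busy host: 12 ordinary application windows, no VirtualBox artifacts. */
void sample_host_enumerate(window_cb cb, void *ctx)
{
    char title[32];
    int i;
    for (i = 0; i < 12; i++) {
        window_info w = { "Notepad", title };
        snprintf(title, sizeof title, "Document %d - Editor", i + 1);
        if (!cb(&w, ctx)) break;
    }
}

int main(void)
{
#ifdef _WIN32
    window_enumerator e = win32_enumerate;      /* live desktop */
#else
    window_enumerator e = sample_vm_enumerate;  /* off-Windows: constructed list */
#endif
    printf("top-level windows: %u\n", count_top_level_windows(e));
    printf("VBoxTray window present: %d\n", vbox_window_present(e));
    printf("too few windows: %d\n", too_few_windows(e));
    return 0;
}
```

On Windows the program walks the live desktop; elsewhere it runs over the constructed VM list, which reports 3 windows and a VBoxTray artifact. Note that EnumWindows also returns invisible and tool windows, so the raw count on a host is typically well above the threshold; al-khaser's original FindWindow-based lookup would also match a hidden VBoxTray window.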
No signature recommendations are provided for this evasion group, as it is hard to tell whether code that looks up or counts windows is performing an evasion technique rather than a legitimate action.

Credits go to the open-source projects from which the code samples were taken:

Although the Check Point tool InviZzzible implements all of these checks, the modular structure of its code means that showing a code sample from it for the same purpose would take considerably more space. That is why we have decided to use other great open-source projects for the examples throughout the encyclopedia.