

UI artifacts detection methods

Techniques in this group abuse the fact that some window names are present only in a virtual environment and not in a usual host OS. Moreover, a host OS contains a lot of windows, while VMs and sandboxes prefer to keep the number of open windows at a minimum. Their quantity is checked and a conclusion is drawn as to whether it is a VM or not.



1. Check if windows with certain class names are present in the OS

Detections table

Check if windows with the following class name or window title are present in the OS:

Detect        Class name / window title
VirtualBox    VBoxTrayToolWndClass (class name)
VirtualBox    VBoxTrayToolWnd (window title)

Code sample


#include <windows.h>
#include <tchar.h>

BOOL vbox_window_class()
{
    // Look for the VirtualBox guest tray window by its class name...
    HWND hClass = FindWindow(_T("VBoxTrayToolWndClass"), NULL);
    // ...and by its window title.
    HWND hWindow = FindWindow(NULL, _T("VBoxTrayToolWnd"));

    if (hClass || hWindow)
        return TRUE;
    else
        return FALSE;
}

Credits for this code sample: al-khaser project



2. Check if the number of top-level windows is too small

As stated above, a host OS contains a lot of windows, while VMs and sandboxes strive to keep the number of open windows at a minimum. The window count is measured and a conclusion is drawn as to whether it is a VM or not.
If there are too few windows in the OS, it may indicate a virtual environment. Typical hosts have many (>10) top-level windows.

Code sample


#include <windows.h>
#include <iostream>

// Called once per top-level window; increments the counter passed via lParam.
BOOL CALLBACK enumProc(HWND, LPARAM lParam)
{
    if (LPDWORD pCnt = reinterpret_cast<LPDWORD>(lParam))
        (*pCnt)++;   // increment the count, not the pointer
    return TRUE;
}

// Sets 'detected' when fewer than 10 top-level windows exist.
// Returns false only if the enumeration itself failed.
bool enumWindowsCheck(bool& detected)
{
    DWORD winCnt = 0;
    detected = false;

    if (!EnumWindows(enumProc, LPARAM(&winCnt))) {
        std::cerr << "EnumWindows() failed\n";
        return false;
    }

    detected = winCnt < 10;
    return true;
}
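As an added example (not from this page, al-khaser or InviZzzible), the following audit combines both checks above from the sandbox operator's side: it counts top-level windows and flags the VirtualBox tray window, so an analyst can confirm whether a guest would be classified as a VM by a sample using these techniques. On Windows it walks the real desktop with EnumWindows; elsewhere it runs over a constructed window snapshot (the Window names in BARE_VM are constructed sample data, and the threshold of 10 is the one used above).

```c
#include <stdio.h>
#include <string.h>
#define MIN_EXPECTED_WINDOWS 10   /* threshold from the window-count check above */
typedef struct { const char *cls; const char *title; } WindowInfo;
typedef struct { unsigned count; int vbox_artifact; } Audit;

/* Fold one top-level window into the audit: count it, flag the VirtualBox tray window. */
static void audit_one(Audit *a, const char *cls, const char *title)
{
    a->count++;   /* bumps the value behind the pointer, not the pointer itself */
    if ((cls && strcmp(cls, "VBoxTrayToolWndClass") == 0) ||
        (title && strcmp(title, "VBoxTrayToolWnd") == 0))
        a->vbox_artifact = 1;
}
/* Non-zero when the two checks described above would label this environment a VM. */
int ui_artifacts_exposed(const Audit *a)
{
    return a->vbox_artifact || a->count < MIN_EXPECTED_WINDOWS;
}
/* Portable path: audit a snapshot of windows (used offline with constructed data). */
Audit audit_snapshot(const WindowInfo *w, size_t n)
{
    Audit a = {0, 0};
    for (size_t i = 0; i < n; i++) audit_one(&a, w[i].cls, w[i].title);
    return a;
}

#ifdef _WIN32   /* live path: walk the real top-level windows with EnumWindows */
#include <windows.h>
static BOOL CALLBACK enum_cb(HWND h, LPARAM lp)
{
    char cls[256] = {0}, title[256] = {0};
    GetClassNameA(h, cls, sizeof cls);
    GetWindowTextA(h, title, sizeof title);
    audit_one((Audit *)lp, cls, title);
    return TRUE;
}
int audit_live(Audit *a) { memset(a, 0, sizeof *a); return EnumWindows(enum_cb, (LPARAM)a) != 0; }
#endif

/* Constructed snapshot of a bare VM: only a few windows, including the VirtualBox tray window. */
static const WindowInfo BARE_VM[] = { {"Progman", "Program Manager"}, {"Shell_TrayWnd", ""},
                                      {"VBoxTrayToolWndClass", "VBoxTrayToolWnd"} };

int main(void)
{
    Audit a = audit_snapshot(BARE_VM, sizeof BARE_VM / sizeof BARE_VM[0]);
    printf("windows=%u vbox=%d exposed=%d\n", a.count, a.vbox_artifact, ui_artifacts_exposed(&a));
    return 0;
}
```

On Windows, audit_live() fills the same Audit from the real desktop, so the guest can be checked before it is put into service; a sandbox that reports exposed=0 hides the tray window and shows at least ten top-level windows.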



Signature recommendations

No signature recommendations are provided for this evasion group, as it is hard to tell whether code aims to perform an evasion technique rather than a “legal” action.



Countermeasures



Credits

Credits go to the open-source project from which the code samples were taken:

Though the Check Point tool InviZzzible has them all implemented, due to the modular structure of its code it would require more space to show a code sample from this tool for the same purposes. That is why we decided to use other great open-source projects for examples throughout the encyclopedia.