Difference between revisions of "Sandbox Evasion"

From Unprotect Project

Revision as of 22:33, 20 October 2016

Technique Description

Sandboxing is one of the most useful security solutions; however, best practices are not always followed, and malware can easily detect a sandbox environment. Sandboxes are often misconfigured. With simple tricks like hostname detection, MAC address detection or process detection, malware can recognise the environment it is running in.

Sandbox evasion capabilities allow malware to stay undetected during sandbox analysis.
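The defender-side counterpart of the checks described above is to look for them in the behavioural trace a sandbox records. The following is an added example, not code from the Unprotect Project; it parses a constructed trace in an assumed "pid api(args)" format, maps a handful of Windows API names to the technique names used on this page (a mapping chosen here, not one the page defines) and reports which evasion categories a sample appears to be using.

```python
import re
from collections import Counter

# Constructed sample trace (not output of any real sandbox): "<pid> <api>(<args>)" per line.
SAMPLE_TRACE = """\
1234 GetComputerNameW()
1234 GetAdaptersAddresses(AF_UNSPEC)
1234 CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS)
1234 Process32NextW()
1234 Process32NextW()
1234 NtDelayExecution(600000)
1234 GetTickCount()
1234 GetTickCount()
1234 CreateFileW(C:\\Users\\user\\doc.txt)
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)$")
LONG_SLEEP_MS = 60_000  # a delay this long exceeds most sandbox run budgets

# API name -> technique name from the table on this page (hypothetical mapping chosen here).
API_TO_TECHNIQUE = {
    "GetComputerNameW": "hostname detection",
    "GetAdaptersAddresses": "Mac address detection",
    "Process32NextW": "process detection",
    "NtDelayExecution": "Extended sleep code",
    "GetTickCount": "Timing base",
}

def parse_trace(trace: str) -> list:
    """Return (api, args) pairs; lines that do not match the assumed format are skipped."""
    calls = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((m.group(2), m.group(3)))
    return calls

def score_trace(trace: str) -> dict:
    """Count evasion indicators per technique and give a coarse verdict."""
    hits = Counter()
    for api, args in parse_trace(trace):
        tech = API_TO_TECHNIQUE.get(api)
        if tech is None:
            continue
        if api == "NtDelayExecution":
            # Only sleeps long enough to outlast the analysis window count as an onset delay.
            if args.isdigit() and int(args) >= LONG_SLEEP_MS:
                hits[tech] += 1
        else:
            hits[tech] += 1
    # A timing check needs at least two clock reads to compare; a single read is noise.
    if hits["Timing base"] < 2:
        hits.pop("Timing base", None)
    verdict = "likely sandbox-aware" if len(hits) >= 2 else "no strong evasion indicators"
    return {"techniques": dict(hits), "verdict": verdict}
```

Two or more distinct categories in one trace is the threshold used here; tune it against your own sandbox's baseline traces, since benign installers also enumerate processes and adapters.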

Techniques

Below is a list of all the sandbox evasion techniques in Unprotect Project:

Anti-Sandbox Techniques

Technique                             Description
VMprotect                             Tarte
Buns
VMware artifacts                      Checking for memory artifacts
Vmware artifacts searching
Mac address detection
Cuckoo detection
Qemu detection
Virtualbox artifacts
Red Pill
No Pill
Querying the I/O Communication Port
Anti-VM x86 Instruction               SIDT
                                      SGDT
                                      SLDT
                                      SMSW
                                      STR
                                      CPUID
                                      IN
Onset delay
Stalling code
Extended sleep code
Timing base
User interaction

References