Difference between revisions of "Sandbox Evasion"

From Unprotect Project
Revision as of 11:35, 21 October 2016

Technique Description

Sandboxing is one of the most useful security solutions; however, best practices are not always followed, and malware can easily detect the sandbox environment. Sandboxes are often misconfigured. With a simple trick such as hostname detection, a MAC address check or process enumeration, malware can detect the environment.

Sandbox evasion capabilities allow malware to stay undetected during sandbox analysis, typically by withholding its real behaviour once it recognises the analysis environment.

Techniques

Below is a list of all the sandbox evasion techniques in the Unprotect Project:

Anti-Sandbox Techniques

Technique (sub-technique): description

VMprotect
    VMProtect is a Russian-made software protector and packer that virtualizes the protected code, which makes reverse engineering of protected software quite difficult.

VMware artifacts
    Checking for memory artifacts: VMware leaves many artifacts in memory. Some are critical processor structures which, because they are moved or changed on a virtual machine, leave recognisable footprints. Malware can search through physical memory for the string "VMware", a common way to detect memory artifacts.
    MAC address detection: VMware assigns virtual network adapters MAC addresses from its own registered OUIs, which malware can recognise. The usual prefixes are 00:0C:29, 00:1C:14, 00:50:56 and 00:05:69.
    Registry keys: The VMware Tools installation directory, C:\Program Files\VMware\VMware Tools, may contain artifacts, as may the registry. A search for "VMware" in the registry can find keys holding information about the virtual hard drive, network adapters and virtual mouse.
    Checking processes: VMware Tools runs processes such as VMwareService.exe, VMwareTray.exe and VMwareUser.exe (vmtoolsd.exe in current releases) to perform actions in the virtual environment. Malware can enumerate running processes and search their names for the "VMware" string.
    Files: VMware creates files on the guest system. Malware can check the relevant folders for VMware artifacts.
    Running services: VMwareService.exe runs the VMware Tools service as a child of services.exe. It can be identified by listing services.
    Querying the I/O communication port: VMware uses a virtual I/O port for communication between the virtual machine and the host operating system to support functionality such as copy and paste between the two systems. The port can be queried and the response compared with a magic number to identify VMware.

The remaining entries have no description in this revision:

VirtualBox artifacts
Qemu detection
Cuckoo detection
Red Pill
No Pill
Anti-VM x86 instructions: SIDT, SGDT, SLDT, SMSW, STR, CPUID, IN
Onset delay
Stalling code
Extended sleep code
Timing based
RDTSC
User interaction
Office RecentFiles property
Screen resolution
Installed software
Memory size
Hostname
USB drive
Printer
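
The VMware artifact checks from the table (MAC OUI, process and service names, registry and file paths, the "VMware" string in memory), written out as an added example in C; this is not Unprotect Project code. The MAC addresses, process names, registry paths and "memory" buffer it inspects are constructed inline so the program runs offline; on a real Windows guest the same matching would be fed from enumeration APIs such as GetAdaptersInfo, CreateToolhelp32Snapshot, RegEnumKeyEx and ReadProcessMemory. The indicator lists follow the table; vmtoolsd.exe, the current VMware Tools service name, is the one addition.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Case-insensitive helpers: strcasestr and strncasecmp are not standard C. */
static int ci_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
static const char *ci_strstr(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return hay;
    }
    return NULL;
}

/* MAC address detection: keep only the hex digits (so "00-0C-29-.." and
 * "00:0c:29:.." compare equal) and match the first three octets against
 * the VMware OUIs listed in the table. */
static const char *vmware_ouis[] = { "000C29", "001C14", "005056", "000569" };
int mac_is_vmware(const char *mac) {
    char hex[13]; size_t n = 0;
    for (; *mac && n < 12; mac++)
        if (isxdigit((unsigned char)*mac)) hex[n++] = (char)toupper((unsigned char)*mac);
    hex[n] = '\0';
    if (n < 6) return 0;
    for (size_t i = 0; i < sizeof vmware_ouis / sizeof *vmware_ouis; i++)
        if (strncmp(hex, vmware_ouis[i], 6) == 0) return 1;
    return 0;
}

/* Checking process / Running services: process names VMware Tools runs.
 * vmtoolsd.exe is the current service name, added beyond the table's list. */
static const char *vmware_procs[] = {
    "VMwareService.exe", "VMwareTray.exe", "VMwareUser.exe", "vmtoolsd.exe"
};
int process_is_vmware(const char *name) {
    for (size_t i = 0; i < sizeof vmware_procs / sizeof *vmware_procs; i++)
        if (ci_equal(name, vmware_procs[i])) return 1;
    return 0;
}

/* Registry keys / Files: a key or file path that mentions "VMware", such as
 * HKLM\SOFTWARE\VMware, Inc.\VMware Tools or C:\Program Files\VMware\VMware Tools. */
int path_is_vmware(const char *path) { return ci_strstr(path, "VMware") != NULL; }

/* Checking for memory artifacts: count "VMware" in a raw buffer; memcmp rather
 * than strstr so embedded NUL bytes (common in dumped memory) do not stop the scan. */
size_t count_vmware_strings(const unsigned char *buf, size_t len) {
    static const char pat[] = "VMware";
    size_t plen = sizeof pat - 1, hits = 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) hits++;
    return hits;
}

int main(void) {
    /* Constructed sample data standing in for what the enumeration APIs return. */
    const char *macs[]  = { "00:0C:29:3A:7B:1C", "08-00-27-11-22-33" };
    const char *procs[] = { "explorer.exe", "vmwaretray.exe", "svchost.exe" };
    const char *keys[]  = { "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools",
                            "HKLM\\SOFTWARE\\Microsoft\\Windows" };
    const unsigned char mem[] = "....VMware Virtual Platform\0\0VMware, Inc.";
    int indicators = 0;
    for (size_t i = 0; i < 2; i++) indicators += mac_is_vmware(macs[i]);
    for (size_t i = 0; i < 3; i++) indicators += process_is_vmware(procs[i]);
    for (size_t i = 0; i < 2; i++) indicators += path_is_vmware(keys[i]);
    indicators += count_vmware_strings(mem, sizeof mem - 1) > 0;
    printf("%d VMware indicators matched -> %s\n", indicators,
           indicators ? "likely VMware guest" : "no VMware artifacts");
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall vmware_artifacts.c`, the file name being an arbitrary choice). Two details matter in practice: MAC comparison must normalise separators and case, because ipconfig, WMI and GetAdaptersInfo all format addresses differently, and the memory scan must not use strstr, since dumped memory is full of NUL bytes that would end a C string early.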

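The instruction-level checks named in the table (CPUID, SIDT as used by Red Pill, RDTSC timing and the IN probe of VMware's I/O communication port), as an added example in C with GCC/Clang inline assembly; it is not Unprotect Project code. It assumes an x86 or x86-64 build on a POSIX system (the fault from IN is caught with a signal handler where Windows malware would use __try/__except); on other architectures every probe returns -1 or 0. The port 0x5658, magic 0x564D5868 and command 0x0A are VMware's published backdoor interface; the 0xD0 Red Pill threshold and the 500-cycle RDTSC cutoff are the historical heuristics, stated here as assumptions rather than measured values for current hardware. The vendor-string table covers the platforms the page lists (VMware, VirtualBox, QEMU) plus KVM.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <signal.h>
#include <setjmp.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0 /* off x86 every probe below returns -1 (or 0) */
#endif

/* CPUID leaf 1, ECX bit 31, is the "hypervisor present" bit; when it is set,
 * leaf 0x40000000 returns a 12-byte vendor string in EBX:ECX:EDX. Returns the
 * bit (-1 off x86) and fills vendor (13 bytes, left empty when the bit is 0). */
int cpuid_hypervisor(char *vendor) {
    memset(vendor, 0, 13);
#if HAVE_X86
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d) || !((c >> 31) & 1)) return 0;
    __cpuid(0x40000000, a, b, c, d);
    memcpy(vendor, &b, 4); memcpy(vendor + 4, &c, 4); memcpy(vendor + 8, &d, 4);
    return 1;
#else
    return -1;
#endif
}

/* Vendor strings the common hypervisors advertise in that leaf. */
const char *hypervisor_name(const char *vendor) {
    if (!strncmp(vendor, "VMwareVMware", 12)) return "VMware";
    if (!strncmp(vendor, "VBoxVBoxVBox", 12)) return "VirtualBox";
    if (!strncmp(vendor, "KVMKVMKVM", 9))     return "KVM";
    if (!strncmp(vendor, "TCGTCGTCGTCG", 12)) return "QEMU (TCG)";
    return "unknown";
}

/* Red Pill: SIDT stores the IDT register; the heuristic flags a base whose top
 * byte (low 32 bits) is above 0xD0, where 32-bit VMware guests of the time kept
 * it (native Windows: ~0x8003F400). With UMIP on, the kernel may return a dummy. */
uint64_t sidt_base(void) {
#if HAVE_X86
    struct { uint16_t limit; uint64_t base; } __attribute__((packed)) idtr = {0, 0};
    __asm__ volatile("sidt %0" : "=m"(idtr));
    return idtr.base;
#else
    return 0;
#endif
}
int redpill_looks_virtual(uint64_t idt_base) { return ((uint32_t)idt_base >> 24) > 0xD0u; }

/* RDTSC timing: CPUID forces a VM exit, so the cycles spent around it are far
 * higher under a hypervisor; 500 cycles is the usual rule-of-thumb cutoff. */
uint64_t rdtsc_cpuid_delta(void) {
#if HAVE_X86
    unsigned lo1, hi1, lo2, hi2, a, b, c, d;
    __asm__ volatile("rdtsc" : "=a"(lo1), "=d"(hi1));
    __cpuid(0, a, b, c, d);
    __asm__ volatile("rdtsc" : "=a"(lo2), "=d"(hi2));
    return (((uint64_t)hi2 << 32) | lo2) - (((uint64_t)hi1 << 32) | lo1);
#else
    return 0;
#endif
}
int timing_looks_virtual(uint64_t delta) { return delta > 500; }

/* VMware backdoor: IN on port 0x5658 ("VX") with EAX = 0x564D5868 ("VMXh") and
 * ECX = 0x0A (get version) echoes the magic back in EBX. Outside VMware a user-mode
 * IN raises #GP (SIGSEGV here, __try/__except in Windows malware): reported "absent". */
#define VMWARE_MAGIC 0x564D5868u
static sigjmp_buf backdoor_env;
static void backdoor_fault(int sig) { (void)sig; siglongjmp(backdoor_env, 1); }

int vmware_backdoor_present(void) {
#if HAVE_X86
    void (*old)(int) = signal(SIGSEGV, backdoor_fault);
    volatile int present = 0;
    if (sigsetjmp(backdoor_env, 1) == 0) {
        unsigned eax, ebx, ecx;
        __asm__ volatile("inl %%dx, %%eax" : "=a"(eax), "=b"(ebx), "=c"(ecx)
                         : "a"(VMWARE_MAGIC), "b"(0u), "c"(0x0Au), "d"(0x5658u) : "memory");
        present = (ebx == VMWARE_MAGIC);
    }
    signal(SIGSEGV, old);
    return present;
#else
    return -1;
#endif
}

int main(void) {
    char vendor[13];
    int hv = cpuid_hypervisor(vendor);
    uint64_t idt = sidt_base(), delta = rdtsc_cpuid_delta();
    printf("hypervisor bit %d (%s), IDT 0x%llx (Red Pill %d), %llu cycles (timing %d), backdoor %d\n",
           hv, hypervisor_name(vendor), (unsigned long long)idt, redpill_looks_virtual(idt),
           (unsigned long long)delta, timing_looks_virtual(delta), vmware_backdoor_present());
    return 0;
}
```

Of the four probes, the CPUID hypervisor bit and vendor leaf are the only ones that remain reliable on current systems; they are also the easiest for a sandbox to hide by filtering CPUID in the hypervisor. The SIDT heuristic breaks on 64-bit guests and on UMIP-capable CPUs, a single RDTSC delta is noisy enough that real samples average many iterations, and the backdoor probe only answers on VMware, so a sample usually combines several of these with the artifact checks above.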