
Contents

Filesystem detection methods
1. Check if specific files exist
2. Check if specific directories are present
3. Check if full path to the executable contains one of specific strings
4. Check if the executable is run from specific directory
5. Check if the executable files with specific names are present in physical disk drives root
Countermeasures
Credits

Filesystem detection methods

All filesystem detection methods rely on the same principle: certain files and directories do not exist on an ordinary host, but they are present in particular virtual environments and sandboxes (guest tools, paravirtual drivers, analysis scripts). If such an artifact is found, the sample concludes that it is running in a virtual environment.


1. Check if specific files exist

This method uses the difference between the files present on an ordinary host and those present in virtual environments. Guest additions and paravirtual drivers leave a number of files that are specific to the hypervisor, and these files are absent on a host where no virtual environment is installed.

Function used:

  • GetFileAttributes // returns INVALID_FILE_ATTRIBUTES if the file does not exist (or cannot be accessed)

Code sample

#include <windows.h>
#include <shlwapi.h>   /* PathCombine; link with shlwapi.lib */
#include <tchar.h>
#include <stdio.h>

/* Reporting helper from al-khaser, reduced to its essentials here */
VOID print_results(BOOL detected, TCHAR* msg)
{
    _tprintf(_T("%s%s\n"), msg, detected ? _T("[ BAD  ]") : _T("[ GOOD ]"));
}

/* TRUE only for an existing regular file (directories are excluded) */
BOOL is_FileExists(TCHAR* szPath)
{
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES) && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY);
}

/*
Check against some of VMware blacklisted files.
Note: in a 32-bit build on 64-bit Windows, "system32" may be redirected to
SysWOW64 unless WOW64 filesystem redirection is disabled (see the pafish
sample in section 5).
*/
VOID vmware_files()
{
    /* Array of strings of blacklisted paths, relative to the Windows directory */
    TCHAR* szPaths[] = {
        _T("system32\\drivers\\vmmouse.sys"),
        _T("system32\\drivers\\vmhgfs.sys"),
    };
    
    /* Getting Windows Directory (usually C:\Windows) */
    WORD dwlength = sizeof(szPaths) / sizeof(szPaths[0]);
    TCHAR szWinDir[MAX_PATH] = _T("");
    TCHAR szPath[MAX_PATH] = _T("");
    GetWindowsDirectory(szWinDir, MAX_PATH);
    
    /* Check one by one */
    for (int i = 0; i < dwlength; i++)
    {
        PathCombine(szPath, szWinDir, szPaths[i]);
        TCHAR msg[256] = _T("");
        _stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking file %s: "), szPath);
        if (is_FileExists(szPath))
            print_results(TRUE, msg);
        else
            print_results(FALSE, msg);
    }
}

Credits for this code sample: al-khaser project


Signature recommendations

If the following function is called with an argument taken from the table column `Path`:

  • GetFileAttributes(path)

then it’s an indication of an application trying to use the evasion technique.


Detections table

Check if the following files exist:

Detect      Path                                             Details (if any)
[general]   c:\[60 random hex symbols]                       file unique to the PC used for encoding
            c:\take_screenshot.ps1
            c:\loaddll.exe
            c:\email.doc
            c:\email.htm
            c:\123\email.doc
            c:\123\email.docx
            c:\a\foobar.bmp
            c:\a\foobar.doc
            c:\a\foobar.gif
            c:\symbols\aagmmc.pdb
Parallels   c:\windows\system32\drivers\prleth.sys           Network Adapter
            c:\windows\system32\drivers\prlfs.sys
            c:\windows\system32\drivers\prlmouse.sys         Mouse Synchronization Tool
            c:\windows\system32\drivers\prlvideo.sys
            c:\windows\system32\drivers\prltime.sys          Time Synchronization Driver
            c:\windows\system32\drivers\prl_pv32.sys         Paravirtualization Driver
            c:\windows\system32\drivers\prl_paravirt_32.sys  Paravirtualization Driver
VirtualBox  c:\windows\system32\drivers\VBoxMouse.sys
            c:\windows\system32\drivers\VBoxGuest.sys
            c:\windows\system32\drivers\VBoxSF.sys
            c:\windows\system32\drivers\VBoxVideo.sys
            c:\windows\system32\vboxdisp.dll
            c:\windows\system32\vboxhook.dll
            c:\windows\system32\vboxmrxnp.dll
            c:\windows\system32\vboxogl.dll
            c:\windows\system32\vboxoglarrayspu.dll
            c:\windows\system32\vboxoglcrutil.dll
            c:\windows\system32\vboxoglerrorspu.dll
            c:\windows\system32\vboxoglfeedbackspu.dll
            c:\windows\system32\vboxoglpackspu.dll
            c:\windows\system32\vboxoglpassthroughspu.dll
            c:\windows\system32\vboxservice.exe
            c:\windows\system32\vboxtray.exe
            c:\windows\system32\VBoxControl.exe
VirtualPC   c:\windows\system32\drivers\vmsrvc.sys
            c:\windows\system32\drivers\vpc-s3.sys
VMware      c:\windows\system32\drivers\vmmouse.sys          Pointing PS/2 Device Driver
            c:\windows\system32\drivers\vmnet.sys
            c:\windows\system32\drivers\vmxnet.sys           PCI Ethernet Adapter
            c:\windows\system32\drivers\vmhgfs.sys           HGFS Filesystem Driver
            c:\windows\system32\drivers\vmx86.sys
            c:\windows\system32\drivers\hgfs.sys


2. Check if specific directories are present

This method uses the difference between the directories present on an ordinary host and those present in virtual environments. Guest tools are installed into directories that are specific to the hypervisor or sandbox, and these directories are absent on a host where no virtual environment is installed.

Function used:

  • GetFileAttributes // returns INVALID_FILE_ATTRIBUTES if the directory does not exist (or cannot be accessed)

Code sample

#include <windows.h>
#include <shlobj.h>    /* SHGetSpecialFolderPath, CSIDL_PROGRAM_FILES */
#include <shlwapi.h>   /* PathCombine; link with shlwapi.lib */
#include <tchar.h>

/* al-khaser helper: TRUE when this is a 32-bit process running on 64-bit Windows */
BOOL IsWoW64()
{
    BOOL bIsWow64 = FALSE;
    return IsWow64Process(GetCurrentProcess(), &bIsWow64) && bIsWow64;
}

/* TRUE only for an existing directory */
BOOL is_DirectoryExists(TCHAR* szPath)
{
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES) && (dwAttrib & FILE_ATTRIBUTE_DIRECTORY);
}

/*
Check against VMware blacklisted directory
*/
BOOL vmware_dir()
{
    TCHAR szProgramFile[MAX_PATH];
    TCHAR szPath[MAX_PATH] = _T("");
    TCHAR szTarget[MAX_PATH] = _T("VMware\\");
    /* Under WOW64, CSIDL_PROGRAM_FILES resolves to "Program Files (x86)",
       while VMware Tools lives in the native 64-bit Program Files, so the
       %ProgramW6432% variable is used instead. */
    if (IsWoW64())
        ExpandEnvironmentStrings(_T("%ProgramW6432%"), szProgramFile, ARRAYSIZE(szProgramFile));
    else
        SHGetSpecialFolderPath(NULL, szProgramFile, CSIDL_PROGRAM_FILES, FALSE);
    PathCombine(szPath, szProgramFile, szTarget);
    return is_DirectoryExists(szPath);
}

Credits for this code sample: al-khaser project


Signature recommendations

If the following function is called with an argument taken from the table column `Path`:

  • GetFileAttributes(path)

then it’s an indication of an application trying to use the evasion technique.


Detections table

Check if the following directories exist:

Detect      Path
CWSandbox   c:\analysis
VirtualBox  %PROGRAMFILES%\oracle\virtualbox guest additions\
VMware      %PROGRAMFILES%\VMware\


3. Check if full path to the executable contains one of the specific strings

This method relies on peculiarities of how virtual environments launch executables. Some sandboxes copy the sample to a fixed location or give it a fixed name before running it, so malware checks its own full path for these strings.

Functions used to get executable path:

  • GetModuleFileName
  • GetProcessImageFileNameA/W (returns the NT device path, e.g. \Device\HarddiskVolumeN\..., rather than a drive-letter path, which matters for substring checks)
  • QueryFullProcessImageName

Code sample (function GetModuleFileName)

#include <windows.h>
#include <ctype.h>
#include <string.h>

int gensandbox_path() {
    char path[500];
    size_t i;
    DWORD pathsize = sizeof(path);

    /* NULL module handle = the calling process's own executable */
    GetModuleFileNameA(NULL, path, pathsize);

    for (i = 0; i < strlen(path); i++) { /* case-insensitive */
        path[i] = toupper((unsigned char)path[i]);
    }

    // some sample values from the table
    if (strstr(path, "\\SAMPLE") != NULL) {
        return TRUE;
    }
    if (strstr(path, "\\VIRUS") != NULL) {
        return TRUE;
    }
    if (strstr(path, "SANDBOX") != NULL) {
        return TRUE;
    }

    return FALSE;
}

Credits for this code sample: pafish project


Code sample (function QueryFullProcessImageName)

#include <windows.h>
#include <stdio.h>
void print_exe_path(DWORD PID) /* process ID of the target process; GetCurrentProcessId() for the sample itself */
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, PID);
    DWORD value = MAX_PATH;   /* in: buffer size in characters, out: length written */
    char buffer[MAX_PATH];
    if (hProcess == NULL) return;
    if (QueryFullProcessImageNameA(hProcess, 0, buffer, &value))
        printf("EXE Path: %s\n", buffer);
    CloseHandle(hProcess);
}

No signature recommendations

Signature recommendations are not provided, as there are many legitimate reasons for an application to query its own full path, so the call alone is not an indicator. The only general recommendation is to hook these functions and return a path that does not contain the strings from the table.


Detections table

Check if full path to the executable contains one of the following strings:
Detect String
[general] \sample
\virus
sandbox


4. Check if the executable is run from specific directory

This method relies on peculiarities of how virtual environments launch executables. Some environments always run the sample from a specific directory, so malware checks whether its own executable is located there.

It is just a particular case of checking for specific strings in the full application path; refer to the section above for the code sample and signature recommendations.

As this method is old and no longer commonly used, links to external sources are provided for reference:


Detections table

Check if the executable is run from the following directories:
Detect Path
Anubis c:\insidetm


5. Check if the executable files with specific names are present in physical disk drives' root

This method relies on a peculiarity of some virtual environments: the sample is placed in the root directory of a drive under a generic name, so the presence of executables with such names in disk root directories is checked.

Function used:

  • GetFileAttributes // returns INVALID_FILE_ATTRIBUTES if the file does not exist (or cannot be accessed)

Code sample (functions GetLogicalDriveStrings and GetFileAttributes)

#include <windows.h>
#include <stdio.h>
#include <string.h>

/* pafish helpers, reproduced here in minimal form: WOW64 detection and
   filesystem-redirection control for a 32-bit build on 64-bit Windows */
int pafish_iswow64(void) {
    BOOL is_wow64 = FALSE;
    return (IsWow64Process(GetCurrentProcess(), &is_wow64) && is_wow64) ? TRUE : FALSE;
}
int pafish_disable_wow64_fs_redirection(void **old) {
    return Wow64DisableWow64FsRedirection(old);
}
int pafish_revert_wow64_fs_redirection(void *old) {
    return Wow64RevertWow64FsRedirection(old);
}

/* TRUE if the path exists (file or directory); WOW64 redirection of system32
   is disabled around the call so a 32-bit build sees the native system files */
int pafish_exists_file(char * filename) {
    DWORD res = INVALID_FILE_ATTRIBUTES;
    if (pafish_iswow64() == TRUE) {
        void *old = NULL;
        // Disable redirection immediately prior to calling GetFileAttributes.
        if (pafish_disable_wow64_fs_redirection(&old) ) {
            res = GetFileAttributesA(filename);
            // Ignoring MSDN recommendation of exiting if this call fails.
            pafish_revert_wow64_fs_redirection(old);
        }
    }
    else {
        res = GetFileAttributesA(filename);
    }
    return (res != INVALID_FILE_ATTRIBUTES) ? TRUE : FALSE;
}

/* Walks every non-removable drive and looks for the generic sample names in its root */
int gensandbox_common_names() {
    DWORD dwSize = MAX_PATH;
    char szLogicalDrives[MAX_PATH] = {0};
    /* double-NUL-terminated list of drive roots: "C:\" NUL "D:\" NUL NUL */
    DWORD dwResult = GetLogicalDriveStringsA(dwSize, szLogicalDrives);
    BOOL exists;

    if (dwResult > 0 && dwResult <= MAX_PATH)
    {
        char* szSingleDrive = szLogicalDrives;
        char filename[MAX_PATH] = {0};
        while(*szSingleDrive)
        {
            /* removable media are skipped: probing them is slow and may prompt for a disk */
            if (GetDriveTypeA(szSingleDrive) != DRIVE_REMOVABLE ) {
                snprintf(filename, MAX_PATH, "%ssample.exe", szSingleDrive);
                exists = pafish_exists_file(filename);
                if (exists) return TRUE;
                
                snprintf(filename, MAX_PATH, "%smalware.exe", szSingleDrive);
                exists = pafish_exists_file(filename);
                if (exists) return TRUE;
            }

            szSingleDrive += strlen(szSingleDrive) + 1;
        }
    }

    return FALSE;
}

Credits for this code sample: pafish project


Signature recommendations

If the following function is called with an argument taken from the table column `Path`:

  • GetFileAttributes(path)

then it’s an indication of an application trying to use the evasion technique.


Detections table

Check if the executables with particular names are present in disk root:
Detect Path
[general] malware.exe
sample.exe
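The detection tables of sections 1, 2 and 5, and the path checks of sections 3 and 4, in one matcher that can be run over an API-call trace, as a sandbox or analyst would apply the signature recommendations above. This is an added example and not code from the Evasion Encyclopedia, al-khaser, pafish or InviZzzible; the trace line format (one `Function("argument")` call per line), the subset of table entries and the path normalization rules are assumptions made here.

```python
"""Added example (not code from the Evasion Encyclopedia, al-khaser, pafish
or InviZzzible): this page's detection tables applied to an API-call trace.
The trace line format and the table subset below are assumptions made here."""
import re

# Subset of the section 1 file table.  Keys are normalized: lower case,
# backslashes, %windir% / %programfiles% placeholders, no trailing '\'.
FILE_ARTIFACTS = {
    r"%windir%\system32\drivers\prlmouse.sys": "Parallels",
    r"%windir%\system32\drivers\vboxmouse.sys": "VirtualBox",
    r"%windir%\system32\drivers\vboxguest.sys": "VirtualBox",
    r"%windir%\system32\vboxservice.exe": "VirtualBox",
    r"%windir%\system32\drivers\vmsrvc.sys": "VirtualPC",
    r"%windir%\system32\drivers\vmmouse.sys": "VMware",
    r"%windir%\system32\drivers\vmhgfs.sys": "VMware",
    r"c:\take_screenshot.ps1": "[general]",
    r"c:\loaddll.exe": "[general]",
}
DIR_ARTIFACTS = {  # section 2
    r"c:\analysis": "CWSandbox",
    r"%programfiles%\oracle\virtualbox guest additions": "VirtualBox",
    r"%programfiles%\vmware": "VMware",
}
ROOT_EXECUTABLES = {"malware.exe", "sample.exe"}       # section 5
EXE_PATH_STRINGS = ("\\sample", "\\virus", "sandbox")  # section 3
EXE_RUN_DIRS = {r"c:\insidetm": "Anubis"}              # section 4

# Well-known locations folded into placeholders so the expanded spelling and
# the %VAR% spelling compare equal.  Each prefix is matched with '\' appended.
_PREFIXES = [
    (r"c:\program files (x86)", "%programfiles%"),
    (r"c:\program files", "%programfiles%"),
    (r"c:\windows", "%windir%"),
]

def normalize(path):
    """Canonical form of a Windows path for table lookup."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    if p.startswith("\\\\?\\"):            # long-path prefix \\?\C:\...
        p = p[4:]
    p = p.replace("%systemroot%", "%windir%")
    for prefix, placeholder in _PREFIXES:
        if p.startswith(prefix + "\\"):
            p = placeholder + p[len(prefix):]
            break
    return p if len(p) <= 3 else p.rstrip("\\")   # keep "c:\" as a drive root

def classify(path):
    """(technique number, label) hits for one path an application probed."""
    p = normalize(path)
    hits = []
    if p in FILE_ARTIFACTS:
        hits.append((1, FILE_ARTIFACTS[p]))
    if p in DIR_ARTIFACTS:
        hits.append((2, DIR_ARTIFACTS[p]))
    root = re.fullmatch(r"[a-z]:\\([^\\]+)", p)   # one component under a drive root
    if root and root.group(1) in ROOT_EXECUTABLES:
        hits.append((5, "[general]"))
    return hits

def exe_path_flagged(exe_path):
    """Sections 3 and 4 as the sample applies them to its own image path:
    case-insensitive substring match, then the parent directory."""
    p = normalize(exe_path)
    if any(s in p for s in EXE_PATH_STRINGS):
        return True
    return p.rsplit("\\", 1)[0] in EXE_RUN_DIRS

# Signature recommendation: only GetFileAttributes* calls are examined.
_CALL_RE = re.compile(r'^(GetFileAttributes(?:Ex)?[AW]?)\("([^"]*)"')

def scan_trace(lines):
    """Return (line_no, function, argument, hits) for every flagged call."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = _CALL_RE.match(line.strip())
        if m:
            hits = classify(m.group(2))
            if hits:
                findings.append((n, m.group(1), m.group(2), hits))
    return findings

# Constructed trace.  Line 6 probes the same kind of artifact through
# CreateFile, which a GetFileAttributes-only signature does not catch.
SAMPLE_TRACE = [
    'GetFileAttributesW("C:\\Windows\\System32\\drivers\\vmmouse.sys")',
    'GetFileAttributesW("C:\\Users\\alice\\report.docx")',
    'GetFileAttributesW("C:\\Program Files (x86)\\VMware\\")',
    'GetFileAttributesA("D:\\sample.exe")',
    'GetFileAttributesW("\\\\?\\C:\\Windows\\System32\\drivers\\VBoxGuest.sys")',
    'CreateFileW("C:\\Windows\\System32\\drivers\\vmhgfs.sys")',
]

if __name__ == "__main__":
    for n, func, arg, hits in scan_trace(SAMPLE_TRACE):
        print(f"line {n}: {func}({arg}) -> {hits}")
    print(exe_path_flagged(r"C:\insidetm\invoice.exe"))
```

Running the block reports lines 1, 3, 4 and 5 of the constructed trace with their technique numbers and leaves the `CreateFileW` probe on line 6 unreported, which is the gap the signature recommendations leave and the reason the Countermeasures section calls for hooks on more than one function. Normalization is what makes `%ProgramFiles%\VMware\`, `C:\Program Files (x86)\VMware` and the `\\?\` long-path form all hit the same table entry; without it a trivially different spelling bypasses the signature. Note that the substring check of section 3 also flags paths such as `C:\Users\alice\sandbox-tools\x.exe`, so on the malware side it produces false positives on ordinary hosts.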


Countermeasures

Hook the target functions and return results indicating absence (for GetFileAttributes, INVALID_FILE_ATTRIBUTES) whenever one of the indicators from the tables is queried. Hooks on GetFileAttributes alone are not sufficient: the same artifact can be probed through FindFirstFile or CreateFile, and a sample can bypass the Win32 layer and call ntdll directly (NtQueryAttributesFile, NtOpenFile), so the hooks must cover those paths as well.


Credits

Credits go to the open-source projects from which the code samples were taken:

Although Check Point's tool InviZzzible implements all of these checks, the modular structure of its code would require more space to show a sample for the same purpose. That is why other great open-source projects are used for examples throughout the encyclopedia.

