Evasions: Filesystem
Contents
Filesystem detection methods
1. Check if specific files exist
2. Check if specific directories are present
3. Check if full path to the executable contains one of specific strings
4. Check if the executable is run from specific directory
5. Check if the executable files with specific names are present in physical disk drives root
Countermeasures
Credits
Filesystem detection methods
The principle of all the filesystem detection methods is the following: there are no such files and directories in usual host; however they exist in particular virtual environments and sandboxes. Virtual environment may be detected if such an artifact is present.
1. Check if specific files exist
This method uses the difference in files which are present in usual host system and virtual environments. There are quite a few file artifacts present in virtual environments which are specific for such kinds of systems. These files are not present on usual host systems where no virtual environment is installed.
Function used:
- GetFileAttributes // if attributes are invalid then no file exists
Code sample
BOOL is_FileExists(TCHAR* szPath)
{
DWORD dwAttrib = GetFileAttributes(szPath);
return (dwAttrib != INVALID_FILE_ATTRIBUTES) && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY);
}
/*
Check against some of VMware blacklisted files
*/
VOID vmware_files()
{
/* Array of strings of blacklisted paths */
TCHAR* szPaths[] = {
_T("system32\\drivers\\vmmouse.sys"),
_T("system32\\drivers\\vmhgfs.sys"),
};
/* Getting Windows Directory */
WORD dwlength = sizeof(szPaths) / sizeof(szPaths[0]);
TCHAR szWinDir[MAX_PATH] = _T("");
TCHAR szPath[MAX_PATH] = _T("");
GetWindowsDirectory(szWinDir, MAX_PATH);
/* Check one by one */
for (int i = 0; i < dwlength; i++)
{
PathCombine(szPath, szWinDir, szPaths[i]);
TCHAR msg[256] = _T("");
_stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking file %s: "), szPath);
if (is_FileExists(szPath))
print_results(TRUE, msg);
else
print_results(FALSE, msg);
}
}Credits for this code sample: al-khaser project
Signature recommendations
If the following function contains its only argument from the table column `Path`:
- GetFileAttributes(path)
then it’s an indication of application trying to use the evasion technique.
Detections table
| Check if the following files exist: | ||
| Detect | Path | Details (if any) |
|---|---|---|
| [general] | c:\[60 random hex symbols] | file unique to the PC used for encoding |
| c:\take_screenshot.ps1 | ||
| c:\loaddll.exe | ||
| c:\email.doc | ||
| c:\email.htm | ||
| c:\123\email.doc | ||
| c:\123\email.docx | ||
| c:\a\foobar.bmp | ||
| c:\a\foobar.doc | ||
| c:\a\foobar.gif | ||
| c:\symbols\aagmmc.pdb | ||
| Parallels | c:\windows\system32\drivers\prleth.sys | Network Adapter |
| c:\windows\system32\drivers\prlfs.sys | ||
| c:\windows\system32\drivers\prlmouse.sys | Mouse Synchronization Tool | |
| c:\windows\system32\drivers\prlvideo.sys | ||
| c:\windows\system32\drivers\prltime.sys | Time Synchronization Driver | |
| c:\windows\system32\drivers\prl_pv32.sys | Paravirtualization Driver | |
| c:\windows\system32\drivers\prl_paravirt_32.sys | Paravirtualization Driver | |
| VirtualBox | c:\windows\system32\drivers\VBoxMouse.sys | |
| c:\windows\system32\drivers\VBoxGuest.sys | ||
| c:\windows\system32\drivers\VBoxSF.sys | ||
| c:\windows\system32\drivers\VBoxVideo.sys | ||
| c:\windows\system32\vboxdisp.dll | ||
| c:\windows\system32\vboxhook.dll | ||
| c:\windows\system32\vboxmrxnp.dll | ||
| c:\windows\system32\vboxogl.dll | ||
| c:\windows\system32\vboxoglarrayspu.dll | ||
| c:\windows\system32\vboxoglcrutil.dll | ||
| c:\windows\system32\vboxoglerrorspu.dll | ||
| c:\windows\system32\vboxoglfeedbackspu.dll | ||
| c:\windows\system32\vboxoglpackspu.dll | ||
| c:\windows\system32\vboxoglpassthroughspu.dll | ||
| c:\windows\system32\vboxservice.exe | ||
| c:\windows\system32\vboxtray.exe | ||
| c:\windows\system32\VBoxControl.exe | ||
| VirtualPC | c:\windows\system32\drivers\vmsrvc.sys | |
| c:\windows\system32\drivers\vpc-s3.sys | ||
| VMware | c:\windows\system32\drivers\vmmouse.sys | Pointing PS/2 Device Driver |
| c:\windows\system32\drivers\vmnet.sys | ||
| c:\windows\system32\drivers\vmxnet.sys | PCI Ethernet Adapter | |
| c:\windows\system32\drivers\vmhgfs.sys | HGFS Filesystem Driver | |
| c:\windows\system32\drivers\vmx86.sys | ||
| c:\windows\system32\drivers\hgfs.sys | ||
2. Check if specific directories are present
This method uses the difference in directories which are present in usual host system and virtual environments. There are quite a few directory artifacts present in virtual environments which are specific for such kinds of systems. These directories are not present on usual host systems where no virtual environment is installed.
Function used:
- GetFileAttributes // if attributes are invalid then no file exists
Code sample
BOOL is_DirectoryExists(TCHAR* szPath)
{
DWORD dwAttrib = GetFileAttributes(szPath);
return (dwAttrib != INVALID_FILE_ATTRIBUTES) && (dwAttrib & FILE_ATTRIBUTE_DIRECTORY);
}
/*
Check against VMware blacklisted directory
*/
BOOL vmware_dir()
{
TCHAR szProgramFile[MAX_PATH];
TCHAR szPath[MAX_PATH] = _T("");
TCHAR szTarget[MAX_PATH] = _T("VMware\\");
if (IsWoW64())
ExpandEnvironmentStrings(_T("%ProgramW6432%"), szProgramFile, ARRAYSIZE(szProgramFile));
else
SHGetSpecialFolderPath(NULL, szProgramFile, CSIDL_PROGRAM_FILES, FALSE);
PathCombine(szPath, szProgramFile, szTarget);
return is_DirectoryExists(szPath);
}Credits for this code sample: al-khaser project
Signature recommendations
If the following function contains its only argument from the table column `Path`:
- GetFileAttributes(path)
then it’s an indication of application trying to use the evasion technique.
Detections table
| Check if the following files exist: | ||
| Detect | Path | |
|---|---|---|
| CWSandbox | c:\analysis | |
| VirtualBox | %PROGRAMFILES%\oracle\virtualbox guest additions\ | |
| VMware | %PROGRAMFILES%\VMware\ | |
3. Check if full path to the executable contains one of the specific strings
This method relies on peculiarities of launching executables inside virtual environments. Some environments launch executables from specific paths - and malware samples check these paths.
Functions used to get executable path:
- GetModuleFileName
- GetProcessImageFileNameA/W
- QueryFullProcessImageName
Code sample (function GetModuleFileName)
int gensandbox_path() {
char path[500];
size_t i;
DWORD pathsize = sizeof(path);
GetModuleFileName(NULL, path, pathsize);
for (i = 0; i < strlen(path); i++) { /* case-insensitive */
path[i] = toupper(path[i]);
}
// some sample values from the table
if (strstr(path, "\\SAMPLE") != NULL) {
return TRUE;
}
if (strstr(path, "\\VIRUS") != NULL) {
return TRUE;
}
if (strstr(path, "SANDBOX") != NULL) {
return TRUE;
}
return FALSE;
}Credits for this code sample: pafish project
Code sample (function QueryFullProcessImageName)
DWORD PID = 1337; // process ID of the target process
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, PID);
DWORD value = MAX_PATH;
char buffer[MAX_PATH];
QueryFullProcessImageName(hProcess, 0, buffer, &value);
printf("EXE Path: %s\n", buffer);No signature recommendations
Signature recommendations are not provided as it’s hard to say why exactly application wants to get its full path. Function calls may be hooked - and that’s it, just general recommendation.
Detections table
| Check if full path to the executable contains one of the following strings: | ||
| Detect | String | |
|---|---|---|
| [general] | \sample | |
| \virus | ||
| sandbox | ||
4. Check if the executable is run from specific directory
This method relies on peculiarities of launching executables inside virtual environments. Some environments launch executables from specific directories - and malware samples check these directories.
It’s just a particular case of checking presence of specific strings in full application path, please refer to the section above for code sample and signature recommendations.
As this very method is pretty old and is not commonly used, the links to external sources are provided for the reference on this method:
- VB code sample
- python code sample
- anti-emulation tricks
- stub for C code
Detections table
| Check if the executable is run from the following directories: | ||
| Detect | Path | |
|---|---|---|
| Anubis | c:\insidetm | |
5. Check if the executable files with specific names are present in physical disk drives' root
This method relies on peculiarities of virtual environments, in this case it’s presence of specific files in disk root root directories.
Function used:
- GetFileAttributes // if attributes are invalid then no file exists
Code sample (function GetModuleFileName)
int pafish_exists_file(char * filename) {
DWORD res = INVALID_FILE_ATTRIBUTES;
if (pafish_iswow64() == TRUE) {
void *old = NULL;
// Disable redirection immediately prior to calling GetFileAttributes.
if (pafish_disable_wow64_fs_redirection(&old) ) {
res = GetFileAttributes(filename);
// Ignoring MSDN recommendation of exiting if this call fails.
pafish_revert_wow64_fs_redirection(old);
}
}
else {
res = GetFileAttributes(filename);
}
return (res != INVALID_FILE_ATTRIBUTES) ? TRUE : FALSE;
}
int gensandbox_common_names() {
DWORD dwSize = MAX_PATH;
char szLogicalDrives[MAX_PATH] = {0};
DWORD dwResult = GetLogicalDriveStrings(dwSize,szLogicalDrives);
BOOL exists;
if (dwResult > 0 && dwResult <= MAX_PATH)
{
char* szSingleDrive = szLogicalDrives;
char filename[MAX_PATH] = {0};
while(*szSingleDrive)
{
if (GetDriveType(szSingleDrive) != DRIVE_REMOVABLE ) {
snprintf(filename, MAX_PATH, "%ssample.exe",szSingleDrive);
exists = pafish_exists_file(filename);
if (exists) return TRUE;
snprintf(filename, MAX_PATH, "%smalware.exe",szSingleDrive);
exists = pafish_exists_file(filename);
if (exists) return TRUE;
}
szSingleDrive += strlen(szSingleDrive) + 1;
}
}
return FALSE;
}Credits for this code sample: pafish project
Signature recommendations
If the following function contains its only argument from the table column `Path`:
- GetFileAttributes(path)
then it’s an indication of application trying to use the evasion technique.
Detections table
| Check if the executables with particular names are present in disk root: | |
| Detect | Path |
|---|---|
| [general] | malware.exe |
| sample.exe | |
Countermeasures
Hook target functions and return appropriate results if indicators (files from tables) are checked.
Credits
Credits go to open-source projects from where code samples were taken:
Though Check Point tool InviZzzible has them all implemented, due to modular structure of the code it would require more space to show a code sample from this tool for the same purposes. That’s why we’ve decided to use other great open-source projects for examples throughout the encyclopedia.