
Contents

Firmware tables detection methods
1. Check if specific strings are present in Raw Firmware Table
1.1. Windows Vista+
1.2. Windows XP
2. Check if specific strings are present in Raw SMBIOS Firmware Table
2.1. Windows Vista+
2.2. Windows XP
Countermeasures
Credits


Firmware tables detection methods

There are special memory areas used by the OS which contain specific artifacts if the OS is running in a virtual environment. These memory areas may be dumped using different methods depending on the OS version.


Firmware tables are retrieved via the SYSTEM_FIRMWARE_TABLE_INFORMATION object, which is defined as follows:

typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION {
    ULONG ProviderSignature;
    SYSTEM_FIRMWARE_TABLE_ACTION Action;
    ULONG TableID;
    ULONG TableBufferLength;
    UCHAR TableBuffer[ANYSIZE_ARRAY];  // <- the result will reside in this field
} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION;

// helper enum
typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION
{
    SystemFirmwareTable_Enumerate,
    SystemFirmwareTable_Get
} SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION;


1. Check if specific strings are present in Raw Firmware Table

The retrieved firmware table is scanned for the presence of particular strings.


Depending on the Windows version, different functions are used for this check. See the code samples below.


1.1. Windows Vista+

Code sample

// First, the SYSTEM_FIRMWARE_TABLE_INFORMATION object is initialized in the following way
// (Length is the size of the buffer to allocate: the structure header plus room for the table):
SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti =
    (PSYSTEM_FIRMWARE_TABLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
sfti->Action = SystemFirmwareTable_Get;  // 1
sfti->ProviderSignature = 'FIRM';        // raw firmware table provider
sfti->TableID = 0xC0000;                 // physical address of the region to dump (0xC0000 or 0xE0000)
sfti->TableBufferLength = Length;

// Then the initialized SYSTEM_FIRMWARE_TABLE_INFORMATION object is passed to the system
// information call in order to dump the raw firmware table into sfti->TableBuffer:
NtQuerySystemInformation(
    SystemFirmwareTableInformation,  // 76
    sfti,
    Length,
    &Length);

Credits for this code sample: VMDE project


Signature recommendations

If the function

  • NtQuerySystemInformation

contains:

  • 1st argument equal to 76 (SystemFirmwareTableInformation)
  • 2nd argument has sfti->ProviderSignature field initialized to 'FIRM' and sfti->Action field initialized to 1

then it's an indication of an application trying to use this evasion technique.



1.2. Windows XP

Code sample

// On Windows XP (pre-Vista) the memory space of csrss.exe is read instead in order to dump
// the raw firmware table (csrss_pid is the PID of csrss.exe, obtained beforehand):
hCSRSS = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, csrss_pid);

NtReadVirtualMemory(
     hCSRSS,
     (PVOID)0xC0000,   // address of the raw firmware table region inside csrss.exe
     sfti,             // destination buffer of RegionSize bytes
     RegionSize,
     &memIO);          // receives the number of bytes actually read

Signature recommendations

If the following function contains the PID of the csrss.exe process as its 3rd argument:

  • HANDLE hCSRSS = OpenProcess(..., csrss_pid)

and is followed by a call to the following function:

  • NtReadVirtualMemory(hCSRSS, 0xC0000, ...)

which contains:

  • 1st argument equal to the csrss.exe handle
  • 2nd argument equal to 0xC0000

then it's an indication of an application trying to use this evasion technique.


Detections table

Check if the following strings are present in the Raw Firmware Table:

  Detect       String
  -----------  ----------------
  Parallels    Parallels(R)
  VirtualBox   Innotek
               Oracle
               VirtualBox
  VirtualPC    S3 Corp.
  VMware       VMware


2. Check if specific strings are present in Raw SMBIOS Firmware Table

The retrieved SMBIOS firmware table is scanned for the presence of particular strings.


Depending on the Windows version, different functions are used for this check. See the code samples below.


2.1. Windows Vista+

Code sample

// The SYSTEM_FIRMWARE_TABLE_INFORMATION object is initialized in the following way
// (Length is the size of the buffer to allocate: the structure header plus room for the table):
SYSTEM_FIRMWARE_TABLE_INFORMATION *sfti =
    (PSYSTEM_FIRMWARE_TABLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Length);
sfti->Action = SystemFirmwareTable_Get;  // 1
sfti->ProviderSignature = 'RSMB';        // raw SMBIOS table provider
sfti->TableID = 0;                       // the only table the RSMB provider exposes
sfti->TableBufferLength = Length;

// Then the initialized SYSTEM_FIRMWARE_TABLE_INFORMATION object is passed to the system
// information call in order to dump the raw SMBIOS table into sfti->TableBuffer:
NtQuerySystemInformation(
    SystemFirmwareTableInformation,  // 76
    sfti,
    Length,
    &Length);

Credits for this code sample: VMDE project


Signature recommendations

If the following function:

  • NtQuerySystemInformation

contains:

  • 1st argument equal to 76 (SystemFirmwareTableInformation)
  • 2nd argument has sfti->ProviderSignature field initialized to 'RSMB' and sfti->Action field initialized to 1

then it's an indication of an application trying to use this evasion technique.
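The signature recommendations for 1.1 and 2.1 describe one and the same hook-side check: look at the information class passed to NtQuerySystemInformation and, when it is 76, at the ProviderSignature and Action fields of the SFTI argument. The block below is an added example of that check written from the monitoring side; it is not code from this page or from the VMDE project. It redefines the structure with fixed-width types (an assumption about layout, matching the four ULONG fields shown earlier) so it compiles without the Windows SDK, and classify_sfti_call, build_sfti and check_request are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local redefinition of SYSTEM_FIRMWARE_TABLE_INFORMATION with fixed-width types,
 * so the example builds without the Windows SDK. Assumption: same 16-byte header
 * (four 32-bit fields) followed by the variable-size TableBuffer. */
typedef struct {
    uint32_t ProviderSignature;
    uint32_t Action;            /* SYSTEM_FIRMWARE_TABLE_ACTION: 0 = Enumerate, 1 = Get */
    uint32_t TableID;
    uint32_t TableBufferLength;
    uint8_t  TableBuffer[1];    /* ANYSIZE_ARRAY in the SDK definition */
} sfti_t;

#define SFTI_HEADER_LEN offsetof(sfti_t, TableBuffer)
#define SYSTEM_FIRMWARE_TABLE_INFORMATION_CLASS 76u
#define SFTI_ACTION_GET 1u
#define SIG_FIRM 0x4649524Du    /* value of the multi-character constant 'FIRM' */
#define SIG_RSMB 0x52534D42u    /* value of the multi-character constant 'RSMB' */

typedef enum {
    SFTI_NO_MATCH = 0,
    SFTI_RAW_FIRMWARE = 1,      /* signature 1.1: 'FIRM' provider with Action == Get */
    SFTI_RAW_SMBIOS = 2         /* signature 2.1: 'RSMB' provider with Action == Get */
} sfti_verdict;

/* Hook-side classifier for one NtQuerySystemInformation call: inspects the class and
 * the caller-supplied SFTI buffer and reports which signature (if any) it matches. */
sfti_verdict classify_sfti_call(uint32_t info_class, const void *buf, size_t buf_len)
{
    sfti_t hdr;

    if (info_class != SYSTEM_FIRMWARE_TABLE_INFORMATION_CLASS)
        return SFTI_NO_MATCH;
    /* Buffer and length come from the monitored process: validate them before
     * reading, just as the kernel rejects an undersized buffer. */
    if (buf == NULL || buf_len < SFTI_HEADER_LEN)
        return SFTI_NO_MATCH;
    memcpy(&hdr, buf, SFTI_HEADER_LEN);   /* copy out: caller memory may be unaligned */

    if (hdr.Action != SFTI_ACTION_GET)    /* Enumerate only lists IDs, it dumps nothing */
        return SFTI_NO_MATCH;
    if (hdr.ProviderSignature == SIG_FIRM)
        return SFTI_RAW_FIRMWARE;
    if (hdr.ProviderSignature == SIG_RSMB)
        return SFTI_RAW_SMBIOS;
    return SFTI_NO_MATCH;
}

/* Writes an SFTI request header into `out`, filled the way the page's code samples
 * fill it; returns bytes written (0 if the buffer cannot hold the header). Demo helper. */
size_t build_sfti(uint8_t *out, size_t out_len, uint32_t sig, uint32_t action, uint32_t table_id)
{
    sfti_t req;

    if (out == NULL || out_len < SFTI_HEADER_LEN)
        return 0;
    memset(&req, 0, sizeof req);
    req.ProviderSignature = sig;
    req.Action = action;
    req.TableID = table_id;
    req.TableBufferLength = (uint32_t)(out_len - SFTI_HEADER_LEN);
    memcpy(out, &req, SFTI_HEADER_LEN);
    return SFTI_HEADER_LEN;
}

/* Convenience wrapper: build a constructed request with the given fields and classify it. */
sfti_verdict check_request(uint32_t info_class, uint32_t sig, uint32_t action, uint32_t table_id)
{
    uint8_t buf[64];   /* constructed request: 16-byte header plus a small table area */

    memset(buf, 0, sizeof buf);
    if (build_sfti(buf, sizeof buf, sig, action, table_id) == 0)
        return SFTI_NO_MATCH;
    return classify_sfti_call(info_class, buf, sizeof buf);
}

int main(void)
{
    static const char *names[] = { "no match", "raw firmware table dump", "raw SMBIOS table dump" };
    printf("FIRM / Get / 0xC0000 -> %s\n", names[check_request(76, SIG_FIRM, 1, 0xC0000)]);
    printf("RSMB / Get / 0       -> %s\n", names[check_request(76, SIG_RSMB, 1, 0)]);
    printf("RSMB / Enumerate     -> %s\n", names[check_request(76, SIG_RSMB, 0, 0)]);
    printf("other class          -> %s\n", names[check_request(5, SIG_FIRM, 1, 0xC0000)]);
    return 0;
}
```

In a real hook the buffer pointer and length are the second and third arguments of the intercepted call; the classifier deliberately ignores TableID, because the page's signatures key only on the provider signature and the Get action, and logs it separately if wanted.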



2.2. Windows XP

Code sample

// On Windows XP (pre-Vista) the memory space of csrss.exe is read instead in order to dump
// the raw SMBIOS firmware table (csrss_pid is the PID of csrss.exe, obtained beforehand):
hCSRSS = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, csrss_pid);

NtReadVirtualMemory(
     hCSRSS,
     (PVOID)0xE0000,   // address of the SMBIOS table region inside csrss.exe
     sfti,             // destination buffer of RegionSize bytes
     RegionSize,
     &memIO);          // receives the number of bytes actually read

Signature recommendations

If the following function contains the PID of the csrss.exe process as its 3rd argument:

  • HANDLE hCSRSS = OpenProcess(..., csrss_pid)

and is followed by a call to the following function:

  • NtReadVirtualMemory(hCSRSS, 0xE0000, ...)

which contains:

  • 1st argument equal to the csrss.exe handle
  • 2nd argument equal to 0xE0000

then it's an indication of an application trying to use this evasion technique.


Detections table

Check if the following strings are present in the Raw SMBIOS Firmware Table:

  Detect       String
  -----------  --------------------------------
  Parallels    Parallels Software International
  VirtualBox   Innotek
               Oracle
               VirtualBox
  VirtualPC    VS2005R2
  VMware       VMware, Inc.
               VMware


Countermeasures

  • On systems older than Vista, change the memory content of csrss.exe at the given addresses (0xC0000 for the raw firmware table, 0xE0000 for the SMBIOS table).
  • On Vista+, hook NtQuerySystemInformation for the SystemFirmwareTableInformation class and parse the SFTI structure for the provided field values.
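Both countermeasures end up at the same task: once the call or the csrss.exe read has been intercepted, the table bytes handed back to the application must not carry the strings from the two detection tables above. The block below is an added example of that table-content step, not code from this page, from VMDE or from InviZzzible. It scans a dumped table for the listed strings and overwrites each occurrence in place with a same-length filler; the sample table is constructed for the demo, and scan_vm_markers, scrub_vm_markers and the filler choice are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Strings from the page's two detection tables. Longer strings are listed before
 * their prefixes ("VMware, Inc." before "VMware") so scrubbing handles them first. */
static const char *const VM_MARKERS[] = {
    "Parallels Software International", "Parallels(R)",   /* Parallels */
    "Innotek", "Oracle", "VirtualBox",                     /* VirtualBox */
    "S3 Corp.", "VS2005R2",                                /* VirtualPC */
    "VMware, Inc.", "VMware",                              /* VMware */
    NULL
};

/* Case-insensitive search for an ASCII needle in a binary buffer. Raw tables contain
 * embedded NULs, so strstr() is unusable; returns the offset of the match or -1. */
static long find_marker(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || hay_len < n)
        return -1;
    for (size_t i = 0; i + n <= hay_len; i++) {
        size_t k = 0;
        while (k < n && tolower(hay[i + k]) == tolower((unsigned char)needle[k]))
            k++;
        if (k == n)
            return (long)i;
    }
    return -1;
}

/* Detection view: how many distinct marker strings the table contains. */
int scan_vm_markers(const uint8_t *table, size_t len)
{
    int hits = 0;
    for (size_t i = 0; VM_MARKERS[i] != NULL; i++)
        if (find_marker(table, len, VM_MARKERS[i]) >= 0)
            hits++;
    return hits;
}

/* Countermeasure view: overwrite every marker occurrence in place with `filler`.
 * The length never changes, so structure offsets and the NUL-separated SMBIOS
 * string area stay valid. Returns the number of occurrences scrubbed. */
int scrub_vm_markers(uint8_t *table, size_t len, uint8_t filler)
{
    int scrubbed = 0;
    for (size_t i = 0; VM_MARKERS[i] != NULL; i++) {
        size_t n = strlen(VM_MARKERS[i]);
        size_t off = 0;
        long pos;
        while (off < len && (pos = find_marker(table + off, len - off, VM_MARKERS[i])) >= 0) {
            memset(table + off + (size_t)pos, filler, n);
            scrubbed++;
            off += (size_t)pos + n;
        }
    }
    return scrubbed;
}

/* Constructed sample shaped like an SMBIOS string area (NUL-separated strings,
 * double-NUL terminator). Not a real dump; it exists only to exercise the functions. */
static const uint8_t SAMPLE_TABLE[] =
    "\x00\x02\x07\x00"                   /* made-up 4-byte header */
    "Innotek\0VirtualBox\0vCPU 1\0"      /* two marker strings and one neutral string */
    "\0";

int sample_hits(void)
{
    return scan_vm_markers(SAMPLE_TABLE, sizeof SAMPLE_TABLE);
}

/* Scrubs a copy of the sample; returns occurrences scrubbed and, through the
 * out-parameter, the marker count remaining afterwards. */
int sample_scrub(int *hits_after)
{
    uint8_t copy[sizeof SAMPLE_TABLE];
    memcpy(copy, SAMPLE_TABLE, sizeof copy);
    int scrubbed = scrub_vm_markers(copy, sizeof copy, ' ');
    if (hits_after != NULL)
        *hits_after = scan_vm_markers(copy, sizeof copy);
    return scrubbed;
}

int sample_hits_after_scrub(void)
{
    int after = -1;
    sample_scrub(&after);
    return after;
}

int main(void)
{
    printf("markers before scrub: %d\n", sample_hits());
    printf("occurrences scrubbed: %d\n", sample_scrub(NULL));
    printf("markers after scrub:  %d\n", sample_hits_after_scrub());
    return 0;
}
```

A blank filler keeps the example short, but an all-space manufacturer string is itself a tell; a production countermeasure substitutes plausible vendor names of exactly the same length so that the SMBIOS string offsets are untouched. On pre-Vista systems the same scrub is applied to the csrss.exe regions at 0xC0000 and 0xE0000 instead of to the hook's output buffer.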


Credits

Credits go to the open-source project from which the code samples were taken: the VMDE project.

Though the Check Point tool InviZzzible has all of these checks implemented, the modular structure of its code means that showing a code sample from it for the same purpose would take more space. That's why we've decided to use other great open-source projects for the examples throughout the encyclopedia.

