Evasions: Global OS Objects
Contents
Global objects detection methods
1. Check for specific global mutexes
2. Check for specific virtual devices
3. Check for specific global pipes
4. Check for specific global objects
5. Check for specific object directory (Sandboxie only)
6. Check if virtual registry is present in system (Sandboxie only)
Countermeasures
Credits
Global objects detection methods
The principle behind all the global objects detection methods is the same: the objects in question do not exist on a usual host, but they do exist in particular virtual environments and sandboxes. The virtual environment may therefore be detected if such an artifact is present.
1. Check for specific global mutexes
This method checks for particular mutexes which are present in virtual environments but not in usual host systems.
Functions used:
- CreateMutexA/W
- OpenMutexA/W
Code sample
Credits for this code sample: VMDE project
Signature recommendations
If one of the following functions is called with a 3rd argument taken from the table column `Name`:
- CreateMutexA/W(..., ..., mutex_name)
- OpenMutexA/W(..., ..., mutex_name)
then it's an indication of the application trying to use the evasion technique.
Detections table
Check if the following global mutexes exist:

Detect | Name
---|---
DeepFreeze | Frz_State
Sandboxie | Sandboxie_SingleInstanceMutex_Control
Sandboxie | SBIE_BOXED_ServiceInitComplete_Mutex1
VirtualPC | MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex
Note: DeepFreeze is an application restoring the system on each reboot.
2. Check for specific virtual devices
This method checks for particular virtual devices which are present in virtual environments but not in usual host systems.
Function used:
- NtCreateFile
Code sample
Credits for this code sample: VMDE project
Signature recommendations
If the following function is called with a 3rd argument whose field `ObjectName->Buffer` contains a value from the table column `Path`:
- NtCreateFile(..., ..., attr, ...)
then it's an indication of the application trying to use the evasion technique.
3rd argument is of the following type:
Detections table
Check if the following virtual devices exist:

Detect | Path
---|---
VirtualBox | \\.\VBoxMiniRdDN
VirtualBox | \\.\VBoxMiniRdrDN
VirtualBox | \\.\VBoxGuest
VirtualBox | \\.\VBoxTrayIPC
VirtualBox | \\.\VBoxMouse
VirtualBox | \\.\VBoxVideo
VMware | \\.\HGFS
VMware | \\.\vmci
3. Check for specific global pipes
Pipes are just a particular case of virtual devices; please refer to the previous section for the code sample and signature recommendations.
Detections table
Check if the following global pipes exist:

Detect | Path
---|---
VirtualBox | \\.\pipe\VBoxMiniRdDN
VirtualBox | \\.\pipe\VBoxTrayIPC
4. Check for global objects
This method checks for particular global objects which are present in virtual environments but not in usual host systems.
Functions used:
- NtOpenDirectoryObject
- NtQueryDirectoryObject
Code sample
Credits for this code sample: VMDE project
Detections table
Check if the following global objects exist (object name within the given object directory path):

Detect | Object | Path
---|---|---
Hyper-V | VmGenerationCounter | \Device
Parallels | prl_pv | \Device
Parallels | prl_tg | \Device
Parallels | prl_time | \Device
Sandboxie | SandboxieDriverApi | \Device
Sandboxie | SbieDrv | \Driver
Sandboxie | SbieSvcPort | \RPC Control
VirtualBox | VBoxGuest | \Device
VirtualBox | VBoxMiniRdr | \Device
VirtualBox | VBoxVideo | \Driver
VirtualBox | VBoxMouse | \Driver
VirtualPC | VirtualMachineServices | \Device
VirtualPC | 1-driver-vmsrvc | \Driver
VMware | vmmemctl | \Device
5. Check for object directory (Sandboxie only)
This method checks for a particular object directory which is present in the Sandboxie virtual environment but not on usual host systems.
Function used:
- GetFileAttributes
Code sample
Credits for this code sample: VMDE project
Signature recommendations
If the following function is called with a 3rd argument whose field `ObjectName->Buffer` contains a value from the table column `Path`:
- NtOpenDirectoryObject(..., ..., attr, ...)
then it's an indication of the application trying to use the evasion technique.
3rd argument is of the following type:
Detections table
Check if the following object directory exists:

Detect | Path
---|---
Sandboxie | \Sandbox
6. Check if virtual registry is present in OS (Sandboxie only)
This method checks for a virtual registry which is present in the Sandboxie virtual environment but not on usual host systems.
The application opens the registry key \REGISTRY\USER. It then uses the following function in order to check the real object name:
If the object name returned in OBJECT_NAME_INFORMATION does not equal "\REGISTRY\USER", the application assumes that it runs inside a Sandboxie environment.
Signature recommendations
If the following function is used to open \REGISTRY\USER:
- NtOpenKey
and is followed by a call of the following function with its 1st argument being the handle of the \REGISTRY\USER key:
- NtQueryObject(hUserKey, ...)
then it's an indication of the application trying to use the evasion technique.
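The signature rules from sections 1 to 6 (mutex names, device and pipe paths, the \Sandbox object directory, and the NtOpenKey followed by NtQueryObject sequence) applied to an API-call trace, as an added example that is not from this page or the VMDE project. It assumes a constructed trace format of one call per line, `Func(arg1, arg2, ...) = retval`, in which the tracer has already resolved OBJECT_ATTRIBUTES arguments to their ObjectName string and logs the handle returned by NtOpenKey as its first argument; the sample trace is constructed, not captured.

```python
import re

# Indicator values copied from this page's detection tables (sections 1-5).
VM_MUTEXES = {"Frz_State", "Sandboxie_SingleInstanceMutex_Control",
              "SBIE_BOXED_ServiceInitComplete_Mutex1",
              "MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex"}
VM_DEVICES = {r"\\.\VBoxMiniRdDN", r"\\.\VBoxMiniRdrDN", r"\\.\VBoxGuest", r"\\.\VBoxTrayIPC",
              r"\\.\VBoxMouse", r"\\.\VBoxVideo", r"\\.\HGFS", r"\\.\vmci",
              r"\\.\pipe\VBoxMiniRdDN", r"\\.\pipe\VBoxTrayIPC"}  # pipes are devices too
MUTEX_FUNCS = {"CreateMutexA", "CreateMutexW", "OpenMutexA", "OpenMutexW"}
# Assumed (constructed) trace format: 'Func(arg1, arg2, ...) = retval'; the tracer is
# assumed to have resolved OBJECT_ATTRIBUTES arguments to their ObjectName string.
CALL_RE = re.compile(r"^(\w+)\((.*)\)\s*=")

def parse_call(line):
    """Split one trace line into (function, [args]); None if it is not a call."""
    m = CALL_RE.match(line.strip())
    return (m.group(1), [a.strip().strip('"') for a in m.group(2).split(",")]) if m else None

def scan_trace(lines):
    """Apply the page's signature rules to a trace; return (line_no, rule) per match."""
    hits, user_key_handles = [], set()
    for n, line in enumerate(lines, 1):
        parsed = parse_call(line)
        if parsed is None:
            continue
        func, args = parsed
        third = args[2] if len(args) >= 3 else None  # the rules key on the 3rd argument
        if func in MUTEX_FUNCS and third in VM_MUTEXES:
            hits.append((n, "mutex:" + third))
        elif func == "NtCreateFile" and third in VM_DEVICES:
            hits.append((n, "device:" + third))
        elif func == "NtOpenDirectoryObject" and third == r"\Sandbox":
            hits.append((n, "objdir:" + third))
        elif func == "NtOpenKey" and third == r"\REGISTRY\USER":
            user_key_handles.add(args[0])  # handle of \REGISTRY\USER (logged as 1st arg)
        elif func == "NtQueryObject" and args and args[0] in user_key_handles:
            hits.append((n, "virtual-registry-probe"))  # section 6 sequence rule
    return hits

# Constructed sample trace, not captured from any real system.
SAMPLE_TRACE = [
    'OpenMutexA(0x1F0001, 0, "Sandboxie_SingleInstanceMutex_Control") = 0x0',
    'NtCreateFile(0x2a8, 0x80100080, "\\\\.\\VBoxGuest") = 0xC0000034',
    'NtOpenDirectoryObject(0x2b0, 0x1, "\\Sandbox") = 0xC0000034',
    'NtOpenKey(0x2c4, 0x20019, "\\REGISTRY\\USER") = 0x0',
    'NtQueryObject(0x2c4, ObjectNameInformation, 0x1ff0, 0x400, 0x0) = 0x0',
    'CreateMutexA(0x0, 0, "MyAppMutex") = 0x2d0',  # benign, must not match
]
```

`scan_trace(SAMPLE_TRACE)` reports four hits, for trace lines 1, 2, 3 and 5; the NtOpenKey line itself is not a hit, it only arms the section 6 rule for the following NtQueryObject call.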
Countermeasures
Hook the target functions and return appropriate results when the indicators (objects from the tables) are triggered. In some cases stopping the corresponding device may help, but this is not a universal counter-action: not all global objects are devices.
Credits
Credits go to the open-source project from which the code samples were taken:
- VMDE project on github
Although the Check Point tool InviZzzible has all of these checks implemented, the modular structure of its code would require more space to show a code sample from this tool for the same purposes. That is why we have decided to use other great open-source projects for examples throughout the encyclopedia.