Evasions: Registry
Contents
Registry detection methods
1. Check if particular registry paths exist
2. Check if particular registry keys contain specified strings
Countermeasures
Credits
Registry detection methods
The principle of all the registry detection methods is the following: there are no such registry keys and values in usual host. However they exist in particular virtual environments.
Sometimes usual system may cause false positives when these checks are applied because it has some virtual machines installed and thus some VM artifacts are present in the system. Though in all other aspects such a system is treated clean in comparison with virtual environments.
Registry keys may be queries via WinAPI calls.
Functions used in kernel32.dll:
- RegOpenKey
- RegOpenKeyEx
- RegQueryValue
- RegQueryValueEx
- RegCloseKey
- RegEnumKeyEx
Functions above are wrappers on top of the following ntdll.dll functions:
- NtOpenKey
- NtEnumerateKey
- NtQueryValueKey
- NtClose
1. Check if particular registry paths exist
Take a look at title section to get the list of used functions.
Code sample
/* sample of usage: see detection of VirtualBox in the table below to check registry path */
int vbox_reg_key7() {
return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}
/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
HKEY regkey;
LONG ret;
/* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
if (pafish_iswow64()) {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key);
}
else {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key);
}
if (ret == ERROR_SUCCESS) {
RegCloseKey(regkey);
return TRUE;
}
else
return FALSE;
}Credits for this code sample: pafish project
Signature recommendations
If the following function contains 2nd argument from the table column `Registry path`:
- NtOpenKey(..., registry_path, ...)
then it’s an indication of application trying to use the evasion technique.
Detections table
| Check if the following registry paths exist: | ||
| Detect | Registry path | Details (if any) |
|---|---|---|
| [general] | HKLM\Software\Classes\Folder\shell\sandbox | |
| Hyper-V | HKLM\SOFTWARE\Microsoft\Hyper-V | |
| HKLM\SOFTWARE\Microsoft\VirtualMachine | ||
| HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters | Usually "HostName" and "VirtualMachineName" values are read under this path | |
| HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat | ||
| HKLM\SYSTEM\ControlSet001\Services\vmicvss | ||
| HKLM\SYSTEM\ControlSet001\Services\vmicshutdown | ||
| HKLM\SYSTEM\ControlSet001\Services\vmicexchange | ||
| Parallels | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| Sandboxie | HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv | |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie | ||
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| HKLM\HARDWARE\ACPI\DSDT\VBOX__ | ||
| HKLM\HARDWARE\ACPI\FADT\VBOX__ | ||
| HKLM\HARDWARE\ACPI\RSDT\VBOX__ | ||
| HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions | ||
| HKLM\SYSTEM\ControlSet001\Services\VBoxGuest | ||
| HKLM\SYSTEM\ControlSet001\Services\VBoxMouse | ||
| HKLM\SYSTEM\ControlSet001\Services\VBoxService | ||
| HKLM\SYSTEM\ControlSet001\Services\VBoxSF | ||
| HKLM\SYSTEM\ControlSet001\Services\VBoxVideo | ||
| VirtualPC | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| HKLM\SYSTEM\ControlSet001\Services\vpcbus | ||
| HKLM\SYSTEM\ControlSet001\Services\vpc-s3 | ||
| HKLM\SYSTEM\ControlSet001\Services\vpcuhub | ||
| HKLM\SYSTEM\ControlSet001\Services\msvmmouf | ||
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| HKCU\SOFTWARE\VMware, Inc.\VMware Tools | ||
| HKLM\SOFTWARE\VMware, Inc.\VMware Tools | ||
| HKLM\SYSTEM\ControlSet001\Services\vmdebug | ||
| HKLM\SYSTEM\ControlSet001\Services\vmmouse | ||
| HKLM\SYSTEM\ControlSet001\Services\VMTools | ||
| HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL | ||
| HKLM\SYSTEM\ControlSet001\Services\vmware | ||
| HKLM\SYSTEM\ControlSet001\Services\vmci | ||
| HKLM\SYSTEM\ControlSet001\Services\vmx86 | ||
| HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD* | ||
| HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* | ||
| HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* | ||
| HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* | ||
| Wine | HKCU\SOFTWARE\Wine | |
| HKLM\SOFTWARE\Wine | ||
| Xen | HKLM\HARDWARE\ACPI\DSDT\xen | |
| HKLM\HARDWARE\ACPI\FADT\xen | ||
| HKLM\HARDWARE\ACPI\RSDT\xen | ||
| HKLM\SYSTEM\ControlSet001\Services\xenevtchn | ||
| HKLM\SYSTEM\ControlSet001\Services\xennet | ||
| HKLM\SYSTEM\ControlSet001\Services\xennet6 | ||
| HKLM\SYSTEM\ControlSet001\Services\xensvc | ||
| HKLM\SYSTEM\ControlSet001\Services\xenvdb | ||
In particular cases malware may enumerate sub-keys and check if a name of the sub-key contain some string instead of checking if the specified key exists.
For example: enumerate sub-keys of "HKLM\SYSTEM\ControlSet001\Services\" and search for "VBox" string.
2. Check if particular registry keys contain specified strings
Take a look at title section to get the list of used functions. Please note that case is irrelevant for these checks: it may be either upper or lower.
Code sample
/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
int vbox_reg_key2() {
return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}
/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
/*
regkey_s == "HARDWARE\\Description\\System";
value_s == "SystemBiosVersion";
lookup == "VBOX";
*/
HKEY regkey;
LONG ret;
DWORD size;
char value[1024], * lookup_str;
size_t lookup_size;
lookup_size = strlen(lookup);
lookup_str = malloc(lookup_size+sizeof(char));
strncpy(lookup_str, lookup, lookup_size+sizeof(char));
size = sizeof(value);
/* regkey_s == "HARDWARE\\Description\\System"; */
if (pafish_iswow64()) {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key);
}
else {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key);
}
if (ret == ERROR_SUCCESS) {
/* value_s == "SystemBiosVersion"; */
ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
RegCloseKey(regkey);
if (ret == ERROR_SUCCESS) {
size_t i;
for (i = 0; i < strlen(value); i++) { /* case-insensitive */
value[i] = toupper(value[i]);
}
for (i = 0; i < lookup_size; i++) { /* case-insensitive */
lookup_str[i] = toupper(lookup_str[i]);
}
if (strstr(value, lookup_str) != NULL) {
free(lookup_str);
return TRUE;
}
}
}
free(lookup_str);
return FALSE;
}Credits for this code sample: pafish project
Signature recommendations
If the following function contains 2nd argument from the table column `Registry path`:
- NtOpenKey(..., registry_path, ...)
and is followed by the call to the following function with 2nd argument from the table column `Registry key`:
- NtQueryValueKey(..., registry_item, ...)
then it’s an indication of application trying to use the evasion technique.
Detections table
| Check if the following registry values contain the following strings (case insensitive): | |||
| Detect | Registry path | Registry key | String |
|---|---|---|---|
| [general] | HKLM\HARDWARE\Description\System | SystemBiosDate | 06/23/99 |
| HKLM\HARDWARE\Description\System\BIOS | SystemProductName | A M I | |
| BOCHS | HKLM\HARDWARE\Description\System | SystemBiosVersion | BOCHS |
| HKLM\HARDWARE\Description\System | VideoBiosVersion | BOCHS | |
| Anubis | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-337-8429955-22614 | |
| CwSandbox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-644-3177037-23510 | |
| JoeBox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 55274-640-2673064-23950 | |
| Parallels | HKLM\HARDWARE\Description\System | SystemBiosVersion | PARALLELS |
| HKLM\HARDWARE\Description\System | VideoBiosVersion | PARALLELS | |
| QEMU | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | QEMU |
| HKLM\HARDWARE\Description\System | SystemBiosVersion | QEMU | |
| HKLM\HARDWARE\Description\System | VideoBiosVersion | QEMU | |
| HKLM\HARDWARE\Description\System\BIOS | SystemManufacturer | QEMU | |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX | |
| HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX | |
| HKLM\HARDWARE\Description\System | SystemBiosVersion | VBOX | |
| HKLM\HARDWARE\Description\System | VideoBiosVersion | VIRTUALBOX | |
| HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VIRTUAL | |
| HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VBOX | |
| HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VBOX | |
| HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VBOX | |
| HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VBOX | |
| HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VBOX | |
| HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VBOX | |
| HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUAL | |
| HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUALBOX | |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE | |
| HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE | |
| HKLM\HARDWARE\Description\System | SystemBiosVersion | VMWARE | |
| HKLM\HARDWARE\Description\System | SystemBiosVersion | INTEL - 6040000 | |
| HKLM\HARDWARE\Description\System | VideoBiosVersion | VMWARE | |
| HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VMware | |
| HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 0 | VMware | |
| HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 1 | VMware | |
| HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VMware | |
| HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VMware | |
| HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VMware | |
| HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VMware | |
| HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VMware | |
| HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VMware | |
| HKCR\Installer\Products | ProductName | vmware tools | |
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools | |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools | |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools | |
| HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | CoInstallers32 | *vmx* | |
| HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | DriverDesc | VMware* | |
| HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | InfSection | vmx* | |
| HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | ProviderName | VMware* | |
| HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings | Device Description | VMware* | |
| HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VMWARE | |
| HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vm3dmp | |
| HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vmx_svga | |
| HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000 | Device Description | VMware SVGA* | |
| Xen | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | Xen |
Countermeasures
Hook target functions and return appropriate results if indicators (registry strings from tables) are checked.
Credits
Credits go to open-source project from where code samples were taken:
- pafish project on github
Though Check Point tool InviZzzible has them all implemented, due to modular structure of the code it would require more space to show a code sample from this tool for the same purposes. That’s why we’ve decided to use other great open-source projects for examples throughout the encyclopedia.