Contents

Registry detection methods
1. Check if particular registry paths exist
2. Check if particular registry keys contain specified strings
3. Check if VBAWarnings enabled
Countermeasures
Credits

Registry detection methods

The principle behind all the registry detection methods is the following: such registry keys and values do not exist on a usual host, but they do exist in particular virtual environments.

Sometimes a usual system may cause false positives when these checks are applied, because it has some virtual machines installed and thus some VM artifacts are present in the system. In all other respects, though, such a system is treated as clean in comparison with virtual environments.

Registry keys may be queried via WinAPI calls.

Functions used in kernel32.dll:

  • RegOpenKey
  • RegOpenKeyEx
  • RegQueryValue
  • RegQueryValueEx
  • RegCloseKey
  • RegEnumKeyEx

Functions above are wrappers on top of the following ntdll.dll functions:

  • NtOpenKey
  • NtEnumerateKey
  • NtQueryValueKey
  • NtClose


1. Check if particular registry paths exist

See the title section for the list of functions used.


Code sample

/* sample of usage: see detection of VirtualBox in the table below to check registry path */
int vbox_reg_key7() {
    return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
    HKEY regkey;
    LONG ret;

    /* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
    if (pafish_iswow64()) {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        RegCloseKey(regkey);
        return TRUE;
    }
    else
        return FALSE;
}

Credits for this code sample: pafish project


Signature recommendations

If the following function is called with a 2nd argument from the table column `Registry path`:

  • NtOpenKey(..., registry_path, ...)

then it’s an indication that the application is trying to use the evasion technique.


Detections table

Check if the following registry paths exist:
| Detect | Registry path | Details (if any) |
| --- | --- | --- |
| [general] | HKLM\Software\Classes\Folder\shell\sandbox | |
| Hyper-V | HKLM\SOFTWARE\Microsoft\Hyper-V | |
| | HKLM\SOFTWARE\Microsoft\VirtualMachine | |
| | HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters | Usually "HostName" and "VirtualMachineName" values are read under this path |
| | HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat | |
| | HKLM\SYSTEM\ControlSet001\Services\vmicvss | |
| | HKLM\SYSTEM\ControlSet001\Services\vmicshutdown | |
| | HKLM\SYSTEM\ControlSet001\Services\vmicexchange | |
| Parallels | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| Sandboxie | HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv | |
| | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie | |
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| | HKLM\HARDWARE\ACPI\DSDT\VBOX__ | |
| | HKLM\HARDWARE\ACPI\FADT\VBOX__ | |
| | HKLM\HARDWARE\ACPI\RSDT\VBOX__ | |
| | HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxGuest | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxMouse | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxService | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxSF | |
| | HKLM\SYSTEM\ControlSet001\Services\VBoxVideo | |
| VirtualPC | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| | HKLM\SYSTEM\ControlSet001\Services\vpcbus | |
| | HKLM\SYSTEM\ControlSet001\Services\vpc-s3 | |
| | HKLM\SYSTEM\ControlSet001\Services\vpcuhub | |
| | HKLM\SYSTEM\ControlSet001\Services\msvmmouf | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD* | Subkey has the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| | HKCU\SOFTWARE\VMware, Inc.\VMware Tools | |
| | HKLM\SOFTWARE\VMware, Inc.\VMware Tools | |
| | HKLM\SYSTEM\ControlSet001\Services\vmdebug | |
| | HKLM\SYSTEM\ControlSet001\Services\vmmouse | |
| | HKLM\SYSTEM\ControlSet001\Services\VMTools | |
| | HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL | |
| | HKLM\SYSTEM\ControlSet001\Services\vmware | |
| | HKLM\SYSTEM\ControlSet001\Services\vmci | |
| | HKLM\SYSTEM\ControlSet001\Services\vmx86 | |
| | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD* | |
| | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* | |
| | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* | |
| | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* | |
| Wine | HKCU\SOFTWARE\Wine | |
| | HKLM\SOFTWARE\Wine | |
| Xen | HKLM\HARDWARE\ACPI\DSDT\xen | |
| | HKLM\HARDWARE\ACPI\FADT\xen | |
| | HKLM\HARDWARE\ACPI\RSDT\xen | |
| | HKLM\SYSTEM\ControlSet001\Services\xenevtchn | |
| | HKLM\SYSTEM\ControlSet001\Services\xennet | |
| | HKLM\SYSTEM\ControlSet001\Services\xennet6 | |
| | HKLM\SYSTEM\ControlSet001\Services\xensvc | |
| | HKLM\SYSTEM\ControlSet001\Services\xenvdb | |


In particular cases, malware may enumerate sub-keys and check whether the name of a sub-key contains some string, instead of checking whether the specified key exists.

For example: enumerate sub-keys of "HKLM\SYSTEM\ControlSet001\Services\" and search for "VBox" string.
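
The signature above as a trace scanner, added here as an example; it is not code from the original page or from any tool the page names. It assumes a hypothetical monitor that logs each call as an (API name, native key path) pair with handles already resolved to paths; the indicator subset, the "high"/"low" confidence labels and the trace are constructed for illustration.

```python
import fnmatch

INDICATORS = {  # subset of the "Registry path" column above; '*' is the table's wildcard
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__": "VirtualBox",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE*": "VirtualBox",
    r"HKLM\SYSTEM\ControlSet001\Services\VBoxGuest": "VirtualBox",
    r"HKCU\SOFTWARE\Wine": "Wine",
}
MACHINE, USER = "\\REGISTRY\\MACHINE\\", "\\REGISTRY\\USER\\"

def normalize(nt_path):
    """Map a native path to the table's HKLM/HKCU form (any per-user hive -> HKCU)."""
    p = nt_path.rstrip("\\")
    if p.upper().startswith(MACHINE):
        return "HKLM\\" + p[len(MACHINE):]
    if p.upper().startswith(USER):
        return "HKCU\\" + p[len(USER):].partition("\\")[2]  # drop the SID component
    return p

def match_open(path):
    """Label of the indicator matching `path` (case-insensitive, '*' wildcard), else None."""
    for pat, label in INDICATORS.items():
        if fnmatch.fnmatchcase(path.lower(), pat.lower()):
            return label
    return None

def match_enum(path):
    """Labels of indicators that are direct children of an enumerated key."""
    return sorted({label for pat, label in INDICATORS.items()
                   if pat.lower().rpartition("\\")[0] == path.lower()})

def scan(trace):
    """trace: (api, native_path) pairs -> list of (confidence, api, path, label)."""
    hits = []
    for api, nt_path in trace:
        path = normalize(nt_path)
        if api == "NtOpenKey" and (label := match_open(path)):
            hits.append(("high", api, path, label))
        elif api == "NtEnumerateKey":
            # Benign software also enumerates keys such as ...\Services: corroborating only.
            hits += [("low", api, path, label) for label in match_enum(path)]
    return hits

TRACE = [  # constructed for illustration; not captured from a real sample
    ("NtOpenKey", r"\Registry\Machine\HARDWARE\ACPI\FADT\VBOX__"),
    ("NtOpenKey", r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_0&REV_0"),
    ("NtOpenKey", r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Wine"),
    ("NtEnumerateKey", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services"),
]
```

Calling scan(TRACE) yields three high-confidence hits for the opens and one low-confidence hit for the enumeration of the Services key.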


2. Check if particular registry keys contain specified strings

See the title section for the list of functions used. Please note that case is irrelevant for these checks: the strings may be either upper or lower case.


Code sample

/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
int vbox_reg_key2() {
    return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
    /*
        regkey_s == "HARDWARE\\Description\\System";
        value_s == "SystemBiosVersion";
        lookup == "VBOX";
    */

    HKEY regkey;
    LONG ret;
    DWORD size;
    char value[1024], * lookup_str;
    size_t lookup_size;

    lookup_size = strlen(lookup);
    lookup_str = malloc(lookup_size+sizeof(char));
    strncpy(lookup_str, lookup, lookup_size+sizeof(char));
    size = sizeof(value);

    /* regkey_s == "HARDWARE\\Description\\System"; */
    if (pafish_iswow64()) {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }

    if (ret == ERROR_SUCCESS) {
        /* value_s == "SystemBiosVersion"; */
        ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
        RegCloseKey(regkey);

        if (ret == ERROR_SUCCESS) {
            size_t i;
            /* registry strings are not guaranteed to be NUL-terminated */
            value[size < sizeof(value) ? size : sizeof(value) - 1] = '\0';
            for (i = 0; i < strlen(value); i++) { /* case-insensitive */
                value[i] = toupper((unsigned char)value[i]);
            }
            for (i = 0; i < lookup_size; i++) { /* case-insensitive */
                lookup_str[i] = toupper((unsigned char)lookup_str[i]);
            }
            if (strstr(value, lookup_str) != NULL) {
                free(lookup_str);
                return TRUE;
            }
        }
    }

    free(lookup_str);
    return FALSE;
}

Credits for this code sample: pafish project


Signature recommendations

If the following function is called with a 2nd argument from the table column `Registry path`:

  • NtOpenKey(..., registry_path, ...)

and is followed by a call to the following function with a 2nd argument from the table column `Registry key`:

  • NtQueryValueKey(..., registry_item, ...)

then it’s an indication that the application is trying to use the evasion technique.


Detections table

Check if the following registry values contain the following strings (case insensitive):
| Detect | Registry path | Registry key | String |
| --- | --- | --- | --- |
| [general] | HKLM\HARDWARE\Description\System | SystemBiosDate | 06/23/99 |
| | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | A M I |
| BOCHS | HKLM\HARDWARE\Description\System | SystemBiosVersion | BOCHS |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | BOCHS |
| Anubis | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| CwSandbox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| JoeBox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| Parallels | HKLM\HARDWARE\Description\System | SystemBiosVersion | PARALLELS |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | PARALLELS |
| QEMU | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | QEMU |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | QEMU |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | QEMU |
| | HKLM\HARDWARE\Description\System\BIOS | SystemManufacturer | QEMU |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | VBOX |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | VIRTUALBOX |
| | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VIRTUAL |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VBOX |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VBOX |
| | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VBOX |
| | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VBOX |
| | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VBOX |
| | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VBOX |
| | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUAL |
| | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUALBOX |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | VMWARE |
| | HKLM\HARDWARE\Description\System | SystemBiosVersion | INTEL - 6040000 |
| | HKLM\HARDWARE\Description\System | VideoBiosVersion | VMWARE |
| | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VMware |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 0 | VMware |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 1 | VMware |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VMware |
| | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VMware |
| | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VMware |
| | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VMware |
| | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VMware |
| | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VMware |
| | HKCR\Installer\Products | ProductName | vmware tools |
| | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | CoInstallers32 | *vmx* |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | DriverDesc | VMware* |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | InfSection | vmx* |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | ProviderName | VMware* |
| | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings | Device Description | VMware* |
| | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VMWARE |
| | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vm3dmp |
| | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vmx_svga |
| | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000 | Device Description | VMware SVGA* |
| Xen | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | Xen |
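
The open-then-query signature as an added example (not code from the original page or from pafish). RegOpenKeyEx on a predefined key such as HKEY_LOCAL_MACHINE typically reaches NtOpenKey as a name relative to a root handle, so the full path has to be rebuilt from handle state before it can be compared with the table. The event tuple layout, the handle values and the trace are constructed assumptions, and key names are assumed to be already translated to the HKLM form.

```python
RULES = {  # (path, value name) from the table above, lower-cased -> "Detect" labels
    (r"hklm\hardware\description\system", "systembiosversion"):
        {"BOCHS", "Parallels", "QEMU", "VirtualBox", "VMware"},
    (r"hklm\hardware\description\system\bios", "systemproductname"):
        {"[general]", "VirtualBox", "VMware", "Xen"},
    (r"hklm\system\controlset001\services\disk\enum", "friendlyname"):
        {"VirtualBox", "VMware"},
}

def correlate(trace):
    """Replay (api, *args) events; return (path, value, labels) per flagged query."""
    handles, hits = {}, []          # handles: live handle value -> absolute key path
    for api, *args in trace:
        if api == "NtOpenKey":
            root, name, status, handle = args
            base = "" if root is None else handles.get(root)
            if status != 0 or base is None:   # failed open, or root not seen in trace
                continue
            handles[handle] = f"{base}\\{name}".strip("\\")
        elif api == "NtClose":
            handles.pop(args[0], None)        # the value may be reused by a later open
        elif api == "NtQueryValueKey":
            handle, value = args
            path = handles.get(handle)
            labels = RULES.get((path.lower(), value.lower())) if path else None
            if labels:
                hits.append((path, value, sorted(labels)))
    return hits

TRACE = [  # constructed for illustration; not captured from a real sample
    ("NtOpenKey", None, "HKLM", 0, 0x10),
    ("NtOpenKey", 0x10, r"HARDWARE\Description\System", 0, 0x1C),  # relative to 0x10
    ("NtQueryValueKey", 0x1C, "SystemBiosVersion"),                # flagged
    ("NtClose", 0x1C),
    ("NtOpenKey", 0x10, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion", 0, 0x1C),
    ("NtQueryValueKey", 0x1C, "SystemBiosVersion"),  # reused handle, other key: ignored
]
```

Only the first query is reported; without the NtClose bookkeeping the second query on the reused handle value would be attributed to the wrong key.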


3. Check if VBAWarnings enabled

The “Enable all macros” prompt in Office documents means that macros can be executed without any user interaction. This behavior is common for sandboxes. Malware can use this to check whether it is running in a sandbox by checking the flag in the registry keys SOFTWARE\Microsoft\Office\<version>\Word\Security\VBAWarnings, where the version is between 12.0 and 19.0.


Code sample

#include <windows.h>
#include <iostream>

// Function to check if VBAWarnings is set to 1 ("Enable all macros") for Word
bool IsAllMacrosEnabled() {
    HKEY hKey;
    // <Office_Version> is a placeholder for a version between 12.0 and 19.0
    LPCWSTR keyPath = L"SOFTWARE\\Microsoft\\Office\\<Office_Version>\\Word\\Security";
    LPCWSTR valueName = L"VBAWarnings";

    // Open the registry key (wide-character API to match the LPCWSTR arguments)
    LONG result = RegOpenKeyExW(HKEY_CURRENT_USER, keyPath, 0, KEY_READ, &hKey);
    if (result == ERROR_SUCCESS) {
        DWORD dwType;
        DWORD dwValue;
        DWORD dwSize = sizeof(DWORD);

        // Query the value of VBAWarnings
        result = RegQueryValueExW(hKey, valueName, NULL, &dwType, reinterpret_cast<LPBYTE>(&dwValue), &dwSize);
        RegCloseKey(hKey);
        if (result == ERROR_SUCCESS && dwType == REG_DWORD && dwValue == 1) {
            // All macros are enabled, so they run without user interaction
            return true;
        }
    }
    return false;
}

int main() {
    if (IsAllMacrosEnabled()) {
        std::cout << "VBAWarnings is set to enable all macros in Office." << std::endl;
    } else {
        std::cout << "VBAWarnings is not set to enable all macros in Office." << std::endl;
    }

    return 0;
}


Countermeasures

Hook target functions and return appropriate results if indicators (registry strings from tables) are checked.


Credits

Credits go to the open-source project from which the code samples were taken:

Though the Check Point tool InviZzzible has them all implemented, due to the modular structure of its code it would require more space to show a code sample from this tool for the same purposes. That’s why we’ve decided to use other great open-source projects for examples throughout the encyclopedia.

