Evasions: UI artifacts
Contents
UI artifacts detection methods
1. Check if windows with certain class names are present in the OS
2. Check if top level windows’ number is too small
Signature recommendations
Countermeasures
Credits
UI artifacts detection methods
Techniques described in this group abuse the fact that some windows’ names are only present in virtual environment and not is usual host OS. Even more, host OS contains a lot of windows while VM and sandboxes prefer keeping opened windows at the minimum. Their quantity is checked and the conclusion is drawn whether it is a VM or not.
1. Check if windows with certain class names are present in the OS
Detections table
| Check if windows with the following class names are present in the OS: | |
| Detect | Class name |
|---|---|
| VirtualBox | VBoxTrayToolWndClass |
| VBoxTrayToolWnd | |
Code sample
BOOL vbox_window_class()
{
HWND hClass = FindWindow(_T("VBoxTrayToolWndClass"), NULL);
HWND hWindow = FindWindow(NULL, _T("VBoxTrayToolWnd"));
if (hClass || hWindow)
return TRUE;
else
return FALSE;
}Credits for this code sample: al-khaser project
2. Check if top level windows' number is too small
As it was stated above, host OS contains a lot of windows while VMs and sandboxes strive to keep opened windows at possible minimum. Windows count is measured and the conclusion is drawn on whether it’s a VM or not.
In case there are too few windows in the OS, it could be an indication of virtual environment. Typical hosts have a lot (>10) top level windows.
Code sample
BOOL CALLBACK enumProc(HWND, LPARAM lParam)
{
if (LPDWORD pCnt = reinterpret_cast<LPDWORD>(lParam))
*pCnt++;
return TRUE;
}
bool enumWindowsCheck(bool& detected)
{
DWORD winCnt = 0;
if (!EnumWindows(enumProc,LPARAM(&winCnt))) {
std::cerr << "EnumWindows() failed\n";
return false;
}
return winCnt < 10;
}Signature recommendations
No signature recommendations are provided for this evasion group as it’s hard to tell that code aims to perform some evasion technique and not “legal” action.
Countermeasures
- versus windows with certain class names: Exclude windows with particular names from enumeration or modify these names.
- versus checking top level windows' number: Create fake windows in the system so that their number will not be small or equal to the predefined numbers.
Credits
Credits go to open-source project from where code samples were taken:
- al-khaser project on github
Though Check Point tool InviZzzible has them all implemented, due to modular structure of the code it would require more space to show a code sample from this tool for the same purposes. That’s why we’ve decided to use other great open-source projects for examples throughout the encyclopedia.