Evasions: WMI
Contents
WMI detection methods
Background
1. Generic WMI queries
2. Escape from tracking using WMI
2.1. Start process using WMI
2.2. Start process using Task Scheduler via WMI
3. Check the last boot time
4. Check the network adapter last reset time
Signature recommendations
Countermeasures
Credits
WMI detection methods
Windows Management Instrumentation (WMI) queries are another way to get OS and hardware information. WMI is accessed through COM interfaces (IWbemLocator, IWbemServices, IWbemClassObject) and their methods, so a sandbox that only hooks the usual Win32 information APIs may not see these queries at all.
Background
Standard COM functions are used to process queries. They are called in the sequence described below, which can be split into six steps.
1. COM initialization:
- CoInitialize/CoInitializeEx
2. Create the required interface instance (an IWbemLocator object, CLSID_WbemLocator):
- CoCreateInstance/CoCreateInstanceEx
3. Connect to the particular namespace (for example root\CIMV2) via the locator instance with the following function, which returns an IWbemServices pointer:
- ConnectServer
4. Get the definition of the method to call and set its input arguments with these functions:
- GetMethod (to get the method's input-parameter object)
- SpawnInstance (to create an instance of that parameter object)
- Put (to set arguments on the instance)
5. Retrieve information from the services and execute the methods of the services with the functions below. The functions on the left are the IWbemServices interface methods; the functions on the right are the proxy/stub functions they are marshalled through, which are called internally and are the usual place for a hooking sandbox to observe them:
- ExecQuery -> IWbemServices_ExecQuery (retrieve information)
- ExecMethod -> IWbemServices_ExecMethod (execute method)
- ExecMethodAsync -> IWbemServices_ExecMethodAsync (execute method asynchronously)
6. Examine the result of the query with the following functions:
- [enumerator]->Next
- [object]->Get
To see how the described theory is applied in practice, please check the examples below.
1. Generic WMI queries
As WMI provides another way to collect system information, it can be used to perform evasion techniques described in other articles, for example:
- Check if the number of processors is low
- Check if the hard disk size is small
- Check if the MAC address is specific
- Check if the CPU temperature information is available
Code sample
Credits for this code sample: al-khaser project
Code sample (PowerShell)
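The following is an added example and is not the page's or al-khaser's own code. It runs the queries from the detections table below with the CIM cmdlets (which reach the same WMI providers as the COM calls described in the Background section) and returns the indicators that fired. Thresholds, vendor strings and MAC prefixes are the ones listed in the table; the DriveType filter, the root\WMI namespace for the thermal-zone class and the placeholder "None" check on Win32_BaseBoard are assumptions made for this example.

```powershell
# Added example (not from the original page or al-khaser): evaluate the detections
# table with CIM cmdlets and return every indicator that matched.

function Get-VmIndicators {
    $hits = [System.Collections.Generic.List[string]]::new()

    # Win32_Processor: few cores or an empty ProcessorId
    foreach ($cpu in Get-CimInstance -ClassName Win32_Processor) {
        if ($cpu.NumberOfCores -lt 2) { $hits.Add("Win32_Processor.NumberOfCores = $($cpu.NumberOfCores)") }
        if ([string]::IsNullOrWhiteSpace($cpu.ProcessorId)) { $hits.Add('Win32_Processor.ProcessorId is empty') }
    }

    # Win32_LogicalDisk: local fixed disks only (DriveType 3, an assumption); Size is in bytes
    foreach ($disk in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3') {
        if ($disk.Size -lt 60GB) { $hits.Add("Win32_LogicalDisk $($disk.DeviceID) Size = $([math]::Round($disk.Size / 1GB)) GB") }
    }

    # Win32_BaseBoard: missing or placeholder serial number / version
    foreach ($bb in Get-CimInstance -ClassName Win32_BaseBoard) {
        if ([string]::IsNullOrWhiteSpace($bb.SerialNumber) -or $bb.SerialNumber -eq 'None') { $hits.Add("Win32_BaseBoard.SerialNumber = '$($bb.SerialNumber)'") }
        if ([string]::IsNullOrWhiteSpace($bb.Version) -or $bb.Version -eq 'None') { $hits.Add("Win32_BaseBoard.Version = '$($bb.Version)'") }
    }

    # MSAcpi_ThermalZoneTemperature lives in root\WMI; hypervisors normally do not
    # implement it, so the query itself fails (typically with "Not supported").
    try {
        $null = Get-CimInstance -Namespace 'root\WMI' -ClassName MSAcpi_ThermalZoneTemperature -ErrorAction Stop
    } catch {
        $hits.Add("MSAcpi_ThermalZoneTemperature: $($_.Exception.Message.Trim())")
    }

    # Substring matches from the table: class -> property -> @{ wildcard pattern = vendor }.
    # Patterns are evaluated with -like, so a pattern without '*' is an exact match (BIOS serial '0').
    $stringChecks = @{
        Win32_PnPEntity       = @{ DeviceID = @{ '*PCI\VEN_80EE&DEV_CAFE*' = 'VirtualBox'; 'IDE\CDROMVBOX*' = 'VirtualBox'; 'IDE\DISKVBOX*' = 'VirtualBox'; '*VEN_VMWARE*' = 'VMware'; '*PROD_VMWARE_VIRTUAL*' = 'VMware' } }
        Win32_BIOS            = @{ SerialNumber = @{ 'VMware-*' = 'VMware'; '0' = 'VirtualBox' }
                                   Version      = @{ '*INTEL - 6040000*' = 'VMware'; '*BOCHS*' = 'Bochs'; '*PARALLELS*' = 'Parallels'; '*QEMU*' = 'QEMU'; '*VBOX*' = 'VirtualBox' } }
        Win32_ComputerSystem  = @{ Model        = @{ '*VMware*' = 'VMware'; '*VirtualBox*' = 'VirtualBox' }
                                   Manufacturer = @{ '*VMware*' = 'VMware'; '*innotek GmbH*' = 'VirtualBox' } }
        Win32_VideoController = @{ AdapterCompatibility = @{ '*VMware*' = 'VMware'; '*Oracle Corporation*' = 'VirtualBox' }
                                   Name                 = @{ '*VMware*' = 'VMware'; '*VirtualBox*' = 'VirtualBox' } }
        Win32_PointingDevice  = @{ Description = @{ '*VMware*' = 'VMware' } }
    }
    foreach ($class in $stringChecks.Keys) {
        $instances = Get-CimInstance -ClassName $class -ErrorAction SilentlyContinue
        foreach ($prop in $stringChecks[$class].Keys) {
            foreach ($pattern in $stringChecks[$class][$prop].Keys) {
                foreach ($inst in $instances) {
                    $value = [string]$inst.$prop
                    if ($value -like $pattern) {
                        $hits.Add("$class.$prop = '$value' -> $($stringChecks[$class][$prop][$pattern])")
                    }
                }
            }
        }
    }

    # MAC OUI prefixes from Win32_NetworkAdapterConfiguration
    $ouis = @{ '08:00:27' = 'VirtualBox'; '00:1C:42' = 'Parallels'; '00:05:69' = 'VMware'; '00:0C:29' = 'VMware'
               '00:1C:14' = 'VMware'; '00:50:56' = 'VMware'; '00:16:3E' = 'Xen' }
    foreach ($nic in Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'MACAddress IS NOT NULL') {
        $oui = $nic.MACAddress.Substring(0, 8).ToUpper()
        if ($ouis.ContainsKey($oui)) { $hits.Add("MACAddress $($nic.MACAddress) -> $($ouis[$oui])") }
    }

    return $hits
}

$indicators = Get-VmIndicators
if ($indicators.Count -eq 0) { 'No VM indicators found' } else { $indicators | ForEach-Object { "[!] $_" } }
```

Running this inside a sandbox is also a quick way to see which strings the sandbox has already patched: every hit that survives is one a sample could use, and each one maps back to a single IWbemServices_ExecQuery call that a hook on that function would observe.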
Signature recommendations
If IWbemServices_ExecQuery is called with a query string (its 3rd argument, counting the interface pointer as the 1st) that matches one of the queries in the table column "Query":
- IWbemServices_ExecQuery(..., query, ...)
then it’s an indicator of the application trying to use the evasion technique. The query string alone is a weak signal, because legitimate software issues many of these queries; the combination with a subsequent comparison against the values in the "Value" column is what makes it an evasion check.
Detections table
The following WMI queries may be used to detect a virtual environment:
Query | Field | Value | Detect | Comments |
---|---|---|---|---|
SELECT * FROM Win32_Processor | NumberOfCores | < 2 | [general] | |
SELECT * FROM Win32_Processor | ProcessorId | [empty] | [general] | |
SELECT * FROM Win32_LogicalDisk | Size | < 60GB | [general] | Size is reported in bytes |
SELECT * FROM Win32_BaseBoard | SerialNumber | None | [general] | |
SELECT * FROM Win32_BaseBoard | Version | None | [general] | |
SELECT * FROM MSAcpi_ThermalZoneTemperature | CurrentTemperature | "Not supported" | [general] | Class lives in the root\WMI namespace; on most hypervisors the query itself fails with "Not supported" instead of returning an instance |
SELECT * FROM Win32_PnPEntity | DeviceId | PCI\VEN_80EE&DEV_CAFE | VirtualBox | |
SELECT * FROM Win32_PnPEntity | DeviceId | IDE\CDROMVBOX* | VirtualBox | |
SELECT * FROM Win32_PnPEntity | DeviceId | IDE\DISKVBOX* | VirtualBox | |
SELECT * FROM Win32_PnPEntity | DeviceId | VEN_VMWARE | VMware | |
SELECT * FROM Win32_PnPEntity | DeviceId | PROD_VMWARE_VIRTUAL | VMware | |
SELECT * FROM Win32_NetworkAdapterConfiguration | MACAddress | 08:00:27 | VirtualBox | OUI prefix; see "Check if MAC address is specific" section in "Network" chapter |
SELECT * FROM Win32_NetworkAdapterConfiguration | MACAddress | 00:1C:42 | Parallels | |
SELECT * FROM Win32_NetworkAdapterConfiguration | MACAddress | 00:05:69 | VMware | |
SELECT * FROM Win32_NetworkAdapterConfiguration | MACAddress | 00:0C:29 | VMware | |
SELECT * FROM Win32_NetworkAdapterConfiguration | MACAddress | 00:1C:14 | VMware | |
SELECT * FROM Win32_NetworkAdapterConfiguration | MACAddress | 00:50:56 | VMware | |
SELECT * FROM Win32_NetworkAdapterConfiguration | MACAddress | 00:16:3E | Xen | |
SELECT * FROM Win32_BIOS | SerialNumber | VMware- | VMware | |
SELECT * FROM Win32_BIOS | SerialNumber | 0 | VirtualBox | |
SELECT * FROM Win32_BIOS | Version | INTEL - 6040000 | VMware | See "SystemBiosVersion" in "Check if particular registry keys contain specified strings" section in "Registry" chapter |
SELECT * FROM Win32_BIOS | Version | BOCHS | Bochs | |
SELECT * FROM Win32_BIOS | Version | PARALLELS | Parallels | |
SELECT * FROM Win32_BIOS | Version | QEMU | QEMU | |
SELECT * FROM Win32_BIOS | Version | VBOX | VirtualBox | |
SELECT * FROM Win32_ComputerSystem | Model | VMware | VMware | |
SELECT * FROM Win32_ComputerSystem | Model | VirtualBox | VirtualBox | |
SELECT * FROM Win32_ComputerSystem | Manufacturer | VMware | VMware | |
SELECT * FROM Win32_ComputerSystem | Manufacturer | innotek GmbH | VirtualBox | |
SELECT * FROM Win32_VideoController | AdapterCompatibility | VMware | VMware | |
SELECT * FROM Win32_VideoController | AdapterCompatibility | Oracle Corporation | VirtualBox | |
SELECT * FROM Win32_VideoController | Caption | VMware | VMware | |
SELECT * FROM Win32_VideoController | Caption | VirtualBox | VirtualBox | |
SELECT * FROM Win32_VideoController | Description | VMware | VMware | |
SELECT * FROM Win32_VideoController | Description | VirtualBox | VirtualBox | |
SELECT * FROM Win32_VideoController | Name | VMware | VMware | |
SELECT * FROM Win32_VideoController | Name | VirtualBox | VirtualBox | |
SELECT * FROM Win32_PointingDevice | Description | VMware | VMware | |
String values in the "Value" column are matched as substrings of the field (case-insensitively), except the BIOS serial number "0", which is an exact match. Queries listed in the table are not the only ones possible, and are presented to give an idea of how they work and what information can be retrieved with these calls.
Countermeasures
Countermeasures depend on the particular check implemented via WMI and are the same as for the corresponding method described in the relevant article (registry, hardware, network, and so on): the WMI providers read the same SMBIOS tables, registry keys and device data, so patching those sources fixes the WMI answer as well. Additionally, after changing the underlying values you must restart the “winmgmt” service so that the providers do not keep serving cached data.
2. Escape from tracking using WMI
WMI provides a way to create new processes and to schedule tasks. Sandboxes usually hook the CreateProcessInternalW function to track child processes. However, when a process is created through WMI, CreateProcessInternalW is not called in the parent process: the request is marshalled to the WMI service, and the actual process creation happens inside the provider host (WmiPrvSE.exe), which the sandbox typically does not instrument. The new process therefore appears with WmiPrvSE.exe as its parent rather than the sample, may not be tracked by a sandbox, and its behavior will not be recorded.
2.1. Start process using WMI
You can create a new process with WMI using the “Win32_Process” class with the method “Create”.
Code sample
Code sample is taken from InviZzzible tool
Signature recommendations
If one of the following functions is called with the 2nd argument “Win32_Process” and the 3rd argument “Create”:
- IWbemServices_ExecMethod(..., BSTR("Win32_Process"), BSTR("Create"), ...)
- IWbemServices_ExecMethodAsync(..., BSTR("Win32_Process"), BSTR("Create"), ...)
then it’s an indicator of the application trying to use the evasion technique.
Countermeasures
If you use a kernel-mode monitor, hook the target functions or register a process-creation callback with PsSetCreateProcessNotifyRoutineEx; the callback fires for every new process regardless of which process called CreateProcess, so the child spawned from WmiPrvSE.exe is seen too.
2.2. Start process using Task Scheduler via WMI (Windows 7)
The technique is essentially the same as described in the “Deferred execution using Task Scheduler” section in the “Timing” chapter. WMI just provides another way to schedule a task.
You can create a new task with WMI using the “Win32_ScheduledJob” class with the method “Create”.
However, the “Win32_ScheduledJob” WMI class was designed to work with the AT command, which has been deprecated since Windows 8.
On Windows 8 and higher, you can only create scheduled jobs with WMI if the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration” has a value “EnableAt”=”1” of type REG_DWORD, which is not set by default. Therefore, this technique is unlikely to work on current systems and is rarely found in the wild.
Code sample (VB)
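The following is an added example covering both sub-sections 2.1 and 2.2; it is not taken from InviZzzible or from the page. The first function spawns a process through Win32_Process.Create and then reads the child's parent back through WMI to show that it is parented by the WMI provider host rather than by the calling PowerShell process. The second function creates an AT-style job through Win32_ScheduledJob.Create after checking the EnableAt value described above. The command lines, the two-minute delay and the use of the legacy [wmiclass] accelerator for the job (it accepts a DMTF datetime string directly) are choices made for this example.

```powershell
# Added example (not InviZzzible's or the page's code): process creation and AT-style
# job creation through WMI, with the checks a practitioner would want around them.

function Start-ProcessViaWmi {
    param([string]$CommandLine = 'notepad.exe')

    # IWbemServices::ExecMethod("Win32_Process", "Create", ...) under the hood
    $result = Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $CommandLine }
    if ($result.ReturnValue -ne 0) { throw "Win32_Process.Create failed, ReturnValue = $($result.ReturnValue)" }

    # Look the child up again to see who Windows recorded as its parent
    $child  = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($result.ProcessId)"
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($child.ParentProcessId)"
    [pscustomobject]@{
        ChildPid   = $result.ProcessId
        ParentPid  = $child.ParentProcessId
        ParentName = $parent.Name   # WmiPrvSE.exe, not powershell.exe
        CallerPid  = $PID           # this process never called CreateProcess itself
    }
}

function New-AtJobViaWmi {
    param([Parameter(Mandatory)][string]$Command, [int]$MinutesFromNow = 2)

    # On Windows 8 and later Win32_ScheduledJob.Create only works when EnableAt is 1
    $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration' -ErrorAction SilentlyContinue
    if ($cfg.EnableAt -ne 1) {
        Write-Warning 'EnableAt is not set to 1; on Windows 8 and later Win32_ScheduledJob.Create will fail'
    }

    # StartTime is a DMTF datetime string (yyyymmddHHMMSS.mmmmmm+UTCoffset). The
    # positional parameters of Create are Command, StartTime, RunRepeatedly, ...
    $start  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes($MinutesFromNow))
    $result = ([wmiclass]'Win32_ScheduledJob').Create($Command, $start)
    if ($result.ReturnValue -ne 0) { throw "Win32_ScheduledJob.Create failed, ReturnValue = $($result.ReturnValue)" }
    $result.JobId
}

Start-ProcessViaWmi -CommandLine 'notepad.exe'
# New-AtJobViaWmi -Command 'cmd.exe /c whoami > C:\Windows\Temp\at.txt'
```

On the detection side, the ParentName field is the useful observable: a process whose parent is WmiPrvSE.exe but whose command line belongs to a sample under analysis is exactly the event a kernel-mode process-creation callback will report and a user-mode CreateProcessInternalW hook in the sample will miss.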
Signature recommendations
If one of the following functions is called with the 2nd argument “Win32_ScheduledJob” and the 3rd argument “Create”:
- IWbemServices_ExecMethod(..., BSTR("Win32_ScheduledJob"), BSTR("Create"), ...)
- IWbemServices_ExecMethodAsync(..., BSTR("Win32_ScheduledJob"), BSTR("Create"), ...)
then it’s an indicator of the application trying to use the evasion technique.
Countermeasures
Use a kernel-mode monitor and register a process-creation callback with PsSetCreateProcessNotifyRoutineEx; the job is eventually started by the Task Scheduler service, so only a system-wide view catches it.
3. Check the last boot time
If the last boot time is queried immediately after restoring a VM from a snapshot, the WMI database may contain the value saved at the moment the VM snapshot was created. If the snapshot was created a year ago, the calculated system uptime will be a year as well, even if the sandbox updates the last boot time elsewhere.
This fact can be used to detect a virtual machine restored from a snapshot. Also, any anomalies in the last boot time can be used as sandbox indicators:
- The system uptime is too big (months or even years)
- The system uptime is too small (less than several minutes)
- The last boot time obtained using other methods (for example the tick count or the KeBootTime value) differs from the last boot time obtained using WMI
Code sample (VB)
Code sample is taken from Microsoft Docs
Signature recommendations
If the following function is called with a query string (its 3rd argument) that references Win32_OperatingSystem, e.g. BSTR("SELECT * FROM Win32_OperatingSystem"):
- IWbemServices_ExecQuery(..., BSTR("SELECT * FROM Win32_OperatingSystem"), ...)
then it’s a possible indicator of the application trying to use the evasion technique. Win32_OperatingSystem is queried by a great deal of legitimate software, so this query on its own is a weak indicator; reading the LastBootUpTime field and comparing it with the current time or another uptime source is the stronger signal.
Countermeasures
- Adjust the KeBootTime value
- Reset the WMI repository or restart the "winmgmt" service after you adjust the KeBootTime value
4. Check the network adapter last reset time
The Win32_NetworkAdapter class exposes a TimeOfLastReset field for each adapter. If any adapter was last reset a long time ago, or at a time that is inconsistent with the reported boot time, this may indicate the application is running in a virtual machine restored from a snapshot.
Code sample (VB)
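The following is an added example covering both check 3 (last boot time) and check 4 (network adapter last reset time); it is not the page's code nor the Microsoft Docs sample. It reads LastBootUpTime from Win32_OperatingSystem, compares it against the kernel tick counter as an independent "other method", and then inspects TimeOfLastReset on physical adapters. The thresholds (five minutes, thirty days, two minutes of tolerance), the PhysicalAdapter filter and the GetTickCount64 P/Invoke are choices made for this example.

```powershell
# Added example (not from the original page): uptime and adapter-reset anomalies
# as a sandbox / restored-snapshot indicator.

# GetTickCount64 is served by the kernel, not by the WMI repository, so it is an
# independent source for the cross-check the page recommends.
$Kernel32 = Add-Type -Namespace Evasion -Name Kernel32Ticks -PassThru -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern ulong GetTickCount64();
'@

function Test-UptimeAnomalies {
    param([int]$MinUptimeMinutes = 5, [int]$MaxUptimeDays = 30, [int]$ToleranceMinutes = 2)
    $findings = [System.Collections.Generic.List[string]]::new()
    $now = Get-Date

    # 1. Boot time as reported by WMI (CIM cmdlets return LastBootUpTime as [DateTime])
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $wmiBoot = $os.LastBootUpTime
    $wmiUp   = $now - $wmiBoot

    # 2. Boot time derived from the tick counter
    $tickUp   = [TimeSpan]::FromMilliseconds($Kernel32::GetTickCount64())
    $tickBoot = $now - $tickUp

    if ($wmiUp.TotalMinutes -lt $MinUptimeMinutes) { $findings.Add("uptime too small: $([int]$wmiUp.TotalMinutes) min") }
    if ($wmiUp.TotalDays -gt $MaxUptimeDays)       { $findings.Add("uptime too large: $([int]$wmiUp.TotalDays) days") }
    $drift = [math]::Abs(($wmiBoot - $tickBoot).TotalMinutes)
    if ($drift -gt $ToleranceMinutes) {
        $findings.Add("WMI boot time $wmiBoot differs from tick-count boot time $tickBoot by $([int]$drift) min")
    }

    # 3. Network adapter reset times (physical adapters only, an assumption)
    foreach ($nic in Get-CimInstance -ClassName Win32_NetworkAdapter -Filter 'PhysicalAdapter = TRUE') {
        if (-not $nic.TimeOfLastReset) { continue }
        $age = $now - $nic.TimeOfLastReset
        if ($age.TotalDays -gt $MaxUptimeDays) { $findings.Add("$($nic.Name): last reset $([int]$age.TotalDays) days ago") }
        # An adapter cannot have been reset before the system booted; such a value is
        # inconsistent and fits the restored-snapshot scenario.
        if ($nic.TimeOfLastReset -lt $wmiBoot.AddMinutes(-$ToleranceMinutes)) {
            $findings.Add("$($nic.Name): reset at $($nic.TimeOfLastReset) precedes boot time $wmiBoot")
        }
    }
    return $findings
}

$f = Test-UptimeAnomalies
if ($f.Count -eq 0) { 'No uptime anomalies' } else { $f | ForEach-Object { "[!] $_" } }
```

For a sandbox operator the drift check is the one to run after applying the countermeasures: if KeBootTime was adjusted but winmgmt was not restarted, the tick count and the WMI value disagree, which is exactly what the sample is looking for.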
Signature recommendations
If the following function is called with a query string (its 3rd argument) that references Win32_NetworkAdapter, e.g. BSTR("SELECT * FROM Win32_NetworkAdapter"):
- IWbemServices_ExecQuery(..., BSTR("SELECT * FROM Win32_NetworkAdapter"), ...)
then it’s a possible indicator of the application trying to use the evasion technique, in particular when the TimeOfLastReset field is read from the returned objects.
Countermeasures
- Ensure an adequate last reset time for the network adapters
- Reset the WMI repository or restart the "winmgmt" service
Countermeasures
Countermeasures are presented in the appropriate sub-sections above.
Credits
- al-khaser project on GitHub
- Microsoft Docs - WMI Tasks: Desktop Management