Evasions: UI artifacts
Techniques described in this group abuse the fact that some window class names are only present in a virtual environment and not in a usual host OS. Moreover, a host OS has many open windows, while VMs and sandboxes tend to keep the number of open windows to a minimum. The windows are counted and a conclusion is drawn on whether the environment is a VM or not.
Check if windows with the following class names are present in the OS:
Credits for this code sample: al-khaser project
As stated above, a host OS has many open windows, while VMs and sandboxes strive to keep open windows to a minimum. The window count is measured and a conclusion is drawn on whether it's a VM or not.
If there are too few windows in the OS, this may indicate a virtual environment. Typical hosts have many (more than 10) top-level windows.
No signature recommendations are provided for this evasion group, as it's hard to tell whether code aims to perform an evasion technique rather than a "legitimate" action.
- versus windows with certain class names: exclude windows with particular names from enumeration results, or rename them.
- versus checking the number of top-level windows: create fake windows in the system so that their count is not small or equal to the predefined thresholds.
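The two checks above (window class names and the top-level window count) are easiest to understand from the sandbox operator's side: run the same enumeration in the analysis VM and see what a sample would see, then decide whether the countermeasures are needed. The script below is an added example written for this page, not code from the original article or from al-khaser. It assumes Windows PowerShell 5.1 or PowerShell 7 in an interactive desktop session (EnumWindows only sees windows of the calling session); the function names, the default threshold of 10 taken from the text, and the placeholder class name are this example's own choices.

```powershell
# Added example (not from the page or from al-khaser): audits a Windows
# analysis VM for the two UI artifacts described above. Assumes an interactive
# desktop session on Windows; function names and defaults are this example's own.

if (-not ('WinEnum' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class WinEnum {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder lpClassName, int nMaxCount);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);
}
'@
}

function Get-TopLevelWindow {
    # Enumerates every top-level window (visible or not) with its class name and title.
    $script:found = New-Object 'System.Collections.Generic.List[object]'
    $callback = [WinEnum+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        $cls   = New-Object System.Text.StringBuilder 256
        $title = New-Object System.Text.StringBuilder 256
        [void][WinEnum]::GetClassName($hWnd, $cls, $cls.Capacity)
        [void][WinEnum]::GetWindowText($hWnd, $title, $title.Capacity)
        $script:found.Add([pscustomobject]@{
            Handle  = $hWnd
            Visible = [WinEnum]::IsWindowVisible($hWnd)
            Class   = $cls.ToString()
            Title   = $title.ToString()
        })
        return $true    # keep enumerating
    }
    [void][WinEnum]::EnumWindows($callback, [IntPtr]::Zero)
    return $script:found
}

function Test-UiArtifact {
    param(
        # Rule of thumb from the text: a typical host has more than 10 top-level windows.
        [int]$MinimumWindows = 10,
        # PLACEHOLDER only: replace with the class names of the guest-tools
        # windows your own hypervisor creates inside the VM.
        [string[]]$SuspiciousClassName = @('PLACEHOLDER_VmToolsWndClass')
    )
    $all     = Get-TopLevelWindow
    $visible = @($all | Where-Object { $_.Visible })
    $hits    = @($all | Where-Object { $SuspiciousClassName -contains $_.Class })

    [pscustomobject]@{
        TopLevelWindows  = $all.Count
        VisibleWindows   = $visible.Count
        LooksSparse      = ($all.Count -le $MinimumWindows)   # what the count check would conclude
        ClassNameMatches = @($hits | Select-Object Class, Title)
    }
}

# Usage: run inside the analysis VM and compare with the same output from a real workstation.
Test-UiArtifact | Format-List
```

If `LooksSparse` is true or `ClassNameMatches` is non-empty, the environment is distinguishable by these checks, and the countermeasures listed above apply: hide or rename the flagged windows, and populate the desktop so the top-level window count resembles a real workstation. Note that `TopLevelWindows` counts hidden windows too, because EnumWindows returns them; a sample may count only visible ones, so both numbers are reported.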
Credits go to the open-source project from which the code samples were taken:
- al-khaser project on GitHub
Though the Check Point tool InviZzzible has all of them implemented, the modular structure of its code means a code sample from this tool for the same purposes would require more space. That's why we've decided to use other great open-source projects for examples throughout the encyclopedia.