Contents
- Registry detection methods
  - 1. Check if specific registry paths exist
  - 2. Check if specific registry keys contain specified strings
- Countermeasures
- Credits
Registry detection methods
The principle behind all registry detection methods is the following: such registry keys and values do not exist on a usual host, but they do exist in particular virtual environments.
Sometimes a usual system may produce false positives when these checks are applied, because it has some virtual machine installed and therefore carries some of that VM's artifacts, even though in every other respect such a system is clean compared with a virtual environment.
Registry keys can be queried via WinAPI calls.
Functions used in kernel32.dll:
- RegOpenKey
- RegOpenKeyEx
- RegQueryValue
- RegQueryValueEx
- RegCloseKey
- RegEnumKeyEx
The functions above are wrappers over the following ntdll.dll functions:
- NtOpenKey
- NtEnumerateKey
- NtQueryValueKey
- NtClose
1. Check if specific registry paths exist
See the header section for the list of functions used.
Code sample:
```c
#include <windows.h>

int pafish_iswow64(void); /* defined elsewhere in pafish: TRUE when running as a 32-bit process under WOW64 */
int pafish_exists_regkey(HKEY hKey, char * regkey_s);

/* sample of usage: see detection of VirtualBox in the table below to check registry path */
int vbox_reg_key7() {
    return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
    HKEY regkey;
    LONG ret;
    /* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
    if (pafish_iswow64()) {
        /* a 32-bit process on 64-bit Windows must ask for the 64-bit view of the hive */
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }
    if (ret == ERROR_SUCCESS) {
        /* the key exists: close it and report the artifact */
        RegCloseKey(regkey);
        return TRUE;
    }
    else
        return FALSE;
}
```
Credits for this code sample: pafish project
Signature recommendations
If the following function contains the `registry path` column from the table as its 2nd argument:
- NtOpenKey(…, registry_path, …)
then this indicates the application is trying to use the evasion technique.
Detection table
Check if the following registry paths exist:

| Detect | Registry path | Details (if any) |
|---|---|---|
| [general] | HKLM\Software\Classes\Folder\shell\sandbox | |
| Hyper-V | HKLM\SOFTWARE\Microsoft\Hyper-V | |
| Hyper-V | HKLM\SOFTWARE\Microsoft\VirtualMachine | |
| Hyper-V | HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters | Usually the "HostName" and "VirtualMachineName" values are read under this path |
| Hyper-V | HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat | |
| Hyper-V | HKLM\SYSTEM\ControlSet001\Services\vmicvss | |
| Hyper-V | HKLM\SYSTEM\ControlSet001\Services\vmicshutdown | |
| Hyper-V | HKLM\SYSTEM\ControlSet001\Services\vmicexchange | |
| Parallels | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8* | Subkeys have the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| Sandboxie | HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv | |
| Sandboxie | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie | |
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE* | Subkeys have the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| VirtualBox | HKLM\HARDWARE\ACPI\DSDT\VBOX__ | |
| VirtualBox | HKLM\HARDWARE\ACPI\FADT\VBOX__ | |
| VirtualBox | HKLM\HARDWARE\ACPI\RSDT\VBOX__ | |
| VirtualBox | HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions | |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\VBoxGuest | |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\VBoxMouse | |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\VBoxService | |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\VBoxSF | |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\VBoxVideo | |
| VirtualPC | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333* | Subkeys have the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| VirtualPC | HKLM\SYSTEM\ControlSet001\Services\vpcbus | |
| VirtualPC | HKLM\SYSTEM\ControlSet001\Services\vpc-s3 | |
| VirtualPC | HKLM\SYSTEM\ControlSet001\Services\vpcuhub | |
| VirtualPC | HKLM\SYSTEM\ControlSet001\Services\msvmmouf | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD* | Subkeys have the following structure: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
| VMware | HKCU\SOFTWARE\VMware, Inc.\VMware Tools | |
| VMware | HKLM\SOFTWARE\VMware, Inc.\VMware Tools | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\vmdebug | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\vmmouse | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\VMTools | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\vmware | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\vmci | |
| VMware | HKLM\SYSTEM\ControlSet001\Services\vmx86 | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD* | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* | |
| VMware | HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* | |
| Wine | HKCU\SOFTWARE\Wine | |
| Wine | HKLM\SOFTWARE\Wine | |
| Xen | HKLM\HARDWARE\ACPI\DSDT\xen | |
| Xen | HKLM\HARDWARE\ACPI\FADT\xen | |
| Xen | HKLM\HARDWARE\ACPI\RSDT\xen | |
| Xen | HKLM\SYSTEM\ControlSet001\Services\xenevtchn | |
| Xen | HKLM\SYSTEM\ControlSet001\Services\xennet | |
| Xen | HKLM\SYSTEM\ControlSet001\Services\xennet6 | |
| Xen | HKLM\SYSTEM\ControlSet001\Services\xensvc | |
| Xen | HKLM\SYSTEM\ControlSet001\Services\xenvdb | |
In particular cases malware may enumerate subkeys and check whether a subkey name contains some string, instead of checking whether the specified key exists.
Example: enumerate the subkeys of "HKLM\SYSTEM\ControlSet001\Services\" and search for the "VBox" string.
2. Check if specific registry keys contain specified strings
See the header section for the list of functions used. Please note that case is irrelevant for these checks: it may be either uppercase or lowercase.
Code sample:
```c
#include <windows.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

int pafish_iswow64(void); /* defined elsewhere in pafish: TRUE when running as a 32-bit process under WOW64 */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup);

/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
int vbox_reg_key2() {
    return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}

/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
    /*
    regkey_s == "HARDWARE\\Description\\System";
    value_s == "SystemBiosVersion";
    lookup == "VBOX";
    */
    HKEY regkey;
    LONG ret;
    DWORD size;
    char value[1024], * lookup_str;
    size_t lookup_size;
    lookup_size = strlen(lookup);
    lookup_str = malloc(lookup_size+sizeof(char));
    if (lookup_str == NULL)
        return FALSE;
    strncpy(lookup_str, lookup, lookup_size+sizeof(char));
    size = sizeof(value);
    /* regkey_s == "HARDWARE\\Description\\System"; */
    if (pafish_iswow64()) {
        /* a 32-bit process on 64-bit Windows must ask for the 64-bit view of the hive */
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
    }
    else {
        ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
    }
    if (ret == ERROR_SUCCESS) {
        /* value_s == "SystemBiosVersion"; */
        ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
        RegCloseKey(regkey);
        if (ret == ERROR_SUCCESS) {
            size_t i;
            /* REG_SZ data is not guaranteed to be NUL-terminated; terminate it before using strlen/strstr */
            value[size < sizeof(value) ? size : sizeof(value) - 1] = '\0';
            for (i = 0; i < strlen(value); i++) { /* case-insensitive */
                value[i] = toupper(value[i]);
            }
            for (i = 0; i < lookup_size; i++) { /* case-insensitive */
                lookup_str[i] = toupper(lookup_str[i]);
            }
            /* substring match: the value only has to contain the lookup string */
            if (strstr(value, lookup_str) != NULL) {
                free(lookup_str);
                return TRUE;
            }
        }
    }
    free(lookup_str);
    return FALSE;
}
```
Credits for this code sample: pafish project
Signature recommendations
If the following function contains the `registry path` column from the table as its 2nd argument:
- NtOpenKey(…, registry_path, …)
and is followed by a call to the following function with the `registry key` column from the table as its 2nd argument:
- NtQueryValueKey(…, registry_item, …)
then this indicates the application is trying to use the evasion technique.
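Added example (my code, not the page's or the pafish project's): both signature rules above applied to a constructed sandbox API trace, with a small subset of the two tables as indicators. The line format `Api Arg="value"`, the argument names `KeyName`/`ValueName`, and the indicator subset are assumptions; the compared string itself is never visible in a call trace, so rule 2 matches on the path and value-name pair and records the string only as the indicator the analyst should check.

```python
import re
from fnmatch import fnmatchcase
# Constructed subset of the two tables. Rule 1: (VM, registry path; "*" is a wildcard).
KEY_EXISTS = [
    ("VirtualBox", r"HKLM\HARDWARE\ACPI\FADT\VBOX__"),
    ("VirtualBox", r"HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE*"),
    ("VMware", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
]
# Rule 2: (VM, registry path, value name, string the sample compares the data against).
VALUE_CONTAINS = [
    ("VirtualBox", r"HKLM\HARDWARE\Description\System", "SystemBiosVersion", "VBOX"),
    ("VMware", r"HKLM\HARDWARE\Description\System", "SystemBiosVersion", "VMWARE"),
]
ARG_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_call(line):
    # Assumed trace format: 'Api Arg="value" Arg="value" ...' -> (api, {arg: value})
    api, _, rest = line.strip().partition(" ")
    return api, dict(ARG_RE.findall(rest))

def normalize(path):
    # Native key names start with \REGISTRY\MACHINE; the tables spell that hive HKLM.
    p = path.upper().rstrip("\\")
    return "HKLM" + p[len("\\REGISTRY\\MACHINE"):] if p.startswith("\\REGISTRY\\MACHINE\\") else p

def find_evasion_indicators(trace_lines):
    # Returns (vm, rule, indicator) hits. The open need not succeed: probing an absent key is the signature.
    hits, last_key = [], None
    for line in trace_lines:
        api, args = parse_call(line)
        if api == "NtOpenKey":
            last_key = normalize(args.get("KeyName", ""))
            hits += [(vm, "key-exists", p) for vm, p in KEY_EXISTS if fnmatchcase(last_key, p.upper())]
        elif api == "NtQueryValueKey" and last_key is not None:
            name = args.get("ValueName", "").upper()
            hits += [(vm, "value-contains", f"{path}\\{val} ~ {s}") for vm, path, val, s in VALUE_CONTAINS
                     if last_key == path.upper() and name == val.upper()]
        elif api == "NtClose":
            last_key = None  # handle closed: later queries are not paired with this key
    return hits

# Constructed sample trace: two VirtualBox path probes, one BIOS-string probe, one benign read.
SAMPLE_TRACE = [
    'NtOpenKey KeyName="\\Registry\\Machine\\HARDWARE\\ACPI\\FADT\\VBOX__" Status="0xC0000034"',
    'NtOpenKey KeyName="\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_80EE&DEV_CAFE" Status="0x0"',
    'NtClose Handle="0x1c"',
    'NtOpenKey KeyName="\\Registry\\Machine\\HARDWARE\\Description\\System" Status="0x0"',
    'NtQueryValueKey ValueName="SystemBiosVersion" Status="0x0"',
    'NtOpenKey KeyName="\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion" Status="0x0"',
    'NtQueryValueKey ValueName="ProgramFilesDir" Status="0x0"',
]
```

Running `find_evasion_indicators(SAMPLE_TRACE)` yields four hits: two VirtualBox key-exists hits and a VirtualBox plus a VMware value-contains hit for SystemBiosVersion, while the benign CurrentVersion read produces none.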
Detection table
Check if the following registry values contain the following strings (case-insensitive):

| Detect | Registry path | Registry key | String |
|---|---|---|---|
| [general] | HKLM\HARDWARE\Description\System | SystemBiosDate | 06/23/99 |
| [general] | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | A M I |
| BOCHS | HKLM\HARDWARE\Description\System | SystemBiosVersion | BOCHS |
| BOCHS | HKLM\HARDWARE\Description\System | VideoBiosVersion | BOCHS |
| Anubis | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| Anubis | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-337-8429955-22614 |
| CwSandbox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| CwSandbox | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-644-3177037-23510 |
| JoeBox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| JoeBox | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 55274-640-2673064-23950 |
| Parallels | HKLM\HARDWARE\Description\System | SystemBiosVersion | PARALLELS |
| Parallels | HKLM\HARDWARE\Description\System | VideoBiosVersion | PARALLELS |
| QEMU | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | QEMU |
| QEMU | HKLM\HARDWARE\Description\System | SystemBiosVersion | QEMU |
| QEMU | HKLM\HARDWARE\Description\System | VideoBiosVersion | QEMU |
| QEMU | HKLM\HARDWARE\Description\System\BIOS | SystemManufacturer | QEMU |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
| VirtualBox | HKLM\HARDWARE\Description\System | SystemBiosVersion | VBOX |
| VirtualBox | HKLM\HARDWARE\Description\System | VideoBiosVersion | VIRTUALBOX |
| VirtualBox | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VIRTUAL |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VBOX |
| VirtualBox | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VBOX |
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUAL |
| VirtualBox | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUALBOX |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
| VMware | HKLM\HARDWARE\Description\System | SystemBiosVersion | VMWARE |
| VMware | HKLM\HARDWARE\Description\System | SystemBiosVersion | INTEL – 6040000 |
| VMware | HKLM\HARDWARE\Description\System | VideoBiosVersion | VMWARE |
| VMware | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 0 | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 1 | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VMware |
| VMware | HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VMware |
| VMware | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VMware |
| VMware | HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VMware |
| VMware | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VMware |
| VMware | HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VMware |
| VMware | HKCR\Installer\Products | ProductName | vmware tools |
| VMware | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| VMware | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | CoInstallers32 | *vmx* |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | DriverDesc | VMware* |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | InfSection | vmx* |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | ProviderName | VMware* |
| VMware | HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings | Device Description | VMware* |
| VMware | HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VMWARE |
| VMware | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vm3dmp |
| VMware | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vmx_svga |
| VMware | HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000 | Device Description | VMware SVGA* |
| Xen | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | Xen |
Countermeasures
Hook the target functions and return appropriate results if the indicators (registry strings from the tables) are checked.