
 #9133  by Tigzy
 Fri Oct 14, 2011 12:06 pm
Hello

I would like to ask for some information about the anti-VM techniques used by malware.
My aim is to develop a sort of rootkit technology able to hide everything that malware with anti-VM checks will look at, in order to allow their execution on a VM.

So, is anybody familiar with reversing anti-VM checks? What do they check?
 #9142  by EP_X0FF
 Fri Oct 14, 2011 1:06 pm
http://www.kernelmode.info/forum/viewto ... =99&p=6804

+ this script-kiddie code, which shows most of the principles.
unit AntiUnit;

// Information ~
// This unit is officially made by SaTaX
// You can contact me at satax@live.be
// August 2009 - > Thanks for some Opensc.ws Snippets (like the Assembler codes ^^.
// Please leave credits here if you use this unit.
// Thank You.
// Credits: SaTaX ~ Opensc.Ws !

// Reviewer summary: this unit bundles the environment checks the thread
// discusses as typical anti-analysis logic - a running analysis tool
// (processExists), a sandbox DLL mapped into the process (ModuleCheck),
// a well-known sandbox account name (IsUsername), an attached debugger
// (DebuggerPresent) and two hypervisor probes (InVMware, IsInVPC) -
// and CheckAnti ORs them together.  Every name and constant these checks
// use is an artifact an analysis environment exposes, so the list doubles
// as an inventory of what a sandbox operator should expect to be probed.
// Both assembler routines rely on 32-bit x86 registers and an FS:[0] SEH
// chain; they are 32-bit only.

interface

Uses
Windows,TlHelp32,SysUtils,Classes;

function processExists(exeFileName: string): Boolean;   // a process with this image name is running
function IsUsername(username: string): Boolean;         // current account name equals username
function ModuleCheck(comp: string) :Boolean;            // module comp is loaded in this process
function DebuggerPresent : boolean;                     // kernel32!IsDebuggerPresent, resolved at run time
function InVMware: Boolean;                             // VMware backdoor I/O port probe
function IsInVPC: boolean; assembler;                   // Virtual PC illegal-opcode probe
Function CheckAnti: Boolean;                            // OR of all checks above

implementation


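function processExists(exeFileName: string): Boolean;
{ Returns True when a running process has an image name matching
  exeFileName.  The comparison is case-insensitive and accepts either the
  bare file name or the full path stored in the snapshot entry.
  Returns False if CreateToolhelp32Snapshot fails; the original did not
  check this and would have walked an invalid handle and then passed it to
  CloseHandle.  The snapshot handle is now released in a finally block and
  the walk stops at the first match. }
var
  ContinueLoop: BOOL;
  FSnapshotHandle: THandle;
  FProcessEntry32: TProcessEntry32;
  Wanted: string;
begin
  Result := False;
  FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if FSnapshotHandle = INVALID_HANDLE_VALUE then
    Exit;
  try
    // Upper-case the wanted name once instead of on every iteration.
    Wanted := UpperCase(exeFileName);
    FProcessEntry32.dwSize := SizeOf(FProcessEntry32);
    ContinueLoop := Process32First(FSnapshotHandle, FProcessEntry32);
    while Integer(ContinueLoop) <> 0 do
    begin
      if (UpperCase(ExtractFileName(FProcessEntry32.szExeFile)) = Wanted) or
         (UpperCase(FProcessEntry32.szExeFile) = Wanted) then
      begin
        Result := True;
        Break;  // no need to walk the rest of the snapshot
      end;
      ContinueLoop := Process32Next(FSnapshotHandle, FProcessEntry32);
    end;
  finally
    CloseHandle(FSnapshotHandle);
  end;
end;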


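  function IsUsername(username: string): Boolean;
{ True when the account running this process is named exactly username
  (case-sensitive string comparison, as in the original).
  Fixes in this revision: the buffer obtained from AllocMem was never freed;
  the buffer was sized in bytes while GetUserName's size argument counts
  characters, so a Unicode build (SizeOf(Char) = 2) handed the API a buffer
  half as large as it claimed; and the result of GetUserName was ignored. }
var
  Buffer: PChar;
  BufferChars: DWORD;
begin
  Result := False;
  BufferChars := MAX_PATH;
  Buffer := AllocMem(BufferChars * SizeOf(Char));  // AllocMem zero-fills
  try
    if GetUserName(Buffer, BufferChars) then
      Result := (string(Buffer) = username);
  finally
    FreeMem(Buffer);
  end;
end;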

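  function ModuleCheck(comp: string) :Boolean;
{ True when a module (DLL) named comp is already mapped into this process.
  GetModuleHandle loads nothing and its answer does not change between
  consecutive calls, so the original's four-iteration loop over the same
  query was pure redundancy; a single call yields the same result. }
begin
  Result := GetModuleHandle(PChar(comp)) <> 0;
end;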

    function DebuggerPresent : boolean;
{ Reports whether a user-mode debugger is attached, by resolving
  kernel32!IsDebuggerPresent at run time rather than importing it statically
  (presumably so the unit still loads where the export is missing; in that
  case, or if kernel32 cannot be located, it returns False). }
type
  TIsDebuggerPresentFn = function: Boolean; stdcall;
var
  hKernel: HMODULE;
  Fn: TIsDebuggerPresentFn;
begin
  Result := False;
  hKernel := GetModuleHandle('kernel32');
  if hKernel = 0 then
    Exit;
  @Fn := GetProcAddress(hKernel, 'IsDebuggerPresent');
  if @Fn <> nil then
    Result := Fn();
end;

function InVMware: Boolean;
// Hypervisor probe: issues the VMware "backdoor" I/O port read.  EAX is
// loaded with the magic 564D5868h (ASCII 'VMXh'), DX with port 5658h and
// ECX with command 0Ah, then IN EAX,DX executes.  On bare hardware an IN
// from user mode faults; the SEH handler installed below catches that and
// steers execution to @@Handled, which yields False.  If the instruction
// completes without an exception, execution falls through to the True
// path.  Only "did it fault" is tested - whatever the port access leaves
// in EBX is not examined.
// NOTE(review): EBX is overwritten (3c6cf712h, later zeroed) and never
// restored; Delphi's register convention treats EBX as callee-saved, so a
// caller that keeps a value in EBX across this call would be affected -
// confirm.
// 32-bit x86 only: FS:[0]-based SEH frame and 32-bit registers.
asm
    XOR     EAX, EAX

    // Push an SEH record {prev, handler} and make it the head of the chain.
    PUSH    OFFSET @@Handler
    PUSH    DWORD PTR FS:[EAX]
    MOV     DWORD PTR FS:[EAX], ESP
    MOV     EAX, 564D5868h      // 'VMXh' magic
    MOV     EBX, 3c6cf712h      // arbitrary value; not checked afterwards
    MOV     ECX, 0Ah            // backdoor command number
    MOV     DX, 5658h           // backdoor port
    IN      EAX, DX             // faults on real hardware (user-mode IN)
    MOV     EAX, True           // reached only if no exception occurred
    JMP     @@NotHandle
@@Handler:
    // SEH handler: [ESP+$C] is the CONTEXT record.  Point its EIP at
    // @@Handled and return 0 (ExceptionContinueExecution).
    MOV     EAX, [ESP+$C]
    MOV     TContext(EAX).EIP, OFFSET @@Handled
    XOR     EAX, EAX
    RET
@@Handled:
    XOR     EAX, EAX            // result := False
@@NotHandle:
    // Unlink our SEH record: restore FS:[0], then drop the handler pointer.
    XOR     EBX, EBX
    POP     DWORD PTR FS:[EBX]
    ADD     ESP, 4
end;




 function IsInVPC: boolean; assembler;
// Hypervisor probe attributed to Virtual PC: executes the 4-byte sequence
// 0F 3F 07 0B, which is not a valid x86 instruction.  On bare hardware it
// raises an exception; the handler below stores -1 into Ebx in the saved
// CONTEXT and advances Eip past the 4 bytes.  If no exception occurs, EBX
// keeps the 0 loaded just before the sequence.  The result (AL) is thus
// 1 exactly when EBX is still 0 - "no fault" is read as "inside VPC" (the
// function name implies the hypervisor handles this sequence itself; the
// code does not verify that).  Unlike InVMware, EBX and EBP are preserved.
// Offsets 0A4h and 0B8h are Ebx and Eip in the 32-bit x86 CONTEXT layout.
// 32-bit x86 only.
asm
  push ebp

  mov  ecx, offset @@exception_handler
  mov  ebp, esp

  push ebx
  push ecx                      // handler address
  push dword ptr fs:[0]         // previous SEH record
  mov  dword ptr fs:[0], esp    // link our record at the head of the chain

  mov  ebx, 0                   // sentinel: stays 0 only if no fault occurs
  mov  eax, 1
  db 00Fh, 03Fh, 007h, 00Bh     // invalid opcode sequence on real CPUs

  mov eax, dword ptr ss:[esp]   // restore previous FS:[0]
  mov dword ptr fs:[0], eax
  add esp, 8                    // drop our SEH record (prev + handler)

  test ebx, ebx
  setz al                       // AL := (EBX = 0)
  lea esp, dword ptr ss:[ebp-4] // ESP -> saved ebx
  mov ebx, dword ptr ss:[esp]
  mov ebp, dword ptr ss:[esp+4]
  add esp, 8
  jmp @@ret
  @@exception_handler:
  // [esp+0Ch] is the CONTEXT record.  Flag the fault in Ebx, step Eip over
  // the 4-byte sequence and return 0 (ExceptionContinueExecution).
  mov ecx, [esp+0Ch]
  mov dword ptr [ecx+0A4h], -1  // CONTEXT.Ebx
  add dword ptr [ecx+0B8h], 4   // CONTEXT.Eip
  xor eax, eax
  ret
  @@ret:
end;


  Function CheckAnti: Boolean;
{ Aggregates every check in the unit: True as soon as one known
  analysis-environment artifact is found, False if none matches.  The
  artifact lists below are exactly those of the original chain, grouped by
  the routine that inspects them; each comment names the tool the entry was
  attributed to.  Evaluation stops at the first hit. }
const
  ToolProcesses: array[0..6] of string = (
    'joeboxcontrol.exe',  //JoeBox
    'joeboxserver.exe',   //Joebox 2
    'wireshark.exe',      // WireShark
    'regmon.exe',         //Regmon
    'filemon.exe',        //FileMon
    'procmon.exe',        //ProcMon
    'VBoxService.exe');   //Vbox
  SandboxModules: array[0..2] of string = (
    'SbieDll.dll',        //Sandboxie
    'api_log.dll',        //SunBelt
    'dir_watch.dll');     //Sulbelt's Sandbox
  SandboxAccounts: array[0..3] of string = (
    'username',           //ThreadExpert
    'USER',               //Sandbox
    'user',               //Sandbox 2
    'currentuser');       //Normal
var
  ExePath: string;
  i: Integer;
begin
  Result := True;  // every early Exit below reports a hit

  for i := Low(ToolProcesses) to High(ToolProcesses) do
    if processExists(ToolProcesses[i]) then Exit;

  for i := Low(SandboxModules) to High(SandboxModules) do
    if ModuleCheck(SandboxModules[i]) then Exit;

  for i := Low(SandboxAccounts) to High(SandboxAccounts) do
    if IsUsername(SandboxAccounts[i]) then Exit;

  ExePath := ExtractFilePath(ParamStr(0));
  if Pos('c:\insidetm', ExePath) <> 0 then Exit;  //Anubis
  if DirectoryExists('C:\analysis') then Exit;    // Sunbelt 3
  if DebuggerPresent then Exit;                   //Debuggers
  if InVMware then Exit;                          //VmWare
  if IsInVPC then Exit;

  Result := False;
end;

end.
Properly configured VMs with hardware support can't be detected by 99.9% of ITW malware, so your development makes no sense. Everything is already in place.
 #9143  by Tigzy
 Fri Oct 14, 2011 1:11 pm
Properly configured VMs with hardware support can't be detected by 99.9% of ITW malware, so your development makes no sense. Everything is already in place.
Can you explain more about that?
Hardware support can't replace VBox guest additions, for example?
 #9145  by EP_X0FF
 Fri Oct 14, 2011 1:22 pm
Remove all kinds of Tools/Additions etc.; remove them completely. They are perfect flags for malware. Turn on VT-x. Forget about methods described 5 years ago - they do not work anymore. Malware may detect specific tools by their window names, class names and process names (for example some Sysinternals tools, Wireshark, debuggers), so you need to hide them well too. Usually HideToolz + debugger plugins are enough for this.
 #9146  by Tigzy
 Fri Oct 14, 2011 1:32 pm
And what about structure address shifting? Isn't that used as much?
In the PDF given by Xylitol, there's a whole f**king lot of techniques to detect COM channels, SCSI devices, ...
We can also inject specific processor instructions, ....

-----

I agree additions are gifts for anti-VM, but tell me you don't want to use shared folders or debug your favorite malware with fullscreen? :mrgreen:
I guess this is easily hideable with RK techniques.

--

My aim is to hide everything with one tool, without having to take care of each tool I want to launch.
EDIT: Any sample of malware with basic anti-VM embedded?
 #9147  by EP_X0FF
 Fri Oct 14, 2011 1:37 pm
Tigzy wrote:My aim is to hide everything with one tool
How do you suppose to do that?

This is program A. It is detected by malware. This is program B. It is detected by malware. A and B are all different and all GUI based. How are you planning to protect them from detection in a generic way? It's impossible.
Any sample of malware with basic anti-VM embedded?
take this ransom as a primitive example

http://www.kernelmode.info/forum/viewto ... 8976#p8976
And what about structure address shifting? Isn't that used as much?
In the PDF given by Xylitol, there's a whole f**king lot of techniques to detect COM channels, SCSI devices, ...
We can also inject specific processor instructions, ....
Take a look at the year of this PDF. And then try some of these tricks with current VMs.
but tell me you don't want to use shared folders or debug your favorite malware with fullscreen?
Usually I don't care about and don't need anything you listed.
 #9150  by Tigzy
 Fri Oct 14, 2011 2:42 pm
This is program A. It is detected by malware. This is program B. It is detected by malware. A and B are all different and all GUI based. How are you planning to protect them from detection in a generic way? It's impossible.
I mean every program that is often targeted (process exp, OllyDbg, etc.). Malware has generic ways to detect them, so I only need to act in the same way.

@frank: Thanks for sharing this ;)