2015-10-10 蔡东赟
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
Or check IDE\DISK directly; it will contain QEMU, vbox, vmware, virtualhd
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
0 SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\4&5fcaafc&0&000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\Enum
Virtual machine processes that are enumerated:
"VBoxTray.exe"
"VBoxService.exe"
"VMwareUser.exe"
"VMwareTray.exe"
"VMUpgradeHelper.exe"
"vmtoolsd.exe"
"vmacthlp.exe"
Various driver files
c:\windows\system32\drivers\winmouse.sys
The packer checks for the existence of the following files.
%system32%\drivers\vmmouse.sys
%system32%\drivers\vmhgfs.sys
%system32%\drivers\VBoxMouse.sys
%system32%\drivers\VBoxGuest.sys
The first two are used by VMware; the latter
Whether the driver files hgfs.sys, prleth.sys or vmhgfs.sys exist under the %System32\drivers\ directory; hgfs.sys is a VMware Tools driver.
Virtual machine hardware information
The VM's network adapter carries a fixed fingerprint.
MAC address:
00:05:69:xx:xx:xx VMware
00:0C:29:xx:xx:xx VMware
00:1C:14:xx:xx:xx VMware
00:50:56:xx:xx:xx VMware
00:15:5D:xx:xx:xx Hyper-V
00:16:3e:xx:xx:xx Xen
Information about the installed system environment, such as volume information
For example, a malware sample may query the system volume information through kernel32.GetVolumeInformationA. Because each guest OS partition in a VM is copied from the host, several volumes may carry identical information, and if an attacker has learned the volume-information fingerprint of the base OS image used by a particular sandbox product, evading it becomes easy.
(Manually, this can be inspected with wmic.exe volume at a cmd prompt.)
opens hard drive ‘\\.\PhysicalDrive0’ and sends control code 0x2D1400 to it (see Figure 2). It then checks whether the output buffer contains any of the following strings:
‘vbox’
‘qemu’
‘vmware’
‘virtual’
‘qm00001’
‘array’
‘00000000000000000001’
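The following is an added example, not code from the original post: a small, offline audit helper a sandbox operator can run over artifacts collected from a guest (MAC addresses, the Disk\Enum and Enum\SCSI device IDs, running process names, driver paths, and the raw buffer returned by control code 0x2D1400, which is IOCTL_STORAGE_QUERY_PROPERTY and yields the vendor/product strings of the disk) to see which of the fingerprints listed above the environment still exposes. The `audit()` input layout, the sample guest data and the labelling of prleth.sys as a Parallels driver are my assumptions; everything else follows the lists in the post.

```python
"""Sandbox-hardening audit over the VM fingerprints listed in the post.

Added example; not the original post's code. Every sample value is constructed.
"""
import re

# MAC OUIs from the post, normalised to six upper-case hex digits.
MAC_OUIS = {
    "000569": "VMware", "000C29": "VMware", "001C14": "VMware",
    "005056": "VMware", "00155D": "Hyper-V", "00163E": "Xen",
}

# Substrings the packer looks for in the 0x2D1400 output buffer.
DISK_DESCRIPTOR_MARKERS = (
    b"vbox", b"qemu", b"vmware", b"virtual", b"qm00001", b"array",
    b"00000000000000000001",
)

# Guest-tool processes and driver files named in the post.
VM_PROCESSES = {
    "vboxtray.exe": "VirtualBox", "vboxservice.exe": "VirtualBox",
    "vmwareuser.exe": "VMware", "vmwaretray.exe": "VMware",
    "vmupgradehelper.exe": "VMware", "vmtoolsd.exe": "VMware",
    "vmacthlp.exe": "VMware",
}
VM_DRIVERS = {
    "vmmouse.sys": "VMware", "vmhgfs.sys": "VMware", "hgfs.sys": "VMware",
    "prleth.sys": "Parallels",  # assumption: the post does not name the vendor
    "vboxmouse.sys": "VirtualBox", "vboxguest.sys": "VirtualBox",
}


def classify_mac(mac):
    """Return the hypervisor vendor for a MAC whose OUI is in the post's list, else None."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return MAC_OUIS.get(digits[:6])


def scan_disk_descriptor(buf):
    """Return the marker strings found (case-insensitively) in the IOCTL output buffer."""
    low = buf.lower()
    return [m.decode() for m in DISK_DESCRIPTOR_MARKERS if m in low]


def scan_device_ids(device_ids):
    """Flag registry device IDs (Disk\\Enum, Enum\\SCSI, Enum\\IDE) naming a hypervisor."""
    hits = []
    for dev in device_ids:
        low = dev.lower()
        for marker in ("vmware", "vbox", "qemu", "virtual"):
            if marker in low:
                hits.append((dev, marker))
                break
    return hits


def audit(guest):
    """Return (category, artifact, what_it_reveals) tuples for every leaked fingerprint."""
    findings = []
    for mac in guest.get("macs", []):
        vendor = classify_mac(mac)
        if vendor:
            findings.append(("mac", mac, vendor))
    for dev, marker in scan_device_ids(guest.get("device_ids", [])):
        findings.append(("registry", dev, marker))
    for proc in guest.get("processes", []):
        vendor = VM_PROCESSES.get(proc.lower())
        if vendor:
            findings.append(("process", proc, vendor))
    for path in guest.get("drivers", []):
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        vendor = VM_DRIVERS.get(name)
        if vendor:
            findings.append(("driver", path, vendor))
    for marker in scan_disk_descriptor(guest.get("disk_descriptor", b"")):
        findings.append(("ioctl_0x2D1400", marker, "disk vendor/product string"))
    return findings


# Constructed guest snapshot. The 52:54:00 address is the QEMU/KVM default
# prefix; it is not in the post's OUI list, so the audit does not flag it.
SAMPLE_GUEST = {
    "macs": ["00:0C:29:AB:CD:EF", "00-15-5d-00-11-22", "52:54:00:12:34:56"],
    "device_ids": [
        r"SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\4&5fcaafc&0&000",
        r"IDE\DiskST1000DM003-1CH162________________________CC46\5&1a2b3c4d&0&0.0.0",
    ],
    "processes": ["explorer.exe", "vmtoolsd.exe", "VBoxTray.exe"],
    "drivers": [r"C:\Windows\System32\drivers\vmhgfs.sys",
                r"C:\Windows\System32\drivers\disk.sys"],
    # Crude stand-in for a STORAGE_DEVICE_DESCRIPTOR: header bytes, then strings.
    "disk_descriptor": b"\x00" * 36 + b"VMware  \x00Virtual disk    \x00",
}

if __name__ == "__main__":
    for category, artifact, reveals in audit(SAMPLE_GUEST):
        print("%-15s %-70s -> %s" % (category, artifact, reveals))
```

Each finding names the artifact an operator would need to rename, patch or hide; anything the list in the post does not cover (such as the 52:54:00 address in the sample) is deliberately left unflagged so the gaps in a list-based check are visible too.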
For other code, see https://github.com/David-Reguera-Garcia-Dreg/anticuckoo
posted on 2015-10-10 11:00