Al-Khaser v0.72 – Public malware techniques used in the wild (Virtual Machine, Emulation, Debuggers, Sandbox detection)

al-khaser is a PoC “malware” application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.

Features

Anti-debugging attacks

  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • Process Environment Block (BeingDebugged)
  • Process Environment Block (NtGlobalFlag)
  • ProcessHeap (Flags)
  • ProcessHeap (ForceFlags)
  • NtQueryInformationProcess (ProcessDebugPort)
  • NtQueryInformationProcess (ProcessDebugFlags)
  • NtQueryInformationProcess (ProcessDebugObject)
  • NtSetInformationThread (HideThreadFromDebugger)
  • NtQueryObject (ObjectTypeInformation)
  • NtQueryObject (ObjectAllTypesInformation)
  • CloseHandle (NtClose) Invalid Handle
  • SetHandleInformation (Protected Handle)
  • UnhandledExceptionFilter
  • OutputDebugString (GetLastError())
  • Hardware Breakpoints (SEH / GetThreadContext)
  • Software Breakpoints (INT3 / 0xCC)
  • Memory Breakpoints (PAGE_GUARD)
  • Interrupt 0x2d
  • Interrupt 1
  • Parent Process (Explorer.exe)
  • SeDebugPrivilege (Csrss.exe)
  • NtYieldExecution / SwitchToThread
  • TLS callbacks
  • Process jobs


Anti-Dumping

  • Erase PE header from memory
  • SizeOfImage

Timing Attacks [Anti-Sandbox]

  • RDTSC (with CPUID to force a VM Exit)
  • RDTSC (Locky version with GetProcessHeap & CloseHandle)
  • Sleep -> SleepEx -> NtDelayExecution
  • Sleep (in a loop with a small delay)
  • Sleep and check if time was accelerated (GetTickCount)
  • SetTimer (Standard Windows Timers)
  • timeSetEvent (Multimedia Timers)
  • WaitForSingleObject -> WaitForSingleObjectEx -> NtWaitForSingleObject
  • WaitForMultipleObjects -> WaitForMultipleObjectsEx -> NtWaitForMultipleObjects (todo)
  • IcmpSendEcho (CCleaner Malware)
  • CreateWaitableTimer (todo)
  • CreateTimerQueueTimer (todo)
  • Big crypto loops (todo)

Human Interaction / Generic [Anti-Sandbox]

  • Mouse movement
  • Total Physical memory (GlobalMemoryStatusEx)
  • Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
  • Disk size using GetDiskFreeSpaceEx (TotalNumberOfBytes)
  • Mouse (Single click / Double click) (todo)
  • DialogBox (todo)
  • Scrolling (todo)
  • Execution after reboot (todo)
  • Count of processors (Win32/Tinba – Win32/Dyre)
  • Sandbox known product IDs (todo)
  • Color of background pixel (todo)
  • Keyboard layout (Win32/Banload) (todo)

Anti-Virtualization / Full-System Emulation

  • Registry key value artifacts

    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
    • HARDWARE\Description\System (SystemBiosVersion) (VBOX)
    • HARDWARE\Description\System (SystemBiosVersion) (QEMU)
    • HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
    • HARDWARE\Description\System (SystemBiosDate) (06/23/99)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
  • Registry Keys artifacts

    • “HARDWARE\ACPI\DSDT\VBOX__”
    • “HARDWARE\ACPI\FADT\VBOX__”
    • “HARDWARE\ACPI\RSDT\VBOX__”
    • “SOFTWARE\Oracle\VirtualBox Guest Additions”
    • “SYSTEM\ControlSet001\Services\VBoxGuest”
    • “SYSTEM\ControlSet001\Services\VBoxMouse”
    • “SYSTEM\ControlSet001\Services\VBoxService”
    • “SYSTEM\ControlSet001\Services\VBoxSF”
    • “SYSTEM\ControlSet001\Services\VBoxVideo”
    • “SOFTWARE\VMware, Inc.\VMware Tools”
    • “SOFTWARE\Wine”
  • File system artifacts

    • “system32\drivers\VBoxMouse.sys”
    • “system32\drivers\VBoxGuest.sys”
    • “system32\drivers\VBoxSF.sys”
    • “system32\drivers\VBoxVideo.sys”
    • “system32\vboxdisp.dll”
    • “system32\vboxhook.dll”
    • “system32\vboxmrxnp.dll”
    • “system32\vboxogl.dll”
    • “system32\vboxoglarrayspu.dll”
    • “system32\vboxoglcrutil.dll”
    • “system32\vboxoglerrorspu.dll”
    • “system32\vboxoglfeedbackspu.dll”
    • “system32\vboxoglpackspu.dll”
    • “system32\vboxoglpassthroughspu.dll”
    • “system32\vboxservice.exe”
    • “system32\vboxtray.exe”
    • “system32\VBoxControl.exe”
    • “system32\drivers\vmmouse.sys”
    • “system32\drivers\vmhgfs.sys”
  • Directories artifacts

    • “%PROGRAMFILES%\oracle\virtualbox guest additions”
    • “%PROGRAMFILES%\VMWare”
  • Memory artifacts

    • Interrupt Descriptor Table (IDT) location
    • Local Descriptor Table (LDT) location
    • Global Descriptor Table (GDT) location
    • Task state segment trick with STR
  • MAC Address

    • “\x08\x00\x27” (VBOX)
    • “\x00\x05\x69” (VMWARE)
    • “\x00\x0C\x29” (VMWARE)
    • “\x00\x1C\x14” (VMWARE)
    • “\x00\x50\x56” (VMWARE)
  • Virtual devices

    • “\\.\VBoxMiniRdrDN”
    • “\\.\VBoxGuest”
    • “\\.\pipe\VBoxMiniRdDN”
    • “\\.\VBoxTrayIPC”
    • “\\.\pipe\VBoxTrayIPC”
    • “\\.\HGFS”
    • “\\.\vmci”
  • Hardware Device information

    • SetupAPI SetupDiEnumDeviceInfo (GUID_DEVCLASS_DISKDRIVE)
      • QEMU
      • VMWare
      • VBOX
      • VIRTUAL HD
  • System Firmware Tables

    • SMBIOS string checks (VirtualBox)
    • ACPI string checks (VirtualBox)
  • Adapter name

    • VMWare
  • Windows Class

    • VBoxTrayToolWndClass
    • VBoxTrayToolWnd
  • Network shares

    • VirtualBox Shared Folders
  • Processes

    • vboxservice.exe (VBOX)
    • vboxtray.exe (VBOX)
    • vmtoolsd.exe (VMWARE)
    • vmwaretray.exe (VMWARE)
    • vmwareuser (VMWARE)
    • vmsrvc.exe (VirtualPC)
    • vmusrvc.exe (VirtualPC)
    • prl_cc.exe (Parallels)
    • prl_tools.exe (Parallels)
    • xenservice.exe (Citrix Xen)
  • WMI

    • SELECT * FROM Win32_Bios (SerialNumber) (VMWARE)
    • SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)
    • SELECT * FROM Win32_NetworkAdapterConfiguration (MACAddress) (VBOX)
    • SELECT * FROM Win32_NTEventlogFile (VBOX)
    • SELECT * FROM Win32_Processor (NumberOfCores) (GENERIC)
    • SELECT * FROM Win32_LogicalDisk (Size) (GENERIC)
  • DLL Exports and Loaded DLLs

    • kernel32.dll!wine_get_unix_file_name (Wine)
    • sbiedll.dll (Sandboxie)
    • dbghelp.dll (MS debugging support routines)
    • api_log.dll (iDefense Labs)
    • dir_watch.dll (iDefense Labs)
    • pstorec.dll (SunBelt Sandbox)
    • vmcheck.dll (Virtual PC)
    • wpespy.dll (WPE Pro)
  • CPU

    • Hypervisor presence using CPUID (EAX=0x1)
    • Hypervisor vendor using CPUID (EAX=0x40000000)
      • “KVMKVMKVM” (KVM)
      • “Microsoft Hv” (Microsoft Hyper-V or Windows Virtual PC)
      • “VMwareVMware” (VMware)
      • “XenVMMXenVMM” (Xen)
      • “prl hyperv ” (Parallels)
      • “VBoxVBoxVBox” (VirtualBox)
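The two CPU checks above rest on CPUID leaf 1 (hypervisor-present bit) and leaf 0x40000000 (vendor signature). The following is an added example, not al-khaser's own code, that decodes those leaves so a sandbox operator can run it inside the analysis VM and see exactly which signature a sample would read; the function names are my own and the signature table is the one listed on this page.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
/* Raw CPUID wrapper. Leaf 0x40000000 lies above the basic maximum, so on GCC/Clang
 * the __cpuid macro is used rather than __get_cpuid, which would refuse that leaf. */
#if defined(_MSC_VER)
#include <intrin.h>
static void cpuid_raw(uint32_t leaf, uint32_t r[4]) {
    int regs[4];
    __cpuid(regs, (int)leaf);
    for (int i = 0; i < 4; i++) r[i] = (uint32_t)regs[i];
}
#elif defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
static void cpuid_raw(uint32_t leaf, uint32_t r[4]) {
    __cpuid(leaf, r[0], r[1], r[2], r[3]);
}
#else
static void cpuid_raw(uint32_t leaf, uint32_t r[4]) {
    (void)leaf; r[0] = r[1] = r[2] = r[3] = 0;   /* non-x86 build: nothing to query */
}
#endif
/* Leaf 1: ECX bit 31 is the "hypervisor present" bit. */
int hypervisor_present(uint32_t leaf1_ecx) { return (int)((leaf1_ecx >> 31) & 1u); }
/* Leaf 0x40000000: EBX, ECX, EDX carry the 12-byte vendor signature, little-endian. */
void hypervisor_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4); memcpy(out + 4, &ecx, 4); memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}
/* Signatures as listed on the page (prefix match); anything else is reported as unknown. */
const char *vendor_name(const char *sig) {
    static const struct { const char *sig, *name; } known[] = {
        {"KVMKVMKVM", "KVM"}, {"Microsoft Hv", "Microsoft Hyper-V / Windows Virtual PC"},
        {"VMwareVMware", "VMware"}, {"XenVMMXenVMM", "Xen"},
        {"prl hyperv", "Parallels"}, {"VBoxVBoxVBox", "VirtualBox"},
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strncmp(sig, known[i].sig, strlen(known[i].sig)) == 0) return known[i].name;
    return "unknown";
}
int main(void) {   /* run inside the analysis VM to see what a sample would read */
    uint32_t r[4]; char sig[13];
    cpuid_raw(1, r);
    printf("hypervisor bit: %d\n", hypervisor_present(r[2]));
    cpuid_raw(0x40000000u, r);
    hypervisor_vendor(r[1], r[2], r[3], sig);
    printf("vendor signature: \"%s\" -> %s\n", sig, vendor_name(sig));
    return 0;
}
```

On bare metal the hypervisor bit is 0 and the signature is whatever the CPU returns for its highest basic leaf, which `vendor_name` reports as unknown.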

Anti-Analysis

  • Processes
    • OllyDBG / ImmunityDebugger / WinDbg / IDA Pro
    • SysInternals Suite Tools (Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns)
    • Wireshark / Dumpcap
    • ProcessHacker / SysAnalyzer / HookExplorer / SysInspector
    • ImportREC / PETools / LordPE
    • JoeBox Sandbox

Macro malware attacks

  • Document_Close / Auto_Close.
  • Application.RecentFiles.Count

Code/DLL Injections techniques

  • CreateRemoteThread
  • SetWindowsHooksEx
  • NtCreateThreadEx
  • RtlCreateUserThread
  • APC (QueueUserAPC / NtQueueApcThread)
  • RunPE (GetThreadContext / SetThreadContext)
