VMWare Detect using OEMString
Tuesday, December 10, 2013 | Author: Deep Flash
The usage of anti VM/Sandbox detection tricks is becoming more common nowadays. These are used by malwares to detect that they are running inside a sandbox.

However, most of the tricks used in malwares make it evident that they are trying to detect VM. For instance, they look up Registry Keys/Process Names for strings like "vmware", "virtual", "qemu", "xen". If the reverser is stepping through the code of a virus, they can easily make out that this malware is VM-Aware.

I am more interested in methods which detect the VM using assembly language instructions only. There are certain assembly language instructions for which there is a different behavior exhibited by VMWare guest than host operating systems. Tricks that use SIDT, SLDT, SGDT, backdoor interface of virtual machine (VMXh) and others are known.

I was working on finding a new way to detect that we are running inside VMWare. At the same time, I did not want this method to rely on evident strings as mentioned above. After exploring the memory address space of the *.vmem file of my Virtual Machine, I developed a good method.

VMWare has a specific OEM String that looks like: MS_VM_CERT/SHA1/

This OEMString will be present in the SMBIOS. On operating systems like Linux you can view it using dmidecode which is able to extract information from the SMBIOS structures.

On Windows, you can get some information from the SMBIOS using wmic (Windows Management Instrumentation Console).

I noticed that you can also get the same information from the process address space of csrss.exe. Below you can see the result of scanning the process address space of Windows XP SP3 Virtual Machine using the yarascan plugin of volatility framework. It shows that OEMString was found in csrss.exe's address space:

So, we can detect the presence of VMWare by scanning csrss.exe's process address space and looking for the string, MS_VM_CERT. I wrote the following code in C to do this:



Here is the output of the code:


Advantages:

1. We are not scanning for an evident string like "vmware", "virtual" and so on which would give away the trick to the reverser.
2. Currently my code scans for MS_VM_CERT. However, it is also possible to scan for the SHA-1 hash. I have observed that the SHA-1 hash is consistent on most VMWare Virtual Machine instances. This would need to be tested further.
3. Scanning in the memory is much more effective than checking the Windows Registry, Processes or File System artifacts for strings related to VMWare. These can be modified easily by the malware analysts in the VM to prevent basic VM detection tricks from working. However, modifying the OEM String in memory is not that easy.

To test:

1. On different products of VMWare like VMWare Fusion, different versions of VMWare Workstation.
2. By setting the option, SMBIOS.reflectHost = True in the VMWare configuration file.

c0d3inj3cT
Anti Debugging tricks and Control Flow obfuscations
Saturday, December 07, 2013 | Author: Deep Flash
Recently while analyzing a virus, I came across an interesting sample. It is a package of several anti debugging, anti sandbox and control flow obfuscations tricks. All these are used to deter the reverse engineering.

Let us discuss them one by one:

It invokes certain subroutines by triggering an exception. It first registers an exception handler. Then it decrypts the code of that exception handler. Once this is done, it triggers an exception by executing a privileged instruction like CLI and STI (both these instructions are privileged in the protected mode).

Since an exception is triggered, the corresponding exception handler from the SEH chain will be invoked. This is a control flow obfuscation trick. Below screenshot shows an exception triggered after executing the CLI instruction. On the stack we can see the exception handler address as: 0x00401610. To continue the analysis in Olly Debugger, we can press, Shift + F9 and pass the exception to the exception handler or we can just set the EIP to 0x00401610.


Inside this handler, it uses a well known anti debugging trick. It checks the value of BeingDebugged field of PEB (Process Environment Block), at offset 0x2. If the program is being debugged, then this field is set to 0x1. There are Olly Debugger plugins available which will patch this value in the PEB structure to protect from such anti debugging tricks. If you do not have the plugin, you can just patch the conditional jump after the comparison.


The below screenshot shows the encrypted code of the exception handler at address, 0x00401577. The decryption routine is an easy single byte XOR decryption routine. Once decrypted, we find an INT 2D instruction after the LOOPD instruction.


INT 2D has a special behavior in Olly Debugger. Olly will skip the next byte in execution as a result of which the control flow is obfuscated. We need to manually set the EIP to the exception handler code at: 0x00401577.


Inside the second exception handler, it again uses a well known anti debugging trick by checking the value of NtGlobalFlags inside the PEB at offset 0x68. If this value is set to 0x70, then the program is being debugged. Once again, there are plugins available to patch these fields in the PEB structure.


Now, it decrypts the code of the third exception handler which is invoked using another privileged instruction, STI.


Inside the third exception handler, it uses the strstr() function to find the substring, "sample" inside the full path name of the virus.

Though this trick is simple, it can be effective since many malware analysts set the name of the virus or the folder in which they store it, as "sample". If it finds this substring, it exits the process using ExitProcess().

The next trick checks the volume serial number of C: Logical Drive by calling GetVolumeInformation(). It compares the volume serial number with: 0x0CD1A40 and 0x70144646. If either of these matches are true, it exits the process.

00401160   817D 00 401ACD00 CMP DWORD PTR SS:[EBP],0CD1A40
00401167   74 09            JE SHORT gvtfifjh.00401172
00401169   817D 00 46461470 CMP DWORD PTR SS:[EBP],70144646
00401170   75 05            JNZ SHORT gvtfifjh.00401177


Next, it queries the following registry key to get information about the Disk.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum

For example, in the case of VMWare the value of the subkey, "0" is set to:

IDE\DiskVMware_Virtual_IDE_Hard_Drive___________00000001\3030303030303030303030303030303030303130

This string is converted to lowercase and then using the strstr() function, it checks for the presence of following substrings inside the above string:

1. xen
2. vmware
3. virtual
4. qemu


If it finds any match, then it exits the process.

In the next trick, it tries to get the module handle for dbghelp.dll and sbiedll.dll files using GetModuleHandleA. If the module handle is returned, then it exits the process. These DLL files are used by common sandboxes like Sandboxie and ThreatExpert.


It also uses a recently discovered bug in Olly Debugger where it does not break at the exception handler when we trigger an exception by calling RaiseException() with the exception code, 0x80000003.

It first registers an exception handler which has the malicious subroutine code and then triggers the exception by calling RaiseException.

  
In this case, we can manually set the EIP to 0x0040126D as shown below and continue debugging from there: