Circumvention Technology: Registry

Original address ：Evasions: Registry (checkpoint.com)
Original title ：Evasions: Registry Updated date ：2021 year 5 month 17 Late Japanese article ： Expand the content according to what you have learned because of your limited technology , We can only do our best to translate foreign technical articles , For everyone to learn , If there is something improper or perfect , I hope it can be pointed out that , Used to jointly improve this article . Directory registry detection method 1. Check whether there is a specific registry path 2. Check whether the specific registry key contains the specified string. The countermeasures are attributed to the registry detection methods. The principles of all registry detection methods are as follows ： There are no such registry keys and values in normal hosts . However , They exist in specific virtual environments . Sometimes , Common systems may cause false positives when applying these checks , Because it installs some virtual machines , Therefore, there are some virtual machine artifacts in the system . Although in all other respects , Such a system is cleaner than a virtual environment . The registry key can be accessed through WinAPI Call query .kernel32.dll Functions used in ：RegOpenKeyRegOpenKeyExRegQueryValueRegQueryValueExRegCloseKeyRegEnumKeyEx The above function is in the following ntdll.dll On top of the function wrappers：NtOpenKeyNtEnumerateKeyNtQueryValueKeyNtClose1. Check whether there is a specific registry path. See the title section , To get the list of functions used . Code samples ：/* sample of usage: see detection of VirtualBox in the table below to check registry path /int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, “HARDWARE\ACPI\FADT\VBOX__”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; / regkey_s == “HARDWARE\ACPI\FADT\VBOX__”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE;} The author of this code sample ：pafish project Identification flag if the following function contains a list Registry path Second parameter of NtOpenKey(…, registry_path, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry path exists : Detect registry path （registry path） details （ If any ）[general]HKLM\Software\Classes\Folder\shell\sandboxHyper-V HKLM\SOFTWARE\Microsoft\Hyper-VHKLM\SOFTWARE\Microsoft\VirtualMachine HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters Usually "HostName " and "VirtualMachineName " The value of is read in this path .HKLM\SYSTEM\ControlSet001\Services\vmicheartbeatHKLM\SYSTEM\ControlSet001\Services\vmicvss HKLM\SYSTEM\ControlSet001\Services\vmicshutdown HKLM\SYSTEM\ControlSet001\Services\vmicexchange Parallels HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8 Subkeys have the following structure VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWSandboxieHKLM\SYSTEM\CurrentControlSet\Services\SbieDrvHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie VirtualBox HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\HARDWARE\ACPI\DSDT\VBOX__HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions HKLM\SYSTEM\ControlSet001\Services\VBoxGuest HKLM\SYSTEM\ControlSet001\Services\VBoxMouse HKLM\SYSTEM\ControlSet001\Services\VBoxService HKLM\SYSTEM\ControlSet001\Services\VBoxSF HKLM\SYSTEM\ControlSet001\Services\VBoxVideo VirtualPC HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333 Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\SYSTEM\ControlSet001\Services\vpcbusHKLM\SYSTEM\ControlSet001\Services\vpc-s3 HKLM\SYSTEM\ControlSet001\Services\vpcuhub HKLM\SYSTEM\ControlSet001\Services\msvmmouf VMware HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKCU\SOFTWARE\VMware, Inc.\VMware ToolsHKLM\SOFTWARE\VMware, Inc.\VMware Tools HKLM\SYSTEM\ControlSet001\Services\vmdebug HKLM\SYSTEM\ControlSet001\Services\vmmouse HKLM\SYSTEM\ControlSet001\Services\VMTools HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL HKLM\SYSTEM\ControlSet001\Services\vmware HKLM\SYSTEM\ControlSet001\Services\vmci HKLM\SYSTEM\ControlSet001\Services\vmx86 HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* Wine HKCU\SOFTWARE\WineHKLM\SOFTWARE\Wine Xen HKLM\HARDWARE\ACPI\DSDT\xenHKLM\HARDWARE\ACPI\FADT\xen HKLM\HARDWARE\ACPI\RSDT\xen HKLM\SYSTEM\ControlSet001\Services\xenevtchn HKLM\SYSTEM\ControlSet001\Services\xennet HKLM\SYSTEM\ControlSet001\Services\xennet6 HKLM\SYSTEM\ControlSet001\Services\xensvc HKLM\SYSTEM\ControlSet001\Services\xenvdb In special circumstances , Malware may enumerate subkeys and check whether the name of the subkey contains some strings , Instead of checking whether the specified key exists . for example ： list "HKLM\SYSTEM\ControlSet001\Services" And search "VBox " character string .2. Check whether the specific registry key contains the specified string. See the title section , To get a list of functions used . Please note that , Case has nothing to do with these checks ： It can be uppercase or lowercase . Code samples ：/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values /int vbox_reg_key2() { return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, “HARDWARE\Description\System”, “SystemBiosVersion”, “VBOX”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) { / regkey_s == “HARDWARE\Description\System”; value_s == “SystemBiosVersion”; lookup == “VBOX”; / HKEY regkey; LONG ret; DWORD size; char value[1024], * lookup_str; size_t lookup_size; lookup_size = strlen(lookup); lookup_str = malloc(lookup_size+sizeof(char)); strncpy(lookup_str, lookup, lookup_size+sizeof(char)); size = sizeof(value); / regkey_s == “HARDWARE\Description\System”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey); } if (ret == ERROR_SUCCESS) { / value_s == “SystemBiosVersion”; / ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE)value, &size); RegCloseKey(regkey); if (ret == ERROR_SUCCESS) { size_t i; for (i = 0; i < strlen(value); i++) { /* case-insensitive / value[i] = toupper(value[i]); } for (i = 0; i < lookup_size; i++) { / case-insensitive / lookup_str[i] = toupper(lookup_str[i]); } if (strstr(value, lookup_str) != NULL) { free(lookup_str); return TRUE; } } } free(lookup_str); return FALSE;} The author of this code sample ：pafish project Identification flag if the following function contains a list Registry path Second parameter of ：NtOpenKey(…, Registry path , …) Followed by a call to the following function , This function has table columns “ Registry key ” Second parameter of ：NtQueryValueKey(…, registry_item, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry value contains the following string （ Case insensitive :Detect Registry path registry key string [general]HKLM\HARDWARE\Description\SystemSystemBiosDate06/23/99HKLM\HARDWARE\Description\System\BIOSSystemProductNameA M IBOCHSHKLM\HARDWARE\Description\SystemSystemBiosVersionBOCHSHKLM\HARDWARE\Description\SystemVideoBiosVersionBOCHSAnubisHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-337-8429955-22614HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-337-8429955-22614CwSandboxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-644-3177037-23510HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-644-3177037-23510JoeBoxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID55274-640-2673064-23950HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID55274-640-2673064-23950ParallelsHKLM\HARDWARE\Description\SystemSystemBiosVersionPARALLELSHKLM\HARDWARE\Description\SystemVideoBiosVersionPARALLELSQEMUHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUHKLM\HARDWARE\Description\SystemSystemBiosVersionQEMUHKLM\HARDWARE\Description\SystemVideoBiosVersionQEMUHKLM\HARDWARE\Description\System\BIOSSystemManufacturerQEMUVirtualBoxHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\Description\SystemSystemBiosVersionVBOXHKLM\HARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHKLM\HARDWARE\Description\System\BIOSSystemProductNameVIRTUALHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALBOXVMwareHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionINTEL - 6040000HKLM\HARDWARE\Description\SystemVideoBiosVersionVMWAREHKLM\HARDWARE\Description\System\BIOSSystemProductNameVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum0VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum1VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVMwareHKCR\Installer\ProductsProductNamevmware toolsHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000CoInstallers32vmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000InfSectionvmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000ProviderNameVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\SettingsDevice DescriptionVMwareHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVMWAREHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevm3dmpHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevmx_svgaHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\0000Device DescriptionVMware SVGAXenHKLM\HARDWARE\Description\System\BIOSSystemProductNameXen Countermeasures intercept the objective function , If the indicator （ Registry string from table ） Checked , Then the appropriate result is returned . Thanks to open source projects , The code sample is taken from this project .github Upper pafish project Even though Check Point Tools InviZzzible All these functions have been realized , But due to the modular structure of the code , More space is needed to show the code samples of this tool , To achieve the same purpose . That's why we decided to use other great open source projects as examples throughout the encyclopedia . Comment on 0 Browse in reverse order, let's comment 00 Come and comment, login | register Simple version of client Comsenz Inc. Original address ：Evasions: Registry (checkpoint.com)
Original title ：Evasions: Registry Updated date ：2021 year 5 month 17 Late Japanese article ： Expand the content according to what you have learned because of your limited technology , We can only do our best to translate foreign technical articles , For everyone to learn , If there is something improper or perfect , I hope it can be pointed out that , Used to jointly improve this article . Directory registry detection method 1. Check whether there is a specific registry path 2. Check whether the specific registry key contains the specified string. The countermeasures are attributed to the registry detection methods. The principles of all registry detection methods are as follows ： There are no such registry keys and values in normal hosts . However , They exist in specific virtual environments . Sometimes , Common systems may cause false positives when applying these checks , Because it installs some virtual machines , Therefore, there are some virtual machine artifacts in the system . Although in all other respects , Such a system is cleaner than a virtual environment . The registry key can be accessed through WinAPI Call query .kernel32.dll Functions used in ：RegOpenKeyRegOpenKeyExRegQueryValueRegQueryValueExRegCloseKeyRegEnumKeyEx The above function is in the following ntdll.dll On top of the function wrappers：NtOpenKeyNtEnumerateKeyNtQueryValueKeyNtClose1. Check whether there is a specific registry path. See the title section , To get the list of functions used . Code samples ：/* sample of usage: see detection of VirtualBox in the table below to check registry path /int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, “HARDWARE\ACPI\FADT\VBOX__”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; / regkey_s == “HARDWARE\ACPI\FADT\VBOX__”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE;} The author of this code sample ：pafish project Identification flag if the following function contains a list Registry path Second parameter of NtOpenKey(…, registry_path, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry path exists : Detect registry path （registry path） details （ If any ）[general]HKLM\Software\Classes\Folder\shell\sandboxHyper-V HKLM\SOFTWARE\Microsoft\Hyper-VHKLM\SOFTWARE\Microsoft\VirtualMachine HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters Usually "HostName " and "VirtualMachineName " The value of is read in this path .HKLM\SYSTEM\ControlSet001\Services\vmicheartbeatHKLM\SYSTEM\ControlSet001\Services\vmicvss HKLM\SYSTEM\ControlSet001\Services\vmicshutdown HKLM\SYSTEM\ControlSet001\Services\vmicexchange Parallels HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8 Subkeys have the following structure VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWSandboxieHKLM\SYSTEM\CurrentControlSet\Services\SbieDrvHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie VirtualBox HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\HARDWARE\ACPI\DSDT\VBOX__HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions HKLM\SYSTEM\ControlSet001\Services\VBoxGuest HKLM\SYSTEM\ControlSet001\Services\VBoxMouse HKLM\SYSTEM\ControlSet001\Services\VBoxService HKLM\SYSTEM\ControlSet001\Services\VBoxSF HKLM\SYSTEM\ControlSet001\Services\VBoxVideo VirtualPC HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333 Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\SYSTEM\ControlSet001\Services\vpcbusHKLM\SYSTEM\ControlSet001\Services\vpc-s3 HKLM\SYSTEM\ControlSet001\Services\vpcuhub HKLM\SYSTEM\ControlSet001\Services\msvmmouf VMware HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKCU\SOFTWARE\VMware, Inc.\VMware ToolsHKLM\SOFTWARE\VMware, Inc.\VMware Tools HKLM\SYSTEM\ControlSet001\Services\vmdebug HKLM\SYSTEM\ControlSet001\Services\vmmouse HKLM\SYSTEM\ControlSet001\Services\VMTools HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL HKLM\SYSTEM\ControlSet001\Services\vmware HKLM\SYSTEM\ControlSet001\Services\vmci HKLM\SYSTEM\ControlSet001\Services\vmx86 HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* Wine HKCU\SOFTWARE\WineHKLM\SOFTWARE\Wine Xen HKLM\HARDWARE\ACPI\DSDT\xenHKLM\HARDWARE\ACPI\FADT\xen HKLM\HARDWARE\ACPI\RSDT\xen HKLM\SYSTEM\ControlSet001\Services\xenevtchn HKLM\SYSTEM\ControlSet001\Services\xennet HKLM\SYSTEM\ControlSet001\Services\xennet6 HKLM\SYSTEM\ControlSet001\Services\xensvc HKLM\SYSTEM\ControlSet001\Services\xenvdb In special circumstances , Malware may enumerate subkeys and check whether the name of the subkey contains some strings , Instead of checking whether the specified key exists . for example ： list "HKLM\SYSTEM\ControlSet001\Services" And search "VBox " character string .2. Check whether the specific registry key contains the specified string. See the title section , To get a list of functions used . Please note that , Case has nothing to do with these checks ： It can be uppercase or lowercase . Code samples ：/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values /int vbox_reg_key2() { return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, “HARDWARE\Description\System”, “SystemBiosVersion”, “VBOX”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) { / regkey_s == “HARDWARE\Description\System”; value_s == “SystemBiosVersion”; lookup == “VBOX”; / HKEY regkey; LONG ret; DWORD size; char value[1024], * lookup_str; size_t lookup_size; lookup_size = strlen(lookup); lookup_str = malloc(lookup_size+sizeof(char)); strncpy(lookup_str, lookup, lookup_size+sizeof(char)); size = sizeof(value); / regkey_s == “HARDWARE\Description\System”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey); } if (ret == ERROR_SUCCESS) { / value_s == “SystemBiosVersion”; / ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE)value, &size); RegCloseKey(regkey); if (ret == ERROR_SUCCESS) { size_t i; for (i = 0; i < strlen(value); i++) { /* case-insensitive / value[i] = toupper(value[i]); } for (i = 0; i < lookup_size; i++) { / case-insensitive / lookup_str[i] = toupper(lookup_str[i]); } if (strstr(value, lookup_str) != NULL) { free(lookup_str); return TRUE; } } } free(lookup_str); return FALSE;} The author of this code sample ：pafish project Identification flag if the following function contains a list Registry path Second parameter of ：NtOpenKey(…, Registry path , …) Followed by a call to the following function , This function has table columns “ Registry key ” Second parameter of ：NtQueryValueKey(…, registry_item, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry value contains the following string （ Case insensitive :Detect Registry path registry key string [general]HKLM\HARDWARE\Description\SystemSystemBiosDate06/23/99HKLM\HARDWARE\Description\System\BIOSSystemProductNameA M IBOCHSHKLM\HARDWARE\Description\SystemSystemBiosVersionBOCHSHKLM\HARDWARE\Description\SystemVideoBiosVersionBOCHSAnubisHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-337-8429955-22614HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-337-8429955-22614CwSandboxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-644-3177037-23510HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-644-3177037-23510JoeBoxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID55274-640-2673064-23950HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID55274-640-2673064-23950ParallelsHKLM\HARDWARE\Description\SystemSystemBiosVersionPARALLELSHKLM\HARDWARE\Description\SystemVideoBiosVersionPARALLELSQEMUHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUHKLM\HARDWARE\Description\SystemSystemBiosVersionQEMUHKLM\HARDWARE\Description\SystemVideoBiosVersionQEMUHKLM\HARDWARE\Description\System\BIOSSystemManufacturerQEMUVirtualBoxHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\Description\SystemSystemBiosVersionVBOXHKLM\HARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHKLM\HARDWARE\Description\System\BIOSSystemProductNameVIRTUALHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALBOXVMwareHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionINTEL - 6040000HKLM\HARDWARE\Description\SystemVideoBiosVersionVMWAREHKLM\HARDWARE\Description\System\BIOSSystemProductNameVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum0VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum1VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVMwareHKCR\Installer\ProductsProductNamevmware toolsHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000CoInstallers32vmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000InfSectionvmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000ProviderNameVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\SettingsDevice DescriptionVMwareHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVMWAREHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevm3dmpHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevmx_svgaHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\0000Device DescriptionVMware SVGAXenHKLM\HARDWARE\Description\System\BIOSSystemProductNameXen Countermeasures intercept the objective function , If the indicator （ Registry string from table ） Checked , Then the appropriate result is returned . Thanks to open source projects , The code sample is taken from this project .github Upper pafish project Even though Check Point Tools InviZzzible All these functions have been realized , But due to the modular structure of the code , More space is needed to show the code samples of this tool , To achieve the same purpose . That's why we decided to use other great open source projects as examples throughout the encyclopedia . Comment on 0 Browse in reverse order, let's comment 00 Come and comment, login | register Simple version of client Comsenz Inc. Original address ：Evasions: Registry (checkpoint.com)
Original title ：Evasions: Registry Updated date ：2021 year 5 month 17 Late Japanese article ： Expand the content according to what you have learned because of your limited technology , We can only do our best to translate foreign technical articles , For everyone to learn , If there is something improper or perfect , I hope it can be pointed out that , Used to jointly improve this article . Directory registry detection method 1. Check whether there is a specific registry path 2. Check whether the specific registry key contains the specified string. The countermeasures are attributed to the registry detection methods. The principles of all registry detection methods are as follows ： There are no such registry keys and values in normal hosts . However , They exist in specific virtual environments . Sometimes , Common systems may cause false positives when applying these checks , Because it installs some virtual machines , Therefore, there are some virtual machine artifacts in the system . Although in all other respects , Such a system is cleaner than a virtual environment . The registry key can be accessed through WinAPI Call query .kernel32.dll Functions used in ：RegOpenKeyRegOpenKeyExRegQueryValueRegQueryValueExRegCloseKeyRegEnumKeyEx The above function is in the following ntdll.dll On top of the function wrappers：NtOpenKeyNtEnumerateKeyNtQueryValueKeyNtClose1. Check whether there is a specific registry path. See the title section , To get the list of functions used . Code samples ：/* sample of usage: see detection of VirtualBox in the table below to check registry path /int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, “HARDWARE\ACPI\FADT\VBOX__”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; / regkey_s == “HARDWARE\ACPI\FADT\VBOX__”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE;} The author of this code sample ：pafish project Identification flag if the following function contains a list Registry path Second parameter of NtOpenKey(…, registry_path, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry path exists : Detect registry path （registry path） details （ If any ）[general]HKLM\Software\Classes\Folder\shell\sandboxHyper-V HKLM\SOFTWARE\Microsoft\Hyper-VHKLM\SOFTWARE\Microsoft\VirtualMachine HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters Usually "HostName " and "VirtualMachineName " The value of is read in this path .HKLM\SYSTEM\ControlSet001\Services\vmicheartbeatHKLM\SYSTEM\ControlSet001\Services\vmicvss HKLM\SYSTEM\ControlSet001\Services\vmicshutdown HKLM\SYSTEM\ControlSet001\Services\vmicexchange Parallels HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8 Subkeys have the following structure VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWSandboxieHKLM\SYSTEM\CurrentControlSet\Services\SbieDrvHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie VirtualBox HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\HARDWARE\ACPI\DSDT\VBOX__HKLM\HARDWARE\ACPI\FADT\VBOX__ HKLM\HARDWARE\ACPI\RSDT\VBOX__ HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions HKLM\SYSTEM\ControlSet001\Services\VBoxGuest HKLM\SYSTEM\ControlSet001\Services\VBoxMouse HKLM\SYSTEM\ControlSet001\Services\VBoxService HKLM\SYSTEM\ControlSet001\Services\VBoxSF HKLM\SYSTEM\ControlSet001\Services\VBoxVideo VirtualPC HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333 Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKLM\SYSTEM\ControlSet001\Services\vpcbusHKLM\SYSTEM\ControlSet001\Services\vpc-s3 HKLM\SYSTEM\ControlSet001\Services\vpcuhub HKLM\SYSTEM\ControlSet001\Services\msvmmouf VMware HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD Subkeys have the following structure : VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WWHKCU\SOFTWARE\VMware, Inc.\VMware ToolsHKLM\SOFTWARE\VMware, Inc.\VMware Tools HKLM\SYSTEM\ControlSet001\Services\vmdebug HKLM\SYSTEM\ControlSet001\Services\vmmouse HKLM\SYSTEM\ControlSet001\Services\VMTools HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL HKLM\SYSTEM\ControlSet001\Services\vmware HKLM\SYSTEM\ControlSet001\Services\vmci HKLM\SYSTEM\ControlSet001\Services\vmx86 HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* Wine HKCU\SOFTWARE\WineHKLM\SOFTWARE\Wine Xen HKLM\HARDWARE\ACPI\DSDT\xenHKLM\HARDWARE\ACPI\FADT\xen HKLM\HARDWARE\ACPI\RSDT\xen HKLM\SYSTEM\ControlSet001\Services\xenevtchn HKLM\SYSTEM\ControlSet001\Services\xennet HKLM\SYSTEM\ControlSet001\Services\xennet6 HKLM\SYSTEM\ControlSet001\Services\xensvc HKLM\SYSTEM\ControlSet001\Services\xenvdb In special circumstances , Malware may enumerate subkeys and check whether the name of the subkey contains some strings , Instead of checking whether the specified key exists . for example ： list "HKLM\SYSTEM\ControlSet001\Services" And search "VBox " character string .2. Check whether the specific registry key contains the specified string. See the title section , To get a list of functions used . Please note that , Case has nothing to do with these checks ： It can be uppercase or lowercase . Code samples ：/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values /int vbox_reg_key2() { return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, “HARDWARE\Description\System”, “SystemBiosVersion”, “VBOX”);}/ code is taken from “pafish” project, see references on the parent page /int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) { / regkey_s == “HARDWARE\Description\System”; value_s == “SystemBiosVersion”; lookup == “VBOX”; / HKEY regkey; LONG ret; DWORD size; char value[1024], * lookup_str; size_t lookup_size; lookup_size = strlen(lookup); lookup_str = malloc(lookup_size+sizeof(char)); strncpy(lookup_str, lookup, lookup_size+sizeof(char)); size = sizeof(value); / regkey_s == “HARDWARE\Description\System”; / if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey); } if (ret == ERROR_SUCCESS) { / value_s == “SystemBiosVersion”; / ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE)value, &size); RegCloseKey(regkey); if (ret == ERROR_SUCCESS) { size_t i; for (i = 0; i < strlen(value); i++) { /* case-insensitive / value[i] = toupper(value[i]); } for (i = 0; i < lookup_size; i++) { / case-insensitive / lookup_str[i] = toupper(lookup_str[i]); } if (strstr(value, lookup_str) != NULL) { free(lookup_str); return TRUE; } } } free(lookup_str); return FALSE;} The author of this code sample ：pafish project Identification flag if the following function contains a list Registry path Second parameter of ：NtOpenKey(…, Registry path , …) Followed by a call to the following function , This function has table columns “ Registry key ” Second parameter of ：NtQueryValueKey(…, registry_item, …) Then this indicates that the application is trying to use evasion Technology . The detection table checks whether the following registry value contains the following string （ Case insensitive :Detect Registry path registry key string [general]HKLM\HARDWARE\Description\SystemSystemBiosDate06/23/99HKLM\HARDWARE\Description\System\BIOSSystemProductNameA M IBOCHSHKLM\HARDWARE\Description\SystemSystemBiosVersionBOCHSHKLM\HARDWARE\Description\SystemVideoBiosVersionBOCHSAnubisHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-337-8429955-22614HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-337-8429955-22614CwSandboxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-644-3177037-23510HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-644-3177037-23510JoeBoxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID55274-640-2673064-23950HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID55274-640-2673064-23950ParallelsHKLM\HARDWARE\Description\SystemSystemBiosVersionPARALLELSHKLM\HARDWARE\Description\SystemVideoBiosVersionPARALLELSQEMUHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMUHKLM\HARDWARE\Description\SystemSystemBiosVersionQEMUHKLM\HARDWARE\Description\SystemVideoBiosVersionQEMUHKLM\HARDWARE\Description\System\BIOSSystemManufacturerQEMUVirtualBoxHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOXHKLM\HARDWARE\Description\SystemSystemBiosVersionVBOXHKLM\HARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHKLM\HARDWARE\Description\System\BIOSSystemProductNameVIRTUALHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVBOXHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVBOXHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALBOXVMwareHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionVMWAREHKLM\HARDWARE\Description\SystemSystemBiosVersionINTEL - 6040000HKLM\HARDWARE\Description\SystemVideoBiosVersionVMWAREHKLM\HARDWARE\Description\System\BIOSSystemProductNameVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum0VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\Enum1VMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVMwareHKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVMwareHKCR\Installer\ProductsProductNamevmware toolsHKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware toolsHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000CoInstallers32vmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000InfSectionvmxHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000ProviderNameVMwareHKLM\SYSTEM\ControlSet001\Control\Class{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\SettingsDevice DescriptionVMwareHKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVMWAREHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevm3dmpHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\VideoServicevmx_svgaHKLM\SYSTEM\CurrentControlSet\Control\Video{GUID}\0000Device DescriptionVMware SVGAXenHKLM\HARDWARE\Description\System\BIOSSystemProductNameXen Countermeasures intercept the objective function , If the indicator （ Registry string from table ） Checked , Then the appropriate result is returned . Thanks to open source projects , The code sample is taken from this project .github Upper pafish project Even though Check Point Tools InviZzzible All these functions have been realized , But due to the modular structure of the code , More space is needed to show the code samples of this tool , To achieve the same purpose . That's why we decided to use other great open source projects as examples throughout the encyclopedia