GET /api/techniques/6/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "Detecting Active Services",
    "category": [
        "https://search.unprotect.it/api/categories/1/"
    ],
    "description": "VMwareService.exe runs the VMware Tools Service as a child of services.exe. It can be identified by listing services.",
    "resources": "http://resources.infosecinstitute.com/how-malware-detects-virtualized-environment-and-its-countermeasures-an-overview/",
    "tags": "",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/1/",
            "author": "https://search.unprotect.it/api/snippet_authors/1/",
            "technique": "https://search.unprotect.it/api/techniques/6/",
            "description": "Two methods are demonstrated in this example (Windows Registry and Windows Service Manager API).",
    "plain_code": "program AntiSandboxScanService;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\n{$R *.res}\r\n\r\nuses\r\n  System.SysUtils,\r\n  WinAPI.Windows,\r\n  WinAPI.WinSvc;\r\n\r\n\r\nconst ANTI_LIST : array[0..4-1] of String = (\r\n      // VMWare\r\n      'VGAuthService',\r\n      'vmvss',\r\n      'vm3dservice',\r\n      'VMTools' \r\n      // ...\r\n);\r\n\r\n{\r\n  Using Service Manager WinAPI + OpenService()\r\n\r\n  * https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openscmanagerw\r\n  * https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicew\r\n}\r\nfunction CheckService_WinSvc() : Boolean;\r\nvar AServiceManager : SC_HANDLE;\r\n    I               : Cardinal;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  AServiceManager := OpenSCManagerW(nil, nil, SC_MANAGER_ENUMERATE_SERVICE);\r\n  if AServiceManager = 0 then\r\n  raise Exception.Create(\r\n      Format('Could not open service manager with error=[%s]', [GetLastError()])\r\n  );\r\n  try\r\n    for I := 0 to Length(ANTI_LIST) -1 do begin\r\n      if (OpenServiceW(AServiceManager, PWideChar(ANTI_LIST[I]), READ_CONTROL) <> 0) then begin\r\n        WriteLn(Format('[*] \"%s\" service found.', [ANTI_LIST[I]]));\r\n\r\n        ///\r\n        result := true;\r\n      end;\r\n    end;\r\n  finally\r\n    CloseServiceHandle(AServiceManager);\r\n  end;\r\nend;\r\n\r\n{\r\n  Using Microsoft Windows Registry + RegOpenKeyExW\r\n\r\n  * https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexw\r\n}\r\nfunction CheckService_Registry() : Boolean;\r\nconst HIVE : HKEY = HKEY_LOCAL_MACHINE;\r\n      PATH = 'SYSTEM\\CurrentControlSet\\Services\\%s';\r\nvar AStatus : Longint;\r\n    AKey    : HKEY;\r\n    I       : Cardinal;\r\n    APath   : String;\r\nbegin\r\n  for I := 0 to Length(ANTI_LIST) -1 do begin\r\n    APath := Format(PATH, [ANTI_LIST[i]]);\r\n    if RegOpenKeyExW(HIVE, PWideChar(APath), 0, KEY_READ, AKey) <> ERROR_SUCCESS then\r\n      continue;\r\n    try\r\n        WriteLn(Format('[*] \"%s\" service found.', [ANTI_LIST[I]]));\r\n\r\n        ///\r\n        result := true;\r\n    finally\r\n      RegCloseKey(AKey);\r\n    end;\r\n  end;\r\nend;\r\n\r\nprocedure Header(ACaption : String);\r\nbegin\r\n  WriteLn(StringOfChar('-', 50));\r\n  WriteLn(ACaption);\r\n  WriteLn(StringOfChar('-', 50));\r\nend;\r\n\r\nbegin\r\n  try\r\n    Header('Check Service (WinSvc):');\r\n    if not CheckService_WinSvc() then\r\n      WriteLn('Nothing found so far...');\r\n\r\n    WriteLn;\r\n\r\n    Header('Check Service (Registry):');\r\n    if not CheckService_Registry() then\r\n      WriteLn('Nothing found so far...');\r\n\r\n    readln;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        }
    ],
    "detection_rules": []
}