GET /api/techniques/?page=4
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 157,
    "next": null,
    "previous": "https://search.unprotect.it/api/techniques/?page=3",
    "results": [
        {
            "name": "Checking Specific Folder Name",
            "category": [
                "https://search.unprotect.it/api/categories/1/"
            ],
            "description": "A sandbox-specific path such as C:\\\\Cuckoo may exist on the guest system of a Cuckoo sandbox. Malware can check for the presence of this folder and, if it is found, change its behaviour or exit in order to evade the sandbox.",
            "resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "name": "Detecting Virtual Environment Artefacts",
            "category": [
                "https://search.unprotect.it/api/categories/1/"
            ],
            "description": "Qemu registers some artifacts into the registry. A malware can detect the Qemu installation with a look at the registry key HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0 with the value of Identifier and the data of QEMU or HARDWARE\\\\Description\\\\System with a value of SystemBiosVersion and data of QEMU.\r\n\r\nThe Virtualbox Guest addition leaves many artifacts in the registry. A search for VBOX in the registry might find some keys.\r\n\r\nThe VMware installation directory C:\\\\Program Files\\\\VMware\\\\VMware Tools may also contain artifacts, as can the registry. A search for VMware in the registry might find some keys that include information about the virtual hard drive, adapters, and virtual mouse.\r\n\r\nVMware leaves many artefacts in memory. Some are critical processor structures, which, because they are either moved or changed on a virtual machine, leave recognisable footprints. Malware can search through physical memory for the strings VMware, commonly used to detect memory artifacts.",
            "resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet\r\nhttps://www.cyberbit.com/blog/endpoint-security/anti-vm-and-anti-sandbox-explained/\r\nhttp://resources.infosecinstitute.com/how-malware-detects-virtualized-environment-and-its-countermeasures-an-overview/",
            "tags": "",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/2/",
                    "author": "https://search.unprotect.it/api/snippet_authors/2/",
                    "technique": "https://search.unprotect.it/api/techniques/12/",
                    "description": "This is a snippet to detect the most common registry keys and values created by virtual machines. Note: as written, the `lookup` argument of reg_value_exist() is never compared with the data read back, so the value checks only report whether the value exists; `size` is not initialised before RegQueryValueEx() (it must be set to sizeof(value) so the 1024-byte buffer cannot be overrun), and when RegOpenKeyEx() fails the code still calls RegQueryValueEx() on the uninitialised `regkey` handle. The key list also uses ControlSet001, which is not guaranteed to be the active control set; CurrentControlSet is the reliable path.",
                    "plain_code": "#include <iostream>\r\n#include<Windows.h>\r\n#include<stdio.h>\r\n\r\nusing namespace std;\r\n\r\nint reg_value_exist(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {\r\n\tHKEY regkey;\r\n\tLONG ret;\r\n\tDWORD size;\r\n\tchar value[1024];\r\n\r\n\r\n\tif (RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey))\r\n    {\r\n        if (RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size))\r\n        {\r\n            cout << \" [-] Reg value doesn't exist: \" << (regkey) << endl;\r\n        }\r\n        else\r\n        {\r\n            cout << \" [*] Reg value exist: \" << (value) << endl;\r\n        }\r\n\t}\r\n\r\n    else\r\n    {\r\n        if (RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size))\r\n        {\r\n            cout << \" [-] Reg value doesn't exist: \" << (regkey) << endl;\r\n        }\r\n        else\r\n        {\r\n            cout << \" [*] Reg value exist: \" << (value) << endl;\r\n        }\r\n    }\r\n}\r\n\r\nint RegistryArtifacts()\r\n{\r\n    HKEY hKey;\r\n\r\n    // list of registry key related virutal machines\r\n    LPCTSTR RegValuePath[] = { \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\",\r\n                               \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 1\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\",\r\n                               \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 2\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\",\r\n                               \"SOFTWARE\\\\VMware, Inc.\\\\VMware Tools\",\r\n                               \"HARDWARE\\\\Description\\\\System\",\r\n                               \"SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum\",\r\n                               \"HARDWARE\\\\ACPI\\\\DSDT\\\\VBOX__\",\r\n                               
\"HARDWARE\\\\ACPI\\\\FADT\\\\VBOX__\",\r\n                               \"HARDWARE\\\\ACPI\\\\RSDT\\\\VBOX__\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxGuest\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxMouse\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxService\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxSF\",\r\n                               \"SYSTEM\\\\ControlSet001\\\\Services\\\\VBoxVideo\",\r\n                               };\r\n\r\n\r\n    for (int i = 0; i < (sizeof(RegValuePath) / sizeof(LPCWSTR)); i++)\r\n    {\r\n\r\n        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, RegValuePath[i], 0, KEY_READ, &hKey))\r\n        {\r\n            cout << \" [-] Reg key doesn't exist: \" << (RegValuePath[i]) << endl;\r\n        }\r\n        else\r\n        {\r\n            cout << \" [*] Reg key exist: \" << (RegValuePath[i]) << endl;\r\n        }\r\n\r\n    }\r\n\r\n    // Check for registry Value\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VMware\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 1\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VMware\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 2\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VMware\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"VBOX\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\Description\\\\System\", \"SystemBiosVersion\", \"VBOX\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\Description\\\\System\", \"VideoBiosVersion\", \"VIRTUALBOX\");\r\n    
reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DESCRIPTION\\\\System\", \"SystemBiosDate\", \"06/23/99\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0\", \"Identifier\", \"QEMU\");\r\n    reg_value_exist(HKEY_LOCAL_MACHINE, \"HARDWARE\\\\Description\\\\System\", \"SystemBiosVersion\", \"QEMU\");\r\n}\r\n\r\nint main()\r\n{\r\n    RegistryArtifacts();\r\n    return 0;\r\n}"
                }
            ],
            "detection_rules": [
                {
                    "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
                    "name": "detect_vm_process",
                    "rule": "rule:\r\n  meta:\r\n    name: check for windows sandbox via process name\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: \"@_re_fox\"\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LloydLabs/wsb-detect\r\n    examples:\r\n      - 773290480d5445f11d3dc1b800728966:0x140001140\r\n  features:\r\n    - and:\r\n      - match: enumerate processes\r\n      - string: CExecSvc.exe"
                },
                {
                    "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
                    "name": "vm_artefact",
                    "rule": "rule:\r\n  meta:\r\n    name: reference anti-VM strings targeting VMWare\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/VMWare.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_\r\n  features:\r\n    - or:\r\n      - string: /VMWare/i\r\n      - string: /VMTools/i\r\n      - string: /SOFTWARE\\\\VMware, Inc\\.\\\\VMware Tools/i\r\n      - string: /vmnet.sys/i\r\n      - string: /vmmouse.sys/i\r\n      - string: /vmusb.sys/i\r\n      - string: /vm3dmp.sys/i\r\n      - string: /vmci.sys/i\r\n      - string: /vmhgfs.sys/i\r\n      - string: /vmmemctl.sys/i\r\n      - string: /vmx86.sys/i\r\n      - string: /vmrawdsk.sys/i\r\n      - string: /vmusbmouse.sys/i\r\n      - string: /vmkdb.sys/i\r\n      - string: /vmnetuserif.sys/i\r\n      - string: /vmnetadapter.sys/i\r\n      - string: /\\\\\\\\.\\\\HGFS/i\r\n      - string: /\\\\\\\\.\\\\vmci/i\r\n      - string: /vmtoolsd.exe/i\r\n      - string: /vmwaretray.exe/i\r\n      - string: /vmwareuser.exe/i\r\n      - string: /VGAuthService.exe/i\r\n      - string: /vmacthlp.exe/i\r\n      - string: /vmci/i\r\n        description: VMWare VMCI Bus Driver\r\n      - string: /vmhgfs/i\r\n        description: VMWare Host Guest Control Redirector\r\n      - string: /vmmouse/i\r\n      - string: /vmmemctl/i\r\n        description: VMWare Guest Memory Controller Driver\r\n      - string: /vmusb/i\r\n      - string: /vmusbmouse/i\r\n      - string: /vmx_svga/i\r\n      - string: /vmxnet/i\r\n      - string: /vmx86/i\r\n      - string: /VMwareVMware/i\r\n      - string: /vmGuestLib.dll/i"
                },
                {
                    "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
                    "name": "vm_artefact2",
                    "rule": "rule:\r\n  meta:\r\n    name: reference anti-VM strings\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: moritz.raabe@fireeye.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/ctxis/CAPE/blob/master/modules/signatures/antivm_*\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp\r\n    examples:\r\n      - Practical Malware Analysis Lab 17-02.dll_\r\n  features:\r\n    - or:\r\n      - string: /HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS/i\r\n      - string: /HARDWARE\\\\DESCRIPTION\\\\System\\\\(SystemBiosVersion|VideoBiosVersion)/i\r\n      - string: /HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\.*ProcessorNameString/i\r\n      - string: /HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0/i\r\n      - string: /SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\IDE/i\r\n      - string: /SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Services\\\\Disk\\\\Enum\\\\/i\r\n      - string: /SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\SystemInformation\\\\SystemManufacturer/i\r\n      - string: /A M I/i\r\n      - string: /Hyper-V/i\r\n      - string: /Kernel-VMDetection-Private/i\r\n      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L699\r\n      - string: /KVMKVMKVM/i\r\n        description: KVM\r\n      - string: /Microsoft Hv/i\r\n        description: Microsoft Hyper-V or Windows Virtual PC\r\n      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L8\r\n      - string: /avghookx.dll/i\r\n        description: AVG\r\n      - string: /avghooka.dll/i\r\n        description: AVG\r\n      - string: /snxhk.dll/i\r\n        
description: Avast\r\n      - string: /pstorec.dll/i\r\n        description: SunBelt Sandbox\r\n      - string: /vmcheck.dll/i\r\n        description: Virtual PC\r\n      - string: /wpespy.dll/i\r\n        description: WPE Pro\r\n      - string: /cmdvrt64.dll/i\r\n        description: Comodo Container\r\n      - string: /cmdvrt32.dll/i\r\n        description: Comodo Container\r\n      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L46\r\n      - string: /sample.exe/i\r\n      - string: /bot.exe/i\r\n      - string: /sandbox.exe/i\r\n      - string: /malware.exe/i\r\n      - string: /test.exe/i\r\n      - string: /klavme.exe/i\r\n      - string: /myapp.exe/i\r\n      - string: /testapp.exe/i"
                }
            ]
        },
        {
            "name": "Detecting Virtual Environment Files",
            "category": [
                "https://search.unprotect.it/api/categories/1/"
            ],
            "description": "Some files are created by Virtualbox and VMware on the system. \r\n\r\nMalware can check the different folders to find Virtualbox artifacts like VBoxMouse.sys.\r\n\r\nMalware can check the different folders to find VMware artifacts like vmmouse.sys, vmhgfs.sys.\r\n\r\n### Some Files Example\r\nBelow is a list of files that can be detected on virtual machines:\r\n\r\n- \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\agent.pyw\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmmouse.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmhgfs.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxMouse.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxGuest.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxSF.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxVideo.sys\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxdisp.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxhook.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxmrxnp.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxogl.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglarrayspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglcrutil.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglerrorspu.dll\",\r\n-  \"C:\\\\WINDOWS\\\\system32\\\\vboxoglfeedbackspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxoglpassthroughspu.dll\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxservice.exe\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\vboxtray.exe\",\r\n- \"C:\\\\WINDOWS\\\\system32\\\\VBoxControl.exe\"",
            "resources": "https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtual-machine/",
            "tags": "",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/2/",
                    "author": "https://search.unprotect.it/api/snippet_authors/2/",
                    "technique": "https://search.unprotect.it/api/techniques/11/",
                    "description": "Checks, via GetFileAttributes(), whether each entry in a hard-coded list of VirtualBox and VMware driver, DLL and tool paths exists as a regular file. Note: the paths are hard-coded under C:\\\\WINDOWS\\\\system32, so a guest with a different system root, or a 32-bit process subject to WOW64 file-system redirection, may not resolve the same files.",
                    "plain_code": "#include <iostream>\r\n#include <windows.h>\r\n\r\nusing namespace std;\r\n\r\n\r\nBOOL FileExists(TCHAR* szPath)\r\n{\r\n\tDWORD dwAttrib = GetFileAttributes(szPath);\r\n\treturn (dwAttrib != INVALID_FILE_ATTRIBUTES) && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY);\r\n}\r\n\r\n// Check if file related to sandbox exist\r\nint CheckFile()\r\n{\r\n    bool hAppend;\r\n    LPSTR fname[] = {\"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\agent.pyw\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmmouse.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\vmhgfs.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxMouse.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxGuest.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxSF.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\drivers\\\\VBoxVideo.sys\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxdisp.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxhook.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxmrxnp.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxogl.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglarrayspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglcrutil.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglerrorspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglfeedbackspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglpackspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxoglpassthroughspu.dll\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxservice.exe\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\vboxtray.exe\",\r\n                     \"C:\\\\WINDOWS\\\\system32\\\\VBoxControl.exe\",\r\n              
       // ADD YOUR FILE HERE!\r\n                    };\r\n\r\n    for (int i = 0; i < (sizeof(fname) / sizeof(LPSTR)); i++)\r\n    {\r\n\r\n        if (FileExists(fname[i]))\r\n            cout << \" [+] File exist: \" << (fname[i]) << endl;\r\n\t\telse\r\n            cout << \" [-] File doesn't exist: \" << (fname[i]) << endl;\r\n\r\n    }\r\n\r\n    return 0;\r\n}\r\n\r\n\r\nint main()\r\n{\r\n    CheckFile();\r\n    return 0;\r\n}"
                }
            ],
            "detection_rules": [
                {
                    "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
                    "name": "vm_artefact",
                    "rule": "rule:\r\n  meta:\r\n    name: reference anti-VM strings targeting VMWare\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/VMWare.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_\r\n  features:\r\n    - or:\r\n      - string: /VMWare/i\r\n      - string: /VMTools/i\r\n      - string: /SOFTWARE\\\\VMware, Inc\\.\\\\VMware Tools/i\r\n      - string: /vmnet.sys/i\r\n      - string: /vmmouse.sys/i\r\n      - string: /vmusb.sys/i\r\n      - string: /vm3dmp.sys/i\r\n      - string: /vmci.sys/i\r\n      - string: /vmhgfs.sys/i\r\n      - string: /vmmemctl.sys/i\r\n      - string: /vmx86.sys/i\r\n      - string: /vmrawdsk.sys/i\r\n      - string: /vmusbmouse.sys/i\r\n      - string: /vmkdb.sys/i\r\n      - string: /vmnetuserif.sys/i\r\n      - string: /vmnetadapter.sys/i\r\n      - string: /\\\\\\\\.\\\\HGFS/i\r\n      - string: /\\\\\\\\.\\\\vmci/i\r\n      - string: /vmtoolsd.exe/i\r\n      - string: /vmwaretray.exe/i\r\n      - string: /vmwareuser.exe/i\r\n      - string: /VGAuthService.exe/i\r\n      - string: /vmacthlp.exe/i\r\n      - string: /vmci/i\r\n        description: VMWare VMCI Bus Driver\r\n      - string: /vmhgfs/i\r\n        description: VMWare Host Guest Control Redirector\r\n      - string: /vmmouse/i\r\n      - string: /vmmemctl/i\r\n        description: VMWare Guest Memory Controller Driver\r\n      - string: /vmusb/i\r\n      - string: /vmusbmouse/i\r\n      - string: /vmx_svga/i\r\n      - string: /vmxnet/i\r\n      - string: /vmx86/i\r\n      - string: /VMwareVMware/i\r\n      - string: /vmGuestLib.dll/i"
                }
            ]
        },
        {
            "name": "Detecting Virtual Environment Process",
            "category": [
                "https://search.unprotect.it/api/categories/1/"
            ],
            "description": "Processes related to VirtualBox can be detected by malware by querying the process list.\r\n\r\nVMware Tools uses processes such as VMwareService.exe or VMwareTray.exe to perform actions in the virtual environment. Malware can enumerate the running processes and search for the VMware string. Processes: VMwareService.exe, VMwareTray.exe, TPAutoConnSvc.exe, VMtoolsd.exe, VMwareuser.exe.",
            "resources": "https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtual-machine/\r\nhttp://resources.infosecinstitute.com/how-malware-detects-virtualized-environment-and-its-countermeasures-an-overview/",
            "tags": "",
            "snippets": [],
            "detection_rules": [
                {
                    "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
                    "name": "detect_vm_process",
                    "rule": "rule:\r\n  meta:\r\n    name: check for windows sandbox via process name\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: \"@_re_fox\"\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LloydLabs/wsb-detect\r\n    examples:\r\n      - 773290480d5445f11d3dc1b800728966:0x140001140\r\n  features:\r\n    - and:\r\n      - match: enumerate processes\r\n      - string: CExecSvc.exe"
                }
            ]
        },
        {
            "name": "Detecting Mac Address",
            "category": [
                "https://search.unprotect.it/api/categories/1/"
            ],
            "description": "VirtualBox and VMware assign their virtual network adapters MAC addresses from vendor-specific OUI prefixes (the first three octets), which malware can compare against the MAC addresses of the local interfaces.\r\n\r\n* The usual MAC address prefix used by VirtualBox is 08:00:27.\r\n\r\n* The usual MAC address prefixes used by VMware are 00:0C:29, 00:1C:14, 00:50:56 and 00:05:69.",
            "resources": "https://securingtomorrow.mcafee.com/mcafee-labs/overview-malware-self-defense-protection/\r\nhttp://resources.infosecinstitute.com/how-malware-detects-virtualized-environment-and-its-countermeasures-an-overview/",
            "tags": "",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/4/",
                    "author": "https://search.unprotect.it/api/snippet_authors/2/",
                    "technique": "https://search.unprotect.it/api/techniques/8/",
                    "description": "Enumerates the local network interfaces with net.Interfaces() and compares the upper-cased first 8 characters of each hardware address (the OUI prefix) with a hard-coded list of VirtualBox and VMware prefixes. Note: the slice str[0:8] panics on an interface whose hardware address string is shorter than 8 characters; guard with len(str) >= 8 before slicing.",
                    "plain_code": "package main\r\n\r\nimport (\r\n    \"fmt\"\r\n    \"log\"\r\n    \"net\"\r\n    \"strings\"\r\n)\r\n\r\nfunc getMacAddr() ([]string, error) {\r\n    ifas, err := net.Interfaces()\r\n    if err != nil {\r\n        return nil, err\r\n    }\r\n    var as []string\r\n    for _, ifa := range ifas {\r\n        a := ifa.HardwareAddr.String()\r\n        if a != \"\" {\r\n            as = append(as, a)\r\n        }\r\n    }\r\n    return as, nil\r\n}\r\n\r\nfunc main() {\r\n    // Blacklist VM mac address\r\n    var macvm = []string{\"08:00:27\", \"00:0C:29\", \"00:1C:14\", \"00:50:56\", \"00:05:69\"}\r\n\r\n    as, err := getMacAddr()\r\n    if err != nil {\r\n        log.Fatal(err)\r\n    }\r\n\r\n    for i, s:= range macvm {\r\n        for _, a := range as {\r\n            str := strings.ToUpper(a)\r\n            if str[0:8] == s[0:8] {\r\n                fmt.Println(\"VM detected!\")\r\n\t\tfmt.Println(i, s)\r\n            } \r\n         }\r\n    }\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "name": "Querying the I/O Communication Port",
            "category": [
                "https://search.unprotect.it/api/categories/1/"
            ],
            "description": "VMware uses virtual I/O ports for communication between the virtual machine and the host operating system to support functionality like copy and paste between the two systems. The port can be queried and compared with a magic number VMXh to identify the use of VMware.",
            "resources": "https://www.aldeid.com/wiki/VMXh-Magic-Value",
            "tags": "",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/2/",
                    "author": "https://search.unprotect.it/api/snippet_authors/3/",
                    "technique": "https://search.unprotect.it/api/techniques/7/",
                    "description": "Source: https://gist.github.com/kooroshh/e4a303368555ea57f04f87e5630147b5\r\n\r\nNote: this uses 32-bit MSVC inline assembly (__asm), which the x64 MSVC compiler does not support. Outside VMware the IN instruction executed from user mode raises a privileged-instruction exception that the __except handler swallows; a and b are then compared while still uninitialised, so they should be zero-initialised before the __try block.",
                    "plain_code": "void CheckVM(void)\r\n{\r\n\tunsigned int    a, b;\r\n\r\n\t__try {\r\n\t\t__asm {\r\n\r\n\t\t\t// save register values on the stack\r\n\t\t\tpush eax\r\n\t\t\tpush ebx\r\n\t\t\tpush ecx\r\n\t\t\tpush edx\r\n\r\n\t\t\t// perform fingerprint\r\n\t\t\tmov eax, 'VMXh' // VMware magic value (0x564D5868)\r\n\t\t\tmov ecx, 0Ah // special version cmd (0x0a)\r\n\t\t\tmov dx, 'VX' // special VMware I/O port (0x5658)\r\n\r\n\t\t\tin eax, dx // special I/O cmd\r\n\r\n\t\t\tmov a, ebx // data \r\n\t\t\tmov b, ecx // data (eax gets also modified\r\n\r\n\t\t\t// restore register values from the stack\r\n\t\t\tpop edx\r\n\t\t\tpop ecx\r\n\t\t\tpop ebx\r\n\t\t\tpop eax\r\n\t\t}\r\n\t}\r\n\t__except (EXCEPTION_EXECUTE_HANDLER) {}\r\n\r\n\tif (a == 'VMXh') { // is the value equal to the VMware magic value?\r\n\t\tprintf(\"Result  : VMware detected\\nVersion : \");\r\n\t\tif (b == 1)\r\n\t\t\tprintf(\"Express\\n\\n\");\r\n\t\telse if (b == 2)\r\n\t\t\tprintf(\"ESX\\n\\n\");\r\n\t\telse if (b == 3)\r\n\t\t\tprintf(\"GSX\\n\\n\");\r\n\t\telse if (b == 4)\r\n\t\t\tprintf(\"Workstation\\n\\n\");\r\n\t\telse\r\n\t\t\tprintf(\"unknown version\\n\\n\");\r\n\t}\r\n\telse\r\n\t\tprintf(\"Result  : Not Detected\\n\\n\");\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "name": "Detecting Active Services",
            "category": [
                "https://search.unprotect.it/api/categories/1/"
            ],
            "description": "VMwareService.exe runs the VMware Tools Service as a child of services.exe. It can be identified by listing services.",
            "resources": "http://resources.infosecinstitute.com/how-malware-detects-virtualized-environment-and-its-countermeasures-an-overview/",
            "tags": "",
            "snippets": [
                {
                    "language": "https://search.unprotect.it/api/snippet_languages/1/",
                    "author": "https://search.unprotect.it/api/snippet_authors/1/",
                    "technique": "https://search.unprotect.it/api/techniques/6/",
                    "description": "Two methods are demonstrated in this example (Windows Registry and Windows Service Manager API). Note: CheckService_Registry() never sets Result := False before its loop, so its return value is undefined when no service is found; the SC_HANDLE returned by OpenServiceW() is never released with CloseServiceHandle(); and the error message in CheckService_WinSvc() formats the integer GetLastError() with %s, which Format() rejects at run time (use %d).",
                    "plain_code": "program AntiSandboxScanService;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\n{$R *.res}\r\n\r\nuses\r\n  System.SysUtils,\r\n  WinAPI.Windows,\r\n  WinAPI.WinSvc;\r\n\r\n\r\nconst ANTI_LIST : array[0..4-1] of String = (\r\n      // VMWare\r\n      'VGAuthService',\r\n      'vmvss',\r\n      'vm3dservice',\r\n      'VMTools' \r\n      // ...\r\n);\r\n\r\n{\r\n  Using Service Manager WinAPI + OpenService()\r\n\r\n  * https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openscmanagerw\r\n  * https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicew\r\n}\r\nfunction CheckService_WinSvc() : Boolean;\r\nvar AServiceManager : SC_HANDLE;\r\n    I               : Cardinal;\r\nbegin\r\n  result := False;\r\n  ///\r\n\r\n  AServiceManager := OpenSCManagerW(nil, nil, SC_MANAGER_ENUMERATE_SERVICE);\r\n  if AServiceManager = 0 then\r\n  raise Exception.Create(\r\n      Format('Could not open service manager with error=[%s]', [GetLastError()])\r\n  );\r\n  try\r\n    for I := 0 to Length(ANTI_LIST) -1 do begin\r\n      if (OpenServiceW(AServiceManager, PWideChar(ANTI_LIST[I]), READ_CONTROL) <> 0) then begin\r\n        WriteLn(Format('[*] \"%s\" service found.', [ANTI_LIST[I]]));\r\n\r\n        ///\r\n        result := true;\r\n      end;\r\n    end;\r\n  finally\r\n    CloseServiceHandle(AServiceManager);\r\n  end;\r\nend;\r\n\r\n{\r\n  Using Microsoft Windows Registry + RegOpenKeyExW\r\n\r\n  * https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexw\r\n}\r\nfunction CheckService_Registry() : Boolean;\r\nconst HIVE : HKEY = HKEY_LOCAL_MACHINE;\r\n      PATH = 'SYSTEM\\CurrentControlSet\\Services\\%s';\r\nvar AStatus : Longint;\r\n    AKey    : HKEY;\r\n    I       : Cardinal;\r\n    APath   : String;\r\nbegin\r\n  for I := 0 to Length(ANTI_LIST) -1 do begin\r\n    APath := Format(PATH, [ANTI_LIST[i]]);\r\n    if RegOpenKeyExW(HIVE, PWideChar(APath), 0, KEY_READ, AKey) <> ERROR_SUCCESS then\r\n  
    continue;\r\n    try\r\n        WriteLn(Format('[*] \"%s\" service found.', [ANTI_LIST[I]]));\r\n\r\n        ///\r\n        result := true;\r\n    finally\r\n      RegCloseKey(AKey);\r\n    end;\r\n  end;\r\nend;\r\n\r\nprocedure Header(ACaption : String);\r\nbegin\r\n  WriteLn(StringOfChar('-', 50));\r\n  WriteLn(ACaption);\r\n  WriteLn(StringOfChar('-', 50));\r\nend;\r\n\r\nbegin\r\n  try\r\n    Header('Check Service (WinSvc):');\r\n    if not CheckService_WinSvc() then\r\n      WriteLn('Nothing found so far...');\r\n\r\n    WriteLn;\r\n\r\n    Header('Check Service (Registry):');\r\n    if not CheckService_Registry() then\r\n      WriteLn('Nothing found so far...');\r\n\r\n    readln;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
                }
            ],
            "detection_rules": []
        }
    ]
}