Techniques for Anti-Sandbox, Anti-VM, and Anti-Debugging in Loaders
Timeline: 2023/11/20-2023/11/24
Following analysis of the anti-analysis techniques employed by the loader families listed below, those techniques have been summarised here; the summary may prove useful when approaching the debugging of malicious loaders.
Family Name |
---|
ReZer0 |
GuLoader |
SmokeLoader |
BazarLoader |
BumblebeeLoader |
HUILoader |
ColibriLoader |
QuantLoader |
GootLoader |
BunnyLoader |
1. Anti-Sandbox
Technique | Description |
---|---|
Window Enumeration | Uses EnumWindows to count the top-level windows on the system. If the count is below 12 (a freshly provisioned sandbox has few windows open), it calls TerminateProcess. It also checks for specific windows (such as MFC windows) and treats their presence as evidence of a virtual machine. |
Prolonged Delays | Extends execution time by calling the same function many times (a slow loop rather than a single Sleep call, which sandboxes commonly hook and accelerate), so that the sandbox's execution time limit expires before the payload runs. |
RDTSC Wrapper | Reads the time-stamp counter with RDTSC (the number of CPU cycles since the processor was reset) before and after a block of code and compares the delta against a threshold. Hypervisors and single-stepping debuggers inflate the delta, which is why the same primitive serves sandbox, VM and debugger detection. |
DLL Check | Uses GetModuleHandleA to look for DLLs that sandboxes and AV emulators inject into every monitored process, such as sbiedll.dll (Sandboxie), aswhook.dll (Avast) and snxhk.dll (Avast); a non-NULL handle means the sample is being monitored. |
Username Check | Compares the current username against the default account names used by sandbox images and raises an exception if one matches. |
2. Anti-VM
Technique | Description |
---|---|
Scan Memory Pages | Uses NtQueryVirtualMemory (ZwQueryVirtualMemory) to walk every memory region of the process and scans the pages for VMware-related strings, comparing hashes of the bytes found against pre-computed string hashes so that the indicator strings themselves never appear in the binary. |
CPUID and RDTSC | Executes CPUID between two RDTSC reads and compares the delta against a threshold. CPUID unconditionally traps to the hypervisor (a VM exit), so its measured cost is far higher inside a virtual machine than on bare metal; the measurement is usually averaged over several iterations. |
Check System Uptime | Uses GetTickCount to obtain the number of milliseconds since system boot. Sandboxes and analysis VMs are typically booted, or restored from a snapshot, moments before the sample runs, so a very low uptime suggests an analysis environment, whereas a real user's machine has usually been running much longer. |
Check Current Processes | Uses NtQuerySystemInformation with the SystemProcessInformation class to list all running processes and string-matches their names against virtualization software (VMware Tools, VirtualBox guest services and similar). Uses CreateToolhelp32Snapshot to take a process snapshot and matches process names against static and dynamic analysis tools. |
Check Drivers | Uses EnumDeviceDrivers and GetDeviceDriverBaseNameA to list loaded kernel drivers and checks for VM-specific ones; if one is found, the loader aborts with an error. |
Check Installed Products | Enumerates installed MSI products and reads each product's name with MsiGetProductInfoA, checking it against a list of known virtualization software (guest tools and hypervisor packages). |
Check Current Services | Connects to the Service Control Manager with OpenSCManagerA, opens the SCM database, and enumerates services with EnumServicesStatusA, comparing the service names against those installed by guest tooling (for example VMware Tools and VBoxService). |
Check Local DLLs and Drivers | Checks for VM guest DLLs and drivers on disk by file path (under System32 and System32\drivers) and for already loaded DLLs with GetModuleHandleA. |
Query Registry Information | Uses NtQueryKey and RegOpenKeyExW to read registry keys such as HKLM\System\CurrentControlSet\Enum\IDE and HKLM\System\CurrentControlSet\Enum\SCSI, whose subkey names embed each disk's vendor and model string, and compares them against a list of strings associated with virtual machines. Also probes for registry keys that exist only in virtual environments (hypervisor guest tool keys). |
Query System Information | Issues Windows Management Instrumentation (WMI) queries against the Win32_* classes of the root\cimv2 namespace to collect detailed hardware and operating system information. Hardware descriptors (manufacturer, model, BIOS, fans, devices) differ between virtual and physical machines, so the returned strings are compared against hypervisor vendor names to identify a virtual machine. |
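The following is an added example (not code from any of the loaders above, nor from al-khaser) of the RDTSC timing primitive behind the RDTSC rows in the anti-sandbox and anti-VM tables: it times a CPUID instruction with two RDTSC reads, averages several samples, and compares the result against a threshold. The threshold of 1000 ticks and the sample count of 10 are assumptions; calibrate them on the hardware you care about. The measurement only compiles on x86/x86-64 (MSVC intrinsics or GCC/Clang inline assembly); on other architectures the code still builds and the check simply reports that it cannot run.

```c
/* Added example: the RDTSC / CPUID timing check. Measures how many TSC
 * ticks one CPUID costs; under a hypervisor CPUID forces a VM exit and the
 * delta is typically far larger than on bare metal. Threshold and sample
 * count are assumptions, not values taken from any loader. */
#include <stdint.h>
#include <stdio.h>

#if defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))
#include <intrin.h>
static uint64_t read_tsc(void) { return __rdtsc(); }
static void serialize_cpuid(void) { int r[4]; __cpuid(r, 0); }
#define HAVE_TSC 1
#elif defined(__x86_64__) || defined(__i386__)
static uint64_t read_tsc(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
static void serialize_cpuid(void) {
    uint32_t a = 0, b, c, d;            /* leaf 0: vendor string, cheap */
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
    (void)b; (void)c; (void)d;
}
#define HAVE_TSC 1
#else
#define HAVE_TSC 0
#endif

/* One sample: TSC ticks spent on a single CPUID. Returns 0 where the
 * architecture has no TSC, so the caller can tell the check did not run. */
static uint64_t cpuid_cost_once(void) {
#if HAVE_TSC
    uint64_t t0 = read_tsc();
    serialize_cpuid();
    uint64_t t1 = read_tsc();
    return t1 - t0;
#else
    return 0;
#endif
}

/* Average over n samples, as loaders do to smooth out scheduling noise. */
uint64_t cpuid_cost_avg(unsigned n) {
    uint64_t total = 0;
    for (unsigned i = 0; i < n; i++) total += cpuid_cost_once();
    return n ? total / n : 0;
}

/* Decision helper, kept separate so the threshold logic is testable without
 * a TSC. 1 = looks virtualised, 0 = looks like bare metal. */
int looks_virtualised(uint64_t avg_ticks, uint64_t threshold) {
    return avg_ticks > threshold;
}

int main(void) {
    const uint64_t threshold = 1000;   /* assumption; tune per CPU model */
    uint64_t avg = cpuid_cost_avg(10);
    if (!HAVE_TSC) {
        puts("no TSC on this architecture; check not run");
        return 0;
    }
    printf("average CPUID cost: %llu ticks -> %s\n",
           (unsigned long long)avg,
           looks_virtualised(avg, threshold) ? "virtualised" : "bare metal");
    return 0;
}
```

Run it once on a physical machine and once inside the analysis VM: the averages usually differ by at least an order of magnitude, and the gap is what the loaders rely on. Pinning the TSC or enabling CPUID interception tweaks in the hypervisor are the usual ways to blunt this check in a lab.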
Practical examples of WMI (WQL) queries used in anti-VM checks. The fields worth inspecting are the vendor and model strings (for example Win32_ComputerSystem.Manufacturer and Model, Win32_BaseBoard.Manufacturer, and Win32_PnPEntity.Name), which carry the hypervisor vendor's name on a guest; Win32_Fan normally returns no instances at all inside a virtual machine:

```sql
# Get motherboard information (manufacturer, product):
SELECT * FROM Win32_BaseBoard
# Get bus information:
SELECT * FROM Win32_Bus
# Get computer system information, such as manufacturer and model:
SELECT * FROM Win32_ComputerSystem
# Get fan-related information (usually empty on a VM):
SELECT * FROM Win32_Fan
# Get NT event log file information:
SELECT * FROM Win32_NTEventlogFile
# Get operating system information, such as version and installation date:
SELECT * FROM Win32_OperatingSystem
# Get plug and play device information:
SELECT * FROM Win32_PnPDevice
# Get plug and play entity information (device names):
SELECT * FROM Win32_PnPEntity
```
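As an added example (not code from the loaders or from al-khaser), the following shows the pattern shared by the process, driver, service, registry and WMI rows above: collect artifact strings from one or more sources and compare them case-insensitively against a list of virtualization indicators. The sample inputs are constructed to resemble what a VMware guest returns; the indicator list and the rule that a single hit is enough are mine. On Windows it also collects live process names with CreateToolhelp32Snapshot; the "Scan Memory Pages" row performs the same comparison with hashes in place of plaintext.

```c
/* Added example: the "collect artifacts, compare against an indicator list"
 * pattern behind the anti-VM checks. Indicator list and samples are
 * constructed for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Substrings that identify hypervisor vendors or guest tooling (assumed). */
static const char *const VM_INDICATORS[] = {
    "vmware", "vbox", "virtualbox", "qemu", "xen", "hyper-v",
    "vmtoolsd", "vboxservice", "vboxtray", "prl_tools", NULL
};

/* Case-insensitive substring search; strcasestr is not portable to MSVC. */
static int contains_nocase(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Returns the indicator that matches the artifact, or NULL. */
const char *match_vm_indicator(const char *artifact) {
    for (size_t i = 0; VM_INDICATORS[i]; i++)
        if (contains_nocase(artifact, VM_INDICATORS[i])) return VM_INDICATORS[i];
    return NULL;
}

/* Counts hits in a NULL-terminated artifact list; a loader bails out at > 0. */
int count_vm_artifacts(const char *const *artifacts) {
    int hits = 0;
    for (size_t i = 0; artifacts[i]; i++)
        if (match_vm_indicator(artifacts[i])) hits++;
    return hits;
}

/* Constructed samples: what the checks would collect on a VMware guest
 * (process list, Enum\IDE subkey name, Win32_ComputerSystem fields) and on
 * a physical Dell laptop. */
const char *const SAMPLE_VMWARE_PROCESSES[] = { "explorer.exe", "vmtoolsd.exe", "svchost.exe", NULL };
const char *const SAMPLE_VMWARE_DEVICE_IDS[] = { "DiskVMware_Virtual_IDE_Hard_Drive___________00000001", NULL };
const char *const SAMPLE_VMWARE_WMI[] = { "VMware, Inc.", "VMware Virtual Platform", NULL };
const char *const SAMPLE_PHYSICAL[] = { "explorer.exe", "Dell Inc.", "Latitude 7420", NULL };

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
/* Live collection of one artifact source: running process names, as in the
 * "Check Current Processes" row. Returns hit count, or -1 on failure. */
int count_vm_processes(void) {
    int hits = 0;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return -1;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);
    if (Process32First(snap, &pe)) {
        do {
            if (match_vm_indicator(pe.szExeFile)) hits++;
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return hits;
}
#endif

int main(void) {
    printf("vmware processes : %d hits\n", count_vm_artifacts(SAMPLE_VMWARE_PROCESSES));
    printf("vmware device ids: %d hits\n", count_vm_artifacts(SAMPLE_VMWARE_DEVICE_IDS));
    printf("vmware wmi       : %d hits\n", count_vm_artifacts(SAMPLE_VMWARE_WMI));
    printf("physical machine : %d hits\n", count_vm_artifacts(SAMPLE_PHYSICAL));
#ifdef _WIN32
    printf("live process scan: %d hits\n", count_vm_processes());
#endif
    return 0;
}
```

The defender's use of the same code is the inverse: run it inside your sandbox image and treat every non-zero result as an artifact to rename or hide before the next detonation.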
3. Anti-Debugging
Technique | Description |
---|---|
Vectored Exception Handler (VEH) | Registers a handler with AddVectoredExceptionHandler and then deliberately raises exceptions, so that execution continues inside the handler at a different address rather than at the next instruction; this diverts the control flow a disassembler or debugger expects. Inside the handler it performs anti-debugging and anti-disassembly checks, such as looking for software breakpoints, and because an attached debugger receives the exception before the handler does, an exception that never reaches the handler also reveals the debugger. |
API Call Pre-Breakpoint Detection | Before each API call, checks the first bytes of the target function for a software breakpoint (0xCC), so that a breakpoint the analyst set on the API is detected before it is hit. |
Hide Thread from Debugger | Calls NtSetInformationThread with the ThreadInformationClass parameter set to 0x11 (ThreadHideFromDebugger). The debugger then no longer receives events from that thread, so any breakpoint or exception on it terminates the process instead of breaking into the debugger. |
Check for Debugger | Calls NtQueryInformationProcess with ProcessInformationClass set to ProcessDebugPort (7). The returned value is non-zero (-1) when a debugger is attached, so the loader checks for a non-zero result to decide whether it is being debugged. |
Modify Virtual Memory Access Rights | Uses NtProtectVirtualMemory to make the pages holding ntdll!DbgBreakPoint and ntdll!DbgUiRemoteBreakin writable, then overwrites them with NOPs or junk instructions. DbgUiRemoteBreakin is the routine a debugger runs in the target when attaching to a live process, so patching it prevents the debugger from gaining control. |
Run Code Before Traditional Entry Point | Runs checks from code that executes before the PE entry point (TLS callbacks are the usual mechanism), which an analyst who breaks only at the entry point easily overlooks. |
Disguise Communication with C2 Server | Downloads the next-stage DLL from the attacker's server over HTTP, using a User-Agent string copied from a real browser so that the request resembles ordinary browsing and passes security solutions that inspect traffic. |
API Hashing | Resolves imported functions at runtime by walking module export tables and comparing a hash of each export name against embedded hash constants, producing the function pointers without the API names ever appearing in the import table or as strings. |
Generate Random Internet Traffic | To conceal communication with the C2 server, initializes WinINet by calling InternetOpenA with a specific HTTP user agent string, then starts a thread that periodically connects to a random URL, burying the real C2 traffic in generated noise. Uses BCryptGenRandom to generate random bytes, builds a complete URL from them, and fetches it via InternetOpenUrlA. |
Self-Modifying Code / Dynamic Payload | Static analysis shows the payload containing only a .text (code) section and a .reloc (relocation) section, indicating that the remaining code and data are decrypted or generated at runtime and are therefore not reachable by static analysis. |
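Added example, not the loaders' own code: resolving ntdll exports by ROR13 hash (the "API Hashing" row) and then using the two resolved routines for the ProcessDebugPort and ThreadHideFromDebugger checks. The hash algorithm is assumed to be ROR13 (common in shellcode loaders, but each family uses its own), the hash constants are computed at runtime here for readability where a real loader embeds only the numbers, and the export-directory walk only compiles on Windows. The hash function and a resolver over a constructed export table run anywhere, so the mechanics can be checked without a Windows box.

```c
/* Added example: hash-based export resolution feeding two anti-debugging
 * checks. Assumptions: ROR13 hash, no forwarded exports (ntdll has none
 * that matter here), constants computed at runtime for readability. */
#include <stdint.h>
#include <stdio.h>

/* ROR13 hash over the ASCII export name. */
uint32_t ror13_hash(const char *name) {
    uint32_t h = 0;
    for (; *name; name++) h = ((h >> 13) | (h << 19)) + (unsigned char)*name;
    return h;
}

/* Generic resolver over (name, address) pairs. The Windows path below feeds
 * it the real export directory; the portable demo uses a constructed table. */
typedef struct { const char *name; void *addr; } export_t;

void *resolve_by_hash(const export_t *exports, size_t count, uint32_t want) {
    for (size_t i = 0; i < count; i++)
        if (ror13_hash(exports[i].name) == want) return exports[i].addr;
    return NULL;
}

/* Constructed stand-in for ntdll's export table; addresses are dummies. */
int dummy_a, dummy_b, dummy_c;
const export_t SAMPLE_EXPORTS[] = {
    { "NtClose",                   &dummy_a },
    { "NtQueryInformationProcess", &dummy_b },
    { "NtSetInformationThread",    &dummy_c },
};
const size_t SAMPLE_EXPORT_COUNT = sizeof SAMPLE_EXPORTS / sizeof SAMPLE_EXPORTS[0];

#ifdef _WIN32
#include <windows.h>

/* Walk a loaded module's export directory and return the address whose
 * name hashes to `want`. Forwarded exports are not handled. */
static void *resolve_export(HMODULE mod, uint32_t want) {
    BYTE *base = (BYTE *)mod;
    IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)base;
    IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)(base + dos->e_lfanew);
    DWORD rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    IMAGE_EXPORT_DIRECTORY *ed = (IMAGE_EXPORT_DIRECTORY *)(base + rva);
    DWORD *names = (DWORD *)(base + ed->AddressOfNames);
    WORD  *ords  = (WORD *)(base + ed->AddressOfNameOrdinals);
    DWORD *funcs = (DWORD *)(base + ed->AddressOfFunctions);
    for (DWORD i = 0; i < ed->NumberOfNames; i++)
        if (ror13_hash((const char *)(base + names[i])) == want)
            return base + funcs[ords[i]];
    return NULL;
}

typedef LONG (NTAPI *NtQIP_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
typedef LONG (NTAPI *NtSIT_t)(HANDLE, ULONG, PVOID, ULONG);

/* ProcessDebugPort (class 7): the kernel writes -1 when a debugger is
 * attached, so any non-zero value means "debugged". Returns -1 on failure. */
int debugger_present_via_debugport(void) {
    NtQIP_t fn = (NtQIP_t)resolve_export(GetModuleHandleA("ntdll.dll"),
                                         ror13_hash("NtQueryInformationProcess"));
    ULONG_PTR port = 0;
    if (!fn || fn(GetCurrentProcess(), 7, &port, (ULONG)sizeof port, NULL) != 0) return -1;
    return port != 0;
}

/* ThreadHideFromDebugger (class 0x11): after this the debugger gets no more
 * events from the calling thread, so a breakpoint on it kills the process. */
int hide_thread_from_debugger(void) {
    NtSIT_t fn = (NtSIT_t)resolve_export(GetModuleHandleA("ntdll.dll"),
                                         ror13_hash("NtSetInformationThread"));
    return fn && fn(GetCurrentThread(), 0x11, NULL, 0) == 0;
}
#endif

int main(void) {
    printf("ror13(NtQueryInformationProcess) = 0x%08x\n", ror13_hash("NtQueryInformationProcess"));
    void *p = resolve_by_hash(SAMPLE_EXPORTS, SAMPLE_EXPORT_COUNT, ror13_hash("NtSetInformationThread"));
    printf("constructed-table resolve -> %s\n", p == (void *)&dummy_c ? "ok" : "miss");
#ifdef _WIN32
    printf("ProcessDebugPort says debugger attached: %d\n", debugger_present_via_debugport());
#endif
    return 0;
}
```

When reversing a loader that does this, the practical shortcut is to reproduce the hash over the export names of ntdll and kernel32 once and keep the resulting table: every embedded constant then maps straight back to an API name, and the ProcessDebugPort and ThreadHideFromDebugger call sites become easy to find and patch out.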
4. References
https://github.com/LordNoteworthy/al-khaser