Reference

http://joe4security.blogspot.kr/2012/08/vm-and-sandbox-detections-become-more.html

http://ghostshell.tistory.com/293

https://gitlab.pluribusgames.com/mirrors/metasploit-framework/raw/ddb98715776e6d49443d26816cbc9db54b093e81/modules/post/windows/gather/checkvm.rb

http://thisissecurity.net/2014/08/20/win32atrax-a/


Registry Query

1. HKLM\HARDWARE\Description\System\SystemBiosVersion

- Check whether the value contains the string "vbox"


2. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductID and
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID


- Compare the Product ID against known sandbox values: 55274-640-2673064-23950 (JoeBox), 76487-644-3177037-23510 (CWSandbox), 76487-337-8429955-22614 (Anubis)


3. HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier

- Check whether the Identifier value contains "vmware" or "vbox"



Registry Enum

1. HKLM\SOFTWARE\Microsoft

- Check whether the subkeys Hyper-V or VirtualMachine exist


2. HKLM\SYSTEM\ControlSet001\Services

- Check whether any of the following service subkeys exist: vmicheartbeat, vmicvss, vmicshutdown, vmicexchange, vmci, vmdebug, vmmouse, VMTools, VMMEMCTL, vmware, vmx86, vpcbus, vpc-s3, vpcuhub, msvmmouf, VBoxMouse, VBoxGuest, VBoxSF, xenevtchn, xennet, xennet6, xensvc, xenvdb


3. HKLM\HARDWARE\ACPI\DSDT, HKLM\HARDWARE\ACPI\FADT, HKLM\HARDWARE\ACPI\RSDT

- Check the OEM ID subkeys under each ACPI table for:

- VBOX (VirtualBox)

- XEN (Xen)

- PTLTD (VMware)

- AMIBI (Virtual PC)


Process Snapshot

1. Check the running processes for any of the following names

- vmware, vmount2, vmusrvc, vmsrvc, VBoxService, vboxtray, xenservice, joeboxserver, joeboxcontrol, wireshark, sniff_hit, sysAnalyzer, filemon, procexp, procmon, regmon, autoruns



Files Check

1. Check whether any of the following driver files exist

- hgfs.sys, vmhgfs.sys, prleth.sys, prlfs.sys, prlmouse.sys, prlvideo.sys, prl_pv32.sys, vpc-s3.sys, vmsrvc.sys, vmx86.sys, vmnet.sys



Modules Check

1. Check whether any of the following modules (DLLs) are loaded in the process

- dbghelp, SbieDll, api_log, dir_watch, pstorec


Users Check

1. Check the current user name against the following list

currentuser, sandbox, honey, vmware, nepenthes, snort, andy, roo



Computer Name Check

1. Check the computer name against the following list

TU-4NH09SMCG1HC
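Putting all of the lists above together, the following is an added example (not code from the original post, from the Atrax sample, or from the Metasploit module) of a scanner that applies every check from this page to a host snapshot and reports which indicators were hit. The snapshot dict layout, the function names and SAMPLE_VBOX_HOST are assumptions made for this example; on a live Windows host the registry entries would be read with winreg (OpenKey, QueryValueEx, EnumKey), the process list with CreateToolhelp32Snapshot, and the loaded modules with EnumProcessModules.

```python
"""Offline scanner for the VM/sandbox artifacts listed in this post (added example).

The rules run against a host snapshot (a plain dict) so they can be tested without
a Windows box; SAMPLE_VBOX_HOST is constructed sample data, not a real capture.
"""

# Indicator tables, taken from the lists in this post.
VALUE_SUBSTRINGS = {  # registry value -> substrings (matched case-insensitively)
    r"HKLM\HARDWARE\Description\System\SystemBiosVersion": ("vbox",),
    r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0"
    r"\Logical Unit Id 0\Identifier": ("vmware", "vbox"),
}
PRODUCT_ID_VALUES = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductID",
                     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID")
SANDBOX_PRODUCT_IDS = {"55274-640-2673064-23950": "JoeBox",  # exact match
                       "76487-644-3177037-23510": "CWSandbox",
                       "76487-337-8429955-22614": "Anubis"}
SUBKEY_NAMES = {  # registry key -> subkey names whose presence is an indicator
    r"HKLM\SOFTWARE\Microsoft": ("Hyper-V", "VirtualMachine"),
    r"HKLM\SYSTEM\ControlSet001\Services": (
        "vmicheartbeat", "vmicvss", "vmicshutdown", "vmicexchange", "vmci", "vmdebug",
        "vmmouse", "VMTools", "VMMEMCTL", "vmware", "vmx86", "vpcbus", "vpc-s3", "vpcuhub",
        "msvmmouf", "VBoxMouse", "VBoxGuest", "VBoxSF", "xenevtchn", "xennet", "xennet6",
        "xensvc", "xenvdb"),
}
ACPI_KEYS = tuple("HKLM\\HARDWARE\\ACPI\\" + t for t in ("DSDT", "FADT", "RSDT"))
# The ACPI OEM ID field is 6 bytes, so the subkey may appear padded (e.g. VBOX__): match by prefix.
ACPI_OEM_IDS = {"VBOX": "VirtualBox", "XEN": "Xen", "PTLTD": "VMware", "AMIBI": "Virtual PC"}
PROCESSES = ("vmware", "vmount2", "vmusrvc", "vmsrvc", "VBoxService", "vboxtray", "xenservice",
             "joeboxserver", "joeboxcontrol", "wireshark", "sniff_hit", "sysAnalyzer", "filemon",
             "procexp", "procmon", "regmon", "autoruns")
DRIVER_FILES = ("hgfs.sys", "vmhgfs.sys", "prleth.sys", "prlfs.sys", "prlmouse.sys", "prlvideo.sys",
                "prl_pv32.sys", "vpc-s3.sys", "vmsrvc.sys", "vmx86.sys", "vmnet.sys")
MODULES = ("dbghelp", "SbieDll", "api_log", "dir_watch", "pstorec")
USERS = ("currentuser", "sandbox", "honey", "vmware", "nepenthes", "snort", "andy", "roo")
COMPUTER_NAMES = ("TU-4NH09SMCG1HC",)


def _names(items, strip=""):
    """Lower-case a list of names, dropping an extension such as '.exe' when given."""
    lowered = [i.lower() for i in items]
    return {n[:-len(strip)] if strip and n.endswith(strip) else n for n in lowered}


def scan(snapshot):
    """Return [(category, detail), ...] for every indicator present in the snapshot."""
    found = []
    values = {k.lower(): str(v) for k, v in snapshot.get("registry_values", {}).items()}
    subkeys = {k.lower(): _names(v) for k, v in snapshot.get("registry_subkeys", {}).items()}
    for path, needles in VALUE_SUBSTRINGS.items():  # Registry Query 1 and 3
        data = values.get(path.lower(), "").lower()
        found += [("registry_value", f"{path} contains '{n}'") for n in needles if n in data]
    for path in PRODUCT_ID_VALUES:  # Registry Query 2
        product = SANDBOX_PRODUCT_IDS.get(values.get(path.lower(), ""))
        if product:
            found.append(("product_id", product))
    for path, names in SUBKEY_NAMES.items():  # Registry Enum 1 and 2
        present = subkeys.get(path.lower(), set())
        found += [("registry_key", path + "\\" + n) for n in names if n.lower() in present]
    for path in ACPI_KEYS:  # Registry Enum 3
        for sub in sorted(subkeys.get(path.lower(), set())):
            for oem, product in ACPI_OEM_IDS.items():
                if sub.startswith(oem.lower()):
                    found.append(("acpi_table", f"{path}: {sub} ({product})"))
    for category, table, key, strip in (("process", PROCESSES, "processes", ".exe"),
                                        ("driver_file", DRIVER_FILES, "driver_files", ""),
                                        ("module", MODULES, "modules", ".dll")):
        present = _names(snapshot.get(key, ()), strip)
        found += [(category, n) for n in table if n.lower() in present]
    if snapshot.get("user", "").lower() in _names(USERS):
        found.append(("user", snapshot["user"]))
    if snapshot.get("computer", "").lower() in _names(COMPUTER_NAMES):
        found.append(("computer_name", snapshot["computer"]))
    return found


# Constructed sample: a VirtualBox guest running inside an analysis sandbox.
SAMPLE_VBOX_HOST = {
    "registry_values": {
        r"HKLM\HARDWARE\Description\System\SystemBiosVersion": "VBOX   - 1",
        r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID": "76487-644-3177037-23510",
    },
    "registry_subkeys": {
        r"HKLM\SYSTEM\ControlSet001\Services": ["Dhcp", "Tcpip", "VBoxGuest", "VBoxSF"],
        r"HKLM\HARDWARE\ACPI\DSDT": ["VBOX__"],
    },
    "processes": ["explorer.exe", "VBoxTray.exe", "Procmon.exe"],
    "modules": ["ntdll.dll", "kernel32.dll", "SbieDll.dll"],
    "user": "sandbox",
    "computer": "TU-4NH09SMCG1HC",
}

if __name__ == "__main__":
    for category, detail in scan(SAMPLE_VBOX_HOST):
        print(f"{category:15} {detail}")
```

All name comparisons are case-insensitive and the process and module lists drop their extensions before matching, since the lists on this page give bare names while a live process or module enumeration returns "VBoxTray.exe" or "SbieDll.dll". Only the SystemBiosVersion and SCSI Identifier checks use substring matching; service, ACPI, user and computer names are matched whole, so "vmware" does not fire on an unrelated key that merely contains those letters.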







