VirtualBox lets you set, query and modify a large number of settings through vboxmanage.exe.

The full set of settings for a VM can also be viewed with showvminfo:

VBoxManage showvminfo "VM Image name"

When an access violation occurs in the process being debugged, the debugger must handle it.

When the exception is raised, the debugger can trace all the relevant information: the stack frame, the registers, the instruction that raised the exception, and so on.

Based on that information, one can write exploit code for the vulnerability or produce a binary patch.

 - p.97 -

Reference

http://joe4security.blogspot.kr/2012/08/vm-and-sandbox-detections-become-more.html

http://ghostshell.tistory.com/293

https://gitlab.pluribusgames.com/mirrors/metasploit-framework/raw/ddb98715776e6d49443d26816cbc9db54b093e81/modules/post/windows/gather/checkvm.rb

http://thisissecurity.net/2014/08/20/win32atrax-a/


Registry Query

1. HKLM\HARDWARE\Description\System\SystemBiosVersion

- check whether the value contains the string "vbox"

2. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductID and
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID

- check the Product ID: 55274-640-2673064-23950 (JoeBox), 76487-644-3177037-23510 (CWSandbox), 76487-337-8429955-22614 (Anubis)

3. HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier

- check whether the Identifier value contains vmware or vbox



Registry Enum

1. HKLM\SOFTWARE\Microsoft

- look for Hyper-V, VirtualMachine subkeys

2. HKLM\SYSTEM\ControlSet001\Services

- look for these service names: vmicheartbeat, vmicvss, vmicshutdown, vmicexchange, vmci, vmdebug, vmmouse, VMTools, VMMEMCTL, vmware, vmx86, vpcbus, vpc-s3, vpcuhub, msvmmouf, VBoxMouse, VBoxGuest, VBoxSF, xenevtchn, xennet, xennet6, xensvc, xenvdb

3. HKLM\HARDWARE\ACPI\DSDT, HKLM\HARDWARE\ACPI\FADT, HKLM\HARDWARE\ACPI\RSDT

- look for these subkeys:

- VBOX (VirtualBox)

- XEN

- PTLTD (VMware)

- AMIBI (Virtual PC)


Process Snapshot

1. check for the following processes

- vmware, vmount2, vmusrvc, vmsrvc, VBoxService, vboxtray, xenservice, joeboxserver, joeboxcontrol, wireshark, sniff_hit, sysAnalyzer, filemon, procexp, procmon, regmon, autoruns



Files Check

1. check for the following files

- hgfs.sys, vmhgfs.sys, prleth.sys, prlfs.sys, prlmouse.sys, prlvideo.sys, prl_pv32.sys, vpc-s3.sys, vmsrvc.sys, vmx86.sys, vmnet.sys



Modules Check

1. check for the following loaded modules (DLLs)

- dbghelp, SbieDll, api_log, dir_watch, pstorec


Users Check

1. check for the following user names

- currentuser, sandbox, honey, vmware, nepenthes, snort, andy, roo



Computer Name Check

1. check for the following computer name

- TU-4NH09SMCG1HC
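As an added triage example (my own code, not from the original post or from the referenced checkvm.rb), the checklist above can be turned around to the defender's side: a script that scans the strings extracted from a sample for these registry paths, sandbox product IDs, VM artifacts and analysis-tool names, so that anti-VM behaviour can be flagged before the sample is ever run. The indicator lists are shortened copies of the page's lists and the sample strings are constructed.

```python
import re

# Indicator lists copied from the checklist above (shortened; extend with the remaining names from the page).
REGISTRY_PATHS = [
    r"HARDWARE\Description\System\SystemBiosVersion",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\ProductID",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID",
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0",
    r"SYSTEM\ControlSet001\Services",
    r"HARDWARE\ACPI\DSDT", r"HARDWARE\ACPI\FADT", r"HARDWARE\ACPI\RSDT",
]
SANDBOX_PRODUCT_IDS = {
    "55274-640-2673064-23950": "JoeBox",
    "76487-644-3177037-23510": "CWSandbox",
    "76487-337-8429955-22614": "Anubis",
}
VM_ARTIFACTS = ["vmware", "vbox", "vboxservice", "vboxtray", "vboxguest", "vboxsf",
                "vmtools", "vmhgfs.sys", "vmx86", "xenservice", "xennet",
                "prl_pv32.sys", "vpc-s3", "sbiedll", "joeboxserver", "joeboxcontrol"]
ANALYSIS_TOOLS = ["wireshark", "procmon", "procexp", "regmon", "filemon",
                  "sysanalyzer", "autoruns", "sniff_hit"]

def _token_pattern(names):
    # Match a name only when it is not glued to other alphanumerics, so "vbox"
    # does not fire inside unrelated words but "VBoxGuest.sys" still matches.
    alt = "|".join(re.escape(n) for n in names)
    return re.compile(r"(?<![a-z0-9])(?:%s)(?![a-z0-9])" % alt, re.IGNORECASE)
_VM_RE, _TOOL_RE = _token_pattern(VM_ARTIFACTS), _token_pattern(ANALYSIS_TOOLS)

def scan_strings(strings):
    """Map each indicator category from the checklist to the matches found in the strings."""
    hits = {"registry": set(), "product_id": set(),
            "vm_artifact": set(), "analysis_tool": set()}
    for s in strings:
        low = s.lower()
        hits["registry"].update(p for p in REGISTRY_PATHS if p.lower() in low)
        hits["product_id"].update(v for k, v in SANDBOX_PRODUCT_IDS.items() if k in s)
        hits["vm_artifact"].update(m.lower() for m in _VM_RE.findall(s))
        hits["analysis_tool"].update(m.lower() for m in _TOOL_RE.findall(s))
    return {k: sorted(v) for k, v in hits.items()}

def anti_vm_categories(strings):
    """Number of distinct categories hit; two or more deserves an analyst's look."""
    return sum(1 for v in scan_strings(strings).values() if v)

# Constructed sample of what a strings dump of a suspicious PE might contain.
SAMPLE_STRINGS = [r"SOFTWARE\Microsoft\Windows\CurrentVersion", "kernel32.dll", "VBOX",
    r"HARDWARE\Description\System\SystemBiosVersion", "76487-337-8429955-22614",
    "VBoxService.exe", "wireshark.exe"]
```

Run it over the output of a strings tool on a sample; a generic registry prefix such as SOFTWARE\Microsoft\Windows\CurrentVersion alone is not counted, only the full checklist paths are.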








GetThreadContext function

Retrieves the context of the specified thread.

A 64-bit application can retrieve the context of a WOW64 thread using the Wow64GetThreadContext function.

Syntax

BOOL WINAPI GetThreadContext(
  _In_    HANDLE    hThread,
  _Inout_ LPCONTEXT lpContext
);

Parameters

hThread [in]

A handle to the thread whose context is to be retrieved. The handle must have THREAD_GET_CONTEXT access to the thread. For more information, see Thread Security and Access Rights.

WOW64:  The handle must also have THREAD_QUERY_INFORMATION access.

lpContext [in, out]

A pointer to a CONTEXT structure that receives the appropriate context of the specified thread. The value of the ContextFlags member of this structure specifies which portions of a thread's context are retrieved. The CONTEXT structure is highly processor specific. Refer to the WinNT.h header file for processor-specific definitions of this structure and any alignment requirements.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

https://msdn.microsoft.com/ko-kr/library/windows/desktop/ms679362(v=vs.85).aspx


The Win32 API GetThreadContext is routed to the Native API ZwGetContextThread.
