[翻译]规避技术:注册表
本帖最后由 梦幻的彼岸 于 2021-5-17 17:55 编辑备注
原文地址:https://evasions.checkpoint.com/techniques/registry.html
原文标题:Evasions: Registry更新日期:2021年5月17日此文后期:根据自身所学进行内容扩充因自身技术有限,只能尽自身所能翻译国外技术文章,供大家学习,若有不当或可完善的地方,希望可以指出,用于共同完善这篇文章。
static/image/hrline/1.gif
目录
[*]注册表检测方法
[*]1.检查是否存在特定的注册表路径
[*]2. 检查特定的注册表键是否包含指定的字符串
[*]反制措施
[*]归功于
注册表检测方法
所有注册表检测方法的原则如下:在通常的主机中没有这样的注册表键和值。然而,它们存在于特定的虚拟环境中。
有时,通常的系统在应用这些检查时可能会导致误报,因为它安装了一些虚拟机,因此系统中存在一些虚拟机的工件。尽管在所有其他方面,这样的系统与虚拟环境相比是干净的。
注册表键可以通过WinAPI调用查询。
kernel32.dll中使用的函数:
[*]RegOpenKey
[*]RegOpenKeyEx
[*]RegQueryValue
[*]RegQueryValueEx
[*]RegCloseKey
[*]RegEnumKeyEx
上面的函数是在以下ntdll.dll函数之上的wrappers:
[*]NtOpenKey
[*]NtEnumerateKey
[*]NtQueryValueKey
[*]NtClose
1.检查是否存在特定的注册表路径
请看标题部分,以获取使用的函数列表。
代码样本:
/* sample of usage: see detection of VirtualBox in the table below to check registry path */
int vbox_reg_key7() {
return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}
/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
HKEY regkey;
LONG ret;
/* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */
if (pafish_iswow64()) {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key);
}
else {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key);
}
if (ret == ERROR_SUCCESS) {
RegCloseKey(regkey);
return TRUE;
}
else
return FALSE;
}
此代码样本的作者:pafish project
识别标志
如果以下函数包含列表`注册表路径`的第二个参数
[*]NtOpenKey(..., registry_path, ...)
那么这就表明应用程序试图使用规避技术。
检测表
检查是否存在以下注册表路径:
检测注册表路径(registry path)细节(如果有的话)
HKLM\Software\Classes\Folder\shell\sandbox
Hyper-VHKLM\SOFTWARE\Microsoft\Hyper-V
HKLM\SOFTWARE\Microsoft\VirtualMachine
HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters通常 "HostName "和 "VirtualMachineName "的值是在这个路径下读取的。
HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat
HKLM\SYSTEM\ControlSet001\Services\vmicvss
HKLM\SYSTEM\ControlSet001\Services\vmicshutdown
HKLM\SYSTEM\ControlSet001\Services\vmicexchange
ParallelsHKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8*子键有以下结构 VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
SandboxieHKLM\SYSTEM\CurrentControlSet\Services\SbieDrv
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
VirtualBoxHKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE*子键有以下结构: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
HKLM\HARDWARE\ACPI\DSDT\VBOX__
HKLM\HARDWARE\ACPI\FADT\VBOX__
HKLM\HARDWARE\ACPI\RSDT\VBOX__
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
HKLM\SYSTEM\ControlSet001\Services\VBoxGuest
HKLM\SYSTEM\ControlSet001\Services\VBoxMouse
HKLM\SYSTEM\ControlSet001\Services\VBoxService
HKLM\SYSTEM\ControlSet001\Services\VBoxSF
HKLM\SYSTEM\ControlSet001\Services\VBoxVideo
VirtualPCHKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333*子键有以下结构: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
HKLM\SYSTEM\ControlSet001\Services\vpcbus
HKLM\SYSTEM\ControlSet001\Services\vpc-s3
HKLM\SYSTEM\ControlSet001\Services\vpcuhub
HKLM\SYSTEM\ControlSet001\Services\msvmmouf
VMwareHKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD*子键有以下结构: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW
HKCU\SOFTWARE\VMware, Inc.\VMware Tools
HKLM\SOFTWARE\VMware, Inc.\VMware Tools
HKLM\SYSTEM\ControlSet001\Services\vmdebug
HKLM\SYSTEM\ControlSet001\Services\vmmouse
HKLM\SYSTEM\ControlSet001\Services\VMTools
HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL
HKLM\SYSTEM\ControlSet001\Services\vmware
HKLM\SYSTEM\ControlSet001\Services\vmci
HKLM\SYSTEM\ControlSet001\Services\vmx86
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD*
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD*
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive*
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive*
WineHKCU\SOFTWARE\Wine
HKLM\SOFTWARE\Wine
XenHKLM\HARDWARE\ACPI\DSDT\xen
HKLM\HARDWARE\ACPI\FADT\xen
HKLM\HARDWARE\ACPI\RSDT\xen
HKLM\SYSTEM\ControlSet001\Services\xenevtchn
HKLM\SYSTEM\ControlSet001\Services\xennet
HKLM\SYSTEM\ControlSet001\Services\xennet6
HKLM\SYSTEM\ControlSet001\Services\xensvc
HKLM\SYSTEM\ControlSet001\Services\xenvdb
在特殊情况下,恶意软件可能会列举子键并检查子键的名称是否包含某些字符串,而不是检查指定的键是否存在。
例如:列举 "HKLM\SYSTEM\ControlSet001\Services\"的子键并搜索 "VBox "字符串。
2. 检查特定的注册表键值是否包含指定的字符串
请看标题部分,以获得所使用的函数列表。请注意,大小写与这些检查无关:它可以是大写或小写。
代码样本:
/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */
int vbox_reg_key2() {
return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
}
/* code is taken from "pafish" project, see references on the parent page */
int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) {
/*
regkey_s == "HARDWARE\\Description\\System";
value_s == "SystemBiosVersion";
lookup == "VBOX";
*/
HKEY regkey;
LONG ret;
DWORD size;
char value, * lookup_str;
size_t lookup_size;
lookup_size = strlen(lookup);
lookup_str = malloc(lookup_size+sizeof(char));
strncpy(lookup_str, lookup, lookup_size+sizeof(char));
size = sizeof(value);
/* regkey_s == "HARDWARE\\Description\\System"; */
if (pafish_iswow64()) {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key);
}
else {
ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key);
}
if (ret == ERROR_SUCCESS) {
/* value_s == "SystemBiosVersion"; */
ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size);
RegCloseKey(regkey);
if (ret == ERROR_SUCCESS) {
size_t i;
for (i = 0; i < strlen(value); i++) { /* case-insensitive */
value = toupper(value);
}
for (i = 0; i < lookup_size; i++) { /* case-insensitive */
lookup_str = toupper(lookup_str);
}
if (strstr(value, lookup_str) != NULL) {
free(lookup_str);
return TRUE;
}
}
}
free(lookup_str);
return FALSE;
}
此代码样本的作者:pafish project
识别标志
[*]如果以下函数包含列表`注册表路径`的第二个参数:
[*]NtOpenKey(..., 注册表路径, ...)
并后跟对以下函数的调用,该函数带有表列“注册表键值”的第二个参数:
[*]NtQueryValueKey(..., registry_item, ...)
那么这就表明应用程序试图使用规避技术。
检测表
检查以下注册表值是否包含以下字符串(不区分大小写:
Detect注册表路径注册表键值字符串
HKLM\HARDWARE\Description\SystemSystemBiosDate06/23/99
HKLM\HARDWARE\Description\System\BIOSSystemProductNameA M I
BOCHSHKLM\HARDWARE\Description\SystemSystemBiosVersionBOCHS
HKLM\HARDWARE\Description\SystemVideoBiosVersionBOCHS
AnubisHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-337-8429955-22614
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-337-8429955-22614
CwSandboxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID76487-644-3177037-23510
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID76487-644-3177037-23510
JoeBoxHKLM\SOFTWARE\Microsoft\Windows\CurrentVersionProductID55274-640-2673064-23950
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionProductID55274-640-2673064-23950
ParallelsHKLM\HARDWARE\Description\SystemSystemBiosVersionPARALLELS
HKLM\HARDWARE\Description\SystemVideoBiosVersionPARALLELS
QEMUHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierQEMU
HKLM\HARDWARE\Description\SystemSystemBiosVersionQEMU
HKLM\HARDWARE\Description\SystemVideoBiosVersionQEMU
HKLM\HARDWARE\Description\System\BIOSSystemManufacturerQEMU
VirtualBoxHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOX
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOX
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVBOX
HKLM\HARDWARE\Description\SystemSystemBiosVersionVBOX
HKLM\HARDWARE\Description\SystemVideoBiosVersionVIRTUALBOX
HKLM\HARDWARE\Description\System\BIOSSystemProductNameVIRTUAL
HKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVBOX
HKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVBOX
HKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVBOX
HKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVBOX
HKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVBOX
HKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVBOX
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUAL
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVIRTUALBOX
VMwareHKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWARE
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWARE
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWARE
HKLM\HARDWARE\Description\SystemSystemBiosVersionVMWARE
HKLM\HARDWARE\Description\SystemSystemBiosVersionINTEL - 6040000
HKLM\HARDWARE\Description\SystemVideoBiosVersionVMWARE
HKLM\HARDWARE\Description\System\BIOSSystemProductNameVMware
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum0VMware
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum1VMware
HKLM\SYSTEM\ControlSet001\Services\Disk\EnumDeviceDescVMware
HKLM\SYSTEM\ControlSet001\Services\Disk\EnumFriendlyNameVMware
HKLM\SYSTEM\ControlSet002\Services\Disk\EnumDeviceDescVMware
HKLM\SYSTEM\ControlSet002\Services\Disk\EnumFriendlyNameVMware
HKLM\SYSTEM\ControlSet003\Services\Disk\EnumDeviceDescVMware
HKLM\SYSTEM\ControlSet003\Services\Disk\EnumFriendlyNameVMware
HKCR\Installer\ProductsProductNamevmware tools
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware tools
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware tools
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayNamevmware tools
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000CoInstallers32*vmx*
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescVMware*
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000InfSectionvmx*
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000ProviderNameVMware*
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\SettingsDevice DescriptionVMware*
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformationSystemProductNameVMWARE
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\VideoServicevm3dmp
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\VideoServicevmx_svga
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000Device DescriptionVMware SVGA*
XenHKLM\HARDWARE\Description\System\BIOSSystemProductNameXen
反制措施
拦截目标函数,如果指标(来自表格的注册表字符串)被检查,则返回适当的结果。
归功于
归功于开源项目,代码样本取自该项目。
[*]github上的pafish project
尽管Check Point工具InviZzzible已经实现了所有这些功能,但由于代码的模块化结构,需要更多的空间来展示这个工具的代码样本,以达到相同的目的。这就是为什么我们决定在整个百科全书中使用其他伟大的开源项目作为例子。
感谢楼主分享 感谢楼主分享 就不调用你说的这些写程序。。。
页:
[1]