November 25, 2012 in Malware Analysis
Seasoned malware analysts/reversers/crackers move along – you already know this stuff
Analyzing malware is always challenging, as there are a few dozen if not hundreds of different ways to detect the virtual environment and the other tools used by reversers during dynamic or in-depth analysis. Most of these can be picked up easily by malware looking for process names or registry keys, or by using one of the undocumented or semi-documented bugs/features of VMs (usually snippets of code that produce different results when executed on a real CPU vs. on a virtual CPU).
This short post describes a few ways to hide a VM (main focus on VMware) and the analysis tools, by hiding their files, processes and services, plus the registry keys/values associated with them.
Changing VM settings
It has been described quite well here.
Hiding Processes only
When HideToolz is active, the processes marked for hiding are not visible in Task Manager and can't be found by the normal process enumeration functions.
This is what HideToolz sees (processes marked with an asterisk are hidden)
And this is what Task Manager can see (Process Explorer as well)
Hiding Files, Folders, Processes, Services, Registry entries
When it comes to hiding more stuff, one can use help from the good ol’ Hacker Defender rootkit by HolyFather.
The rootkit uses a configuration file that allows specifying what we want hidden in the environment, and that includes:
- services and their associated registry entries
- registry keys/names/values
To set up Hacker Defender one needs to edit/change the default configuration file into something along these lines:
[Hidden Table]
hxd*
vmu*
vmt*
vmw*
tools*
procexp*
ollydbg*

[Root Processes]
hxd*
vmu*
vmt*
vmw*
tools*
procexp*
ollydbg*

[Hidden Services]
HackerDefender100
vmu*
vmt*
vmw*
procexp*

[Hidden RegKeys]
VMware, Inc.
Sysinternals

[Hidden RegValues]
vmu*
vmt*
vmw*

[Startup Run]

[Free Space]

[Hidden Ports]

[Settings]
Password=infected
BackdoorShell=cmd.exe
FileMappingName=_.-=[Hacker Defender]=-._
ServiceName=HackerDefender100
ServiceDisplayName=HXD Service 100
ServiceDescription=NT rootkit
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

[Comments]
The new configuration file can be now loaded:
From now on the hidden folders, files, registry keys/names/values, processes and services will be visible only to the processes listed in the [Root Processes] section; everything else browsing the file system, registry, process list or service list will not see them.
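Before relying on a configuration like the one above, it is worth checking which names in your own sandbox it actually covers. The script below is an added example (not code from the post or from Hacker Defender): it parses the ini-style sections and reports which of a constructed list of process and service names the [Hidden Table], [Root Processes] and [Hidden Services] patterns would match. It assumes the patterns are case-insensitive prefix wildcards and that [Hidden Table] is also applied to process names.

```python
import fnmatch

# Constructed sample: the hiding sections from the post, trimmed to what this check needs.
SAMPLE_CONFIG = """\
[Hidden Table]
hxd*
vmu*
vmt*
vmw*
tools*
procexp*
ollydbg*

[Root Processes]
hxd*
procexp*

[Hidden Services]
HackerDefender100
vmw*
vmt*
"""

# Constructed sample inventory of a sandbox guest (not taken from any real host).
SAMPLE_PROCESSES = ["vmtoolsd.exe", "VMwareTray.exe", "procexp.exe",
                    "ollydbg.exe", "explorer.exe", "wireshark.exe"]
SAMPLE_SERVICES = ["VMTools", "VMware Physical Disk Helper Service",
                   "HackerDefender100", "Spooler"]


def parse_hxdef_config(text):
    """Split an hxdef-style ini into {section name: [entry lines]}, skipping blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def matches_any(name, patterns):
    """Case-insensitive glob match (assumed to mirror how the rootkit compares names)."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def audit(config, processes, services):
    """Report what the config would hide and which processes keep the unfiltered 'root' view."""
    s = parse_hxdef_config(config)
    hidden, root, hsvc = (s.get(k, []) for k in ("Hidden Table", "Root Processes", "Hidden Services"))
    return {
        "hidden_processes": sorted(p for p in processes if matches_any(p, hidden)),
        "visible_processes": sorted(p for p in processes if not matches_any(p, hidden)),
        "root_processes": sorted(p for p in processes if matches_any(p, root)),
        "hidden_services": sorted(x for x in services if matches_any(x, hsvc)),
    }
```

Anything reported under visible_processes (here wireshark.exe) is a tool the config does not cover and that malware could still enumerate.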
Example: what Regedit sees before installing the rootkit:
and after its installation
What Task Manager sees before
and after rootkit installation
Obviously, the configuration I provided above is far from perfect. The VM-specific strings are all over the place inside the registry, so we need to do a bit more homework. It is also more than likely that your environment uses different paths and tools.
It would be ideal if VM product developers allowed analysts to completely hide the tools and the environment from the guest OS, e.g. by using simple randomization of file names, window titles, process names etc. - a simple technique used for years by many antirootkit tools, e.g. XUETR and GMER.