Hiding env./tools from malware a.k.a. fight fire with fire (but only inside VM)

November 25, 2012 in Malware Analysis

Seasoned malware analysts/reversers/crackers move along – you already know this stuff :-)

Analyzing malware is always challenging as there are a few dozen if not hundreds different ways to detect the virtual environment plus other tools used by reversers during dynamic or in-depth analysis – most of these can be easily picked up by malware looking for process names, registry keys, or using one of the undocumented, or semi-documented bugs/features of VMs (usually snippets of code producing different results when executed on a real CPU vs. on a virtual CPU).

This short post describes a few ways how to hide VM (main focus on VMWare) and tools – by hiding their files, processes, services + associated with them registry keys/values.

Changing VM settings

It has has been described quite well here.

Hiding Processes only

If you need to hide the process only, you can use HideToolz available for a download from Fyyre’s web site.

When the HideToolz is active, the processes marked for hiding are not visible in a Task Manager and can’t be found by normal process enumeration functions.

This is what HideToolz sees (processes marked with an asterisk are hidden)

 

And this is what Task Manager can see (Process Explorer as well)

Hiding Files, Folders, Processes, Services, Registry entries

When it comes to hiding more stuff, one can use help from the good ol’ Hacker Defender rootkit by HolyFather.

The rootkit uses a configuration file that allows to specify what we want hidden in the environment and that includes:

  • files/folders
  • processes
  • services and their associated registry entries
  • registry keys/names/values

To set up the Hacker Defender one needs to  edit/change the default configuration file into sth along these lines:

[Hidden Table]
hxd*
vmu*
vmt*
vmw*
tools*
procexp*
ollydbg*

[Root Processes]
hxd*
vmu*
vmt*
vmw*
tools*
procexp*
ollydbg*

[Hidden Services]
HackerDefender100
vmu*
vmt*
vmw*
procexp*

[Hidden RegKeys]
VMware, Inc.
Sysinternals

[Hidden RegValues]
vmu*
vmt*
vmw*

[Startup Run]

[Free Space]

[Hidden Ports]

[Settings]
Password=infected
BackdoorShell=cmd.exe
FileMappingName=_.-=[Hacker Defender]=-._
ServiceName=HackerDefender100
ServiceDisplayName=HXD Service 100
ServiceDescription=NT rootkit
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

[Comments]

The new configuration file can be now loaded:

hxdef100.exe hide.ini

And from now on browsing the folders, files, registry keys, names, values and processes, services lists will be available only to processes listed in  ‘root processes’ section.

Example: what Regedit sees before installing the rootkit:

and after its installation

What Task Manager sees before

and after rootkit installation

 

Obviously, the configuration I provided above is far from being perfect. The VM-specific strings are all over the place inside the registry, so we need to do a bit more of a home work. It is also more than likely that your environment uses different paths and tools.

It would be ideal if VM product developers allowed to completely hide the tools and the environment from the guest OS by e.g. using simple randomization of names, windows titles, processes’ names etc. -  a simple technique used for years by many antirootkit tools e.g. XUETR and GMER.

Comments are closed.