Enter Sandbox – part 12: The Library of naughty libraries

July 1, 2016 in Batch Analysis, Clustering, Sandboxing

Updated 2021-02-26

Added Avast libs

Updated 2020-06-22

Added ivm-inject.dll and log_api32. Andrew sent these long time ago, but I sat on it even longer. I finally managed to update the post & apologies to Andrew for this taking so long!!!

Updated 2019-10-17

And a few more additions from Andrew! RapportGP, RapportGP_x64, and aswhook. Thanks !

Updated 2019-09-20

Added a few more pointed out by Andrew! fshook32, aswhookx, aswhooka. Thanks!

Updated 2019-08-20

Added a few libraries pointed out by Andrew! ollydbg.dll vboxhook.dll, vghookx.dll and avghooka.dll. Thanks!

Updated 2018-07-14

Added apihex86.dll and apihex64.dll + apilogen.dll & amxread.dll

Updated 2017-12-17

Added makin library ahlo.dll

Updated 2017-11-18

Fixed incorrectly attributed iDefense Labs libs, added some 64- bit libs and updated descriptions

Old post

Detecting sandboxes is a cool domain for research. It’s been a fav topic for many companies to cover for many years in their blogs and there is… no end to it.

In this short summary, I’ll try to list all the phantom/real DLLs that anti-sandbox tricks rely on to detect suspicious, or at least unfriendly AV environment.

Some of them are very well known, some of them… less.

If you know any others, please do let me know.

Thank you!

Here they are:

  • a2hooks32    Emsisoft 32-bit
  • a2hooks64    Emsisoft 64-bit
  • adialhk    Kaspersky Anti-Virus
  • amxread.dll    Used by logman API Trace – API Tracing Manifest Read Library
  • AMSI.dll   Used by Antimalware Scan Interface (AMSI)
  • aswAMSI.dll   Used by Avast
  • anvirhook56    AnVir Software
  • apihex86.dll    Used by logman API Trace (32-bit) – API Tracing X86 Hook Engine
  • apihex64.dll    Used by logman API Trace (64-bit) – API Tracing x64 Hook Engine – also see this link
  • api_log    iDefense Labs
  • apihookdll    (Generic API Hooking DLL name)
  • apilogen.dll    Used by logman API Trace – API Tracing Log Engine
  • apshook    Cognizant Application Protection Hook
  • asho    Library injected by makin
  • aswhook    Avast Security Suite
  • avgrsstx    AVG Internet Security
  • avcuf32    BitDefender 32-bit
  • avcuf64    BitDefender 64-bit
  • avghooka    AVG (Link, Thx Andrew!)
  • avghookx    AVG (Link, Thx Andrew!)
  • aswhooka.dll    Avast (Link, Thx Andrew!)
  • aswhookx.dll    Avast (Link, Thx Andrew!)
  • BgAgent    BullGuard
  • cmdvrt32    Comodo 32-bit
  • cmdvrt64    Comodo 64-bit
  • cssdll32    Comodo (SafeSurf)
  • dbghelp    Debug Help (Potentially used to detect sandboxing env)
  • desktopmessaging    Sophos Anti-Virus
  • dir_watch    iDefense Labs
  • eeconsumer    Sophos Anti-Virus
  • fshook32    F-Secure (Link, Thx Andrew!)
  • guard32    Comodo 32-bit
  • guard64    Comodo 64-bit
  • hinthk    HintSoft
  • iatloader    API Override
  • icadapter    Sophos Anti-Virus
  • icmanagement    Sophos Anti-Virus
  • ieprot    Rising Information Technology (IE Protector)
  • ivm-inject.dll  Buster Sandbox Analyzer (Link, Link, Thx Andrew!)
  • kakatool    Rising Information Technology
  • kloehk    Kaspersky Anti-Virus (Outlook Express Hook)
  • kmon    Rising Information Technology
  • log_api32   Buster Sandbox Analyzer (Link, Link, Thx Andrew!)
  • log_api64   Buster Sandbox Analyzer (Link, Thx Andrew!)
  • legacyconsumers    Sophos Anti-Virus
  • mzvkbd    Kaspersky Anti-Virus
  • ollydbg    AVG (Link, Thx Andrew!)
  • pavshook    Panda
  • PCTGMhk    PC Tools
  • persistance    Sophos Anti-Virus
  • pinvm    PIN (Instrumentation Framework)
  • printfhelp    Unknown Sandbox
  • psapi    Possibly loaded to look for processes/modules
  • pstorec    Possible SunBelt Sandbox (but also other sandboxes that preload DLLs)
  • QOEHook    Qurb
  • R3HOOK    Kaspersky Anti-Virus (Ring 3 Hooker)
  • rapport    Trusteer
  • rapportGP    Trusteer
  • rapportGP_x64    Trusteer
  • rooksbas    Trusteer
  • sar1    Sophos Anti-Rootkit
  • sar2    Sophos Anti-Rootkit
  • sar3    Sophos Anti-Rootkit
  • sar4    Sophos Anti-Rootkit
  • savneutralres    Sophos Anti-Virus
  • savreseng    Sophos Anti-Virus
  • savshellext    Sophos Anti-Virus 32-bit
  • savshellextx64    Sophos Anti-Virus 64-bit
  • sbie    SandBoxie
  • sbie!ll    SandBoxie
  • sbiedll    SandBoxie
  • sbiedllx    SandBoxie
  • scaneditfacade    Sophos Anti-Virus
  • scanmanagement    Sophos Anti-Virus
  • security    Sophos Anti-Virus
  • sf2    Avast
  • sipsmanagement    Sophos Anti-Virus
  • snxhk    Avast
  • sophos_detoured    Sophos Anti-Virus
  • sophos_detoured_x64    Sophos Anti-Virus
  • sophosbho    Sophos Anti-Virus
  • sophosbhox64    Sophos Anti-Virus
  • sophtaineradapter    Sophos Anti-Virus
  • ssleay32    Trusteer (could be a legitimate use of OpenSSL library though)
  • swi_filter    Sophos Anti-Virus
  • swi_ifslsp    Sophos Anti-Virus
  • swimanagement    Sophos Anti-Virus
  • sxin    Qihoo 360
  • systeminformation    Sophos Anti-Virus
  • tamperprotectionmanagement    Sophos Anti-Virus
  • threatdetection    Sophos Anti-Virus
  • translators    Sophos Anti-Virus
  • UMEngx86    Norton Sonar
  • VBOXHOOK    VirtualBox (Sample; Thx Andrew!)
  • virusdetection    Sophos Anti-Virus
  • vmcheck    Virtual PC
  • vmhgfs    VMWare
  • wbsys    Stardock.Net (WindowBlinds)
  • wl_hdlr    Agnitum (Outpost)
  • wl_hook    Agnitum (Outpost)
  • wpcap    Attempts ot WinPCAP library (possible sandbox detection)
  • wpespy    Winsock Packet Editor (WPE)

A separate category is the OS DLLs. The technique that some malware relies on requires loading f.ex. ntdll.dll as a data file, parsing it manually as a PE file, then discovering its exports, finding the code of the API functions that are typically hooked, and eventually comparing that ‘static’ code with the code of the actually loaded library (in memory). This is a trick used by some older packers (AFAIR Themida), but also some custom (and typically advanced, since written in asm most of the time) malware.

Note: if you use this list in a commercial sandbox, please ensure you give a credit 🙂

Comments are closed.