Sandboxing | Hexacorn

Wine is a free implementation of Windows on Unix. That’s what the Wine web site says. To a malware analyst though, Wine is a free analysis platform that can be leveraged to analyze Windows executables.

How so?

It’s all thanks to the various so-called debug channels that Wine offers. Some of these channels – when enabled – turn Wine into a fully-blown tracer, an API monitor, or a complete log madness that includes any possible messages from Wine.

I won’t cover here how to install Wine, but you should easily find a recipe online. Once installed, it’s ready for a few quick tests that will demonstrate its main monitoring features (from the malware analysts’ perspective):

Showing a list of loaded/unloaded modules (during run-time)
- ```
WINEDEBUG=+loaddll wine /mnt/<path>/notepad.exe
```
Showing list of API calls and their return values
- ```
WINEDEBUG=+relay wine /mnt/<path>/notepad.exe
```
Absolute tracing madness (yet still meaningful)
- ```
WINEDEBUG=+all wine /mnt/<path>/notepad.exe
```

A number of channels can be combined, f.ex. one can run the following command:

```
WINEDEBUG=+relay,+tid,+timestamp
```

to prepend the API log with a timestamp, and the TID (thread ID) of the current thread executing the API inside the process:

202729.726:0024:Call ntdll.RtlAllocateHeap(00110000,00000000,00000020) ret=7ed13224
202729.726:0024:Ret  ntdll.RtlAllocateHeap() retval=00118ac8 ret=7ed13224
202729.726:0024:Ret  rpcrt4.I_RpcGetBuffer() retval=00000000 ret=7ed57c45
202729.726:0024:Call rpcrt4.NdrServerContextNewMarshall(00b4e718,00119078,7ed55770,7ed612a4) ret=7ed57c81
202729.726:0024:Call ntdll.RtlFreeHeap(00110000,00000000,00118fc0) ret=7ed14071
202729.726:0024:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ed14071
202729.726:0024:Call ntdll.RtlReleaseResource(0011909c) ret=7ecfc83c
202729.726:0024:Ret  ntdll.RtlReleaseResource() retval=00000000 ret=7ecfc83c
202729.726:0024:Call ntdll.RtlDeleteResource(0011909c) ret=7ecfb4a7
202729.726:0024:Ret  ntdll.RtlDeleteResource() retval=00000000 ret=7ecfb4a7
202729.726:0024:Call ntdll.RtlFreeHeap(00110000,00000000,00119078) ret=7ecfb4bb
202729.726:0024:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecfb4bb
202729.726:0024:Ret  rpcrt4.NdrServerContextNewMarshall() retval=001166a8 ret=7ed57c81
202729.726:0024:Call ntdll.RtlAllocateHeap(00110000,00000008,00000018) ret=7ed03c9c
202729.726:0024:Ret  ntdll.RtlAllocateHeap() retval=00118c20 ret=7ed03c9c
202729.726:0024:Call ntdll.RtlAllocateHeap(00110000,00000008,00000030) ret=7ed04c44
202729.731:0024:Ret  ntdll.RtlAllocateHeap() retval=00118fc0 ret=7ed04c44
202729.731:0024:Call KERNEL32.WriteFile(00000024,00118fc0,00000030,00b4e748,00000000) ret=7ed0cc8f
202729.731:0018:Ret  KERNEL32.ReadFile() retval=00000001 ret=7ec72d02
202729.731:0018:Call ntdll.RtlAllocateHeap(00110000,00000000,00000018) ret=7ec6be06
202729.731:0018:Ret  ntdll.RtlAllocateHeap() retval=0011b888 ret=7ec6be06

A few notes at the end:

Wine supports both 64- and 32- Portable Executables
There are 400+ different channels; I will lie if I say that I know what all of them trace
Obviously, running executables under Wine is a subject to various sandbox detections, including these I described in the past.
The analysis could be automated to produce a decent sandbox report; while it can’t compete with commercial sandboxes, it may be a a decent solution for in-house analysis, especially for small companies (and as an alternative, complementary sandbox)
If combined with other free solutions, may provide a secondary sandbox for differential analysis i.e. certain artifacts could be compared between 2 sessions (f.ex. one in cuckoo and one in Wine) and help in highlighting ‘randomness’ of some artifacts f.ex. mutex names, files created, etc.
Since it is running natively on Linux, lots of tools are available out of the box that may help in scripting and data processing
The source code is available and you can modify it to your purposes (f.ex. add automatic yara rule generation for specific artifacts, automatic URL extraction, etc.)
Last, but not least – it won’t work with some executables – it still has bugs & features that are not implemented yet

All in all, yet another tool that may sometimes come handy.

Updated 2021-02-26

Added Avast libs

Updated 2020-06-22

Added ivm-inject.dll and log_api32. Andrew sent these long time ago, but I sat on it even longer. I finally managed to update the post & apologies to Andrew for this taking so long!!!

Updated 2019-10-17

And a few more additions from Andrew! RapportGP, RapportGP_x64, and aswhook. Thanks !

Updated 2019-09-20

Added a few more pointed out by Andrew! fshook32, aswhookx, aswhooka. Thanks!

Updated 2019-08-20

Added a few libraries pointed out by Andrew! ollydbg.dll vboxhook.dll, vghookx.dll and avghooka.dll. Thanks!

Updated 2018-07-14

Added apihex86.dll and apihex64.dll + apilogen.dll & amxread.dll

Updated 2017-12-17

Added makin library ahlo.dll

Updated 2017-11-18

Fixed incorrectly attributed iDefense Labs libs, added some 64- bit libs and updated descriptions

Old post

Detecting sandboxes is a cool domain for research. It’s been a fav topic for many companies to cover for many years in their blogs and there is… no end to it.

In this short summary, I’ll try to list all the phantom/real DLLs that anti-sandbox tricks rely on to detect suspicious, or at least unfriendly AV environment.

Some of them are very well known, some of them… less.

If you know any others, please do let me know.

Thank you!

Here they are:

a2hooks32 Emsisoft 32-bit
a2hooks64 Emsisoft 64-bit
adialhk Kaspersky Anti-Virus
amxread.dll Used by logman API Trace – API Tracing Manifest Read Library
AMSI.dll Used by Antimalware Scan Interface (AMSI)
aswAMSI.dll Used by Avast
anvirhook56 AnVir Software
apihex86.dll Used by logman API Trace (32-bit) – API Tracing X86 Hook Engine
apihex64.dll Used by logman API Trace (64-bit) – API Tracing x64 Hook Engine – also see this link
api_log iDefense Labs
apihookdll (Generic API Hooking DLL name)
apilogen.dll Used by logman API Trace – API Tracing Log Engine
apshook Cognizant Application Protection Hook
asho Library injected by makin
aswhook Avast Security Suite
avgrsstx AVG Internet Security
avcuf32 BitDefender 32-bit
avcuf64 BitDefender 64-bit
avghooka AVG (Link, Thx Andrew!)
avghookx AVG (Link, Thx Andrew!)
aswhooka.dll Avast (Link, Thx Andrew!)
aswhookx.dll Avast (Link, Thx Andrew!)
BgAgent BullGuard
cmdvrt32 Comodo 32-bit
cmdvrt64 Comodo 64-bit
cssdll32 Comodo (SafeSurf)
dbghelp Debug Help (Potentially used to detect sandboxing env)
desktopmessaging Sophos Anti-Virus
dir_watch iDefense Labs
eeconsumer Sophos Anti-Virus
fshook32 F-Secure (Link, Thx Andrew!)
guard32 Comodo 32-bit
guard64 Comodo 64-bit
hinthk HintSoft
iatloader API Override
icadapter Sophos Anti-Virus
icmanagement Sophos Anti-Virus
ieprot Rising Information Technology (IE Protector)
ivm-inject.dll Buster Sandbox Analyzer (Link, Link, Thx Andrew!)
kakatool Rising Information Technology
kloehk Kaspersky Anti-Virus (Outlook Express Hook)
kmon Rising Information Technology
log_api32 Buster Sandbox Analyzer (Link, Link, Thx Andrew!)
log_api64 Buster Sandbox Analyzer (Link, Thx Andrew!)
legacyconsumers Sophos Anti-Virus
mzvkbd Kaspersky Anti-Virus
ollydbg AVG (Link, Thx Andrew!)
pavshook Panda
PCTGMhk PC Tools
persistance Sophos Anti-Virus
pinvm PIN (Instrumentation Framework)
printfhelp Unknown Sandbox
psapi Possibly loaded to look for processes/modules
pstorec Possible SunBelt Sandbox (but also other sandboxes that preload DLLs)
QOEHook Qurb
R3HOOK Kaspersky Anti-Virus (Ring 3 Hooker)
rapport Trusteer
rapportGP Trusteer
rapportGP_x64 Trusteer
rooksbas Trusteer
sar1 Sophos Anti-Rootkit
sar2 Sophos Anti-Rootkit
sar3 Sophos Anti-Rootkit
sar4 Sophos Anti-Rootkit
savneutralres Sophos Anti-Virus
savreseng Sophos Anti-Virus
savshellext Sophos Anti-Virus 32-bit
savshellextx64 Sophos Anti-Virus 64-bit
sbie SandBoxie
sbie!ll SandBoxie
sbiedll SandBoxie
sbiedllx SandBoxie
scaneditfacade Sophos Anti-Virus
scanmanagement Sophos Anti-Virus
security Sophos Anti-Virus
sf2 Avast
sipsmanagement Sophos Anti-Virus
snxhk Avast
sophos_detoured Sophos Anti-Virus
sophos_detoured_x64 Sophos Anti-Virus
sophosbho Sophos Anti-Virus
sophosbhox64 Sophos Anti-Virus
sophtaineradapter Sophos Anti-Virus
ssleay32 Trusteer (could be a legitimate use of OpenSSL library though)
swi_filter Sophos Anti-Virus
swi_ifslsp Sophos Anti-Virus
swimanagement Sophos Anti-Virus
sxin Qihoo 360
systeminformation Sophos Anti-Virus
tamperprotectionmanagement Sophos Anti-Virus
threatdetection Sophos Anti-Virus
translators Sophos Anti-Virus
UMEngx86 Norton Sonar
VBOXHOOK VirtualBox (Sample; Thx Andrew!)
virusdetection Sophos Anti-Virus
vmcheck Virtual PC
vmhgfs VMWare
wbsys Stardock.Net (WindowBlinds)
wl_hdlr Agnitum (Outpost)
wl_hook Agnitum (Outpost)
wpcap Attempts ot WinPCAP library (possible sandbox detection)
wpespy Winsock Packet Editor (WPE)

A separate category is the OS DLLs. The technique that some malware relies on requires loading f.ex. ntdll.dll as a data file, parsing it manually as a PE file, then discovering its exports, finding the code of the API functions that are typically hooked, and eventually comparing that ‘static’ code with the code of the actually loaded library (in memory). This is a trick used by some older packers (AFAIR Themida), but also some custom (and typically advanced, since written in asm most of the time) malware.

Note: if you use this list in a commercial sandbox, please ensure you give a credit 🙂

Hexacorn

Hexacorn

Category Archives: Sandboxing

Malware analysis using Wine

Enter Sandbox – part 12: The Library of naughty libraries