{"id":3727,"date":"2016-07-01T23:45:19","date_gmt":"2016-07-01T23:45:19","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3727"},"modified":"2021-02-26T22:31:45","modified_gmt":"2021-02-26T22:31:45","slug":"enter-sandbox-part-12-the-library-of-naughty-libraries","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/07\/01\/enter-sandbox-part-12-the-library-of-naughty-libraries\/","title":{"rendered":"Enter Sandbox \u2013 part 12: The Library of naughty libraries"},"content":{"rendered":"<p><strong>Updated 2021-02-26<\/strong><\/p>\n<p>Added Avast libs<\/p>\n<p><strong>Updated 2020-06-22<\/strong><\/p>\n<p>Added ivm-inject.dll and log_api32. <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a> sent these a long time ago, but I sat on it even longer. I finally managed to update the post &amp; apologies to Andrew for this taking so long!!!<\/p>\n<p><strong>Updated 2019-10-17<\/strong><\/p>\n<p>And a few more additions from <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>! RapportGP, RapportGP_x64, and aswhook. Thanks!<\/p>\n<p><strong>Updated 2019-09-20<\/strong><\/p>\n<p>Added a few more pointed out by <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>! fshook32, aswhookx, aswhooka. Thanks!<\/p>\n<p><strong>Updated 2019-08-20<\/strong><\/p>\n<p>Added a few libraries pointed out by <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>! ollydbg.dll, vboxhook.dll, vghookx.dll and avghooka.dll. Thanks!<\/p>\n<p><strong>Updated 2018-07-14<\/strong><\/p>\n<p>Added apihex86.dll and apihex64.dll + apilogen.dll &amp; amxread.dll<\/p>\n<p><strong>Updated 2017-12-17<\/strong><\/p>\n<p>Added <a href=\"https:\/\/github.com\/secrary\/makin\">makin<\/a> library ahlo.dll<\/p>\n<p><strong>Updated 2017-11-18<\/strong><\/p>\n<p>Fixed incorrectly attributed iDefense Labs libs, added some 64-bit libs and updated descriptions<\/p>\n<p><strong>Old post<\/strong><\/p>\n<p>Detecting sandboxes is a cool domain for research. 
It&#8217;s been a fav topic for many companies to cover for many years in their blogs and there is&#8230; no end to it.<\/p>\n<p>In this short summary, I&#8217;ll try to list all the phantom\/real DLLs that anti-sandbox tricks rely on to detect a suspicious, or at least unfriendly, AV environment.<\/p>\n<p>Some of them are very well known, some of them&#8230; less.<\/p>\n<p>If you know any others, please do let me know.<\/p>\n<p>Thank you!<\/p>\n<p>Here they are:<\/p>\n<ul>\n<li>a2hooks32\u00a0\u00a0\u00a0 Emsisoft 32-bit<\/li>\n<li>a2hooks64 \u00a0\u00a0 Emsisoft 64-bit<\/li>\n<li>adialhk\u00a0\u00a0 \u00a0Kaspersky Anti-Virus<\/li>\n<li>amxread.dll\u00a0\u00a0\u00a0 Used by logman API Trace &#8211; API Tracing Manifest Read Library<\/li>\n<li>AMSI.dll\u00a0\u00a0 Used by Antimalware Scan Interface (AMSI)<\/li>\n<li>aswAMSI.dll\u00a0\u00a0 Used by Avast<\/li>\n<li>anvirhook56\u00a0\u00a0 \u00a0AnVir Software<\/li>\n<li>apihex86.dll\u00a0\u00a0\u00a0 Used by <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/06\/09\/logman-the-windows-volverine\/\">logman API Trace<\/a> (32-bit) &#8211; API Tracing X86 Hook Engine<\/li>\n<li>apihex64.dll\u00a0\u00a0 \u00a0Used by logman API Trace (64-bit) &#8211; API Tracing x64 Hook Engine &#8211; also see this <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/07\/13\/logman-api-trace-lame-anti-tracing-trick\/\">link<\/a><\/li>\n<li>api_log\u00a0\u00a0\u00a0 iDefense Labs<\/li>\n<li>apihookdll\u00a0\u00a0 \u00a0(Generic API Hooking DLL name)<\/li>\n<li>apilogen.dll\u00a0\u00a0\u00a0 Used by logman API Trace &#8211; API Tracing Log Engine<\/li>\n<li>apshook\u00a0\u00a0 \u00a0Cognizant Application Protection Hook<\/li>\n<li>asho\u00a0\u00a0\u00a0 Library injected by <a href=\"https:\/\/github.com\/secrary\/makin\">makin<\/a><\/li>\n<li>aswhook \u00a0\u00a0 Avast Security Suite<\/li>\n<li>avgrsstx\u00a0\u00a0 \u00a0AVG Internet Security<\/li>\n<li>avcuf32\u00a0\u00a0 \u00a0BitDefender 32-bit<\/li>\n<li>avcuf64 \u00a0\u00a0 BitDefender 
64-bit<\/li>\n<li>avghooka \u00a0\u00a0 AVG (<a href=\"https:\/\/github.com\/LordNoteworthy\/al-khaser\">Link<\/a>, Thx <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>!)<\/li>\n<li>avghookx \u00a0\u00a0 AVG (<a href=\"https:\/\/github.com\/LordNoteworthy\/al-khaser\">Link<\/a>, Thx <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>!)<\/li>\n<li>aswhooka.dll \u00a0\u00a0 Avast (<a href=\"https:\/\/www.vkremez.com\/2018\/07\/lets-learn-in-depth-reversing-of-qakbot.html\">Link<\/a>, Thx <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>!)<\/li>\n<li>aswhookx.dll \u00a0\u00a0 Avast (<a href=\"https:\/\/www.vkremez.com\/2018\/07\/lets-learn-in-depth-reversing-of-qakbot.html\">Link<\/a>, Thx <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>!)<\/li>\n<li>BgAgent\u00a0\u00a0\u00a0 BullGuard<\/li>\n<li>cmdvrt32 \u00a0\u00a0 Comodo 32-bit<\/li>\n<li>cmdvrt64 \u00a0\u00a0 Comodo 64-bit<\/li>\n<li>cssdll32\u00a0\u00a0 \u00a0Comodo (SafeSurf)<\/li>\n<li>dbghelp\u00a0\u00a0 \u00a0Debug Help (Potentially used to detect sandboxing env)<\/li>\n<li>desktopmessaging\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>dir_watch\u00a0\u00a0\u00a0 iDefense Labs<\/li>\n<li>eeconsumer\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>fshook32 \u00a0\u00a0 F-Secure (<a href=\"https:\/\/www.vkremez.com\/2018\/07\/lets-learn-in-depth-reversing-of-qakbot.html\">Link<\/a>, Thx <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>!)<\/li>\n<li>guard32\u00a0\u00a0 \u00a0Comodo 32-bit<\/li>\n<li>guard64 \u00a0\u00a0 Comodo 64-bit<\/li>\n<li>hinthk\u00a0\u00a0 \u00a0HintSoft<\/li>\n<li>iatloader\u00a0\u00a0 \u00a0API Override<\/li>\n<li>icadapter\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>icmanagement\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>ieprot\u00a0\u00a0 \u00a0Rising Information Technology (IE Protector)<\/li>\n<li>ivm-inject.dll\u00a0 Buster Sandbox Analyzer (<a href=\"https:\/\/malwareandstuff.com\/an-old-enemy-diving-into-qbot-part-2\/\">Link<\/a>, <a 
href=\"https:\/\/bsa.isoftware.nl\/frame5.htm\">Link<\/a>, Thx <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>!)<\/li>\n<li>kakatool\u00a0\u00a0 \u00a0Rising Information Technology<\/li>\n<li>kloehk\u00a0\u00a0 \u00a0Kaspersky Anti-Virus (Outlook Express Hook)<\/li>\n<li>kmon\u00a0\u00a0 \u00a0Rising Information Technology<\/li>\n<li>log_api32 \u00a0 Buster Sandbox Analyzer (<a href=\"https:\/\/www.vkremez.com\/2017\/11\/lets-learn-lethic-spambot-survey-of.html\">Link<\/a>, <a href=\"https:\/\/bsa.isoftware.nl\/frame5.htm\">Link<\/a>, Thx <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>!)<\/li>\n<li>log_api64 \u00a0 Buster Sandbox Analyzer (<a href=\"https:\/\/bsa.isoftware.nl\/frame5.htm\">Link<\/a>, Thx <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>!)<\/li>\n<li>legacyconsumers\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>mzvkbd\u00a0\u00a0 \u00a0Kaspersky Anti-Virus<\/li>\n<li>ollydbg \u00a0\u00a0 AVG (<a href=\"https:\/\/www.kernelmode.info\/forum\/viewtopic.php?t=2157&amp;start=10\">Link<\/a>, Thx <a href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>!)<\/li>\n<li>pavshook\u00a0\u00a0 \u00a0Panda<\/li>\n<li>PCTGMhk\u00a0\u00a0 \u00a0PC Tools<\/li>\n<li>persistance\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>pinvm\u00a0\u00a0 \u00a0PIN (Instrumentation Framework)<\/li>\n<li>printfhelp\u00a0\u00a0 \u00a0Unknown Sandbox<\/li>\n<li>psapi\u00a0\u00a0 \u00a0Possibly loaded to look for processes\/modules<\/li>\n<li>pstorec\u00a0\u00a0 \u00a0Possible SunBelt Sandbox (but also other sandboxes that preload DLLs)<\/li>\n<li>QOEHook\u00a0\u00a0\u00a0 Qurb<\/li>\n<li>R3HOOK\u00a0\u00a0 \u00a0Kaspersky Anti-Virus (Ring 3 Hooker)<\/li>\n<li>rapport\u00a0\u00a0 \u00a0Trusteer<\/li>\n<li>rapportGP \u00a0\u00a0 Trusteer<\/li>\n<li>rapportGP_x64 \u00a0\u00a0 Trusteer<\/li>\n<li>rooksbas\u00a0\u00a0 \u00a0Trusteer<\/li>\n<li>sar1\u00a0\u00a0 \u00a0Sophos Anti-Rootkit<\/li>\n<li>sar2\u00a0\u00a0 \u00a0Sophos Anti-Rootkit<\/li>\n<li>sar3\u00a0\u00a0 
\u00a0Sophos Anti-Rootkit<\/li>\n<li>sar4\u00a0\u00a0 \u00a0Sophos Anti-Rootkit<\/li>\n<li>savneutralres\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>savreseng\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>savshellext\u00a0\u00a0 \u00a0Sophos Anti-Virus 32-bit<\/li>\n<li>savshellextx64\u00a0\u00a0 \u00a0Sophos Anti-Virus 64-bit<\/li>\n<li>sbie\u00a0\u00a0 \u00a0SandBoxie<\/li>\n<li>sbie!ll\u00a0\u00a0 \u00a0SandBoxie<\/li>\n<li>sbiedll\u00a0\u00a0 \u00a0SandBoxie<\/li>\n<li>sbiedllx\u00a0\u00a0 \u00a0SandBoxie<\/li>\n<li>scaneditfacade\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>scanmanagement\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>security\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>sf2 \u00a0\u00a0 Avast<\/li>\n<li>sipsmanagement\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>snxhk\u00a0\u00a0 \u00a0Avast<\/li>\n<li>sophos_detoured\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>sophos_detoured_x64\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>sophosbho\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>sophosbhox64\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>sophtaineradapter\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>ssleay32\u00a0\u00a0 \u00a0Trusteer (could be a legitimate use of OpenSSL library though)<\/li>\n<li>swi_filter\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>swi_ifslsp\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>swimanagement\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>sxin\u00a0\u00a0\u00a0 Qihoo 360<\/li>\n<li>systeminformation\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>tamperprotectionmanagement\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>threatdetection\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>translators\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>UMEngx86\u00a0\u00a0 \u00a0Norton Sonar<\/li>\n<li>VBOXHOOK \u00a0\u00a0 VirtualBox (<a href=\"https:\/\/www.virustotal.com\/gui\/file\/562a08fcd541e751621dc4b64e68ad055d689e70c6aa1b668c64fd42d3003ba0\/behavior\/Yomi%20Hunter\">Sample<\/a>; Thx <a 
href=\"https:\/\/twitter.com\/SmugYeti\">Andrew<\/a>!)<\/li>\n<li>virusdetection\u00a0\u00a0 \u00a0Sophos Anti-Virus<\/li>\n<li>vmcheck\u00a0\u00a0 \u00a0Virtual PC<\/li>\n<li>vmhgfs\u00a0\u00a0 \u00a0VMWare<\/li>\n<li>wbsys\u00a0\u00a0 \u00a0Stardock.Net (WindowBlinds)<\/li>\n<li>wl_hdlr\u00a0\u00a0 \u00a0Agnitum (Outpost)<\/li>\n<li>wl_hook\u00a0\u00a0 \u00a0Agnitum (Outpost)<\/li>\n<li>wpcap\u00a0\u00a0 \u00a0Attempts to load WinPCAP library (possible sandbox detection)<\/li>\n<li>wpespy\u00a0\u00a0 \u00a0Winsock Packet Editor (WPE)<\/li>\n<\/ul>\n<p>A separate category is the OS DLLs. The technique that some malware relies on requires loading e.g. ntdll.dll as a data file, parsing it manually as a PE file, then discovering its exports, finding the code of the API functions that are typically hooked, and eventually comparing that &#8216;static&#8217; code with the code of the actually loaded library (in memory). This is a trick used by some older packers (AFAIR Themida), but also by some custom (and typically advanced, since written in asm most of the time) malware.<\/p>\n<p>Note: if you use this list in a commercial sandbox, please ensure you give credit \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Updated 2021-02-26 Added Avast libs Updated 2020-06-22 Added ivm-inject.dll and log_api32. Andrew sent these a long time ago, but I sat on it even longer. I finally managed to update the post &amp; apologies to Andrew for this taking so long!!! 
&hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/07\/01\/enter-sandbox-part-12-the-library-of-naughty-libraries\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,39,41],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3727"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3727"}],"version-history":[{"count":20,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3727\/revisions"}],"predecessor-version":[{"id":7727,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3727\/revisions\/7727"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}