-
-
[原创] [翻译]规避技术:注册表
-
2021-5-17 16:32 12502
-
备注
原文地址:Evasions: Registry (checkpoint.com)
原文标题:Evasions: Registry
更新日期:2021年5月17日
此文后期:根据自身所学进行内容扩充
因自身技术有限,只能尽自身所能翻译国外技术文章,供大家学习,若有不当或可完善的地方,希望可以指出,用于共同完善这篇文章。
目录
注册表检测方法
1.检查是否存在特定的注册表路径
2. 检查特定的注册表键是否包含指定的字符串
反制措施
归功于
注册表检测方法
所有注册表检测方法的原则如下:在通常的主机中没有这样的注册表键和值。然而,它们存在于特定的虚拟环境中。
有时,通常的系统在应用这些检查时可能会导致误报,因为它安装了一些虚拟机,因此系统中存在一些虚拟机的工件。尽管在所有其他方面,这样的系统与虚拟环境相比是干净的。
注册表键可以通过WinAPI调用查询。
kernel32.dll中使用的函数:
- RegOpenKey
- RegOpenKeyEx
- RegQueryValue
- RegQueryValueEx
- RegCloseKey
- RegEnumKeyEx
上面的函数是在以下ntdll.dll函数之上的wrappers:
- NtOpenKey
- NtEnumerateKey
- NtQueryValueKey
- NtClose
1.检查是否存在特定的注册表路径
请看标题部分,以获取使用的函数列表。
代码样本:
/* sample of usage: see detection of VirtualBox in the table below to check registry path */ int vbox_reg_key7() { return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__"); } /* code is taken from "pafish" project, see references on the parent page */ int pafish_exists_regkey(HKEY hKey, char * regkey_s) { HKEY regkey; LONG ret; /* regkey_s == "HARDWARE\\ACPI\\FADT\\VBOX__"; */ if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { RegCloseKey(regkey); return TRUE; } else return FALSE; }
此代码样本的作者:pafish project
识别标志
如果以下函数包含列表`注册表路径`的第二个参数
- NtOpenKey(..., registry_path, ...)
那么这就表明应用程序试图使用规避技术。
检测表
检查是否存在以下注册表路径: | ||
检测 | 注册表路径(registry path) | 细节(如果有的话) |
[general] | HKLM\Software\Classes\Folder\shell\sandbox | |
Hyper-V | HKLM\SOFTWARE\Microsoft\Hyper-V | |
HKLM\SOFTWARE\Microsoft\VirtualMachine | ||
HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters | 通常 "HostName "和 "VirtualMachineName "的值是在这个路径下读取的。 | |
HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat | ||
HKLM\SYSTEM\ControlSet001\Services\vmicvss | ||
HKLM\SYSTEM\ControlSet001\Services\vmicshutdown | ||
HKLM\SYSTEM\ControlSet001\Services\vmicexchange | ||
Parallels | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8* | 子键有以下结构 VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
Sandboxie | HKLM\SYSTEM\CurrentControlSet\Services\SbieDrv | |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie | ||
VirtualBox | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE* | 子键有以下结构: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
HKLM\HARDWARE\ACPI\DSDT\VBOX__ | ||
HKLM\HARDWARE\ACPI\FADT\VBOX__ | ||
HKLM\HARDWARE\ACPI\RSDT\VBOX__ | ||
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions | ||
HKLM\SYSTEM\ControlSet001\Services\VBoxGuest | ||
HKLM\SYSTEM\ControlSet001\Services\VBoxMouse | ||
HKLM\SYSTEM\ControlSet001\Services\VBoxService | ||
HKLM\SYSTEM\ControlSet001\Services\VBoxSF | ||
HKLM\SYSTEM\ControlSet001\Services\VBoxVideo | ||
VirtualPC | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333* | 子键有以下结构: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
HKLM\SYSTEM\ControlSet001\Services\vpcbus | ||
HKLM\SYSTEM\ControlSet001\Services\vpc-s3 | ||
HKLM\SYSTEM\ControlSet001\Services\vpcuhub | ||
HKLM\SYSTEM\ControlSet001\Services\msvmmouf | ||
VMware | HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD* | 子键有以下结构: VEN_XXXX&DEV_YYYY&SUBSYS_ZZZZ&REV_WW |
HKCU\SOFTWARE\VMware, Inc.\VMware Tools | ||
HKLM\SOFTWARE\VMware, Inc.\VMware Tools | ||
HKLM\SYSTEM\ControlSet001\Services\vmdebug | ||
HKLM\SYSTEM\ControlSet001\Services\vmmouse | ||
HKLM\SYSTEM\ControlSet001\Services\VMTools | ||
HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL | ||
HKLM\SYSTEM\ControlSet001\Services\vmware | ||
HKLM\SYSTEM\ControlSet001\Services\vmci | ||
HKLM\SYSTEM\ControlSet001\Services\vmx86 | ||
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD* | ||
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD* | ||
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive* | ||
HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive* | ||
Wine | HKCU\SOFTWARE\Wine | |
HKLM\SOFTWARE\Wine | ||
Xen | HKLM\HARDWARE\ACPI\DSDT\xen | |
HKLM\HARDWARE\ACPI\FADT\xen | ||
HKLM\HARDWARE\ACPI\RSDT\xen | ||
HKLM\SYSTEM\ControlSet001\Services\xenevtchn | ||
HKLM\SYSTEM\ControlSet001\Services\xennet | ||
HKLM\SYSTEM\ControlSet001\Services\xennet6 | ||
HKLM\SYSTEM\ControlSet001\Services\xensvc | ||
HKLM\SYSTEM\ControlSet001\Services\xenvdb |
在特殊情况下,恶意软件可能会列举子键并检查子键的名称是否包含某些字符串,而不是检查指定的键是否存在。
例如:列举 "HKLM\SYSTEM\ControlSet001\Services\"的子键并搜索 "VBox "字符串。
2. 检查特定的注册表键值是否包含指定的字符串
请看标题部分,以获得所使用的函数列表。请注意,大小写与这些检查无关:它可以是大写或小写。
代码样本:
/* sample of usage: see detection of VirtualBox in the table below to check registry path and key values */ int vbox_reg_key2() { return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX"); } /* code is taken from "pafish" project, see references on the parent page */ int pafish_exists_regkey_value_str(HKEY hKey, char * regkey_s, char * value_s, char * lookup) { /* regkey_s == "HARDWARE\\Description\\System"; value_s == "SystemBiosVersion"; lookup == "VBOX"; */ HKEY regkey; LONG ret; DWORD size; char value[1024], * lookup_str; size_t lookup_size; lookup_size = strlen(lookup); lookup_str = malloc(lookup_size+sizeof(char)); strncpy(lookup_str, lookup, lookup_size+sizeof(char)); size = sizeof(value); /* regkey_s == "HARDWARE\\Description\\System"; */ if (pafish_iswow64()) { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, ®key); } else { ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key); } if (ret == ERROR_SUCCESS) { /* value_s == "SystemBiosVersion"; */ ret = RegQueryValueEx(regkey, value_s, NULL, NULL, (BYTE*)value, &size); RegCloseKey(regkey); if (ret == ERROR_SUCCESS) { size_t i; for (i = 0; i < strlen(value); i++) { /* case-insensitive */ value[i] = toupper(value[i]); } for (i = 0; i < lookup_size; i++) { /* case-insensitive */ lookup_str[i] = toupper(lookup_str[i]); } if (strstr(value, lookup_str) != NULL) { free(lookup_str); return TRUE; } } } free(lookup_str); return FALSE; }
此代码样本的作者:pafish project
识别标志
如果以下函数包含列表`注册表路径`的第二个参数:
NtOpenKey(..., 注册表路径, ...)
并后跟对以下函数的调用,该函数带有表列“注册表键值”的第二个参数:
- NtQueryValueKey(..., registry_item, ...)
那么这就表明应用程序试图使用规避技术。
检测表
检查以下注册表值是否包含以下字符串(不区分大小写: | |||
Detect | 注册表路径 | 注册表键值 | 字符串 |
[general] | HKLM\HARDWARE\Description\System | SystemBiosDate | 06/23/99 |
HKLM\HARDWARE\Description\System\BIOS | SystemProductName | A M I | |
BOCHS | HKLM\HARDWARE\Description\System | SystemBiosVersion | BOCHS |
HKLM\HARDWARE\Description\System | VideoBiosVersion | BOCHS | |
Anubis | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-337-8429955-22614 |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-337-8429955-22614 | |
CwSandbox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 76487-644-3177037-23510 |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 76487-644-3177037-23510 | |
JoeBox | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion | ProductID | 55274-640-2673064-23950 |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductID | 55274-640-2673064-23950 | |
Parallels | HKLM\HARDWARE\Description\System | SystemBiosVersion | PARALLELS |
HKLM\HARDWARE\Description\System | VideoBiosVersion | PARALLELS | |
QEMU | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | QEMU |
HKLM\HARDWARE\Description\System | SystemBiosVersion | QEMU | |
HKLM\HARDWARE\Description\System | VideoBiosVersion | QEMU | |
HKLM\HARDWARE\Description\System\BIOS | SystemManufacturer | QEMU | |
VirtualBox | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX |
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX | |
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VBOX | |
HKLM\HARDWARE\Description\System | SystemBiosVersion | VBOX | |
HKLM\HARDWARE\Description\System | VideoBiosVersion | VIRTUALBOX | |
HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VIRTUAL | |
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VBOX | |
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VBOX | |
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VBOX | |
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VBOX | |
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VBOX | |
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VBOX | |
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUAL | |
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VIRTUALBOX | |
VMware | HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE |
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE | |
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 | Identifier | VMWARE | |
HKLM\HARDWARE\Description\System | SystemBiosVersion | VMWARE | |
HKLM\HARDWARE\Description\System | SystemBiosVersion | INTEL - 6040000 | |
HKLM\HARDWARE\Description\System | VideoBiosVersion | VMWARE | |
HKLM\HARDWARE\Description\System\BIOS | SystemProductName | VMware | |
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 0 | VMware | |
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | 1 | VMware | |
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | DeviceDesc | VMware | |
HKLM\SYSTEM\ControlSet001\Services\Disk\Enum | FriendlyName | VMware | |
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | DeviceDesc | VMware | |
HKLM\SYSTEM\ControlSet002\Services\Disk\Enum | FriendlyName | VMware | |
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | DeviceDesc | VMware | |
HKLM\SYSTEM\ControlSet003\Services\Disk\Enum | FriendlyName | VMware | |
HKCR\Installer\Products | ProductName | vmware tools | |
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools | |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools | |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | DisplayName | vmware tools | |
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | CoInstallers32 | *vmx* | |
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | DriverDesc | VMware* | |
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | InfSection | vmx* | |
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 | ProviderName | VMware* | |
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings | Device Description | VMware* | |
HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation | SystemProductName | VMWARE | |
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vm3dmp | |
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\Video | Service | vmx_svga | |
HKLM\SYSTEM\CurrentControlSet\Control\Video\{GUID}\0000 | Device Description | VMware SVGA* | |
Xen | HKLM\HARDWARE\Description\System\BIOS | SystemProductName | Xen |
反制措施
拦截目标函数,如果指标(来自表格的注册表字符串)被检查,则返回适当的结果。
归功于
归功于开源项目,代码样本取自该项目。
- github上的pafish project
尽管Check Point工具InviZzzible已经实现了所有这些功能,但由于代码的模块化结构,需要更多的空间来展示这个工具的代码样本,以达到相同的目的。这就是为什么我们决定在整个百科全书中使用其他伟大的开源项目作为例子。
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。