- Forum
- Windows Programming
- [CODE] Sandbox Detection [/CODE]
[CODE] Sandbox Detection [/CODE]
closed account (ozUkoG1T)
Hi,
Today I will be posting a code snippet of SandBox Detection. When I do my analysis of Computer Worms such as Conficker and such. Those Worms tend to have a built in SandBox Detector which makes sure the Worm does not show it's existence to the SandBox this is simple done via exiting process. This is not only implemented on Worms but to Anti-Virus as well. The reason because is due to many Worms out there trying to sandbox AV (Anti-Virus) & Destroy them.
So I have made a SandBox Detection Program:
Code Snippet:
Usage in Program:
NOTE: This is a Generic Detection of a SandBox.
Feel free to implement this into your projects.
Kind Regards,
Today I will be posting a code snippet of SandBox Detection. When I do my analysis of Computer Worms such as Conficker and such. Those Worms tend to have a built in SandBox Detector which makes sure the Worm does not show it's existence to the SandBox this is simple done via exiting process. This is not only implemented on Worms but to Anti-Virus as well. The reason because is due to many Worms out there trying to sandbox AV (Anti-Virus) & Destroy them.
So I have made a SandBox Detection Program:
Code Snippet:
|
|
Usage in Program:
|
|
NOTE: This is a Generic Detection of a SandBox.
Feel free to implement this into your projects.
Kind Regards,
Last edited on
Don't forget to include windows.h and winbase.h
EDIT: How about a little explanation about this code by the way? It looks like you're trying to see if "CreateProcessA" is found at a specific place in memory, but since the Kernel32.dll is loaded in the same place for all processes don't you think you would want to see if it's NOT loaded in a specific place?
EDIT2: This did not detect that it was being run inside of Sandboxie: http://www.brothersoft.com/download-sandboxie-60880.html
EDIT: How about a little explanation about this code by the way? It looks like you're trying to see if "CreateProcessA" is found at a specific place in memory, but since the Kernel32.dll is loaded in the same place for all processes don't you think you would want to see if it's NOT loaded in a specific place?
EDIT2: This did not detect that it was being run inside of Sandboxie: http://www.brothersoft.com/download-sandboxie-60880.html
Last edited on
closed account (ozUkoG1T)
Yeah , but most people who have the knowledge, like you would include it also winbase.h is actually in windows.h so I tend not to add it considering I am very cautious about my memory usage so , I try to keep the memory low as I can.
Also all this code does it tries to find if CreateProcessA is in a specific place in the memory. Many of the Sandboxes out there tend to always put CreateProcessA in a specific place in the memory which is 0xE9. Well , this uses simple heuristic's to locate if this program is running under sandbox. Other Sandbox detectors simply try do some wierd actions to show if they are in sandbox but this simples checks memory for CreateProcessA.
Well, you see in the specific sandbox you pointed to me is one of the most secure SandBoxes out there since the CreateProcessA and other functions telling if it is a SandBox is in a different memory location to the common ones. This Sandbox is one of the best I can vouch for it myself.
As I said it uses heuritics and guessing to see if it is in a sandbox. & As some people here know heuristics can be funny at times such as this. If you want a prime example of failure heuristic scan results just download some DLL injector or such and scan that with your favorite Anti-Virus , Must support heuristic scanning, then see the results most AV tend to give False-Positives.
Many of the Rootkits I have made in past Hooking functions such as NtQuerySystemInformation() & other NT system calls tend to never get positive for Malware but when I make a simple Injector which is non-Malicious always tend to get falsified results. The reason for this is Heuristic scans work in a way like this:
1. The scanner , using heuristics , look at all the tell tale signs of a Malware[s] so these include:
- Finding Internet Bandwidth Consumption via GetTcpTable() function
- Finding all the Registry keys.
- Translating the EXE or DLL into hex format then scanning the Hex format for known Malware signatures
- Finding if the EXE has a security Clearance so a verified certificate. A worm like Stuxnet was hard to detect since it had a real security clearance.
- Finding all recent Injection activity
- Finding all the hooking activity
These are the tell tale signs.
Mine uses very very very simple heuristic scan to find if it is a sandbox and it is generic and not programmed for one sandbox software so that's the reason behind this result.
Also all this code does it tries to find if CreateProcessA is in a specific place in the memory. Many of the Sandboxes out there tend to always put CreateProcessA in a specific place in the memory which is 0xE9. Well , this uses simple heuristic's to locate if this program is running under sandbox. Other Sandbox detectors simply try do some wierd actions to show if they are in sandbox but this simples checks memory for CreateProcessA.
Well, you see in the specific sandbox you pointed to me is one of the most secure SandBoxes out there since the CreateProcessA and other functions telling if it is a SandBox is in a different memory location to the common ones. This Sandbox is one of the best I can vouch for it myself.
As I said it uses heuritics and guessing to see if it is in a sandbox. & As some people here know heuristics can be funny at times such as this. If you want a prime example of failure heuristic scan results just download some DLL injector or such and scan that with your favorite Anti-Virus , Must support heuristic scanning, then see the results most AV tend to give False-Positives.
Many of the Rootkits I have made in past Hooking functions such as NtQuerySystemInformation() & other NT system calls tend to never get positive for Malware but when I make a simple Injector which is non-Malicious always tend to get falsified results. The reason for this is Heuristic scans work in a way like this:
1. The scanner , using heuristics , look at all the tell tale signs of a Malware[s] so these include:
- Finding Internet Bandwidth Consumption via GetTcpTable() function
- Finding all the Registry keys.
- Translating the EXE or DLL into hex format then scanning the Hex format for known Malware signatures
- Finding if the EXE has a security Clearance so a verified certificate. A worm like Stuxnet was hard to detect since it had a real security clearance.
- Finding all recent Injection activity
- Finding all the hooking activity
These are the tell tale signs.
Mine uses very very very simple heuristic scan to find if it is a sandbox and it is generic and not programmed for one sandbox software so that's the reason behind this result.
Last edited on
This was found on Google to detect some sandbox programs:
The code posted has obvious errors, fix it on your own. Also this is interesting to read:
http://www.codeproject.com/Articles/9823/Detect-if-your-program-is-running-inside-a-Virtual
|
|
The code posted has obvious errors, fix it on your own. Also this is interesting to read:
http://www.codeproject.com/Articles/9823/Detect-if-your-program-is-running-inside-a-Virtual
Last edited on
closed account (ozUkoG1T)
well, true
but I did not make the best SandBox detector ever but mine still works on *SOME* also thanks I will keep the link given safely as a Malware Researcher It is like platinum for me.
but I did not make the best SandBox detector ever but mine still works on *SOME* also thanks I will keep the link given safely as a Malware Researcher It is like platinum for me.
An antivirus can run a program in "Sandbox Mode". This limits the executable in many ways.
closed account (ozUkoG1T)
Sandbox is a type of software which restricts any file a typical SandBox tends to move the File to a Scratch Space which is a memory location on the hard drive , that location is a temporary location. It can be easily removed.
Not only that but SandBox tends to have capability to undo all the changes made by the program. This would be a good idea else the SandBox need to keep finding new memory in the Scratch Space and Scratch Space is not very big so the SandBox has to maintain its memory location.
Thats why I uses 0xE9 to suggest if we are in a SandBox since as I said SandBox tends to operate in scratch spaces in Hard Drive.
Not only that but SandBox tends to have capability to undo all the changes made by the program. This would be a good idea else the SandBox need to keep finding new memory in the Scratch Space and Scratch Space is not very big so the SandBox has to maintain its memory location.
Thats why I uses 0xE9 to suggest if we are in a SandBox since as I said SandBox tends to operate in scratch spaces in Hard Drive.
Last edited on
Topic archived. No new replies allowed.