前记: 有朋友问到如何过vmp新版检测,随手单步了一下新版确实变化不少。
主要有2个检测点
下面介绍如何手动找关键的Handler来过检测
1. 找VM_CallApi
MessageBoxExW:弹出"不能运行在虚拟机"的提示框之后,单步返回
0123D97D FFD0 call eax ----> 这里下硬件执行断点
0123D97F 8B6C25 FC mov ebp,dword ptr ss:[ebp-4] ----> 返回到这里
0123D983 F9 stc
0123D984 894425 00 mov dword ptr ss:[ebp],eax
2. VirtualProtect 之后会走到 CPUID handler
CPUID 在 EAX=1 时,单步执行之后 ECX 的第31位代表 hypervisor
Running on a hypervisor (always 0 on a real CPU, but also with some hypervisors)
也就是说真机上第31位为0,虚拟机上最高位为1,即 ECX 形如 0x8*******
详细说明
https://en.wikipedia.org/wiki/CPUID#EAX=1:_Processor_Info_and_Feature_Bits
0122858B . 8B4425 00 mov eax,dword ptr ss:[ebp]
0122858F . 53 push ebx
01228590 . 0FC1D3 xadd ebx,edx
01228593 . 0FA2 cpuid -----> 可以把eax清零
01228595 . F8 clc
01228596 . 66:F7C6 A429 test si,29A4
0122859B . 81ED 0C000000 sub ebp,0C
012285A1 . F9 stc
012285A2 . 894425 0C mov dword ptr ss:[ebp+C],eax *******
012285A6 . 66:8BC2 mov ax,dx
012285A9 . 0FB7C3 movzx eax,bx
012285AC . 80FF 99 cmp bh,99
012285AF . 895C25 08 mov dword ptr ss:[ebp+8],ebx *******
012285B3 . 894C25 04 mov dword ptr ss:[ebp+4],ecx *******
012285B7 . 80DB 5F sbb bl,5F
012285BA . 895425 00 mov dword ptr ss:[ebp],edx *******
012285BE . 5B pop ebx
012285BF . 66:0FBEC2 movsx ax,dl
012285C3 . 8DB6 FCFFFFFF lea esi,dword ptr ds:[esi-4]
012285C9 . 8B06 mov eax,dword ptr ds:[esi]
012285CB . F5 cmc
012285CC . 33C3 xor eax,ebx
012285CE . E9 FD111E00 jmp NOTEPAD_.014097D0
3.
xp:
ntdll.ZwOpenSection
NTSTATUS ZwOpenSection(
_Out_ PHANDLE SectionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName; ----> 这里是 UNICODE "\device\physicalmemory"
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
把第一个参数SectionHandle改成0,让其打开失败
NTSTATUS ZwMapViewOfSection(
_In_ HANDLE SectionHandle, ---> 这个是上面打开的句柄
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress, ---> 这里有打开硬件信息 "VMware virtual machine VMware, Inc"
_In_ ULONG_PTR ZeroBits,
_In_ SIZE_T CommitSize,
_Inout_opt_ PLARGE_INTEGER SectionOffset,
_Inout_ PSIZE_T ViewSize,
_In_ SECTION_INHERIT InheritDisposition,
_In_ ULONG AllocationType,
_In_ ULONG Win32Protect
);
win7:
kernel32.LocalAlloc
kernel32.EnumSystemFirmwareTables
kernel32.GetSystemFirmwareTable
UINT WINAPI GetSystemFirmwareTable(
_In_ DWORD FirmwareTableProviderSignature,
_In_ DWORD FirmwareTableID,
_Out_ PVOID pFirmwareTableBuffer, ---> 这里是保存硬件信息的指针,对返回的数据下硬件访问断点
_In_ DWORD BufferSize
);
以上获取硬件特征的地方下硬件访问断点可以遇到下面的字符串检测。
检测特征码
cmp byte ptr ds:[eax+ecx+0x1],0x69
cmp byte ptr ds:[eax+ecx+0x2],0x72
cmp byte ptr ds:[eax+ecx+3],74
cmp byte ptr ds:[eax+ecx+4],75
cmp byte ptr ds:[eax+ecx+5],61
cmp byte ptr ds:[eax+ecx+6],6C
cmp byte ptr ds:[eax+ecx+7],42
cmp byte ptr ds:[eax+ecx+8],6F
cmp byte ptr ds:[eax+ecx+9],78
56 69 72 74 75 61 6c 42 6f 78 ===> VirtualBox
cmp byte ptr ds:[edx],56
cmp byte ptr ds:[eax+ecx+1],4D
cmp byte ptr ds:[eax+ecx+2],77
cmp byte ptr ds:[eax+ecx+3],61
cmp byte ptr ds:[eax+ecx+4],72
cmp byte ptr ds:[eax+ecx+5],65
56 4d 77 61 72 65 ===> VMware
cmp byte ptr ds:[edx],50
cmp byte ptr ds:[eax+ecx+1],61
cmp byte ptr ds:[eax+ecx+2],72
cmp byte ptr ds:[eax+ecx+3],61
cmp byte ptr ds:[eax+ecx+4],6C
cmp byte ptr ds:[eax+ecx+5],6C
cmp byte ptr ds:[eax+ecx+6],65
cmp byte ptr ds:[eax+ecx+7],6C
cmp byte ptr ds:[eax+ecx+8],73
50 61 72 61 6c 6c 65 6c 73 ===> Parallels
录了一个gif动画,附件有原始加的NOTEPAD样本。