Hiding Virtual Machines from Malware – Introducing VMwareCloak & VBoxCloak

Many malware families are still using fairly trivial techniques for the detection of virtual machine environments. Once malware detects that it may be running in a virtual machine, it may terminate itself, or worse, execute code that will cause a diversion and potentially lead the malware analyst down the wrong paths :O

Malware often uses the following techniques for virtual machine detection:

Registry Enumeration

Registry enumeration is one of the most common techniques evasive malware uses to determine whether it is running in a VM. Registry keys malware may look for include hardware information, system BIOS information, and any other keys and values that contain references to hypervisors such as VMware Workstation and VirtualBox. Many of these registry keys can be renamed or removed without heavily affecting the performance or usability of the VM!

File & Directory Enumeration

Malware may enumerate files and directories on the system to understand the environment it is running in, looking for files and directories that reference common hypervisors, such as “VMware” or “VBox” directories in the “C:\Programs” directories. Malware may also enumerate the “C:\Windows” directory, typically looking for hypervisor-related drivers and system files. Interestingly, many of these files (even system and driver files!) can be removed or renamed without affecting the VM, since they are already loaded into memory and are not often accessed from disk!

Process Enumeration

Finally, malware often enumerates the running processes on the system to determine whether any hypervisor-related processes are running. Typically, hypervisors such as VirtualBox and VMware have processes running that enable “helper” functionality such as drag-and-drop, clipboard sharing, and shared drives. These processes are usually not required for the general functionality of the VM, so they can be safely killed in order to better hide the VM from malware.

Because these detection techniques are fairly trivial, we as malware analysts can use equally trivial methods to bypass them! I wrote VMwareCloak (for VMware Workstation) and VBoxCloak (for VirtualBox) for just this reason. These tools are PowerShell scripts designed to sanitize your Windows sandbox VMs: they kill processes, and remove or rename registry keys, files, and directories that may lead malware to believe it is running in a virtualized environment.

You can download the scripts here:

For VirtualBox: https://github.com/d4rksystem/VBoxCloak
For VMware: https://github.com/d4rksystem/VMwareCloak

To run the scripts, simply execute your chosen script as an Admin on your Windows VM:

If all goes well, your VM will be sanitized and the evasive malware may now run as if it were not in a VM! (I have tested these scripts with several malware families. However, they will not work for all malware, especially more advanced variants that use, for example, hardware detection or timing-based detection techniques.)
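One practical check after running a sanitizer is to see what the VM still exposes. The following PowerShell audit script is an added example, not the author's code and not part of VBoxCloak or VMwareCloak: it walks the three artifact classes described above (registry keys and values, files and directories, running processes) and reports anything still visible. The indicator lists are assumptions drawn from commonly documented VMware and VirtualBox guest-tool artifacts rather than from this post, so extend them to match your own VM; the script only reads, it changes nothing.

```powershell
# Added example (not part of VBoxCloak/VMwareCloak): audit a Windows VM for
# hypervisor artifacts of the kinds malware enumerates. Read-only.
# The indicator lists below are assumptions (commonly documented VMware and
# VirtualBox guest-tool artifacts); adjust them for your environment.
[CmdletBinding()]
param()

$Indicators = @{
    # Registry keys whose mere presence points at a hypervisor
    RegistryKeys = @(
        'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
        'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
        'HKLM:\HARDWARE\ACPI\DSDT\VBOX__',
        'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxGuest',
        'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxService',
        'HKLM:\SYSTEM\CurrentControlSet\Services\vmhgfs',
        'HKLM:\SYSTEM\CurrentControlSet\Services\VMTools'
    )
    # Registry values whose data is searched for hypervisor strings
    RegistryValues = @(
        @{ Path = 'HKLM:\HARDWARE\DESCRIPTION\System';      Name = 'SystemBiosVersion'  },
        @{ Path = 'HKLM:\HARDWARE\DESCRIPTION\System';      Name = 'VideoBiosVersion'   },
        @{ Path = 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS'; Name = 'SystemManufacturer' }
    )
    # Driver files and guest-tool directories
    Files = @(
        "$env:SystemRoot\System32\drivers\VBoxMouse.sys",
        "$env:SystemRoot\System32\drivers\VBoxGuest.sys",
        "$env:SystemRoot\System32\drivers\VBoxSF.sys",
        "$env:SystemRoot\System32\drivers\vmmouse.sys",
        "$env:SystemRoot\System32\drivers\vmhgfs.sys",
        "$env:ProgramFiles\VMware\VMware Tools",
        "$env:ProgramFiles\Oracle\VirtualBox Guest Additions"
    )
    # Helper processes (drag-and-drop, clipboard, shared folders)
    Processes = @('vmtoolsd', 'vmwaretray', 'vmwareuser', 'VGAuthService', 'VBoxService', 'VBoxTray')
}

# Substrings that give the hypervisor away inside BIOS/manufacturer strings
$HypervisorPattern = 'VMware|VBox|VirtualBox|Oracle'

function Get-VmArtifacts {
    $found = New-Object System.Collections.Generic.List[object]

    foreach ($key in $Indicators.RegistryKeys) {
        if (Test-Path -LiteralPath $key) {
            $found.Add([pscustomobject]@{ Type = 'RegistryKey'; Indicator = $key; Detail = 'key exists' })
        }
    }

    foreach ($v in $Indicators.RegistryValues) {
        # Values such as SystemBiosVersion are REG_MULTI_SZ, so join before matching
        $data = (Get-ItemProperty -LiteralPath $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        if ($data -and (($data -join ' ') -match $HypervisorPattern)) {
            $found.Add([pscustomobject]@{ Type = 'RegistryValue'; Indicator = "$($v.Path)\$($v.Name)"; Detail = ($data -join ' ') })
        }
    }

    foreach ($f in $Indicators.Files) {
        if (Test-Path -LiteralPath $f) {
            $found.Add([pscustomobject]@{ Type = 'File'; Indicator = $f; Detail = 'path exists' })
        }
    }

    foreach ($p in $Indicators.Processes) {
        $proc = Get-Process -Name $p -ErrorAction SilentlyContinue
        if ($proc) {
            $found.Add([pscustomobject]@{ Type = 'Process'; Indicator = $p; Detail = "PID $($proc.Id -join ',')" })
        }
    }

    return $found
}

$artifacts = Get-VmArtifacts
if ($artifacts.Count -eq 0) {
    Write-Host 'No hypervisor artifacts found in the audited registry keys, files, or processes.'
} else {
    Write-Host "$($artifacts.Count) hypervisor artifact(s) still visible:"
    $artifacts | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt before and after the cloak script; the difference between the two reports shows exactly which indicators the sanitizer removed. Anything still listed afterwards (a BIOS string, for instance) is in the class the post describes as out of scope for these scripts, such as hardware-level detection.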

A bit more information can be found in my writeup here:

Enjoy! Feel free to yell at me when you inevitably find bugs in the script 😉
