Anti-Sandboxing Ideas

Hello loyal readers.

Good news! I’ve been picked to speak at ToorCon in San Diego next month in October. I will be going over my findings in malware that manages to slip by FireEye undetected. A chink in the armor of one of the most powerful (and expensive) malware appliances out there.

But enough about that, today I’m going over ideas I’ve had about sandboxes and their methods.

I’m sure you’ve all seen or at least know of sites like malwr.com & virustotal.com which do a scan of malware that users can upload. These are great tools. But how do people go about bypassing them? Anti-sandboxing methods aren’t mentioned very often in talks and blogs. How do the pro’s do it?

My idea:

Check for the existence of a small data file using InternetOpenUrl() and compare it with a hash.
Example: http://www.microsoft.com/favicon.ico

17,174 bytes in size
favicon.ico md5 – 12E3DAC858061D088023B2BD48E2FA96

Assuming the sandbox in question blocks out Internet access probes or attempts to simulate them, this could work.

Now for some code. We’ll be using wininet functions for downloading, and win32 crypto api’s for MD5 sums.

#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "advapi32.lib")
#include <wininet.h>
#pragma comment(lib, "wininet.lib")
#define DEFAULT_AGENT				"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"


BOOL HashData(LPTSTR szOut, DWORD cchOut, LPCBYTE lpIn, DWORD cbIn, ALG_ID hash_algorithm)
{
    HCRYPTPROV hProv      = 0;
    HCRYPTHASH hHash      = 0;
    BYTE       raw[64];
    DWORD      raw_len    = sizeof(raw);
    BOOL       bResult    = FALSE;
    UINT       i;
 
    if(CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT | CRYPT_SILENT) &&
       CryptCreateHash(hProv, hash_algorithm, 0, 0, &hHash) &&
       CryptHashData(hHash, lpIn, cbIn, 0) &&
       CryptGetHashParam(hHash, HP_HASHVAL, raw, &raw_len, 0) &&
       (raw_len * 2) + 1 <= cchOut)
    {
        for (i = 0;i < raw_len;i++)
        {
            wsprintf(&szOut[i * 2], TEXT("%02.2x"), raw[i]);
        }
 
        bResult = TRUE;
    }
 
    if (hHash) CryptDestroyHash(hHash);
    if (hProv) CryptReleaseContext(hProv, 0);
 
    return bResult;
}
void DownFile()
{
HINTERNET IntOpen  = InternetOpen(DEFAULT_AGENT, LOCAL_INTERNET_ACCESS, 0, 0, 0);
HINTERNET handle  = InternetOpenUrl(IntOpen, "http://www.microsoft.com/favicon.ico", 0, 0, 0, 0);
HANDLE hFile    = CreateFile("test.ico", GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
char Buffer[4096];
DWORD dwRead =0;
while(InternetReadFile(handle, Buffer, sizeof(Buffer), &dwRead) == TRUE)
{
  if ( dwRead == 0) 
    break;
  DWORD dwWrite = 0;
  WriteFile(hFile, Buffer, dwRead, &dwWrite, 0);
}
CloseHandle(hFile);
InternetCloseHandle(handle);
}
char* ReadIconFile(void)
{
    char *readbuff;
	FILE *lolfile; 
	lolfile = fopen("test.ico","rb");
	if(lolfile!=NULL)
	{
	fseek(lolfile,0,SEEK_END);
	long fsize = ftell(lolfile);rewind(lolfile);
	readbuff = (char*) malloc (sizeof(char)*fsize);
	fread (readbuff,1,fsize,lolfile);
	fclose(lolfile);
	return readbuff;
	}
}
int main(void)
{
	char szHash[64];
	DownFile();
	char *lol = ReadKeyFile();
    if (HashData(szHash, 33, lol, strlen(lol), CALG_MD5))
	{
		MessageBox(NULL,szHash,"lol",MB_OK);
		if(!strcmp(szHash,"12E3DAC858061D088023B2BD48E2FA96")) // md5 of icon file
		{
		MessageBox(NULL,"Not in a sandbox!","yah",MB_OK);
		}
		else // else just crash
		{
		__asm int3
		}
	}
  
    return 0;
}

I tested this with Pelles C compiler, no idea how well this works with CodeBlocks / Mingw / Visual Studio.

Since C# is awesome and needs some love, here is the .net version of the above code done last week (November 2014)

using System;
using System.Collections.Generic;
using System.Text;
using System.IO;
using System.Security.Cryptography;
using System.Net;

namespace AmISandBoxMode
{
    class Program
    {
        static void Main(string[] args)
        {
            if(CheckYahoo())
                Console.Write("You are in a sandbox!");
            else
                Console.Write("You are legit");
        }
        private static bool CheckYahoo()
        {
            string curdir = AppDomain.CurrentDomain.BaseDirectory;
            WebClient wc = new WebClient();
            wc.DownloadFile("https://www.yahoo.com/favicon.ico", curdir + "testing.joe");
            string yahoomd5 = "9796ed786d95606d51be9dab54fb5350";
            string testval = GetMd5Hash(curdir + "testing.joe");
            if(yahoomd5 == testval)
            {
                return false;
            }
            
            return true;
        }
        public static string GetMd5Hash(string filePath)
        {
            using (var kek = MD5.Create())
            {
                using (FileStream fs = File.OpenRead(filePath))
                {
                    return BitConverter.ToString(kek.ComputeHash(fs)).Replace("-", "").ToLower(); ;
                }
            }
        }

    }
}

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.