Hello loyal readers.<\/p>\n
Good news! I’ve been picked to speak at ToorCon in San Diego next month in October. I will be going over my findings in malware that manages to slip by FireEye undetected. A chink in the armor of one of the most powerful (and expensive) malware appliances out there. <\/p>\n
But enough about that, today I’m going over ideas I’ve had about sandboxes and their methods.<\/p>\n
I’m sure you’ve all seen or at least know of sites like malwr.com & virustotal.com which do a scan of malware that users can upload. These are great tools. But how do people go about bypassing them? Anti-sandboxing methods aren’t mentioned very often in talks and blogs. How do the pro’s do it?<\/p>\n
My idea:<\/p>\n
Check for the existence of a small data file using InternetOpenUrl() and compare it with a hash.
\nExample: http:\/\/www.microsoft.com\/favicon.ico<\/p>\n
17,174 bytes in size
\nfavicon.ico md5 – 12E3DAC858061D088023B2BD48E2FA96<\/p>\n
Assuming the sandbox in question blocks out Internet access probes or attempts to simulate them, this could work. <\/p>\n
Now for some code. We’ll be using wininet functions for downloading, and win32 crypto api’s for MD5 sums. <\/p>\n
<\/p>\n
#include <stdio.h><\/span>\r\n#include <windows.h><\/span>\r\n#include <wincrypt.h><\/span>\r\n#pragma comment(lib, "advapi32.lib")<\/span>\r\n#include <wininet.h><\/span>\r\n#pragma comment(lib, "wininet.lib")<\/span>\r\n#define DEFAULT_AGENT\t\t\t\t"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.17 (KHTML, like Gecko) Chrome\/24.0.1312.57 Safari\/537.17"<\/span>\r\n\r\n\r\nBOOL HashData<\/span>(LPTSTR szOut, DWORD cchOut, LPCBYTE lpIn, DWORD cbIn, ALG_ID hash_algorithm)\r\n{\r\n HCRYPTPROV hProv =<\/span> 0<\/span>;\r\n HCRYPTHASH hHash =<\/span> 0<\/span>;\r\n BYTE raw[64<\/span>];\r\n DWORD raw_len =<\/span> sizeof<\/span>(raw);\r\n BOOL bResult =<\/span> FALSE;\r\n UINT i;\r\n \r\n if<\/span>(CryptAcquireContext(&<\/span>hProv, NULL<\/span>, NULL<\/span>, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT |<\/span> CRYPT_SILENT) &&<\/span>\r\n CryptCreateHash(hProv, hash_algorithm, 0<\/span>, 0<\/span>, &<\/span>hHash) &&<\/span>\r\n CryptHashData(hHash, lpIn, cbIn, 0<\/span>) &&<\/span>\r\n CryptGetHashParam(hHash, HP_HASHVAL, raw, &<\/span>raw_len, 0<\/span>) &&<\/span>\r\n (raw_len *<\/span> 2<\/span>) +<\/span> 1<\/span> <=<\/span> cchOut)\r\n {\r\n for<\/span> (i =<\/span> 0<\/span>;i <<\/span> raw_len;i++<\/span>)\r\n {\r\n wsprintf(&<\/span>szOut[i *<\/span> 2<\/span>], TEXT("%02.2x"<\/span>), raw[i]);\r\n }\r\n \r\n bResult =<\/span> TRUE;\r\n }\r\n \r\n if<\/span> (hHash) CryptDestroyHash(hHash);\r\n if<\/span> (hProv) CryptReleaseContext(hProv, 0<\/span>);\r\n \r\n return<\/span> bResult;\r\n}\r\nvoid<\/span> DownFile<\/span>()\r\n{\r\nHINTERNET IntOpen =<\/span> InternetOpen(DEFAULT_AGENT, LOCAL_INTERNET_ACCESS, 0<\/span>, 0<\/span>, 0<\/span>);\r\nHINTERNET handle =<\/span> InternetOpenUrl(IntOpen, "http:\/\/www.microsoft.com\/favicon.ico"<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>);\r\nHANDLE hFile =<\/span> CreateFile("test.ico"<\/span>, GENERIC_WRITE, 0<\/span>, 0<\/span>, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0<\/span>);\r\nchar<\/span> Buffer[4096<\/span>];\r\nDWORD dwRead =<\/span>0<\/span>;\r\nwhile<\/span>(InternetReadFile(handle, Buffer, sizeof<\/span>(Buffer), &<\/span>dwRead) ==<\/span> TRUE)\r\n{\r\n if<\/span> ( dwRead ==<\/span> 0<\/span>) \r\n break<\/span>;\r\n DWORD dwWrite =<\/span> 0<\/span>;\r\n WriteFile(hFile, Buffer, dwRead, &<\/span>dwWrite, 0<\/span>);\r\n}\r\nCloseHandle(hFile);\r\nInternetCloseHandle(handle);\r\n}\r\nchar<\/span>*<\/span> ReadIconFile<\/span>(void<\/span>)\r\n{\r\n char<\/span> *<\/span>readbuff;\r\n\tFILE<\/span> *<\/span>lolfile; \r\n\tlolfile =<\/span> fopen("test.ico"<\/span>,"rb"<\/span>);\r\n\tif<\/span>(lolfile!=<\/span>NULL<\/span>)\r\n\t{\r\n\tfseek(lolfile,0<\/span>,SEEK_END);\r\n\tlong<\/span> fsize =<\/span> ftell(lolfile);rewind(lolfile);\r\n\treadbuff =<\/span> (char<\/span>*<\/span>) malloc (sizeof<\/span>(char<\/span>)*<\/span>fsize);\r\n\tfread (readbuff,1<\/span>,fsize,lolfile);\r\n\tfclose(lolfile);\r\n\treturn<\/span> readbuff;\r\n\t}\r\n}\r\nint<\/span> main<\/span>(void<\/span>)\r\n{\r\n\tchar<\/span> szHash[64<\/span>];\r\n\tDownFile();\r\n\tchar<\/span> *<\/span>lol =<\/span> ReadKeyFile();\r\n if<\/span> (HashData(szHash, 33<\/span>, lol, strlen(lol), CALG_MD5))\r\n\t{\r\n\t\tMessageBox(NULL<\/span>,szHash,"lol"<\/span>,MB_OK);\r\n\t\tif<\/span>(!<\/span>strcmp(szHash,"12E3DAC858061D088023B2BD48E2FA96"<\/span>)) \/\/ md5 of icon file<\/span>\r\n\t\t{\r\n\t\tMessageBox(NULL<\/span>,"Not in a sandbox!"<\/span>,"yah"<\/span>,MB_OK);\r\n\t\t}\r\n\t\telse<\/span> \/\/ else just crash<\/span>\r\n\t\t{\r\n\t\t__asm<\/span> int3\r\n\t\t}\r\n\t}\r\n \r\n return<\/span> 0<\/span>;\r\n}\r\n<\/pre>\n<\/div>\nI tested this with Pelles C compiler, no idea how well this works with CodeBlocks \/ Mingw \/ Visual Studio. <\/p>\n
Since C# is awesome and needs some love, here is the .net version of the above code done last week (November 2014)
\n<\/p>\n
\nusing<\/span> System<\/span>;\r\nusing<\/span> System.Collections.Generic<\/span>;\r\nusing<\/span> System.Text<\/span>;\r\nusing<\/span> System.IO<\/span>;\r\nusing<\/span> System.Security.Cryptography<\/span>;\r\nusing<\/span> System.Net<\/span>;\r\n\r\nnamespace<\/span> AmISandBoxMode<\/span>\r\n{\r\n class<\/span> Program<\/span>\r\n {\r\n static<\/span> void<\/span> Main<\/span>(string<\/span>[] args)\r\n {\r\n if<\/span>(CheckYahoo())\r\n Console.Write("You are in a sandbox!"<\/span>);\r\n else<\/span>\r\n Console.Write("You are legit"<\/span>);\r\n }\r\n private<\/span> static<\/span> bool<\/span> CheckYahoo<\/span>()\r\n {\r\n string<\/span> curdir = AppDomain.CurrentDomain.BaseDirectory;\r\n WebClient wc = new<\/span> WebClient();\r\n wc.DownloadFile("https:\/\/www.yahoo.com\/favicon.ico"<\/span>, curdir + "testing.joe"<\/span>);\r\n string<\/span> yahoomd5 = "9796ed786d95606d51be9dab54fb5350"<\/span>;\r\n string<\/span> testval = GetMd5Hash(curdir + "testing.joe"<\/span>);\r\n if<\/span>(yahoomd5 == testval)\r\n {\r\n return<\/span> false<\/span>;\r\n }\r\n \r\n return<\/span> true<\/span>;\r\n }\r\n public<\/span> static<\/span> string<\/span> GetMd5Hash<\/span>(string<\/span> filePath)\r\n {\r\n using<\/span> (var<\/span> kek = MD5.Create())\r\n {\r\n using<\/span> (FileStream fs = File.OpenRead(filePath))\r\n {\r\n return<\/span> BitConverter.ToString(kek.ComputeHash(fs)).Replace("-"<\/span>, ""<\/span>).ToLower(); ;\r\n }\r\n }\r\n }\r\n\r\n }\r\n}\r\n<\/pre>\n<\/div>\n","protected":false},"excerpt":{"rendered":"Hello loyal readers. Good news! I’ve been picked to speak at ToorCon in San Diego next month in October. I will be going over my findings in malware that manages to slip by FireEye undetected. A chink in the armor of one of the most powerful (and expensive) malware appliances out there. But enough about […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,6],"tags":[69,48,68],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/522"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=522"}],"version-history":[{"count":2,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/522\/revisions"}],"predecessor-version":[{"id":965,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/522\/revisions\/965"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}