Sandboxes are commonly used to analyze malware. They provide a temporary, isolated, and secure environment in which to observe whether a suspicious file exhibits any malicious behavior. However, malware developers have also developed methods to evade sandboxes and analysis environments. One such method is to perform checks to determine whether the machine the malware is being executed on is being operated by a real user. One such check is the RAM size. If the RAM size is unrealistically small (e.g., 1GB), it may indicate that the machine is a sandbox. If the malware detects a sandbox, it will not execute its true malicious behavior and may appear to be a benign file
Details
-
The
GetPhysicallyInstalledSystemMemoryAPI retrieves the amount of RAM that is physically installed on the computer from the SMBIOS firmware tables. It takes aPULONGLONGparameter and returnsTRUEif the function succeeds, setting theTotalMemoryInKilobytesto a nonzero value. If the function fails, it returnsFALSE. -
The amount of physical memory retrieved by the
GetPhysicallyInstalledSystemMemoryfunction must be equal to or greater than the amount reported by theGlobalMemoryStatusExfunction; if it is less, the SMBIOS data is malformed and the function fails withERROR_INVALID_DATA, Malformed SMBIOS data may indicate a problem with the user's computer . -
The register
rcxholds the parameterTotalMemoryInKilobytes. To overwrite the jump address ofGetPhysicallyInstalledSystemMemory, I use the following opcodes:mov qword ptr ss:[rcx],4193B840. This moves the value4193B840(or 1.1 TB) torcx. Then, the ret instruction is used to pop the return address off the stack and jump to it, Therefore, wheneverGetPhysicallyInstalledSystemMemoryis called, it will setrcxto the custom value."
from KitPloit - PenTest & Hacking Tools https://ift.tt/NMfze6v
via hacking
This is dummy text. It is not meant to be read. Accordingly, it is difficult to figure out when to end it. But then, this is dummy text. It is not meant to be read. Period.
ConversionConversion EmoticonEmoticon