Open Sqeegie opened 3 years ago
Appears there are a bunch of potential artifacts we can use here:

- `SM_CXSCREEN` / `SM_CYSCREEN` from `GetSystemMetrics` (primary screen size)
- `SM_CXVIRTUALSCREEN` / `SM_CYVIRTUALSCREEN` from `GetSystemMetrics` (virtual desktop size, across all screens)
- `SM_REMOTECONTROL` from `GetSystemMetrics` (reveals if the session is associated with an active terminal services session)
- `SPI_GETWORKAREA` from `SystemParametersInfo` (size of the work area on the primary screen)
- `DISPLAY_DEVICE.DeviceString` from `EnumDisplayDevices` (display device name)
- `SetupDiEnumDeviceInfo` / `SetupDiOpenDevRegKey` (all sorts of fun in here, needs some parsing)
- `HORZRES` / `VERTRES` from `GetDeviceCaps` (screen size of target monitor handle)
- `DESKTOPHORZRES` / `DESKTOPVERTRES` from `GetDeviceCaps` (desktop size of target monitor handle)
- `HORZSIZE` / `VERTSIZE` from `GetDeviceCaps` (EDID-reported physical panel dimensions of target monitor handle)
- `LOGCOLORSPACE` data from `GetColorSpace` / `GetLogColorSpace` (ICM profile data for target monitor handle)
While not a foolproof detection vector, using common default VM resolutions (i.e. 800x600 or 1024x768) could be a good test for default sandboxes.
https://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-screen-resolution-to-evade-analysis/
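The artifacts listed in the issue, read from inside an analysis VM so an operator can see what the environment exposes before it is used, as an added example that is not code from the issue or from the project it was filed against. The Windows query part assumes a MinGW or MSVC build with `user32` and `gdi32` linked; the scoring logic is portable. The default-resolution table (the two values the issue names) and the hypervisor adapter-name fragments are constructed here and are not exhaustive.

```c
/* Added example, not from the issue or its project. Reads the screen-metric
 * APIs the issue lists and counts how many look like a default sandbox. The
 * live query is compiled only under _WIN32; the scoring is portable. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct screen_profile {
    int cx_screen, cy_screen;       /* SM_CXSCREEN / SM_CYSCREEN */
    int cx_virtual, cy_virtual;     /* SM_CXVIRTUALSCREEN / SM_CYVIRTUALSCREEN */
    int remote_control;             /* SM_REMOTECONTROL != 0 */
    int work_w, work_h;             /* SPI_GETWORKAREA rectangle size */
    int horz_size_mm, vert_size_mm; /* HORZSIZE / VERTSIZE from GetDeviceCaps */
    char device_string[128];        /* DISPLAY_DEVICE.DeviceString */
};

/* Resolutions the issue names as common VM defaults (constructed table). */
static const int DEFAULT_RESOLUTIONS[][2] = { {800, 600}, {1024, 768} };
/* Constructed, non-exhaustive hypervisor display-adapter name fragments. */
static const char *VIRTUAL_ADAPTERS[] = { "VMware", "VirtualBox", "Hyper-V" };

/* 1 if (w, h) matches a listed default in either orientation, else 0. */
int is_default_vm_resolution(int w, int h)
{
    size_t n = sizeof(DEFAULT_RESOLUTIONS) / sizeof(DEFAULT_RESOLUTIONS[0]);
    for (size_t i = 0; i < n; i++) {
        int dw = DEFAULT_RESOLUTIONS[i][0], dh = DEFAULT_RESOLUTIONS[i][1];
        if ((w == dw && h == dh) || (w == dh && h == dw))
            return 1;
    }
    return 0;
}

/* Case-insensitive substring test (strcasestr is not portable). */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

static void add_reason(char *why, size_t len, const char *reason)
{
    size_t used;
    if (!why || len == 0)
        return;
    used = strlen(why);
    snprintf(why + used, len - used, "%s%s", used ? "; " : "", reason);
}

/* Counts artifacts that point at a default sandbox; `why` (optional)
 * receives a short reason list. */
int count_sandbox_artifacts(const struct screen_profile *p, char *why, size_t why_len)
{
    int hits = 0;
    if (why && why_len)
        why[0] = '\0';
    if (is_default_vm_resolution(p->cx_screen, p->cy_screen)) {
        hits++;
        add_reason(why, why_len, "primary screen uses a common default VM resolution");
    }
    if (p->remote_control) {
        hits++;
        add_reason(why, why_len, "session is under remote control (terminal services)");
    }
    for (size_t i = 0; i < sizeof(VIRTUAL_ADAPTERS) / sizeof(VIRTUAL_ADAPTERS[0]); i++)
        if (contains_nocase(p->device_string, VIRTUAL_ADAPTERS[i])) {
            hits++;
            add_reason(why, why_len, "display adapter name belongs to a hypervisor");
            break;
        }
    return hits;
}

/* Convenience wrapper over the fields that affect the score. */
int count_artifacts_for(int cx, int cy, int remote, const char *adapter)
{
    struct screen_profile p;
    memset(&p, 0, sizeof(p));
    p.cx_screen = cx; p.cy_screen = cy; p.remote_control = remote;
    strncpy(p.device_string, adapter, sizeof(p.device_string) - 1);
    return count_sandbox_artifacts(&p, NULL, 0);
}

#ifdef _WIN32
#include <windows.h>
/* Fills the profile from the live APIs named in the issue (primary display). */
void collect_screen_profile(struct screen_profile *p)
{
    RECT work; DISPLAY_DEVICEA dd; HDC hdc;
    memset(p, 0, sizeof(*p));
    p->cx_screen = GetSystemMetrics(SM_CXSCREEN);
    p->cy_screen = GetSystemMetrics(SM_CYSCREEN);
    p->cx_virtual = GetSystemMetrics(SM_CXVIRTUALSCREEN);
    p->cy_virtual = GetSystemMetrics(SM_CYVIRTUALSCREEN);
    p->remote_control = GetSystemMetrics(SM_REMOTECONTROL) != 0;
    if (SystemParametersInfoA(SPI_GETWORKAREA, 0, &work, 0)) {
        p->work_w = work.right - work.left;
        p->work_h = work.bottom - work.top;
    }
    if ((hdc = GetDC(NULL)) != NULL) {
        p->horz_size_mm = GetDeviceCaps(hdc, HORZSIZE);
        p->vert_size_mm = GetDeviceCaps(hdc, VERTSIZE);
        ReleaseDC(NULL, hdc);
    }
    memset(&dd, 0, sizeof(dd)); dd.cb = sizeof(dd);
    if (EnumDisplayDevicesA(NULL, 0, &dd, 0))
        strncpy(p->device_string, dd.DeviceString, sizeof(p->device_string) - 1);
}

int main(void)
{
    struct screen_profile p; char why[256]; int n;
    collect_screen_profile(&p);
    n = count_sandbox_artifacts(&p, why, sizeof(why));
    printf("primary %dx%d, virtual %dx%d, work area %dx%d, panel %dx%d mm\n",
           p.cx_screen, p.cy_screen, p.cx_virtual, p.cy_virtual,
           p.work_w, p.work_h, p.horz_size_mm, p.vert_size_mm);
    printf("adapter: %s\n%d sandbox-looking artifact(s)%s%s\n",
           p.device_string, n, n ? ": " : "", why);
    return 0;
}
#endif
```

Build on Windows with `gcc check_screen.c -o check_screen -luser32 -lgdi32` and run it inside the VM; a non-zero count, or a panel size and work area that differ from what the physical hosts in your fleet report, shows which of the listed artifacts the sandbox still leaks and therefore which display settings to change before detonating samples there.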