I noticed some anti-analysis/VM trick which I think is not really new at all. This trick works by computing the interval since the user's last input event. Its pseudocode is as follows:
To compute the interval since the user's last input event, it subtracts the last input event tickcount from the current tickcount. At first, I assumed that Cuckoo could support this trick by just enabling the simulated human interaction. However, I found out that Cuckoo doesn't support this, so I decided to take a look at it.
Looking at the GetLastInputInfo API, it is not hooked by Cuckoo, which is just fine, as it will only return the time of the last input event. However, GetTickCount has been hooked by Cuckoo, and the hook handler returns the current tickcount plus the startup time. From what I found about the value of the startup time, it is purposely set to 1 up to 30 times 20 minutes past the startup time of the process, to support anti-VM checks of whether the VM has only been up for < 10 minutes. Here is a snippet of the GetTickCount hook handler:
```c
DWORD ret = Old_kernel32_GetTickCount();  // call the original API
get_last_error(&lasterror);               // preserve the callee's last-error value
ret += sleep_skipped() / 10000;           // add the skipped sleep time (100-ns units -> ms)
```
Since GetTickCount is going to return a large tickcount value, the interval from the last input event is going to be large enough that the anti-VM trick will keep looping until Cuckoo hits the timeout.
Right now, my temporary solution is to also hook the GetLastInputInfo API and return the tickcount relative to the hook handler of GetTickCount.
```rst
GetLastInputInfo
================

Signature::

    * Is success: 1
    * Library: user32
    * Logging: no
    * Return value: BOOL

Parameters::

    * PLASTINPUTINFO plii

Post::

    plii->dwTime += sleep_skipped() / 10000;
```
Do you have any other, more elegant suggestion for how to support this trick?
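The reasoning above, as an added simulation (not Cuckoo's code): both hook handlers modelled as functions over a constructed guest clock, showing why the idle-interval check never clears when only GetTickCount is shifted and clears as soon as GetLastInputInfo is shifted by the same amount. The 60-second threshold, the 20-minute skipped-sleep value and the input event per poll are constructed assumptions.

```python
"""Constructed model of the Cuckoo monitor hooks discussed in this issue.
Tick counts are in milliseconds; sleep_skipped() is modelled in 100-ns units,
which is why the hooks divide by 10000 (100 ns -> ms), as in the snippet above."""

IDLE_THRESHOLD_MS = 60_000  # assumed threshold a sample might use for "user is idle"


class GuestClock:
    """Stand-in for the guest's real tick counter and last-input timer (constructed)."""

    def __init__(self, tick_ms, last_input_ms, sleep_skipped_100ns):
        self.tick_ms = tick_ms
        self.last_input_ms = last_input_ms
        self.sleep_skipped_100ns = sleep_skipped_100ns

    def sleep_skipped(self):
        return self.sleep_skipped_100ns


def hooked_GetTickCount(clock):
    """Mirror of the monitor's GetTickCount hook: real tick plus skipped sleep."""
    ret = clock.tick_ms                       # Old_kernel32_GetTickCount()
    return ret + clock.sleep_skipped() // 10000


def unhooked_GetLastInputInfo(clock):
    """Unhooked API: returns the real time of the last input event."""
    return clock.last_input_ms


def hooked_GetLastInputInfo(clock):
    """Proposed hook: shift plii->dwTime by the same offset GetTickCount uses."""
    return clock.last_input_ms + clock.sleep_skipped() // 10000


def idle_interval_ms(clock, get_last_input):
    """What the sample computes: current tickcount minus last-input tickcount."""
    return hooked_GetTickCount(clock) - get_last_input(clock)


def poll_until_active(clock, get_last_input, step_ms=1000, max_polls=30,
                      threshold_ms=IDLE_THRESHOLD_MS):
    """Simulate the sample's polling loop. Each poll advances the clock and, as a
    human-interaction module would, generates one input event (constructed).
    Returns the number of polls before the interval drops under the threshold,
    or None if it never does (the sandbox-timeout case described above)."""
    for n in range(max_polls):
        if idle_interval_ms(clock, get_last_input) <= threshold_ms:
            return n
        clock.tick_ms += step_ms
        clock.last_input_ms = clock.tick_ms   # simulated input event
    return None
```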
@jfloser, would you happen to know how to modify the hook on GetDiskFreeSpaceExW so that it always returns 100GB, to prevent malware from detecting that it's in a VM?