Closed SeanKim777 closed 8 years ago
hello people....
hmmm, any interest in building a common set of hook_reg etc. evasions for common pafish (or perhaps more) tests (including other machinery)? Or at least a couple of examples per hook type. Registry seems fairly self-explanatory, but it's not always clear where, say, WMI query output comes from (sometimes after traversing classes in MOF you find it's from an API call that queries BIOS info; I suppose we could hook those as well?). File, service or driver/device name (e.g. SCSI adapter) or volume names are perhaps a bit less clear? That also leaves some things that aren't easily changeable via (the above) hooks, where we should edit VM properties or do a custom BIOS/EFI. It would be good to have a doc explaining what's in scope for trying to check into cuckoomon, what isn't, and what people hardening their image should do (VBox and KVM look to have fairly good VM evasion guides and/or custom EFI/BIOS guides), and firm up the position.
I agree that having this well documented in one place would be useful. The pafish checks are a good start, but they are incomplete. For example, there is no check for the "VMware backdoor" (https://sites.google.com/site/chitchatvmback/backdoor).
@jgajek VMDE has it and a few others pafish doesn't have. https://github.com/hfiref0x/VMDE
@jgajek Funny. I made this pull request to find out why some sample did not execute in my VMware ESXi environment. The "VMware backdoor" was the reason, and it took me a long time to find it.
PCI\VEN_80EE&DEV_CAFE is a VirtualBox driver ID that pafish detects through a WMI query. Found at https://github.com/a0rtega/pafish/blob/d13b9cb1d07f132b2071ee5d72e786e91b6a20e3/pafish/vbox.c#L258. Checked the existence of the registry key on Windows 7 and Windows XP.
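As an added example (not code from cuckoomon or pafish), a PowerShell audit a sandbox operator can run inside the guest to see whether the VirtualBox PCI ID that pafish looks for is still exposed: it checks the same WMI class pafish queries and the PnP enumeration tree in the registry that backs it (the exact `Enum\PCI` key layout is an assumption).

```powershell
# Guest-side hardening audit (assumed script, not part of cuckoomon):
# reports where the VirtualBox PCI device id from pafish's vbox.c is visible.
$VboxPci = 'VEN_80EE&DEV_CAFE'   # id quoted in the thread above

function Test-VboxPciArtifact {
    $findings = @()

    # 1. WMI view: Win32_PnPEntity is what a WMI-based check enumerates.
    $devices = Get-CimInstance -ClassName Win32_PnPEntity
    foreach ($dev in $devices) {
        if ($dev.PNPDeviceID -like "PCI\$VboxPci*") {
            $findings += "WMI Win32_PnPEntity: $($dev.PNPDeviceID)"
        }
    }

    # 2. Registry view: the PnP enumeration tree (assumed path) the WMI
    #    provider reads from; subkeys carry SUBSYS/REV suffixes, hence -like.
    $enumPci = 'HKLM:\SYSTEM\CurrentControlSet\Enum\PCI'
    if (Test-Path -LiteralPath $enumPci) {
        foreach ($key in Get-ChildItem -LiteralPath $enumPci) {
            if ($key.PSChildName -like "$VboxPci*") {
                $findings += "Registry: $($key.PSPath)"
            }
        }
    }

    return $findings
}

$hits = Test-VboxPciArtifact
if ($hits.Count -eq 0) {
    Write-Output "OK: $VboxPci is not exposed to the guest"
} else {
    $hits | ForEach-Object { Write-Output "FOUND: $_" }
}
```

An empty result only means this one artifact is hidden; the other pafish and VMDE checks discussed above need their own audit.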