TODO
========
* Add VMs/sandbox detection using APIs such as:
-- CallNamedPipe https://msdn.microsoft.com/en-us/library/windows/desktop/aa365144(v=vs.85).aspx
-- GetNamedPipeClientComputerName https://msdn.microsoft.com/en-us/library/windows/desktop/aa365437(v=vs.85).aspx
-- GetNamedPipeClientProcessId https://msdn.microsoft.com/en-us/library/windows/desktop/aa365440(v=vs.85).aspx
-- GetNamedPipeClientSessionId https://msdn.microsoft.com/en-us/library/windows/desktop/aa365442(v=vs.85).aspx
-- PeekNamedPipe https://msdn.microsoft.com/en-us/library/windows/desktop/aa365779(v=vs.85).aspx
-- WaitNamedPipe https://msdn.microsoft.com/en-us/library/windows/desktop/aa365800(v=vs.85).aspx
-- Via shared folders
* To be fixed:
-- Process32First: it seems Pin uses this API to communicate with its child process
-- CreateFile: it crashes when integrated with Cuckoo Sandbox (reason not yet found)
* Add VMs/sandbox detection using instruction set:
-- LDT/IDT/GDT
-- in eax, dx, with eax = 564D5868h ('VMXh'), ebx = 0, ecx = 0Ah (get version command) and edx = 5658h ('VX')
--> on VMware it leaves 564D5868h in ebx (VMware-specific detection); anywhere else a ring-3 IN raises a privileged-instruction (#GP) exception, so the probe must be wrapped in SEH
* Other techniques: keep an eye on P. Ferrie's paper ("Attacks on More ...")