Named System Object Checks

From ema
EMA ID: ema-1092
Description: Virtual machines usually contain named system objects that a physical host does not, such as the Windows device drivers installed by the guest tools. Malware can detect the virtual machine by testing for hypervisor-specific strings in these object names or their associated registry data.
Associated Behavior: virtual machine detect & evade
Privilege Level: User space
Supporting Details:
This can include the following types of named system objects:
  • Devices
  • Drivers
  • Mutants
  • Semaphores
  • Events
  • Sections
  • Ports
As an example, VMware can be detected by reading the following registry value, which names the VMware virtual display driver (the `0000` subkey is the first device instance under the Display adapter class GUID):
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc = "VMware SVGA II"
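The check described above, as an added example (this is not code from the EMA page or from vmde.pdf). The matcher runs on any platform against constructed sample data; the collector, which reads the live registry and tries to open named device objects, runs only on Windows. Only the VMware SVGA II DriverDesc rule is taken from the page; the VirtualBox DriverDesc, SystemBiosVersion and device-name rules are assumed examples of the same pattern and should be verified before use.

```python
"""Named system object checks: match registry data and named kernel objects
against hypervisor-specific strings.

Added example, not the EMA page's or vmde.pdf's code. Only the VMware SVGA II
DriverDesc rule comes from the page; every other string below is an assumption
(well-known guest-tools artifacts), not a verified list.
"""
import re
import sys

# First display-adapter instance under the Display class GUID (from the page).
DISPLAY_CLASS = r"SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000"

# (HKLM subkey, value name, regex applied to the value data)
REGISTRY_RULES = [
    (DISPLAY_CLASS, "DriverDesc", re.compile(r"VMware SVGA", re.I)),          # from the page
    (DISPLAY_CLASS, "DriverDesc", re.compile(r"VirtualBox Graphics", re.I)),  # assumption
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", re.compile(r"VBOX|VMware", re.I)),  # assumption
]

# Named device objects that only exist once guest drivers are loaded (assumptions).
DEVICE_RULES = [r"\\.\HGFS", r"\\.\vmci", r"\\.\VBoxGuest", r"\\.\VBoxMiniRdrDN"]


def scan(registry, devices):
    """registry: {(hklm_subkey, value_name): data}; devices: names that could be opened.
    Returns a list of hit descriptions (empty list = no VM artifact matched).
    Key and value names are compared case-insensitively, as the registry does."""
    def as_text(v):  # REG_MULTI_SZ values come back as lists
        return " ".join(v) if isinstance(v, (list, tuple)) else str(v)
    reg = {(k.lower(), n.lower()): as_text(v) for (k, n), v in registry.items()}
    present = {d.lower() for d in devices}
    hits = []
    for key, name, pattern in REGISTRY_RULES:
        data = reg.get((key.lower(), name.lower()))
        if data is not None and pattern.search(data):
            hits.append(f"registry HKLM\\{key}\\{name} = {data!r}")
    for dev in DEVICE_RULES:
        if dev.lower() in present:
            hits.append(f"device {dev} can be opened")
    return hits


def collect_windows():
    """Read the rule targets from the live system. Windows only (winreg + kernel32)."""
    import ctypes
    import winreg
    registry = {}
    for key, name, _ in REGISTRY_RULES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                registry[(key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:  # key or value absent: no evidence either way
            pass
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
    GENERIC_READ, SHARE_RW, OPEN_EXISTING = 0x80000000, 0x3, 3
    devices = []
    for dev in DEVICE_RULES:
        # Opening the device name is the test; a handle means the driver is loaded.
        h = k32.CreateFileW(dev, GENERIC_READ, SHARE_RW, None, OPEN_EXISTING, 0, None)
        if h != INVALID_HANDLE_VALUE:
            k32.CloseHandle(h)
            devices.append(dev)
    return registry, devices


# Constructed sample inputs (not captured from real machines) so the matcher can be
# exercised anywhere: a VMware guest with VMware Tools, and a bare-metal host.
SAMPLE_VMWARE_GUEST = (
    {(DISPLAY_CLASS, "DriverDesc"): "VMware SVGA II",
     (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["PhoenixBIOS 4.0 Release 6.0"]},
    [r"\\.\HGFS", r"\\.\vmci"],
)
SAMPLE_BARE_METAL = (
    {(DISPLAY_CLASS, "DriverDesc"): "NVIDIA GeForce GTX 1080",
     (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["ALASKA - 1072009"]},
    [],
)

if __name__ == "__main__":
    if sys.platform == "win32":
        registry, devices = collect_windows()
    else:
        registry, devices = SAMPLE_VMWARE_GUEST
    for hit in scan(registry, devices):
        print("VM artifact:", hit)
```

Two caveats for anyone relying on this in either direction. The check only fires when guest drivers are installed, so a sandbox that runs without VMware Tools or Guest Additions, or that renames the DriverDesc data, defeats it at no cost; conversely, because every check here is an unprivileged registry read or a CreateFile on a device name, the sequence itself (opening the Display class key and querying DriverDesc, then trying hypervisor device names) is a usable behavioural signature for the sandbox to log.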


Inherited Attributes:

applicable platform: Windows 10, Windows 7, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2003 SP1, Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 SP1, Windows Server 2008 SP1, Windows Server 2008 SP2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows Vista SP1, Windows Vista SP2, Windows XP, Windows XP SP1, Windows XP SP2, Windows XP SP3
References:
  • Date: November 1, 2013; Malware Family: none listed; URL: http://artemonsecurity.com/vmde.pdf