C++: Sandbox Detection via Registry

Objective

Detect sandbox environment via Registry keys.

To do list

Research registry keys and values used by virtual machines.
Check keys and values to determine wether environment is sandbox or not.

Registry Keys

Here are the common registry keys / values used by virtual machines:

"HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier",

"SYSTEM\CurrentControlSet\Enum\SCSI\Disk&VenVMware&ProdVMware_Virtual_S",

"SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev",

"SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers",

"SYSTEM\ControlSet001\Services\VBoxGuest",

"SYSTEM\ControlSet001\Services\VBoxMouse",

"SYSTEM\ControlSet001\Services\VBoxService",

"SYSTEM\ControlSet001\Services\VBoxSF",

"SYSTEM\ControlSet001\Services\VBoxVideo",

"SOFTWARE\VMWare, Inc.\VMWare Tools",

"SOFTWARE\Oracle\VirtualBox Guest Additions",

"SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters",

"HARDWARE\ACPI\DSDT\VBOX"

"HARDWARE\ACPI\FADT\VBOX"

"HARDWARE\ACPI\RSDT\VBOX", "HARDWARE\ACPI\DSDT\VBOX__"

Functions

RegOpenKeyExA: Try to open a key. If key exists key will be opened.
- Header: winreg.h
- Definition:LSTATUS RegOpenKeyExA(HKEY hKey,LPCSTR lpSubKey,DWORD ulOptions,REGSAM samDesired,PHKEY phkResult);
  - hKey: Key root. HKEY_LOCAL_MACHINE. Check references for further information.
  - lbSubKey: Name of the registry subkey to open. Predefined list will be used in a loop.
  - ulOptions: 0 as default. Check references for further information.
  - samDesired: Desired access rights. KEY_READ. Check references for further information.
  - phkResult: Pointer of the handle to hold results. HKEY hKey;
RegQueryValueExA: Retrieve value from the registry key.
- Header: winreg.h
- Definition: LSTATUS RegQueryValueExA(HKEY hKey,LPCSTR lpValueName,LPDWORD lpReserved,LPDWORD lpType,LPBYTE lpData,LPDWORD lpcbData);
  - hKey: Handle to open registry key. Returns from RegOpenKeyExA. hKey.
  - lpValueName: Name of the registry value. Predefined list will be used in a loop.
  - lpReserved: NULL as default. Check references for further information.
  - lpType: NULL as default. Check references for further information.
  - lpData: A pointer to a buffer that receives the value's data. (LPBYTE)buff.
  - lpcbData: Pointer of size of the buff used in lpData. *buffSize
RegCloseKey: Closes the key.
- Header: winreg.h
- Definition: RegCloseKey(HKEY handle)
  - handle: hKey

Application (sandbox-check.cpp)

#include <Windows.h>
#include <Shlwapi.h>
#include <stdio.h>


int checkSandbox();

int main() {


}


//returns 0 if machine is virtual.

int checkSandbox(){

	const char *strings[6] = { "VMWare", "virtualbox", "vbox", "qemu", "xen", "hyper" }; //virtual machine strings
	int count = 0;


//common registry keys used by virtualization softwares

	const char *keys[16] = { "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\Identifier",
		"SYSTEM\\CurrentControlSet\\Enum\\SCSI\\Disk&Ven_VMware_&Prod_VMware_Virtual_S",
		"SYSTEM\\CurrentControlSet\\Control\\CriticalDeviceDatabase\\root#vmwvmcihostdev",
		"SYSTEM\\CurrentControlSet\\Control\\VirtualDeviceDrivers",
		"SYSTEM\\ControlSet001\\Services\\VBoxGuest",
        "SYSTEM\\ControlSet001\\Services\\VBoxMouse",
        "SYSTEM\\ControlSet001\\Services\\VBoxService",
        "SYSTEM\\ControlSet001\\Services\\VBoxSF",
        "SYSTEM\\ControlSet001\\Services\\VBoxVideo",
		"SOFTWARE\\VMWare, Inc.\\VMWare Tools",
		"SOFTWARE\\Oracle\\VirtualBox Guest Additions",
		"SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters",
		"HARDWARE\\ACPI\\DSDT\\VBOX_",
		"HARDWARE\\ACPI\\FADT\\VBOX__",
		"HARDWARE\\ACPI\\RSDT\\VBOX__",
		"HARDWARE\\ACPI\\DSDT\\VBOX__", };

	const char *values[7][2] = {
	{ "HARDWARE\\Description\\System", "SystemBiosInformation" },
	{ "HARDWARE\\Description\\System", "VideoBiosVersion" },
	{ "HARDWARE\\Description\\System\\BIOS", "SystemManufacturer" },
	{ "HARDWARE\\Description\\System\\BIOS", "SystemProductName" },
	{ "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0", "Logical Unit Id 0" },
	{ "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0", "Logical Unit Id 0" },
	{ "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0", "Logical Unit Id 0" }
	};

	//check if keys are exists

	for (int i = 0; i < 7; ++i) {
		HKEY hKey; //key handle
		if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, keys[i], 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
			RegCloseKey(hKey);
			count++;
		}
	}


	//check values in the keys

	for (int i = 0; i < 6; ++i) {
		HKEY hKey; //key handle
		TCHAR buff[1024] = { 0 };
		DWORD buffSize = 1024;
		if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, values[i][0], 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
			if (RegQueryValueExA(hKey, values[i][1], NULL, NULL, (LPBYTE)buff, &buffSize) == ERROR_SUCCESS) {
				for (int j = 0; j < 5; ++j) {
					if (StrStrIA(buff, strings[j]) != NULL) {
						count++;
					}
				}
			}
			//close the key.
			RegCloseKey(hKey);
		}
	}
	
	if (count < 1) {
		return 0;
	}

	return 1;

}

Compile: gcc sandbox-check.cpp -o sandbox-check.exe

References

Microsoft, RegOpenKeyExA function, https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexa
Microsoft, RegQueryValueExA function, https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regqueryvalueexa

PreviousC++: Sendin HTTP GET Request NextC++: Enumerating Environment

Last updated 4 years ago

Was this helpful?