Engin Demirbilek

C++: Sandbox Detection via Registry

Objective

Detect sandbox environment via Registry keys.

To do list

  • Research registry keys and values used by virtual machines.

  • Check those keys and values to determine whether the environment is a sandbox or not.

Registry Keys

Here are the common registry keys / values used by virtual machines.

Keys (their mere presence is the indicator):

  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
  • SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S
  • SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev
  • SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
  • SYSTEM\ControlSet001\Services\VBoxGuest
  • SYSTEM\ControlSet001\Services\VBoxMouse
  • SYSTEM\ControlSet001\Services\VBoxService
  • SYSTEM\ControlSet001\Services\VBoxSF
  • SYSTEM\ControlSet001\Services\VBoxVideo
  • SOFTWARE\VMWare, Inc.\VMWare Tools
  • SOFTWARE\Oracle\VirtualBox Guest Additions
  • SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters
  • HARDWARE\ACPI\DSDT\VBOX_
  • HARDWARE\ACPI\FADT\VBOX__
  • HARDWARE\ACPI\RSDT\VBOX__
  • HARDWARE\ACPI\DSDT\VBOX__

Values (read and searched for a virtual machine string), listed as key, value name:

  • HARDWARE\Description\System, SystemBiosInformation
  • HARDWARE\Description\System, VideoBiosVersion
  • HARDWARE\Description\System\BIOS, SystemManufacturer
  • HARDWARE\Description\System\BIOS, SystemProductName
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0, Logical Unit Id 0
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0, Logical Unit Id 0
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0, Logical Unit Id 0

Strings to search for in those values (case-insensitive): "VMWare", "virtualbox", "vbox", "qemu", "xen", "hyper"

Functions

  • RegOpenKeyExA: Try to open a key. If the key exists it will be opened.

    • Header: winreg.h

    • Definition: LSTATUS RegOpenKeyExA(HKEY hKey, LPCSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult);

      • hKey: Key root. HKEY_LOCAL_MACHINE. Check references for further information.

      • lpSubKey: Name of the registry subkey to open. The predefined list will be used in a loop.

      • ulOptions: 0 as default. Check references for further information.

      • samDesired: Desired access rights. KEY_READ. Check references for further information.

      • phkResult: Pointer to the handle that receives the opened key. HKEY hKey;

  • RegQueryValueExA: Retrieve a value from the registry key.

    • Header: winreg.h

    • Definition: LSTATUS RegQueryValueExA(HKEY hKey, LPCSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData);

      • hKey: Handle to the open registry key, as returned by RegOpenKeyExA. hKey.

      • lpValueName: Name of the registry value. The predefined list will be used in a loop.

      • lpReserved: NULL as default. Check references for further information.

      • lpType: NULL as default. Check references for further information.

      • lpData: A pointer to a buffer that receives the value's data. (LPBYTE)buff.

      • lpcbData: Pointer to the size of the buffer used in lpData; on return it holds the number of bytes copied. &buffSize

  • RegCloseKey: Closes the key.

    • Header: winreg.h

    • Definition: LSTATUS RegCloseKey(HKEY hKey);

      • hKey: hKey

Application (sandbox-check.cpp)

#include <Windows.h>
#include <Shlwapi.h>
#include <stdio.h>


int checkSandbox();

int main() {

	//print the verdict so the binary can be run on its own
	if (checkSandbox() == 1) {
		printf("Virtual machine / sandbox indicators found.\n");
	}
	else {
		printf("No virtual machine / sandbox indicators found.\n");
	}
	return 0;

}


//returns 1 if the machine looks virtual (sandbox), 0 otherwise.

int checkSandbox(){

	const char *strings[] = { "VMWare", "virtualbox", "vbox", "qemu", "xen", "hyper" }; //virtual machine strings
	const int numStrings = sizeof(strings) / sizeof(strings[0]);
	int count = 0;


//common registry keys used by virtualization software

	const char *keys[] = { "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\Identifier",
		"SYSTEM\\CurrentControlSet\\Enum\\SCSI\\Disk&Ven_VMware_&Prod_VMware_Virtual_S",
		"SYSTEM\\CurrentControlSet\\Control\\CriticalDeviceDatabase\\root#vmwvmcihostdev",
		"SYSTEM\\CurrentControlSet\\Control\\VirtualDeviceDrivers",
		"SYSTEM\\ControlSet001\\Services\\VBoxGuest",
		"SYSTEM\\ControlSet001\\Services\\VBoxMouse",
		"SYSTEM\\ControlSet001\\Services\\VBoxService",
		"SYSTEM\\ControlSet001\\Services\\VBoxSF",
		"SYSTEM\\ControlSet001\\Services\\VBoxVideo",
		"SOFTWARE\\VMWare, Inc.\\VMWare Tools",
		"SOFTWARE\\Oracle\\VirtualBox Guest Additions",
		"SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters",
		"HARDWARE\\ACPI\\DSDT\\VBOX_",
		"HARDWARE\\ACPI\\FADT\\VBOX__",
		"HARDWARE\\ACPI\\RSDT\\VBOX__",
		"HARDWARE\\ACPI\\DSDT\\VBOX__", };
	const int numKeys = sizeof(keys) / sizeof(keys[0]);

	//key / value name pairs whose data is searched for the strings above
	const char *values[][2] = {
	{ "HARDWARE\\Description\\System", "SystemBiosInformation" },
	{ "HARDWARE\\Description\\System", "VideoBiosVersion" },
	{ "HARDWARE\\Description\\System\\BIOS", "SystemManufacturer" },
	{ "HARDWARE\\Description\\System\\BIOS", "SystemProductName" },
	{ "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0", "Logical Unit Id 0" },
	{ "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0", "Logical Unit Id 0" },
	{ "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0", "Logical Unit Id 0" }
	};
	const int numValues = sizeof(values) / sizeof(values[0]);

	//check if the keys exist (a successful open is an indicator)

	for (int i = 0; i < numKeys; ++i) {
		HKEY hKey; //key handle
		if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, keys[i], 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
			RegCloseKey(hKey);
			count++;
		}
	}


	//check the values in the keys for the virtual machine strings

	for (int i = 0; i < numValues; ++i) {
		HKEY hKey; //key handle
		char buff[1024] = { 0 }; //char rather than TCHAR: RegQueryValueExA and StrStrIA are the ANSI variants
		DWORD buffSize = sizeof(buff) - 1; //keep one byte free so the data is always NUL-terminated
		if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, values[i][0], 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
			if (RegQueryValueExA(hKey, values[i][1], NULL, NULL, (LPBYTE)buff, &buffSize) == ERROR_SUCCESS) {
				for (int j = 0; j < numStrings; ++j) {
					if (StrStrIA(buff, strings[j]) != NULL) { //case-insensitive substring search
						count++;
					}
				}
			}
			//close the key.
			RegCloseKey(hKey);
		}
	}
	
	if (count < 1) {
		return 0;
	}

	return 1;

}

Compile: gcc sandbox-check.cpp -o sandbox-check.exe -lshlwapi (StrStrIA is exported by Shlwapi, so the library has to be linked explicitly)

References

Microsoft, RegOpenKeyExA function, https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexa

Microsoft, RegQueryValueExA function, https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regqueryvalueexa

Last updated 3 years ago