搜索
楼主: Jerry.Lin
收起左侧

[杀软评测] 反虚拟机/沙盒检测技术:对几款在线沙盒的评估

  [复制链接]
hez2010
发表于 2020-5-29 11:42:13 | 显示全部楼层
本帖最后由 hez2010 于 2020-5-29 11:43 编辑

贴一个 Windows Sandbox:控制台输出:
  1. [al-khaser version 0.79]
  2. -------------------------[Initialisation]-------------------------

  3. [*] You are running: Microsoft Windows 10  (build 19635) 64-bit
  4. [*] All APIs present and accounted for.

  5. -------------------------[TLS Callbacks]-------------------------
  6. [*] TLS process attach callback                                                                    [ GOOD ]
  7. [*] TLS thread attach callback                                                                     [ GOOD ]

  8. -------------------------[Debugger Detection]-------------------------
  9. [*] Checking IsDebuggerPresent API                                                                 [ GOOD ]
  10. [*] Checking PEB.BeingDebugged                                                                     [ GOOD ]
  11. [*] Checking CheckRemoteDebuggerPresent API                                                        [ GOOD ]
  12. [*] Checking PEB.NtGlobalFlag                                                                      [ GOOD ]
  13. [*] Checking ProcessHeap.Flags                                                                     [ GOOD ]
  14. [*] Checking ProcessHeap.ForceFlags                                                                [ GOOD ]
  15. [*] Checking NtQueryInformationProcess with ProcessDebugPort                                       [ GOOD ]
  16. [*] Checking NtQueryInformationProcess with ProcessDebugFlags                                      [ GOOD ]
  17. [*] Checking NtQueryInformationProcess with ProcessDebugObject                                     [ GOOD ]
  18. [*] Checking WudfIsAnyDebuggerPresent API                                                          [ GOOD ]
  19. [*] Checking WudfIsKernelDebuggerPresent API                                                       [ GOOD ]
  20. [*] Checking WudfIsUserDebuggerPresent API                                                         [ GOOD ]
  21. [*] Checking NtSetInformationThread with ThreadHideFromDebugger                                    [ GOOD ]
  22. [*] Checking CloseHandle with an invalide handle                                                   [ GOOD ]
  23. [*] Checking UnhandledExcepFilterTest                                                              [ GOOD ]
  24. [*] Checking OutputDebugString                                                                     [ GOOD ]
  25. [*] Checking Hardware Breakpoints                                                                  [ GOOD ]
  26. [*] Checking Software Breakpoints                                                                  [ GOOD ]
  27. [*] Checking Interupt 0x2d                                                                         [ GOOD ]
  28. [*] Checking Interupt 1                                                                            [ GOOD ]
  29. [*] Checking trap flag                                                                             [ GOOD ]
  30. [*] Checking Memory Breakpoints PAGE GUARD                                                         [ GOOD ]
  31. [*] Checking If Parent Process is explorer.exe                                                     [ GOOD ]
  32. [*] Checking SeDebugPrivilege                                                                      [ GOOD ]
  33. [*] Checking NtQueryObject with ObjectTypeInformation                                              [ GOOD ]
  34. [*] Checking NtQueryObject with ObjectAllTypesInformation                                          [ GOOD ]
  35. [*] Checking NtYieldExecution                                                                      [ GOOD ]
  36. [*] Checking CloseHandle protected handle trick                                                    [ GOOD ]
  37. [*] Checking NtQuerySystemInformation with SystemKernelDebuggerInformation                         [ GOOD ]
  38. [*] Checking SharedUserData->KdDebuggerEnabled                                                     [ GOOD ]
  39. [*] Checking if process is in a job                                                                [ GOOD ]
  40. [*] Checking VirtualAlloc write watch (buffer only)                                                [ GOOD ]
  41. [*] Checking VirtualAlloc write watch (API calls)                                                  [ GOOD ]
  42. [*] Checking VirtualAlloc write watch (IsDebuggerPresent)                                          [ GOOD ]
  43. [*] Checking VirtualAlloc write watch (code write)                                                 [ GOOD ]
  44. [*] Checking for page exception breakpoints                                                        [ GOOD ]
  45. [*] Checking for API hooks outside module bounds                                                   [ GOOD ]

  46. -------------------------[DLL Injection Detection]-------------------------
  47. [*] Enumerating modules with EnumProcessModulesEx [32-bit]                                         [ GOOD ]
  48. [*] Enumerating modules with EnumProcessModulesEx [64-bit]                                         [ GOOD ]
  49. [*] Enumerating modules with EnumProcessModulesEx [ALL]                                            [ GOOD ]
  50. [*] Enumerating modules with ToolHelp32                                                            [ GOOD ]
  51. [*] Enumerating the process LDR via LdrEnumerateLoadedModules                                      [ GOOD ]
  52. [*] Enumerating the process LDR directly                                                           [ GOOD ]
  53. [*] Walking process memory with GetModuleInformation                                               [ GOOD ]
  54. [*] Walking process memory for hidden modules                                                       [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\winmm.dll
  55. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\winmm.dll
  56. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\winmm.dll
  57. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\winmm.dll
  58. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\winmm.dll
  59. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\mpr.dll
  60. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\mpr.dll
  61. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\mpr.dll
  62. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\mpr.dll
  63. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\mpr.dll
  64. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\wudfplatform.dll
  65. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\wudfplatform.dll
  66. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\wudfplatform.dll
  67. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\wudfplatform.dll
  68. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\wudfplatform.dll
  69. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\umpdc.dll
  70. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\umpdc.dll
  71. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\umpdc.dll
  72. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\umpdc.dll
  73. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\umpdc.dll
  74. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\iphlpapi.dll
  75. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\iphlpapi.dll
  76. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\iphlpapi.dll
  77. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\iphlpapi.dll
  78. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\iphlpapi.dll
  79. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\powrprof.dll
  80. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\powrprof.dll
  81. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\powrprof.dll
  82. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\powrprof.dll
  83. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\powrprof.dll
  84. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\devobj.dll
  85. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\devobj.dll
  86. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\devobj.dll
  87. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\devobj.dll
  88. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\devobj.dll
  89. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\sspicli.dll
  90. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\sspicli.dll
  91. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\sspicli.dll
  92. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\sspicli.dll
  93. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\sspicli.dll
  94. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\bcrypt.dll
  95. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\bcrypt.dll
  96. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\bcrypt.dll
  97. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\bcrypt.dll
  98. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\bcrypt.dll
  99. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcp_win.dll
  100. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcp_win.dll
  101. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcp_win.dll
  102. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcp_win.dll
  103. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcp_win.dll
  104. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcp_win.dll
  105. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ucrtbase.dll
  106. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ucrtbase.dll
  107. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ucrtbase.dll
  108. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ucrtbase.dll
  109. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ucrtbase.dll
  110. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\kernelbase.dll
  111. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\kernelbase.dll
  112. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\kernelbase.dll
  113. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\kernelbase.dll
  114. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\kernelbase.dll
  115. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\kernelbase.dll
  116. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\win32u.dll
  117. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\win32u.dll
  118. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\win32u.dll
  119. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\win32u.dll
  120. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\win32u.dll
  121. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\cfgmgr32.dll
  122. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\cfgmgr32.dll
  123. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\cfgmgr32.dll
  124. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\cfgmgr32.dll
  125. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\cfgmgr32.dll
  126. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\cfgmgr32.dll
  127. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\gdi32full.dll
  128. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\gdi32full.dll
  129. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\gdi32full.dll
  130. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\gdi32full.dll
  131. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\gdi32full.dll
  132. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\combase.dll
  133. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\combase.dll
  134. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\combase.dll
  135. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\combase.dll
  136. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\combase.dll
  137. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\oleaut32.dll
  138. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\oleaut32.dll
  139. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\oleaut32.dll
  140. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\oleaut32.dll
  141. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\oleaut32.dll
  142. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\sechost.dll
  143. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\sechost.dll
  144. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\sechost.dll
  145. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\sechost.dll
  146. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\sechost.dll
  147. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\sechost.dll
  148. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\sechost.dll
  149. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\shell32.dll
  150. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\shell32.dll
  151. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\shell32.dll
  152. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\shell32.dll
  153. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\shell32.dll
  154. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\shell32.dll
  155. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\kernel32.dll
  156. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\kernel32.dll
  157. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\kernel32.dll
  158. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\kernel32.dll
  159. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\kernel32.dll
  160. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\kernel32.dll
  161. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\gdi32.dll
  162. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\gdi32.dll
  163. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\gdi32.dll
  164. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\gdi32.dll
  165. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\gdi32.dll
  166. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\shlwapi.dll
  167. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\shlwapi.dll
  168. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\shlwapi.dll
  169. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\shlwapi.dll
  170. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\shlwapi.dll
  171. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ole32.dll
  172. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ole32.dll
  173. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ole32.dll
  174. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ole32.dll
  175. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ole32.dll
  176. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ole32.dll
  177. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\imm32.dll
  178. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\imm32.dll
  179. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\imm32.dll
  180. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\imm32.dll
  181. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\imm32.dll
  182. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\setupapi.dll
  183. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\setupapi.dll
  184. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\setupapi.dll
  185. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\setupapi.dll
  186. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\setupapi.dll
  187. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\psapi.dll
  188. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\psapi.dll
  189. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\psapi.dll
  190. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\psapi.dll
  191. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\psapi.dll
  192. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\user32.dll
  193. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\user32.dll
  194. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\user32.dll
  195. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\user32.dll
  196. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\user32.dll
  197. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcrt.dll
  198. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcrt.dll
  199. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcrt.dll
  200. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcrt.dll
  201. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcrt.dll
  202. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcrt.dll
  203. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\msvcrt.dll
  204. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\rpcrt4.dll
  205. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\rpcrt4.dll
  206. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\rpcrt4.dll
  207. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\rpcrt4.dll
  208. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\rpcrt4.dll
  209. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\advapi32.dll
  210. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\advapi32.dll
  211. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\advapi32.dll
  212. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\advapi32.dll
  213. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\advapi32.dll
  214. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\advapi32.dll
  215. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\advapi32.dll
  216. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\advapi32.dll
  217. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ntdll.dll
  218. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ntdll.dll
  219. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ntdll.dll
  220. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ntdll.dll
  221. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ntdll.dll
  222. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ntdll.dll
  223. [!] Injected library: \Device\vmsmb\VSMB-{dcc079ae-60ba-4d07-847c-3493609c0870}\os\Windows\System32\ntdll.dll
  224. [ BAD  ]

  225. -------------------------[Generic Sandboxe/VM Detection]-------------------------
  226. [*] Checking if process loaded modules contains: avghookx.dll                                      [ GOOD ]
  227. [*] Checking if process loaded modules contains: avghooka.dll                                      [ GOOD ]
  228. [*] Checking if process loaded modules contains: snxhk.dll                                         [ GOOD ]
  229. [*] Checking if process loaded modules contains: sbiedll.dll                                       [ GOOD ]
  230. [*] Checking if process loaded modules contains: dbghelp.dll                                       [ GOOD ]
  231. [*] Checking if process loaded modules contains: api_log.dll                                       [ GOOD ]
  232. [*] Checking if process loaded modules contains: dir_watch.dll                                     [ GOOD ]
  233. [*] Checking if process loaded modules contains: pstorec.dll                                       [ GOOD ]
  234. [*] Checking if process loaded modules contains: vmcheck.dll                                       [ GOOD ]
  235. [*] Checking if process loaded modules contains: wpespy.dll                                        [ GOOD ]
  236. [*] Checking if process loaded modules contains: cmdvrt64.dll                                      [ GOOD ]
  237. [*] Checking if process loaded modules contains: cmdvrt32.dll                                      [ GOOD ]
  238. [*] Checking if process file name contains: sample.exe                                             [ GOOD ]
  239. [*] Checking if process file name contains: bot.exe                                                [ GOOD ]
  240. [*] Checking if process file name contains: sandbox.exe                                            [ GOOD ]
  241. [*] Checking if process file name contains: malware.exe                                            [ GOOD ]
  242. [*] Checking if process file name contains: test.exe                                               [ GOOD ]
  243. [*] Checking if process file name contains: klavme.exe                                             [ GOOD ]
  244. [*] Checking if process file name contains: myapp.exe                                              [ GOOD ]
  245. [*] Checking if process file name contains: testapp.exe                                            [ GOOD ]
  246. [*] Checking if process file name looks like a hash: al-khaser                                     [ GOOD ]
  247. [*] Checking Number of processors in machine                                                       [ GOOD ]
  248. [*] Checking Interupt Descriptor Table location                                                    [ GOOD ]
  249. [*] Checking Local Descriptor Table location                                                       [ BAD  ]
  250. [*] Checking Global Descriptor Table location                                                      [ GOOD ]
  251. [*] Checking Store Task Register                                                                   [ GOOD ]
  252. [*] Checking Number of cores in machine using WMI                                                  [ GOOD ]
  253. [*] Checking hard disk size using WMI                                                              [ BAD  ]
  254. [*] Checking hard disk size using DeviceIoControl                                                  [ BAD  ]
  255. [*] Checking SetupDi_diskdrive                                                                     [ BAD  ]
  256. [*] Checking mouse movement                                                                        [ GOOD ]
  257. [*] Checking memory space using GlobalMemoryStatusEx                                               [ GOOD ]
  258. [*] Checking disk size using GetDiskFreeSpaceEx                                                    [ BAD  ]
  259. [*] Checking if CPU hypervisor field is set using cpuid(0x1)                                       [ BAD  ]
  260. [*] Checking hypervisor vendor using cpuid(0x40000000)                                             [ BAD  ]
  261. [*] Check if time has been accelerated                                                             [ GOOD ]
  262. [*] VM Driver Services                                                                             [ GOOD ]
  263. [*] Checking SerialNumber from BIOS using WMI                                                      [ GOOD ]
  264. [*] Checking Model from ComputerSystem using WMI                                                   [ GOOD ]
  265. [*] Checking Manufacturer from ComputerSystem using WMI                                            [ GOOD ]
  266. [*] Checking Current Temperature using WMI                                                         [ BAD  ]
  267. [*] Checking ProcessId using WMI                                                                   [ GOOD ]
  268. [*] Checking power capabilities                                                                    [ BAD  ]
  269. [*] Checking CPU fan using WMI                                                                     [ BAD  ]
  270. [*] Checking NtQueryLicenseValue with Kernel-VMDetection-Private                                   [ GOOD ]
  271. [*] Checking Win32_CacheMemory with WMI                                                            [ BAD  ]
  272. [*] Checking Win32_PhysicalMemory with WMI                                                         [ GOOD ]
  273. [*] Checking Win32_MemoryDevice with WMI                                                           [ GOOD ]
  274. [*] Checking Win32_MemoryArray with WMI                                                            [ GOOD ]
  275. [*] Checking Win32_VoltageProbe with WMI                                                           [ BAD  ]
  276. [*] Checking Win32_PortConnector with WMI                                                          [ BAD  ]
  277. [*] Checking Win32_SMBIOSMemory with WMI                                                           [ GOOD ]
  278. [*] Checking ThermalZoneInfo performance counters with WMI                                         [ BAD  ]
  279. [*] Checking CIM_Memory with WMI                                                                   [ BAD  ]
  280. [*] Checking CIM_Sensor with WMI                                                                   [ BAD  ]
  281. [*] Checking CIM_NumericSensor with WMI                                                            [ BAD  ]
  282. [*] Checking CIM_TemperatureSensor with WMI                                                        [ BAD  ]
  283. [*] Checking CIM_VoltageSensor with WMI                                                            [ BAD  ]
  284. [*] Checking CIM_PhysicalConnector with WMI                                                        [ BAD  ]
  285. [*] Checking CIM_Slot with WMI                                                                     [ BAD  ]

  286. -------------------------[VirtualBox Detection]-------------------------
  287. [*] Checking reg key HARDWARE\Description\System - Identifier is set to VBOX                       [ GOOD ]
  288. [*] Checking reg key HARDWARE\Description\System - SystemBiosVersion is set to VBOX                [ GOOD ]
  289. [*] Checking reg key HARDWARE\Description\System - VideoBiosVersion is set to VIRTUALBOX           [ GOOD ]
  290. [*] Checking reg key HARDWARE\Description\System - SystemBiosDate is set to 06/23/99               [ GOOD ]
  291. [*] Checking VirtualBox Guest Additions directory                                                  [ GOOD ]
  292. [*] Checking file C:\Windows\System32\drivers\VBoxMouse.sys                                        [ GOOD ]
  293. [*] Checking file C:\Windows\System32\drivers\VBoxGuest.sys                                        [ GOOD ]
  294. [*] Checking file C:\Windows\System32\drivers\VBoxSF.sys                                           [ GOOD ]
  295. [*] Checking file C:\Windows\System32\drivers\VBoxVideo.sys                                        [ GOOD ]
  296. [*] Checking file C:\Windows\System32\vboxdisp.dll                                                 [ GOOD ]
  297. [*] Checking file C:\Windows\System32\vboxhook.dll                                                 [ GOOD ]
  298. [*] Checking file C:\Windows\System32\vboxmrxnp.dll                                                [ GOOD ]
  299. [*] Checking file C:\Windows\System32\vboxogl.dll                                                  [ GOOD ]
  300. [*] Checking file C:\Windows\System32\vboxoglarrayspu.dll                                          [ GOOD ]
  301. [*] Checking file C:\Windows\System32\vboxoglcrutil.dll                                            [ GOOD ]
  302. [*] Checking file C:\Windows\System32\vboxoglerrorspu.dll                                          [ GOOD ]
  303. [*] Checking file C:\Windows\System32\vboxoglfeedbackspu.dll                                       [ GOOD ]
  304. [*] Checking file C:\Windows\System32\vboxoglpackspu.dll                                           [ GOOD ]
  305. [*] Checking file C:\Windows\System32\vboxoglpassthroughspu.dll                                    [ GOOD ]
  306. [*] Checking file C:\Windows\System32\vboxservice.exe                                              [ GOOD ]
  307. [*] Checking file C:\Windows\System32\vboxtray.exe                                                 [ GOOD ]
  308. [*] Checking file C:\Windows\System32\VBoxControl.exe                                              [ GOOD ]
  309. [*] Checking reg key HARDWARE\ACPI\DSDT\VBOX__                                                     [ GOOD ]
  310. [*] Checking reg key HARDWARE\ACPI\FADT\VBOX__                                                     [ GOOD ]
  311. [*] Checking reg key HARDWARE\ACPI\RSDT\VBOX__                                                     [ GOOD ]
  312. [*] Checking reg key SOFTWARE\Oracle\VirtualBox Guest Additions                                    [ GOOD ]
  313. [*] Checking reg key SYSTEM\ControlSet001\Services\VBoxGuest                                       [ GOOD ]
  314. [*] Checking reg key SYSTEM\ControlSet001\Services\VBoxMouse                                       [ GOOD ]
  315. [*] Checking reg key SYSTEM\ControlSet001\Services\VBoxService                                     [ GOOD ]
  316. [*] Checking reg key SYSTEM\ControlSet001\Services\VBoxSF                                          [ GOOD ]
  317. [*] Checking reg key SYSTEM\ControlSet001\Services\VBoxVideo                                       [ GOOD ]
  318. [*] Checking Mac Address start with 08:00:27                                                       [ GOOD ]
  319. [*] Checking MAC address (Hybrid Analysis)                                                         [ GOOD ]
  320. [*] Checking device \\.\VBoxMiniRdrDN                                                              [ GOOD ]
  321. [*] Checking device \\.\VBoxGuest                                                                  [ GOOD ]
  322. [*] Checking device \\.\pipe\VBoxMiniRdDN                                                          [ GOOD ]
  323. [*] Checking device \\.\VBoxTrayIPC                                                                [ GOOD ]
  324. [*] Checking device \\.\pipe\VBoxTrayIPC                                                           [ GOOD ]
  325. [*] Checking VBoxTrayToolWndClass / VBoxTrayToolWnd                                                [ GOOD ]
  326. [*] Checking VirtualBox Shared Folders network provider                                            [ GOOD ]
  327. [*] Checking VirtualBox process vboxservice.exe                                                    [ GOOD ]
  328. [*] Checking VirtualBox process vboxtray.exe                                                       [ GOOD ]
  329. [*] Checking Win32_PnPDevice DeviceId from WMI for VBox PCI device                                 [ GOOD ]
  330. [*] Checking Win32_PnPDevice Name from WMI for VBox controller hardware                            [ GOOD ]
  331. [*] Checking Win32_PnPDevice Name from WMI for VBOX names                                          [ GOOD ]
  332. [*] Checking Win32_Bus from WMI                                                                    [ GOOD ]
  333. [*] Checking Win32_BaseBoard from WMI                                                              [ GOOD ]
  334. [*] Checking MAC address from WMI                                                                  [ GOOD ]
  335. [*] Checking NTEventLog from WMI                                                                   [ GOOD ]
  336. [*] Checking SMBIOS firmware                                                                       [ GOOD ]
  337. [*] Checking ACPI tables                                                                           [ GOOD ]

  338. -------------------------[VMWare Detection]-------------------------
  339. [*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0  [ GOOD ]
  340. [*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0  [ GOOD ]
  341. [*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0  [ GOOD ]
  342. [*] Checking reg key SYSTEM\ControlSet001\Control\SystemInformation                                [ GOOD ]
  343. [*] Checking reg key SYSTEM\ControlSet001\Control\SystemInformation                                [ GOOD ]
  344. [*] Checking reg key SOFTWARE\VMware, Inc.\VMware Tools                                            [ GOOD ]
  345. [*] Checking file C:\Windows\System32\drivers\vmnet.sys                                            [ GOOD ]
  346. [*] Checking file C:\Windows\System32\drivers\vmmouse.sys                                          [ GOOD ]
  347. [*] Checking file C:\Windows\System32\drivers\vmusb.sys                                            [ GOOD ]
  348. [*] Checking file C:\Windows\System32\drivers\vm3dmp.sys                                           [ GOOD ]
  349. [*] Checking file C:\Windows\System32\drivers\vmci.sys                                             [ GOOD ]
  350. [*] Checking file C:\Windows\System32\drivers\vmhgfs.sys                                           [ GOOD ]
  351. [*] Checking file C:\Windows\System32\drivers\vmmemctl.sys                                         [ GOOD ]
  352. [*] Checking file C:\Windows\System32\drivers\vmx86.sys                                            [ GOOD ]
  353. [*] Checking file C:\Windows\System32\drivers\vmrawdsk.sys                                         [ GOOD ]
  354. [*] Checking file C:\Windows\System32\drivers\vmusbmouse.sys                                       [ GOOD ]
  355. [*] Checking file C:\Windows\System32\drivers\vmkdb.sys                                            [ GOOD ]
  356. [*] Checking file C:\Windows\System32\drivers\vmnetuserif.sys                                      [ GOOD ]
  357. [*] Checking file C:\Windows\System32\drivers\vmnetadapter.sys                                     [ GOOD ]
  358. [*] Checking MAC starting with 00:05:69                                                            [ GOOD ]
  359. [*] Checking MAC starting with 00:0c:29                                                            [ GOOD ]
  360. [*] Checking MAC starting with 00:1C:14                                                            [ GOOD ]
  361. [*] Checking MAC starting with 00:50:56                                                            [ GOOD ]
  362. [*] Checking VMWare network adapter name                                                           [ GOOD ]
  363. [*] Checking device \\.\HGFS                                                                       [ GOOD ]
  364. [*] Checking device \\.\vmci                                                                       [ GOOD ]
  365. [*] Checking VMWare directory                                                                      [ GOOD ]
  366. [*] Checking SMBIOS firmware                                                                       [ GOOD ]
  367. [*] Checking ACPI tables                                                                           [ GOOD ]

  368. -------------------------[Virtual PC Detection]-------------------------
  369. [*] Checking Virtual PC processes VMSrvc.exe                                                       [ GOOD ]
  370. [*] Checking Virtual PC processes VMUSrvc.exe                                                      [ GOOD ]
  371. [*] Checking reg key SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters                           [ GOOD ]

  372. -------------------------[QEMU Detection]-------------------------
  373. [*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0  [ GOOD ]
  374. [*] Checking reg key HARDWARE\Description\System                                                   [ GOOD ]
  375. [*] Checking qemu processes qemu-ga.exe                                                            [ GOOD ]
  376. [*] Checking SMBIOS firmware                                                                       [ GOOD ]
  377. [*] Checking ACPI tables                                                                           [ GOOD ]

  378. -------------------------[Xen Detection]-------------------------
  379. [*] Checking Citrix Xen process xenservice.exe                                                     [ GOOD ]
  380. [*] Checking Mac Address start with 08:16:3E                                                       [ GOOD ]

  381. -------------------------[Wine Detection]-------------------------
  382. [*] Checking Wine via dll exports                                                                  [ GOOD ]
  383. [*] Checking reg key SOFTWARE\Wine                                                                 [ GOOD ]

  384. -------------------------[Paralles Detection]-------------------------
  385. [*] Checking Parallels processes: prl_cc.exe                                                       [ GOOD ]
  386. [*] Checking Parallels processes: prl_tools.exe                                                    [ GOOD ]
  387. [*] Checking Mac Address start with 08:1C:42                                                       [ GOOD ]

  388. -------------------------[Timing-attacks]-------------------------

  389. [*] Delay value is set to 10 minutes ...
  390. [*] Performing a sleep using NtDelayExecution ...                                                  [ GOOD ]
  391. [*] Performing a sleep() in a loop ...                                                             [ GOOD ]
  392. [*] Delaying execution using SetTimer ...                                                          [ GOOD ]
  393. [*] Delaying execution using timeSetEvent ...                                                      [ GOOD ]
  394. [*] Delaying execution using WaitForSingleObject ...                                               [ GOOD ]
  395. [*] Delaying execution using IcmpSendEcho ...                                                      [ GOOD ]
  396. [*] Delaying execution using CreateWaitableTimer ...                                               [ GOOD ]
  397. [*] Delaying execution using CreateTimerQueueTimer ...                                             [ GOOD ]
  398. [*] Checking RDTSC Locky trick                                                                     [ GOOD ]
  399. [*] Checking RDTSC which force a VM Exit (cpuid)                                                   [ BAD  ]

  400. -------------------------[Analysis-tools]-------------------------
  401. [*] Checking process of malware analysis tool: ollydbg.exe                                         [ GOOD ]
  402. [*] Checking process of malware analysis tool: ProcessHacker.exe                                   [ GOOD ]
  403. [*] Checking process of malware analysis tool: tcpview.exe                                         [ GOOD ]
  404. [*] Checking process of malware analysis tool: autoruns.exe                                        [ GOOD ]
  405. [*] Checking process of malware analysis tool: autorunsc.exe                                       [ GOOD ]
  406. [*] Checking process of malware analysis tool: filemon.exe                                         [ GOOD ]
  407. [*] Checking process of malware analysis tool: procmon.exe                                         [ GOOD ]
  408. [*] Checking process of malware analysis tool: regmon.exe                                          [ GOOD ]
  409. [*] Checking process of malware analysis tool: procexp.exe                                         [ GOOD ]
  410. [*] Checking process of malware analysis tool: idaq.exe                                            [ GOOD ]
  411. [*] Checking process of malware analysis tool: idaq64.exe                                          [ GOOD ]
  412. [*] Checking process of malware analysis tool: ImmunityDebugger.exe                                [ GOOD ]
  413. [*] Checking process of malware analysis tool: Wireshark.exe                                       [ GOOD ]
  414. [*] Checking process of malware analysis tool: dumpcap.exe                                         [ GOOD ]
  415. [*] Checking process of malware analysis tool: HookExplorer.exe                                    [ GOOD ]
  416. [*] Checking process of malware analysis tool: ImportREC.exe                                       [ GOOD ]
  417. [*] Checking process of malware analysis tool: PETools.exe                                         [ GOOD ]
  418. [*] Checking process of malware analysis tool: LordPE.exe                                          [ GOOD ]
  419. [*] Checking process of malware analysis tool: SysInspector.exe                                    [ GOOD ]
  420. [*] Checking process of malware analysis tool: proc_analyzer.exe                                   [ GOOD ]
  421. [*] Checking process of malware analysis tool: sysAnalyzer.exe                                     [ GOOD ]
  422. [*] Checking process of malware analysis tool: sniff_hit.exe                                       [ GOOD ]
  423. [*] Checking process of malware analysis tool: windbg.exe                                          [ GOOD ]
  424. [*] Checking process of malware analysis tool: joeboxcontrol.exe                                   [ GOOD ]
  425. [*] Checking process of malware analysis tool: joeboxserver.exe                                    [ GOOD ]
  426. [*] Checking process of malware analysis tool: joeboxserver.exe                                    [ GOOD ]
  427. [*] Checking process of malware analysis tool: ResourceHacker.exe                                  [ GOOD ]
  428. [*] Checking process of malware analysis tool: x32dbg.exe                                          [ GOOD ]
  429. [*] Checking process of malware analysis tool: x64dbg.exe                                          [ GOOD ]
  430. [*] Checking process of malware analysis tool: Fiddler.exe                                         [ GOOD ]
  431. [*] Checking process of malware analysis tool: httpdebugger.exe                                    [ GOOD ]
  432. Begin AntiDisassmConstantCondition
  433. Begin AntiDisassmAsmJmpSameTarget
  434. Begin AntiDisassmImpossibleDiasassm
  435. Begin AntiDisassmFunctionPointer
  436. Begin AntiDisassmReturnPointerAbuse

  437. -------------------------[Anti Dumping]-------------------------
  438. [*] Erasing PE header from memory
  439. [*] Increasing SizeOfImage in PE Header to: 0x100000


  440. Analysis done, I hope you didn't get red flags :)
复制代码


日志:
  1. [Fri May 29 10:13:33 2020] [*] TLS process attach callback  -> 0
  2. [Fri May 29 10:13:33 2020] [*] TLS thread attach callback  -> 0
  3. [Fri May 29 10:13:33 2020] [*] Checking IsDebuggerPresent API  -> 0
  4. [Fri May 29 10:13:33 2020] [*] Checking PEB.BeingDebugged  -> 0
  5. [Fri May 29 10:13:33 2020] [*] Checking CheckRemoteDebuggerPresent API  -> 0
  6. [Fri May 29 10:13:33 2020] [*] Checking PEB.NtGlobalFlag  -> 0
  7. [Fri May 29 10:13:33 2020] [*] Checking ProcessHeap.Flags  -> 0
  8. [Fri May 29 10:13:33 2020] [*] Checking ProcessHeap.ForceFlags  -> 0
  9. [Fri May 29 10:13:33 2020] [*] Checking NtQueryInformationProcess with ProcessDebugPort  -> 0
  10. [Fri May 29 10:13:33 2020] [*] Checking NtQueryInformationProcess with ProcessDebugFlags  -> 0
  11. [Fri May 29 10:13:33 2020] [*] Checking NtQueryInformationProcess with ProcessDebugObject  -> 0
  12. [Fri May 29 10:13:33 2020] [*] Checking WudfIsAnyDebuggerPresent API  -> 0
  13. [Fri May 29 10:13:33 2020] [*] Checking WudfIsKernelDebuggerPresent API  -> 0
  14. [Fri May 29 10:13:33 2020] [*] Checking WudfIsUserDebuggerPresent API  -> 0
  15. [Fri May 29 10:13:33 2020] [*] Checking NtSetInformationThread with ThreadHideFromDebugger  -> 0
  16. [Fri May 29 10:13:33 2020] [*] Checking CloseHandle with an invalide handle  -> 0
  17. [Fri May 29 10:13:33 2020] [*] Checking UnhandledExcepFilterTest  -> 0
  18. [Fri May 29 10:13:33 2020] [*] Checking OutputDebugString  -> 0
  19. [Fri May 29 10:13:33 2020] [*] Checking Hardware Breakpoints  -> 0
  20. [Fri May 29 10:13:33 2020] [*] Checking Software Breakpoints  -> 0
  21. [Fri May 29 10:13:33 2020] [*] Checking Interupt 0x2d  -> 0
  22. [Fri May 29 10:13:33 2020] [*] Checking Interupt 1  -> 0
  23. [Fri May 29 10:13:33 2020] [*] Checking trap flag -> 0
  24. [Fri May 29 10:13:33 2020] [*] Checking Memory Breakpoints PAGE GUARD  -> 0
  25. [Fri May 29 10:13:33 2020] [*] Checking If Parent Process is explorer.exe  -> 0
  26. [Fri May 29 10:13:33 2020] [*] Checking SeDebugPrivilege  -> 0
  27. [Fri May 29 10:13:33 2020] [*] Checking NtQueryObject with ObjectTypeInformation  -> 0
  28. [Fri May 29 10:13:33 2020] [*] Checking NtQueryObject with ObjectAllTypesInformation  -> 0
  29. [Fri May 29 10:13:34 2020] [*] Checking NtYieldExecution  -> 0
  30. [Fri May 29 10:13:34 2020] [*] Checking CloseHandle protected handle trick   -> 0
  31. [Fri May 29 10:13:34 2020] [*] Checking NtQuerySystemInformation with SystemKernelDebuggerInformation   -> 0
  32. [Fri May 29 10:13:34 2020] [*] Checking SharedUserData->KdDebuggerEnabled   -> 0
  33. [Fri May 29 10:13:34 2020] [*] Checking if process is in a job   -> 0
  34. [Fri May 29 10:13:34 2020] [*] Checking VirtualAlloc write watch (buffer only)  -> 0
  35. [Fri May 29 10:13:34 2020] [*] Checking VirtualAlloc write watch (API calls)  -> 0
  36. [Fri May 29 10:13:34 2020] [*] Checking VirtualAlloc write watch (IsDebuggerPresent)  -> 0
  37. [Fri May 29 10:13:34 2020] [*] Checking VirtualAlloc write watch (code write)  -> 0
  38. [Fri May 29 10:13:34 2020] [*] Checking for page exception breakpoints  -> 0
  39. [Fri May 29 10:13:34 2020] [*] Checking for API hooks outside module bounds  -> 0
  40. [Fri May 29 10:13:34 2020] [*] Enumerating modules with EnumProcessModulesEx [32-bit]  -> 0
  41. [Fri May 29 10:13:34 2020] [*] Enumerating modules with EnumProcessModulesEx [64-bit]  -> 0
  42. [Fri May 29 10:13:34 2020] [*] Enumerating modules with EnumProcessModulesEx [ALL]  -> 0
  43. [Fri May 29 10:13:34 2020] [*] Enumerating modules with ToolHelp32  -> 0
  44. [Fri May 29 10:13:34 2020] [*] Enumerating the process LDR via LdrEnumerateLoadedModules  -> 0
  45. [Fri May 29 10:13:34 2020] [*] Enumerating the process LDR directly  -> 0
  46. [Fri May 29 10:13:40 2020] [*] Walking process memory with GetModuleInformation  -> 0
  47. [Fri May 29 10:13:40 2020] [*] Walking process memory for hidden modules  -> 1
  48. [Fri May 29 10:13:40 2020] [*] Checking if process loaded modules contains: avghookx.dll  -> 0
  49. [Fri May 29 10:13:41 2020] [*] Checking if process loaded modules contains: avghooka.dll  -> 0
  50. [Fri May 29 10:13:41 2020] [*] Checking if process loaded modules contains: snxhk.dll  -> 0
  51. [Fri May 29 10:13:41 2020] [*] Checking if process loaded modules contains: sbiedll.dll  -> 0
  52. [Fri May 29 10:13:41 2020] [*] Checking if process loaded modules contains: dbghelp.dll  -> 0
  53. [Fri May 29 10:13:41 2020] [*] Checking if process loaded modules contains: api_log.dll  -> 0
  54. [Fri May 29 10:13:41 2020] [*] Checking if process loaded modules contains: dir_watch.dll  -> 0
  55. [Fri May 29 10:13:41 2020] [*] Checking if process loaded modules contains: pstorec.dll  -> 0
  56. [Fri May 29 10:13:41 2020] [*] Checking if process loaded modules contains: vmcheck.dll  -> 0
  57. [Fri May 29 10:13:41 2020] [*] Checking if process loaded modules contains: wpespy.dll  -> 0
  58. [Fri May 29 10:13:41 2020] [*] Checking if process loaded modules contains: cmdvrt64.dll  -> 0
  59. [Fri May 29 10:13:41 2020] [*] Checking if process loaded modules contains: cmdvrt32.dll  -> 0
  60. [Fri May 29 10:13:41 2020] [*] Checking if process file name contains: sample.exe  -> 0
  61. [Fri May 29 10:13:41 2020] [*] Checking if process file name contains: bot.exe  -> 0
  62. [Fri May 29 10:13:41 2020] [*] Checking if process file name contains: sandbox.exe  -> 0
  63. [Fri May 29 10:13:41 2020] [*] Checking if process file name contains: malware.exe  -> 0
  64. [Fri May 29 10:13:41 2020] [*] Checking if process file name contains: test.exe  -> 0
  65. [Fri May 29 10:13:41 2020] [*] Checking if process file name contains: klavme.exe  -> 0
  66. [Fri May 29 10:13:41 2020] [*] Checking if process file name contains: myapp.exe  -> 0
  67. [Fri May 29 10:13:41 2020] [*] Checking if process file name contains: testapp.exe  -> 0
  68. [Fri May 29 10:13:41 2020] [*] Checking if process file name looks like a hash: al-khaser  -> 0
  69. [Fri May 29 10:13:41 2020] [*] Checking Number of processors in machine  -> 0
  70. [Fri May 29 10:13:41 2020] [*] Checking Interupt Descriptor Table location  -> 0
  71. [Fri May 29 10:13:41 2020] [*] Checking Local Descriptor Table location  -> 1
  72. [Fri May 29 10:13:41 2020] [*] Checking Global Descriptor Table location  -> 0
  73. [Fri May 29 10:13:41 2020] [*] Checking Store Task Register  -> 0
  74. [Fri May 29 10:13:42 2020] [*] Checking Number of cores in machine using WMI  -> 0
  75. [Fri May 29 10:13:43 2020] [*] Checking hard disk size using WMI  -> 1
  76. [Fri May 29 10:13:43 2020] [*] Checking hard disk size using DeviceIoControl  -> 1
  77. [Fri May 29 10:13:43 2020] [*] Checking SetupDi_diskdrive  -> 1
  78. [Fri May 29 10:13:48 2020] [*] Checking mouse movement  -> 0
  79. [Fri May 29 10:13:48 2020] [*] Checking memory space using GlobalMemoryStatusEx  -> 0
  80. [Fri May 29 10:13:48 2020] [*] Checking disk size using GetDiskFreeSpaceEx  -> 1
  81. [Fri May 29 10:13:48 2020] [*] Checking if CPU hypervisor field is set using cpuid(0x1) -> 1
  82. [Fri May 29 10:13:48 2020] [*] Checking hypervisor vendor using cpuid(0x40000000) -> 1
  83. [Fri May 29 10:14:48 2020] [*] Check if time has been accelerated  -> 0
  84. [Fri May 29 10:14:49 2020] [*] VM Driver Services   -> 0
  85. [Fri May 29 10:14:50 2020] [*] Checking SerialNumber from BIOS using WMI  -> 0
  86. [Fri May 29 10:14:50 2020] [*] Checking Model from ComputerSystem using WMI  -> 0
  87. [Fri May 29 10:14:50 2020] [*] Checking Manufacturer from ComputerSystem using WMI  -> 0
  88. [Fri May 29 10:18:50 2020] [*] Checking Current Temperature using WMI  -> 1
  89. [Fri May 29 10:18:52 2020] [*] Checking ProcessId using WMI  -> 0
  90. [Fri May 29 10:18:52 2020] [*] Checking power capabilities  -> 1
  91. [Fri May 29 10:18:52 2020] [*] Checking CPU fan using WMI  -> 1
  92. [Fri May 29 10:18:52 2020] [*] Checking NtQueryLicenseValue with Kernel-VMDetection-Private  -> 0
  93. [Fri May 29 10:18:52 2020] [*] Checking Win32_CacheMemory with WMI  -> 1
  94. [Fri May 29 10:18:52 2020] [*] Checking Win32_PhysicalMemory with WMI  -> 0
  95. [Fri May 29 10:18:52 2020] [*] Checking Win32_MemoryDevice with WMI  -> 0
  96. [Fri May 29 10:18:52 2020] [*] Checking Win32_MemoryArray with WMI  -> 0
  97. [Fri May 29 10:18:52 2020] [*] Checking Win32_VoltageProbe with WMI  -> 1
  98. [Fri May 29 10:18:52 2020] [*] Checking Win32_PortConnector with WMI  -> 1
  99. [Fri May 29 10:18:52 2020] [*] Checking Win32_SMBIOSMemory with WMI  -> 0
  100. [Fri May 29 10:18:59 2020] [*] Checking ThermalZoneInfo performance counters with WMI  -> 1
  101. [Fri May 29 10:18:59 2020] [*] Checking CIM_Memory with WMI  -> 1
  102. [Fri May 29 10:18:59 2020] [*] Checking CIM_Sensor with WMI  -> 1
  103. [Fri May 29 10:19:00 2020] [*] Checking CIM_NumericSensor with WMI  -> 1
  104. [Fri May 29 10:19:00 2020] [*] Checking CIM_TemperatureSensor with WMI  -> 1
  105. [Fri May 29 10:19:00 2020] [*] Checking CIM_VoltageSensor with WMI  -> 1
  106. [Fri May 29 10:19:00 2020] [*] Checking CIM_PhysicalConnector with WMI  -> 1
  107. [Fri May 29 10:19:00 2020] [*] Checking CIM_Slot with WMI  -> 1
  108. [Fri May 29 10:19:00 2020] [*] Checking reg key HARDWARE\Description\System - Identifier is set to VBOX -> 0
  109. [Fri May 29 10:19:00 2020] [*] Checking reg key HARDWARE\Description\System - SystemBiosVersion is set to VBOX -> 0
  110. [Fri May 29 10:19:00 2020] [*] Checking reg key HARDWARE\Description\System - VideoBiosVersion is set to VIRTUALBOX -> 0
  111. [Fri May 29 10:19:00 2020] [*] Checking reg key HARDWARE\Description\System - SystemBiosDate is set to 06/23/99 -> 0
  112. [Fri May 29 10:19:00 2020] [*] Checking VirtualBox Guest Additions directory  -> 0
  113. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\drivers\VBoxMouse.sys  -> 0
  114. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\drivers\VBoxGuest.sys  -> 0
  115. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\drivers\VBoxSF.sys  -> 0
  116. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\drivers\VBoxVideo.sys  -> 0
  117. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\vboxdisp.dll  -> 0
  118. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\vboxhook.dll  -> 0
  119. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\vboxmrxnp.dll  -> 0
  120. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\vboxogl.dll  -> 0
  121. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\vboxoglarrayspu.dll  -> 0
  122. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\vboxoglcrutil.dll  -> 0
  123. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\vboxoglerrorspu.dll  -> 0
  124. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\vboxoglfeedbackspu.dll  -> 0
  125. [Fri May 29 10:19:00 2020] [*] Checking file C:\Windows\System32\vboxoglpackspu.dll  -> 0
  126. [Fri May 29 10:19:01 2020] [*] Checking file C:\Windows\System32\vboxoglpassthroughspu.dll  -> 0
  127. [Fri May 29 10:19:01 2020] [*] Checking file C:\Windows\System32\vboxservice.exe  -> 0
  128. [Fri May 29 10:19:01 2020] [*] Checking file C:\Windows\System32\vboxtray.exe  -> 0
  129. [Fri May 29 10:19:01 2020] [*] Checking file C:\Windows\System32\VBoxControl.exe  -> 0
  130. [Fri May 29 10:19:01 2020] [*] Checking reg key HARDWARE\ACPI\DSDT\VBOX__  -> 0
  131. [Fri May 29 10:19:01 2020] [*] Checking reg key HARDWARE\ACPI\FADT\VBOX__  -> 0
  132. [Fri May 29 10:19:01 2020] [*] Checking reg key HARDWARE\ACPI\RSDT\VBOX__  -> 0
  133. [Fri May 29 10:19:01 2020] [*] Checking reg key SOFTWARE\Oracle\VirtualBox Guest Additions  -> 0
  134. [Fri May 29 10:19:01 2020] [*] Checking reg key SYSTEM\ControlSet001\Services\VBoxGuest  -> 0
  135. [Fri May 29 10:19:01 2020] [*] Checking reg key SYSTEM\ControlSet001\Services\VBoxMouse  -> 0
  136. [Fri May 29 10:19:01 2020] [*] Checking reg key SYSTEM\ControlSet001\Services\VBoxService  -> 0
  137. [Fri May 29 10:19:01 2020] [*] Checking reg key SYSTEM\ControlSet001\Services\VBoxSF  -> 0
  138. [Fri May 29 10:19:01 2020] [*] Checking reg key SYSTEM\ControlSet001\Services\VBoxVideo  -> 0
  139. [Fri May 29 10:19:01 2020] [*] Checking Mac Address start with 08:00:27  -> 0
  140. [Fri May 29 10:19:01 2020] [*] Checking MAC address (Hybrid Analysis)  -> 0
  141. [Fri May 29 10:19:01 2020] [*] Checking device \\.\VBoxMiniRdrDN  -> 0
  142. [Fri May 29 10:19:01 2020] [*] Checking device \\.\VBoxGuest  -> 0
  143. [Fri May 29 10:19:01 2020] [*] Checking device \\.\pipe\VBoxMiniRdDN  -> 0
  144. [Fri May 29 10:19:01 2020] [*] Checking device \\.\VBoxTrayIPC  -> 0
  145. [Fri May 29 10:19:01 2020] [*] Checking device \\.\pipe\VBoxTrayIPC  -> 0
  146. [Fri May 29 10:19:01 2020] [*] Checking VBoxTrayToolWndClass / VBoxTrayToolWnd  -> 0
  147. [Fri May 29 10:19:01 2020] [*] Checking VirtualBox Shared Folders network provider  -> 0
  148. [Fri May 29 10:19:01 2020] [*] Checking VirtualBox process vboxservice.exe  -> 0
  149. [Fri May 29 10:19:01 2020] [*] Checking VirtualBox process vboxtray.exe  -> 0
  150. [Fri May 29 10:19:02 2020] [*] Checking Win32_PnPDevice DeviceId from WMI for VBox PCI device  -> 0
  151. [Fri May 29 10:19:02 2020] [*] Checking Win32_PnPDevice Name from WMI for VBox controller hardware  -> 0
  152. [Fri May 29 10:19:03 2020] [*] Checking Win32_PnPDevice Name from WMI for VBOX names  -> 0
  153. [Fri May 29 10:19:03 2020] [*] Checking Win32_Bus from WMI  -> 0
  154. [Fri May 29 10:19:04 2020] [*] Checking Win32_BaseBoard from WMI  -> 0
  155. [Fri May 29 10:19:04 2020] [*] Checking MAC address from WMI  -> 0
  156. [Fri May 29 10:19:04 2020] [*] Checking NTEventLog from WMI  -> 0
  157. [Fri May 29 10:19:05 2020] [*] Checking SMBIOS firmware   -> 0
  158. [Fri May 29 10:19:05 2020] [*] Checking ACPI tables   -> 0
  159. [Fri May 29 10:19:05 2020] [*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 -> 0
  160. [Fri May 29 10:19:05 2020] [*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 -> 0
  161. [Fri May 29 10:19:05 2020] [*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 -> 0
  162. [Fri May 29 10:19:05 2020] [*] Checking reg key SYSTEM\ControlSet001\Control\SystemInformation -> 0
  163. [Fri May 29 10:19:05 2020] [*] Checking reg key SYSTEM\ControlSet001\Control\SystemInformation -> 0
  164. [Fri May 29 10:19:05 2020] [*] Checking reg key SOFTWARE\VMware, Inc.\VMware Tools  -> 0
  165. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vmnet.sys  -> 0
  166. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vmmouse.sys  -> 0
  167. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vmusb.sys  -> 0
  168. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vm3dmp.sys  -> 0
  169. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vmci.sys  -> 0
  170. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vmhgfs.sys  -> 0
  171. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vmmemctl.sys  -> 0
  172. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vmx86.sys  -> 0
  173. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vmrawdsk.sys  -> 0
  174. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vmusbmouse.sys  -> 0
  175. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vmkdb.sys  -> 0
  176. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vmnetuserif.sys  -> 0
  177. [Fri May 29 10:19:05 2020] [*] Checking file C:\Windows\System32\drivers\vmnetadapter.sys  -> 0
  178. [Fri May 29 10:19:05 2020] [*] Checking MAC starting with 00:05:69 -> 0
  179. [Fri May 29 10:19:05 2020] [*] Checking MAC starting with 00:0c:29 -> 0
  180. [Fri May 29 10:19:05 2020] [*] Checking MAC starting with 00:1C:14 -> 0
  181. [Fri May 29 10:19:05 2020] [*] Checking MAC starting with 00:50:56 -> 0
  182. [Fri May 29 10:19:05 2020] [*] Checking VMWare network adapter name  -> 0
  183. [Fri May 29 10:19:05 2020] [*] Checking device \\.\HGFS  -> 0
  184. [Fri May 29 10:19:05 2020] [*] Checking device \\.\vmci  -> 0
  185. [Fri May 29 10:19:05 2020] [*] Checking VMWare directory  -> 0
  186. [Fri May 29 10:19:05 2020] [*] Checking SMBIOS firmware   -> 0
  187. [Fri May 29 10:19:05 2020] [*] Checking ACPI tables   -> 0
  188. [Fri May 29 10:19:05 2020] [*] Checking Virtual PC processes VMSrvc.exe  -> 0
  189. [Fri May 29 10:19:05 2020] [*] Checking Virtual PC processes VMUSrvc.exe  -> 0
  190. [Fri May 29 10:19:06 2020] [*] Checking reg key SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters  -> 0
  191. [Fri May 29 10:19:06 2020] [*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0  -> 0
  192. [Fri May 29 10:19:06 2020] [*] Checking reg key HARDWARE\Description\System  -> 0
  193. [Fri May 29 10:19:06 2020] [*] Checking qemu processes qemu-ga.exe  -> 0
  194. [Fri May 29 10:19:06 2020] [*] Checking SMBIOS firmware   -> 0
  195. [Fri May 29 10:19:06 2020] [*] Checking ACPI tables   -> 0
  196. [Fri May 29 10:19:06 2020] [*] Checking Citrix Xen process xenservice.exe -> 0
  197. [Fri May 29 10:19:06 2020] [*] Checking Mac Address start with 08:16:3E  -> 0
  198. [Fri May 29 10:19:06 2020] [*] Checking Wine via dll exports  -> 0
  199. [Fri May 29 10:19:06 2020] [*] Checking reg key SOFTWARE\Wine  -> 0
  200. [Fri May 29 10:19:06 2020] [*] Checking Parallels processes: prl_cc.exe -> 0
  201. [Fri May 29 10:19:06 2020] [*] Checking Parallels processes: prl_tools.exe -> 0
  202. [Fri May 29 10:19:06 2020] [*] Checking Mac Address start with 08:1C:42  -> 0
  203. [Fri May 29 10:29:06 2020] [*] Performing a sleep using NtDelayExecution ... -> 0
  204. [Fri May 29 10:39:07 2020] [*] Performing a sleep() in a loop ... -> 0
  205. [Fri May 29 10:59:07 2020] [*] Delaying execution using SetTimer ... -> 0
  206. [Fri May 29 10:59:07 2020] [*] Delaying execution using timeSetEvent ... -> 0
  207. [Fri May 29 11:09:07 2020] [*] Delaying execution using WaitForSingleObject ... -> 0
  208. [Fri May 29 11:19:07 2020] [*] Delaying execution using IcmpSendEcho ... -> 0
  209. [Fri May 29 11:29:07 2020] [*] Delaying execution using CreateWaitableTimer ... -> 0
  210. [Fri May 29 11:39:07 2020] [*] Delaying execution using CreateTimerQueueTimer ... -> 0
  211. [Fri May 29 11:39:07 2020] [*] Checking RDTSC Locky trick  -> 0
  212. [Fri May 29 11:39:07 2020] [*] Checking RDTSC which force a VM Exit (cpuid)  -> 1
  213. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: ollydbg.exe  -> 0
  214. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: ProcessHacker.exe  -> 0
  215. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: tcpview.exe  -> 0
  216. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: autoruns.exe  -> 0
  217. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: autorunsc.exe  -> 0
  218. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: filemon.exe  -> 0
  219. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: procmon.exe  -> 0
  220. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: regmon.exe  -> 0
  221. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: procexp.exe  -> 0
  222. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: idaq.exe  -> 0
  223. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: idaq64.exe  -> 0
  224. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: ImmunityDebugger.exe  -> 0
  225. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: Wireshark.exe  -> 0
  226. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: dumpcap.exe  -> 0
  227. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: HookExplorer.exe  -> 0
  228. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: ImportREC.exe  -> 0
  229. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: PETools.exe  -> 0
  230. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: LordPE.exe  -> 0
  231. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: SysInspector.exe  -> 0
  232. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: proc_analyzer.exe  -> 0
  233. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: sysAnalyzer.exe  -> 0
  234. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: sniff_hit.exe  -> 0
  235. [Fri May 29 11:39:07 2020] [*] Checking process of malware analysis tool: windbg.exe  -> 0
  236. [Fri May 29 11:39:08 2020] [*] Checking process of malware analysis tool: joeboxcontrol.exe  -> 0
  237. [Fri May 29 11:39:08 2020] [*] Checking process of malware analysis tool: joeboxserver.exe  -> 0
  238. [Fri May 29 11:39:08 2020] [*] Checking process of malware analysis tool: joeboxserver.exe  -> 0
  239. [Fri May 29 11:39:08 2020] [*] Checking process of malware analysis tool: ResourceHacker.exe  -> 0
  240. [Fri May 29 11:39:08 2020] [*] Checking process of malware analysis tool: x32dbg.exe  -> 0
  241. [Fri May 29 11:39:08 2020] [*] Checking process of malware analysis tool: x64dbg.exe  -> 0
  242. [Fri May 29 11:39:08 2020] [*] Checking process of malware analysis tool: Fiddler.exe  -> 0
  243. [Fri May 29 11:39:08 2020] [*] Checking process of malware analysis tool: httpdebugger.exe  -> 0
复制代码

评分

参与人数 1人气 +1 收起 理由
Jerry.Lin + 1 版区有你更精彩: )

查看全部评分

vhightr
发表于 2020-6-1 09:12:19 | 显示全部楼层
KVMOpen之类的硬件半虚拟化可以么
vhightr
发表于 2020-6-1 09:14:02 | 显示全部楼层
linhai091 发表于 2020-5-15 19:54
虚拟机内存设置过大就会有 内存溢出,sandboxies公布源码后,后面的命运有待进一步观察

在理,如果OOM了的话有一定风险
IllusionWing
发表于 2020-6-1 16:04:18 | 显示全部楼层
这就有点厉害
我是电脑迷
发表于 2020-6-1 22:04:55 | 显示全部楼层
腾讯哈勃开源,还用python写的……
sunshiner
发表于 2020-6-6 18:38:11 | 显示全部楼层
我咋不会这技能术咧
小瑜哥
发表于 2020-6-8 21:26:11 | 显示全部楼层

支持一下,谢谢分享。!!
610100
发表于 2020-6-9 17:06:08 | 显示全部楼层
幸苦,没想到有那么多平台!
QINGMU
发表于 2020-6-11 22:29:24 | 显示全部楼层
进来看看。
huangsijun17
发表于 2020-6-15 16:03:02 | 显示全部楼层
360那个破沙盒呢?不是说至今不漏沙吗?
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 湘ICP备2021004765号-1 ) GMT+8, 2021-4-19 08:36 , Processed in 0.107729 second(s), 16 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表