Return to site
Return to site

Wpe Pro 1.3

broken image


Processes and libraries detection methods
1. Check specific running processes and loaded libraries
1.1. Check if specific processes are running
1.2. Check if specific libraries are loaded in the process address space
1.3. Check if specific functions are present in specific libraries
1.4. Countermeasures
2. Check if specific artifacts are present in process address space (Sandboxie only)
2.1. Countermeasures
Credits

Processes and libraries detection methods

Virtual environment launches some specific helper processes which are not being executed in usual host OS. There are also some specific modules which are loaded into processes address spaces.


1. Check specific running processes and loaded libraries


WPE 24 USER MANUAL VERSION 1.3 WPE 3SERIES www.workpro.es 1. INTRODUCTION WPE 24 is a digital signal processor with external control capability. Its compact design and format make it perfect for use by audiovisual integrators. The device has balanced inputs and outputs to give them greater immunity against electromagnetic interference. WPE Pro could also be a useful tool for testing thick client applications or web applications which use applets to establish socket connections on non http ports. Mar 12, 2018 - Wpe Pro 1.3 Download. Publisher Description Winsock Packet Editor (WPE) Pro is.

Wpe Pro 1.3

1.1. Check if specific processes are running

Functions used:

  • CreateToolhelp32Snapshot
  • psapi.EnumProcesses (WinXP, Vista)
  • kernel32.EnumProcesses (Win7+)

Code sample

Signature recommendations

Wpe Pro 1.3 Download

Signature recommendations are not provided as it's hard to say what exactly is queried in the processes' snapshot.

Detections table

Check if the following processes are running:
DetectProcess
JoeBoxjoeboxserver.exe
joeboxcontrol.exe
Parallelsprl_cc.exe
prl_tools.exe
VirtualBoxvboxservice.exe
vboxtray.exe
VirtualPCvmsrvc.exe
vmusrvc.exe
VMWarevmtoolsd.exe
vmacthlp.exe
vmwaretray.exe
vmwareuser.exe
vmware.exe
vmount2.exe
Xenxenservice.exe
xsvc_depriv.exe
WPE ProWPE Pro.exe


Note: WPE Pro is a sniffer, not VM, however it is used along with VM detects.


1.2. Check if specific libraries are loaded in the process address space

Functions used:

  • GetModuleHandle

Code sample

Pro

Credits for this code sample: al-khaser project

Signature recommendations

If the following function contains its only argument from the table column `Library`:

  • GetModuleHandle(module_name)

then it's an indication of application trying to use this evasion technique.

Detections table

Check if the following libraries are loaded in the process address space:
DetectLibrary
CWSandboxapi_log.dll
dir_watch.dll
pstorec.dll
Sandboxiesbiedll.dll
ThreatExpertdbghelp.dll
VirtualPCvmcheck.dll
WPE Prowpespy.dll


Note: WPE Pro is a sniffer, not VM, however it is used along with VM detects.


1.3. Check if specific functions are present in specific libraries

Functions used (see note about native functions):

  • kernel32.GetProcAddress
  • kernel32.LdrGetProcedureAddress (called internally)
  • ntdll.LdrGetProcedureAddress
  • ntdll.LdrpGetProcedureAddress (called internally)

Wpe Pro 1.3 Download

Code sample

Credits for this code sample: al-khaser project

Signature recommendations

If the following functions contain 2nd argument from the table column 'Function' and the 1st argument is the address of matching 'Library' name from the table:

  • kernel32.GetProcAddress(lib_handle, func_name)
  • kernel32.LdrGetProcedureAddress(lib_handle, func_name)
  • ntdll.LdrGetProcedureAddress(lib_handle, func_name)
  • ntdll.LdrpGetProcedureAddress(lib_handle, func_name)

then it's an indication of application trying to use this evasion technique.

Detections table

Check if the following functions are present in the following libraries:
DetectLibraryFunction
Winekernel32.dllwine_get_unix_file_name
ntdll.dllwine_get_version


1.4. Countermeasures

  • for processes: exclude target processes from enumeration or terminate them;
  • for libraries: exclude them from enumeration lists in PEB;
  • for functions in libraries: hook appropriate functions and compare their arguments against target ones.


2. Check if specific artifacts are present in process address space (Sandboxie only)

Wpe pro 1.3 free

Functions used:

  • NtQueryVirtualMemory

Code sample

Take a look at VMDE project sources.

Signature recommendations

Signature recommendations are not provided as it's hard to say what exactly is queried when memory buffer is being examined.


2.1. Countermeasures

Erase present artifacts from memory.


Credits

Credits go to open-source project from where code samples were taken:

  • al-khaser project on github
  • VMDE project on github

Though Check Point tool InviZzzible has them all implemented, due to modular structure of the code it would require more space to show a code sample from this tool for the same purposes. That's why we've decided to use other great open-source projects for examples throughout the encyclopedia.

1.3

1.1. Check if specific processes are running

Functions used:

  • CreateToolhelp32Snapshot
  • psapi.EnumProcesses (WinXP, Vista)
  • kernel32.EnumProcesses (Win7+)

Code sample

Signature recommendations

Wpe Pro 1.3 Download

Signature recommendations are not provided as it's hard to say what exactly is queried in the processes' snapshot.

Detections table

Check if the following processes are running:
DetectProcess
JoeBoxjoeboxserver.exe
joeboxcontrol.exe
Parallelsprl_cc.exe
prl_tools.exe
VirtualBoxvboxservice.exe
vboxtray.exe
VirtualPCvmsrvc.exe
vmusrvc.exe
VMWarevmtoolsd.exe
vmacthlp.exe
vmwaretray.exe
vmwareuser.exe
vmware.exe
vmount2.exe
Xenxenservice.exe
xsvc_depriv.exe
WPE ProWPE Pro.exe


Note: WPE Pro is a sniffer, not VM, however it is used along with VM detects.


1.2. Check if specific libraries are loaded in the process address space

Functions used:

  • GetModuleHandle

Code sample

Credits for this code sample: al-khaser project

Signature recommendations

If the following function contains its only argument from the table column `Library`:

  • GetModuleHandle(module_name)

then it's an indication of application trying to use this evasion technique.

Detections table

Check if the following libraries are loaded in the process address space:
DetectLibrary
CWSandboxapi_log.dll
dir_watch.dll
pstorec.dll
Sandboxiesbiedll.dll
ThreatExpertdbghelp.dll
VirtualPCvmcheck.dll
WPE Prowpespy.dll


Note: WPE Pro is a sniffer, not VM, however it is used along with VM detects.


1.3. Check if specific functions are present in specific libraries

Functions used (see note about native functions):

  • kernel32.GetProcAddress
  • kernel32.LdrGetProcedureAddress (called internally)
  • ntdll.LdrGetProcedureAddress
  • ntdll.LdrpGetProcedureAddress (called internally)

Wpe Pro 1.3 Download

Code sample

Credits for this code sample: al-khaser project

Signature recommendations

If the following functions contain 2nd argument from the table column 'Function' and the 1st argument is the address of matching 'Library' name from the table:

  • kernel32.GetProcAddress(lib_handle, func_name)
  • kernel32.LdrGetProcedureAddress(lib_handle, func_name)
  • ntdll.LdrGetProcedureAddress(lib_handle, func_name)
  • ntdll.LdrpGetProcedureAddress(lib_handle, func_name)

then it's an indication of application trying to use this evasion technique.

Detections table

Check if the following functions are present in the following libraries:
DetectLibraryFunction
Winekernel32.dllwine_get_unix_file_name
ntdll.dllwine_get_version


1.4. Countermeasures

  • for processes: exclude target processes from enumeration or terminate them;
  • for libraries: exclude them from enumeration lists in PEB;
  • for functions in libraries: hook appropriate functions and compare their arguments against target ones.


2. Check if specific artifacts are present in process address space (Sandboxie only)

Functions used:

  • NtQueryVirtualMemory

Code sample

Take a look at VMDE project sources.

Signature recommendations

Signature recommendations are not provided as it's hard to say what exactly is queried when memory buffer is being examined.


2.1. Countermeasures

Erase present artifacts from memory.


Credits

Credits go to open-source project from where code samples were taken:

  • al-khaser project on github
  • VMDE project on github

Though Check Point tool InviZzzible has them all implemented, due to modular structure of the code it would require more space to show a code sample from this tool for the same purposes. That's why we've decided to use other great open-source projects for examples throughout the encyclopedia.







broken image
PreviousNext
Cookie Use
We use cookies to improve browsing experience, security, and data collection. By accepting, you agree to the use of cookies for advertising and analytics. You can change your cookie settings at any time. Learn More
Accept all
Settings
Decline All
Cookie Settings
Necessary Cookies
These cookies enable core functionality such as security, network management, and accessibility. These cookies can’t be switched off.
Analytics Cookies
These cookies help us better understand how visitors interact with our website and help us discover errors.
Preferences Cookies
These cookies allow the website to remember choices you've made to provide enhanced functionality and personalization.
Save