Hi Malware Developer
Looking at some malware samples around, I would like to share one of the many ways malware identifies its environment so that it does not get caught by a sandboxing solution.
There are many factors that malware needs to check to make sure it is running on a real victim machine instead of in a sandbox environment. One piece of environment information is the GPU hardware information, such as the vendor ID.
Why GPU Vendor ID?
Most sandboxes run on virtualization infrastructure, which leaves traces in the operating system and hardware information that the OS exposes. Most sandboxes whose OS runs on virtualization will not be assigned a dedicated GPU, since that would raise the cost and no malware requires a GPU to do its work.
Evading The Sandbox
Since most virtual machines do not have a dedicated physical GPU, this can be a factor to determine whether the malware is running in a sandbox or on a physical device. The malware will stop its process when it knows that it is running in a sandbox, so that it does not reveal its actual behaviour and minimizes the information that becomes known.
C++ Code
#include <windows.h>
#include <dxgi.h>
#include <cstdlib>
#include <cstdio>
#pragma comment(lib, "dxgi.lib")
#pragma comment(lib, "dxguid.lib")

int main()
{
    IDXGIFactory* pFactory = NULL;
    HRESULT result = CreateDXGIFactory(__uuidof(IDXGIFactory), (void**)&pFactory);
    if (result == S_OK) {
        UINT i = 0;
        IDXGIAdapter* pAdapter = NULL;
        // Walk every adapter DXGI knows about; EnumAdapters returns
        // DXGI_ERROR_NOT_FOUND once the index runs past the last one.
        while (pFactory->EnumAdapters(i, &pAdapter) != DXGI_ERROR_NOT_FOUND) {
            DXGI_ADAPTER_DESC adapterDesc;
            // VendorId is the PCI vendor ID of the adapter (0x8086 Intel, 0x1002 AMD, 0x10de NVIDIA).
            if (SUCCEEDED(pAdapter->GetDesc(&adapterDesc))) {
                fprintf(stdout, "VendorID: 0x%x\n", adapterDesc.VendorId);
            }
            pAdapter->Release();  // each enumerated adapter holds a COM reference
            ++i;
        }
        pFactory->Release();
    }
    return 0;
}
Output
Below is the output of the code running on VMware, which shows that the vendor ID is one known to belong to VMware.

For your reference, the known vendor IDs for Intel, NVIDIA and AMD are listed below. If the malware finds one of these vendor IDs, it is fairly safe for it to continue its process.
Intel : 0x8086
AMD : 0x1002
NVIDIA : 0x10de
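As an added example (not from the original post), here is a Python helper a sandbox operator could run to see whether an image would pass this kind of GPU vendor check: it parses the "VendorID: 0x..." lines printed by the C++ tool above and compares them against the vendor list. The sample outputs and the 0xabcd vendor ID are constructed placeholders, not values captured from VMware.

```python
import re
from dataclasses import dataclass

# Vendor IDs the post lists as belonging to physical GPU vendors.
PHYSICAL_GPU_VENDORS = {
    0x8086: "Intel",
    0x1002: "AMD",
    0x10DE: "NVIDIA",
}

# Matches the lines the C++ tool prints, e.g. "VendorID: 0x8086".
_LINE_RE = re.compile(r"^\s*VendorID:\s*0x([0-9a-fA-F]+)\s*$")

def parse_vendor_ids(tool_output: str) -> list[int]:
    """Extract every VendorID value from the tool's stdout, in order."""
    ids = []
    for line in tool_output.splitlines():
        m = _LINE_RE.match(line)
        if m:
            ids.append(int(m.group(1), 16))
    return ids

@dataclass
class Verdict:
    looks_physical: bool  # True if a malware GPU vendor check would be satisfied
    reason: str
    physical: list[str]   # vendor names recognised as physical GPU vendors
    unknown: list[int]    # vendor IDs not in PHYSICAL_GPU_VENDORS

def assess_sandbox(tool_output: str) -> Verdict:
    """Decide whether this sandbox image would pass the GPU vendor check."""
    ids = parse_vendor_ids(tool_output)
    if not ids:
        return Verdict(False, "no adapters enumerated: no GPU exposed or factory creation failed", [], [])
    physical = [PHYSICAL_GPU_VENDORS[v] for v in ids if v in PHYSICAL_GPU_VENDORS]
    unknown = [v for v in ids if v not in PHYSICAL_GPU_VENDORS]
    if physical:
        return Verdict(True, "at least one adapter reports a known physical GPU vendor", physical, unknown)
    return Verdict(False, "only vendor IDs outside the physical list are exposed", physical, unknown)

# Constructed sample outputs (not captured from a real VMware run); 0xabcd is a placeholder ID.
SAMPLE_VM_ONLY = "VendorID: 0xabcd\n"
SAMPLE_PASSTHROUGH = "VendorID: 0xabcd\nVendorID: 0x10de\n"

if __name__ == "__main__":
    for name, out in [("vm-only", SAMPLE_VM_ONLY), ("gpu-passthrough", SAMPLE_PASSTHROUGH)]:
        v = assess_sandbox(out)
        print(f"{name}: looks_physical={v.looks_physical} ({v.reason})")
```

Feed it the real stdout of the C++ tool from your sandbox image; a "looks_physical=False" verdict means a sample using this check would stop before showing its behaviour.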
Nice nice nice. Is there a way to counter this evasion from the blue team perspective?