This is the second issue of my learning record on reverse engineering. If you want to read my first issue, on BYPASS, you can go to my personal home page.
Written at the beginning: this series of articles is for education and experience exchange. Please do not use them for illegal purposes!!!
Understanding sandboxes
A sandbox is an execution environment that restricts program behavior according to a security policy. In the early days it was mainly used to test suspicious software; for example, hackers often run viruses or untrusted products inside a sandbox to try them out. The classical sandbox is generally implemented by intercepting system calls and monitoring program behavior, then controlling and limiting the program's use of computer resources according to user-defined policies, such as writing the registry, reading and writing the disk, and so on.
The online sandboxes I use most often are the Weibu Online (ThreatBook) cloud sandbox and VirusTotal. I personally recommend VirusTotal, because it runs the file through more than 60 security vendors' engines, which is relatively strict. The Weibu sandbox is better suited to domestic (Chinese) needs.
To put it bluntly: if we get hold of an unknown executable, such as a program or a dynamic link library, we should run it in a sandbox to see what the process does and whether it is harmful.
Let me start with an example:
Red team A writes a trojan and hands it to the blue team for analysis and research. When the blue team gets the sample, they certainly will not run it on their own computer; they throw it into a sandbox to see which Windows APIs it uses, whether it has network behavior, and which IPs it talks to. If A's trojan has no anti-reversing measures, or they are not done properly, this is what happens:
The blue team cannot be bothered to analyze it and simply throws it in the trash can.
What if we add anti-sandbox measures instead?
Ah, this situation is much more comfortable. The VirusTotal score can also be reduced; I will introduce that method at the end. If the blue team reverse engineers this file, the moment it is dragged into a sandbox or into OllyDbg it calls exit(1), GG, and gives them no chance to debug it.
Anti-reversing principle
I quote Drunkmars here: the simplest anti-debugging measure is to detect the parent process. Generally speaking, the parent process of a program we manually click to execute is explorer. If the parent process of a program is not explorer, we can assume it was started by a sandbox, and then we exit directly. In this way, they cannot continue to analyze our behavior.
Now that the idea is clear, let's start implementing it:
First call CreateToolhelp32Snapshot to take a process snapshot, then walk the snapshot to find the parent process PID of our current process, then look up the PID of explorer, and finally compare the explorer PID with the parent PID we just found. If the two values are equal, the program is judged not to be under analysis; otherwise, exit(1) directly.
C++ implementation:
Query the parent process PID of the current program:
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>

// Walk a Toolhelp process snapshot and return the parent PID of `pid`
// (or (DWORD)-1 if the snapshot could not be taken or `pid` was not found).
DWORD search_my_processid(DWORD pid) {
    DWORD ParentProcessID = (DWORD)-1;
    PROCESSENTRY32 pe;
    HANDLE hkz;
    HMODULE hModule = LoadLibrary(_T("Kernel32.dll"));
    if (hModule == NULL) {
        OutputDebugString(_T("Loaddll error"));
        return (DWORD)-1;
    }
    FARPROC Address = GetProcAddress(hModule, "CreateToolhelp32Snapshot");
    if (Address == NULL) {
        OutputDebugString(_T("GetProc error"));
        return (DWORD)-1;
    }
    // Equivalent to CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS /* 2 */, 0),
    // called through the resolved pointer. MSVC inline asm is x86-only;
    // an x64 build must call Address through a typed function pointer instead.
    _asm {
        push 0
        push 2
        call Address
        mov hkz, eax
    }
    pe.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hkz, &pe)) {
        do {
            if (pe.th32ProcessID == pid) {
                ParentProcessID = pe.th32ParentProcessID;
                break;
            }
        } while (Process32Next(hkz, &pe));
    }
    CloseHandle(hkz);  // the snapshot handle must be released
    return ParentProcessID;
}
Query the PID of explorer.exe:
// Walk the same kind of snapshot and return the PID of the first process
// named explorer.exe (or (DWORD)-1 if none is found).
DWORD search_explorer_processid() {
    DWORD explorer_id = (DWORD)-1;
    PROCESSENTRY32 pe;
    HANDLE hkz;
    HMODULE hModule = LoadLibrary(_T("Kernel32.dll"));
    if (hModule == NULL) {
        OutputDebugString(_T("Loaddll error"));
        return (DWORD)-1;
    }
    FARPROC Address = GetProcAddress(hModule, "CreateToolhelp32Snapshot");
    if (Address == NULL) {
        OutputDebugString(_T("GetProc error"));
        return (DWORD)-1;
    }
    // CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) via inline asm (x86 only)
    _asm {
        push 0
        push 2
        call Address
        mov hkz, eax
    }
    pe.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hkz, &pe)) {
        do {
            // szExeFile is a TCHAR array: compare with _tcsicmp rather than a
            // strcmp on a cast pointer, which breaks on Unicode builds.
            if (_tcsicmp(pe.szExeFile, _T("explorer.exe")) == 0) {
                explorer_id = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hkz, &pe));
    }
    CloseHandle(hkz);
    return explorer_id;
}
Compare the PID of the two:
// Returns 1 when our parent process is explorer.exe, 0 otherwise.
int determine() {
    DWORD explorer_id = search_explorer_processid();
    DWORD my_parent_pid = search_my_processid(GetCurrentProcessId());
    if (explorer_id == my_parent_pid) {
        return 1;
    } else {
        return 0;
    }
}
In main.cpp:
int main() {
    // determine() is the check defined above (the original text called it
    // sendbox(), which was never defined).
    int anti_sandbox = determine();
    if (!anti_sandbox) {
        exit(1);  // parent is not explorer.exe: assume a sandbox or debugger
    }
    return 0;
}
The actual effect matches the anti-reversing scenario for red team A described above.
The VirusTotal score is 10 / 67. If you want to do better, you can try calling the Windows API functions through pointers, which is relatively safer. In addition, this article is only about anti-reversing and anti-sandbox techniques. Although the program as written is not flagged by AV, that does not mean you can stuff obfuscated shellcode (such as CS) into it: such dangerous behaviors will destroy the judgment that the file is a normal program.
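Seen from the blue team's side, the parent-process check above leaves a recognisable footprint in the binary even when CreateToolhelp32Snapshot is resolved through GetProcAddress rather than the import table: the API name still has to exist as a string constant, Process32First/Process32Next are imported directly, and the literal "explorer.exe" is present (as UTF-16LE in a Unicode build). The following Python script is an added example written for this article, not code from the original post; it scans a byte blob for that combination of indicators so a triage pipeline can flag a sample as "probably checks its parent process" before anyone spends time on it in a sandbox. The sample byte strings are constructed inline for the demo.

```python
"""Static indicator scan for the parent-process anti-sandbox check.

Searches raw file bytes for the Toolhelp API names and the target process
name, in both ASCII and UTF-16LE, and classifies the combination.
"""
import re

# Indicator strings. The first two are the APIs the check relies on; the
# third is the parent process the check expects.
INDICATORS = {
    "snapshot_api": b"CreateToolhelp32Snapshot",
    "walk_api": b"Process32First",
    "parent_target": b"explorer.exe",
}

# Indicators that together point at the parent-process check specifically.
PARENT_CHECK_SET = {"snapshot_api", "walk_api", "parent_target"}


def _encodings(needle: bytes):
    """Yield the ASCII form and the UTF-16LE form (as stored by _T() in a
    Unicode build) of an indicator string."""
    yield needle
    yield needle.decode("ascii").encode("utf-16-le")


def find_indicators(data: bytes) -> dict:
    """Return {indicator_name: [offsets]} for every indicator present in data.

    Matching is ASCII-case-insensitive, so "Explorer.EXE" is also caught.
    """
    found = {}
    for name, needle in INDICATORS.items():
        offsets = []
        for enc in _encodings(needle):
            pattern = re.compile(re.escape(enc), flags=re.IGNORECASE)
            offsets.extend(m.start() for m in pattern.finditer(data))
        if offsets:
            found[name] = sorted(offsets)
    return found


def classify(data: bytes) -> str:
    """Map the indicator set found in data to a short triage verdict."""
    found = find_indicators(data)
    if PARENT_CHECK_SET <= found.keys():
        return "likely parent-process anti-sandbox check"
    if "snapshot_api" in found or "walk_api" in found:
        return "process enumeration only"
    return "no indicators"


# Constructed sample "binaries" for the demo (not real files): a fake MZ
# header, the API name as passed to GetProcAddress (ASCII), a direct import
# name, and the process name as a UTF-16LE string constant.
SAMPLE_SUSPECT = (
    b"MZ" + b"\x00" * 16
    + b"CreateToolhelp32Snapshot\x00Process32FirstW\x00"
    + b"\x00" * 8
    + "explorer.exe".encode("utf-16-le") + b"\x00\x00"
)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 16 + b"GetCurrentProcessId\x00Hello\x00"


def triage_report(samples: dict) -> dict:
    """Classify several named samples at once; returns {name: verdict}."""
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_report(
        {"suspect.bin": SAMPLE_SUSPECT, "benign.bin": SAMPLE_BENIGN}
    ).items():
        print(f"{name}: {verdict}")
        print("  indicators:", find_indicators(
            SAMPLE_SUSPECT if name == "suspect.bin" else SAMPLE_BENIGN))
```

To run it against real files, read each file with `open(path, "rb").read()` and pass the bytes to `classify`. The verdict is a heuristic, not proof: legitimate process managers also enumerate processes, which is why the script only reports the strong verdict when all three indicators appear together and otherwise downgrades to "process enumeration only".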
-END-