/*
* wdCheckEmulatedVFS
*
* Purpose:
*
* Detect the Microsoft antimalware engine's emulation environment through one of
* its Virtual File System artefacts and terminate the process when it is found.
*
* The engine runs scanned code inside an emulated environment that fakes general
* system information and process environment data so that API calls look
* transparent to the scanned code. It also keeps a simple Virtual File System so
* it can track file-system changes and, if needed, continue emulation on a new
* target. Inside that VFS the scanned image apparently appears under a synthetic
* path that contains the marker compared for below.
*
* Behaviour notes:
*  - The marker is assembled character by character rather than written as a
*    wide-string literal, presumably so it does not appear as a plain string in
*    the binary.
*  - The return value of GetModuleFileName is not checked. Because the buffer is
*    zeroed beforehand, a failed call leaves an empty string and the check simply
*    does not fire; a path truncated to MAX_PATH is not detected either.
*
* This technique has been observed in commercial malware, presumably since 2013.
*
*/
VOID wdCheckEmulatedVFS(
    VOID
)
{
    WCHAR szImagePath[MAX_PATH];
    /* L":\\myapp.exe" built per character: 11 characters plus the terminator. */
    WCHAR szVfsMarker[12] = { L':', L'\\', L'm', L'y', L'a', L'p', L'p', L'.', L'e', L'x', L'e', 0 };

    RtlSecureZeroMemory(&szImagePath, sizeof(szImagePath));
    GetModuleFileName(NULL, szImagePath, MAX_PATH);

    /* No marker in the image path: nothing to do. */
    if (_strstri(szImagePath, szVfsMarker) == NULL) {
        return;
    }

    ExitProcess((UINT)0);
}
/*
* supQueryWinstationDescription
*
* Purpose:
*
* Match a window station name against the predefined system window station
* names and, on a match, write its friendly description ("<type> logon session")
* into Buffer.
*
* Parameters:
*  lpWindowStationName - window station name to classify. Matching is done with
*                        _strstri (substring search, presumably case-insensitive).
*  Buffer              - receives the description; only written when a match is found.
*  ccBuffer            - capacity of Buffer in characters; must be at least MAX_PATH.
*
* Return Value:
*  TRUE if the name matched one of the known types and Buffer was filled, FALSE
*  otherwise (including NULL arguments or a buffer smaller than MAX_PATH).
*
*/
BOOL supQueryWinstationDescription(
	_In_	LPWSTR lpWindowStationName,
	_Inout_	LPWSTR Buffer,
	_In_	DWORD ccBuffer //size of buffer in chars
	)
{
	LPWSTR lpDescription = NULL;

	/* Reject missing arguments and undersized buffers up front. */
	if (lpWindowStationName == NULL || Buffer == NULL || ccBuffer < MAX_PATH) {
		return FALSE;
	}

	/* First matching pattern wins; the order below is the order of precedence. */
	if (_strstri(lpWindowStationName, T_WINSTA_SYSTEM) != NULL) {
		lpDescription = L"System";
	}
	else if (_strstri(lpWindowStationName, T_WINSTA_ANONYMOUS) != NULL) {
		lpDescription = L"Anonymous";
	}
	else if (_strstri(lpWindowStationName, T_WINSTA_LOCALSERVICE) != NULL) {
		lpDescription = L"Local Service";
	}
	else if (_strstri(lpWindowStationName, T_WINSTA_NETWORK_SERVICE) != NULL) {
		lpDescription = L"Network Service";
	}

	if (lpDescription == NULL) {
		return FALSE;
	}

	/*
	 * wsprintf is unbounded, but the longest possible result here is
	 * "Network Service logon session" (29 characters), and the caller has
	 * already guaranteed at least MAX_PATH characters of space.
	 */
	wsprintf(Buffer, L"%s logon session", lpDescription);
	return TRUE;
}