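/*
* wdCheckEmulatedVFS
*
* Purpose:
*
* Detect the Microsoft security engine emulator by its own VFS artefact.
*
* The engine runs the scanned image inside an emulated environment that fakes
* general system information and process environment structures/data so that
* API calls look transparent to the scanned code. It also uses a simple virtual
* file system (VFS) so it can track file-system changes and, if needed, continue
* emulation on a newly created target. Inside that VFS the scanned image is
* given a fixed name; the tail ":\myapp.exe" is the marker this check looks for
* in our own module path. The marker is spelled out as a character array,
* presumably to keep it out of the binary's plain string table.
*
* Note: this is a heuristic. The comparison is a case-insensitive substring
* search over the whole path, so any real module whose path contains the
* marker would be treated as emulated and terminated as well.
*
* Return:
*
* Nothing. Calls ExitProcess(0) when the artefact is found. Returns silently
* otherwise, including when the module path cannot be read or is truncated.
*
* This method has presumably been used in commercial malware since 2013.
*
*/
VOID wdCheckEmulatedVFS(
    VOID
)
{
    DWORD   cch;
    WCHAR   szBuffer[MAX_PATH];
    WCHAR   szMsEngVFS[12] = { L':', L'\\', L'm', L'y', L'a', L'p', L'p', L'.', L'e', L'x', L'e', 0 };

    RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));

    //
    // Read our own module path and check the result: 0 means failure and a
    // value >= the buffer size means the path was truncated. On older systems
    // a truncated copy is not NUL-terminated, so _strstri would otherwise scan
    // past the end of szBuffer. The emulator path is short, so a truncated
    // path cannot be the artefact anyway: just bail out.
    //
    cch = GetModuleFileName(NULL, szBuffer, MAX_PATH);
    if ((cch == 0) || (cch >= MAX_PATH))
        return;

    if (_strstri(szBuffer, szMsEngVFS) != NULL) {
        ExitProcess((UINT)0);
    }
}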
/*
* supQueryWinstationDescription
*
* Purpose:
*
* Map a window station name onto one of the predefined (well-known) window
* station types and, when one matches, write that type's friendly description
* to the caller's buffer in the form "<type> logon session".
*
* Parameters:
*
* lpWindowStationName - name to classify; matched with a case-insensitive
*   substring search. The first match in the order System, Anonymous,
*   Local Service, Network Service wins.
* Buffer   - receives the description on success; left untouched otherwise.
* ccBuffer - size of Buffer in characters, must be at least MAX_PATH.
*
* Return:
*
* TRUE when a known type matched and Buffer was filled, FALSE otherwise
* (including NULL arguments and a buffer smaller than MAX_PATH).
*
*/
BOOL supQueryWinstationDescription(
    _In_ LPWSTR lpWindowStationName,
    _Inout_ LPWSTR Buffer,
    _In_ DWORD ccBuffer //size of buffer in chars
)
{
    DWORD i;
    const struct {
        LPWSTR Marker;
        LPWSTR FriendlyName;
    } KnownTypes[] = {
        { T_WINSTA_SYSTEM,          L"System" },
        { T_WINSTA_ANONYMOUS,       L"Anonymous" },
        { T_WINSTA_LOCALSERVICE,    L"Local Service" },
        { T_WINSTA_NETWORK_SERVICE, L"Network Service" }
    };

    if ((lpWindowStationName == NULL) || (Buffer == NULL))
        return FALSE;

    //
    // The longest description produced below ("Network Service logon session")
    // is 29 characters, so the MAX_PATH minimum guarantees the unbounded
    // wsprintf below cannot overrun the caller's buffer.
    //
    if (ccBuffer < MAX_PATH)
        return FALSE;

    for (i = 0; i < sizeof(KnownTypes) / sizeof(KnownTypes[0]); i++) {
        if (_strstri(lpWindowStationName, KnownTypes[i].Marker) != NULL) {
            wsprintf(Buffer, L"%s logon session", KnownTypes[i].FriendlyName);
            return TRUE;
        }
    }

    return FALSE;
}