InviZzzible is a tool for assessment of your virtual environments in an easy and reliable way. It contains the most recent and up to date detection and evasion techniques as well as fixes for them.

License: GNU General Public License v3.0

C++ 90.67% HTML 0.12% Python 1.15% C 8.05%
research evasion malware

InviZzzible

Contributed By Check Point Software Technologies LTD.
Programmed by Stanislav Skuratovich.
Presented at:

  • ShmooCon 2017 by Alexander Chailytko and Stanislav Skuratovich.
  • Virus Bulletin 2016 by Alexander Chailytko and Stanislav Skuratovich.

Slides: https://github.com/CheckPointSW/InviZzzible/blob/master/conferences/Skuratovich_Chailytko-DefeatingSandboxEvasion.pdf
Video: https://archive.org/details/ShmooCon2017/ShmooCon2017+-+Defeating+Sandbox+Evasion.mp4

Overview

InviZzzible is a tool for assessment of your virtual environments in an easy and reliable way. It contains the most recent and up to date detection and evasion techniques as well as fixes for them. Also, you can add and expand existing techniques yourself even without modifying the source code.

Supported environments

  • Cuckoo Sandbox
  • Joe Sandbox
  • VMWare virtualization products
  • VirtualBox
  • Hyper-V
  • Parallels
  • QEMU
  • BOCHS
  • Xen
  • VirtualPC
  • Sandboxie
  • Wine

Features

  • Generic tool that covers a lot of different virtual environment detection techniques and proposes fixes for them.
  • Easily extendable; support for new virtual environments can be added quickly.
  • As Cuckoo Sandbox is the most prevalent tool used for automated malware analysis, we include the detections of it as well.
  • Ability to introduce new detection techniques without modifying the source code, through the JSON configuration files, so the whole community can contribute to the development of the tool.
  • User-friendly reports about the checked environment that can be shared within the organization, among technical staff as well as higher management.

Configurations

You can build InviZzzible with a built-in set of default configurations so that it works without command line arguments. We added two example build configurations for your convenience:

  • vmware
  • cuckoo vmware generic

To build InviZzzible with your own custom set of configurations, open Project Properties -> Configuration Properties -> Build Events -> Pre-Build Event, and change the list of evasion configuration names in the Command Line property after python gen_default_data.py. Example:

python gen_default_data.py generic vmware misc

You can find the list of available configurations here.

Credits

  • Aliaksandr Trafimchuk
  • Alexey Bukhteyev
  • Raman Ladutska
  • Yaraslau Harakhavik
  • VMDE project
  • Pafish project

invizzzible's People

Contributors

ar13l, ariel19, chkp-alexanderc, chkp-alexeybu, chkp-aliaksandrt, chkp-ramanl, chkp-roniz, chkp-yaroslavh


invizzzible's Issues

Thanks!

Sincerely,
Clueless malware authors of the world

Seriously -- is there any point to publishing new sandbox attacks for malware authors to copy+paste? Nearly all of these issues are obvious, so what is the point? You realize right that no public sandbox will be able to withstand detection? Not to mention the can of worms you probably don't even realize can be opened with more interesting anti-sleep-skipping code for which there's nothing a sandbox can do about it.

I don't see any point to this except for publicity for you guys and having upstream Cuckoo fix a tiny number of the bypass methods possible (many of which weren't used in the wild) to give the appearance of progress. Add more pointless busy work for people who publish their code in the open, and I'm sure you'll see less of it.

-Brad

Not all strings caught?

Hi guys,

thank you so much for this cool tool.

I ran the checks for my VM and fixed them all except the string ven_15ad; I can't change and save it in my registry. Is it possible another way?

The next thing is that after all the work there are still a bunch of VMware strings that can be found, but I ask myself: can anybody do a full registry scan with any externally installed software or not?

Because of the admin rights for installing/running the software it should be so, and they could figure out that it's a VM?

Best regards

How to enable other tests besides Cuckoo?

Hi Guys,

How can I activate the other tests like generic, qemu, kvm?
I read something about some parameters when submitting to Cuckoo/CAPE, but can't find any documentation on how to do that; maybe I'm blind.
BTW: I built SandboxEvasion.exe with Visual Studio 2022 and Python 3.10, which works in my CAPE instance:
ClaudioWayne@cec3704
Maybe a PR would solve #12, let me know.

Claudio

Updates

Dear Sir

I was wondering if the software will be updated with the newest fixes, because I saw that the latest change happened in 2019.

Kind regards

Compiled version

Hello,

I'm kindly asking you to add a compiled version for Windows 10 x64 and put it into the Releases section. It will make life easier, because there are some errors during compilation.

Thanks in advance.

Compiling

Hi, I am having trouble compiling SandboxEvasion, every time I get the error

MSB3073 The command "python gen_default_data.py def_data.conf
:VCEnd" exited with code 1.	SandboxEvasion C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V140\Microsoft.CppCommon.targets 123

I opened gen_default_data.py and VS Code showed me that there were 5 problems with brackets in the print function. I added them and tried to compile again but got the same error. I ran python gen_default_data.py def_data.conf in a terminal and got this output:

Traceback (most recent call last):
  File "C:\InviZzzible\SandboxEvasion\gen_default_data.py", line 97, in <module>
    main()
  File "C:\InviZzzible\SandboxEvasion\gen_default_data.py", line 92, in main
    If not create_includes(conf):
  File "C:\InviZzzible\SandboxEvasion\gen_default_data.py", line 61, in create_includes
    cuckoo_file = "static const char *cuckoo_conf = \"%s\";" % escape_file_data(cuckoo_d)
  File "C:\InviZzzible\SandboxEvasion\gen_default_data.py", line 18, in escape_file_data
    data = data.replace("\\\", "\\\\")
TypeError: a bytes-like object is required, not 'str'

I am using Python 3.9.5 (added to Path), VS Community 2019 16.10.0 with Universal Windows Platform development and Desktop Development with C++.

Can you help me compile SandboxEvasion?
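The Pre-Build Event described under Configurations runs gen_default_data.py to embed the selected JSON configurations into the binary, and the traceback above shows that script failing under Python 3 because file contents read as bytes are passed to str.replace. What follows is an added example, not the project's gen_default_data.py: it assumes a generator that renders each selected config as a `static const char *<name>_conf = "...";` literal (the shape visible in the traceback), accepts bytes or str, validates the JSON before embedding it so a broken config fails the build rather than the binary, and can round-trip a literal to prove the escaping is correct. The sample configs, their schema and the header layout are constructed for the example.

```python
"""Embed JSON evasion configurations into a C header as string literals.

Added example, not the project's gen_default_data.py. The literal shape
`static const char *<name>_conf = "...";` and the escape_file_data() name
come from the traceback quoted above; the config schema, header layout and
sample data below are constructed for this example.
"""
import json

# Constructed sample configs, keyed by the names passed on the command line
# (e.g. `python gen_default_data.py generic vmware`). Held as bytes to mirror
# what open(path, "rb").read() returns, which is what the Python 3 run of
# the original script choked on.
SAMPLE_CONFIGS = {
    "generic": b'{\n  "checks": {\n    "cpu_count": {"enabled": true, "min": 2}\n  }\n}\n',
    "vmware": (
        b'{\n  "checks": {\n'
        b'    "registry": {"path": "HKLM\\\\SOFTWARE\\\\VMware, Inc.", "enabled": true}\n'
        b'  }\n}\n'
    ),
}


def escape_file_data(data):
    """Escape raw config contents so they fit inside one C string literal.

    Accepts bytes or str; decoding first is what avoids the
    'a bytes-like object is required' TypeError from the traceback.
    """
    if isinstance(data, bytes):
        data = data.decode("utf-8")
    # Backslashes must be doubled before any other escape is introduced,
    # otherwise the backslashes added for quotes and newlines get doubled too.
    data = data.replace("\\", "\\\\")
    data = data.replace('"', '\\"')
    data = data.replace("\r", "")
    data = data.replace("\n", "\\n")
    return data


def c_literal(symbol, data):
    """Render one `static const char *<symbol> = "...";` declaration."""
    return 'static const char *%s = "%s";' % (symbol, escape_file_data(data))


def unescape_c_literal(line):
    """Inverse of c_literal for the escapes it emits (used to verify output)."""
    body = line[line.index('"') + 1 : line.rindex('"')]
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\":
            nxt = body[i + 1]
            out.append("\n" if nxt == "n" else nxt)
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def generate_header(names, configs=SAMPLE_CONFIGS):
    """Build header text for the selected config names.

    Every config is parsed with json.loads before it is embedded, so a
    malformed or unknown config fails the pre-build step with a clear name
    instead of shipping a binary whose embedded config cannot be parsed.
    """
    lines = ["// generated by the pre-build step; do not edit", "#pragma once", ""]
    for name in names:
        if name not in configs:
            raise KeyError("unknown configuration: %s" % name)
        raw = configs[name]
        json.loads(raw.decode("utf-8") if isinstance(raw, bytes) else raw)
        lines.append(c_literal("%s_conf" % name, raw))
    return "\n".join(lines) + "\n"


def embedded_config(header, symbol):
    """Parse the JSON back out of a generated header (round-trip check)."""
    for line in header.splitlines():
        if line.startswith("static const char *%s " % symbol):
            return json.loads(unescape_c_literal(line))
    raise KeyError(symbol)


if __name__ == "__main__":
    import sys
    selected = sys.argv[1:] or ["generic", "vmware"]
    sys.stdout.write(generate_header(selected))
```

Run with the config names as arguments to print the header; the round-trip helper is only there to check that a registry path containing backslashes survives JSON escaping, C escaping and the compiler's unescaping unchanged.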

Linux version?

Is there any chance you can port this tool to Linux, to produce an ELF binary instead of a Windows .exe?

Compiling

I am having problems; I can't compile the project.
Can you upload the compiled file?
