Pafish is a testing tool that detects virtual machines and malware analysis environments using the same techniques as malware. The behaviors below were identified by reviewing the Pafish source code. [1]
| Name | Use |
|---|---|
| Anti-Behavioral Analysis::Debugger Detection::IsDebuggerPresent (B0001.008) | Pafish uses the IsDebuggerPresent function to determine whether a debugger is present. [1] |
| Anti-Behavioral Analysis::Debugger Detection::Process Environment Block/Being Debugged (B0001.035) | Pafish uses the BeingDebugged field of the Process Environment Block (PEB) to determine whether the process is being debugged. [1] |
| Anti-Behavioral Analysis::Debugger Detection::OutputDebugString (B0001.016) | Pafish uses the OutputDebugString function to determine whether a debugger is present. [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing - RDTSC (B0009.036) | Pafish identifies a VM CPU by checking the difference between CPU timestamp counters (rdtsc). [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing - CPUID (B0009.034) | Pafish identifies a VM CPU by checking the hypervisor bit in cpuid feature bits, which shows the presence of a hypervisor and/or VM vendor information. [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check (B0009.012), Anti-Behavioral Analysis::Sandbox Detection::Human User Check (B0007.012) | Pafish checks for mouse movement (speed, clicking activity: single and double), and Pafish displays a dialog box to see whether a user responds to it.[1] |
| Anti-Behavioral Analysis::Sandbox Detection (B0007) | Pafish identifies sandboxes by checking whether Sleep() has been patched using GetTickCount(), checking for common sandbox-related values for username (SANDBOX, VIRUS, MALWARE) and file path (\SAMPLE, \VIRUS, \SANDBOX), and looking for common sample names in root drives (sample.exe, malware.exe). [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Modern Specs Check - Drive size (B0009.015) | Pafish checks whether the hardware has modern characteristics. Sub-standard specs indicate a virtual environment. [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Modern Specs Check - Processor count (B0009.018) | Pafish checks whether the hardware has modern characteristics. Single CPUs indicate a virtual environment. [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Modern Specs Check - Total physical memory (B0009.014) | Pafish checks whether the hardware has modern characteristics. Physical memory less than 4 GB indicates a virtual environment. [1] |
| Anti-Behavioral Analysis::Sandbox Detection::Timing/Uptime Check (B0007.009) | Pafish uses the GetTickCount function to to check how long the system has been running (a short uptime indicates a sandbox). [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check (B0009.023) | Pafish checks IsNativeVhdBoot() to determine whether the OS was booted from a virtual hard drive. [1] |
| Anti-Behavioral Analysis::Sandbox Detection (B0007) | Pafish checks whether the ShellExecuteExW or CreateProcessA functions have been hooked, indicating a sandbox. [1] |
| Anti-Behavioral Analysis::Sandbox Detection (B0007) | Pafish checks whether the module sbiedll.dll (which is associated with Sandboxie) has been mapped into the address space of the process [1] |
| Anti-Behavioral Analysis::Emulator Detection (B0004) | Pafish detects Wine using GetProcAddress(wine_get_unix_file_name) from kernel32.dll [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Check Registry Keys (B0009.005) | Pafish checks the value of several registry keys to determine whether VWware, VitualBox, Bocks, or QEMU is running [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check - MAC Address (B0009.028) | Pafish identifies VirtualBox by checking whether the MAC address starts with 08:00:27, and it identifies VMware by checking whether the MAC address starts with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56. [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Check Processes (B0009.004) | Pafish identifies VirtualBox by identifying the VBoxTray windows daemon. [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Check File and Directory Artifacts (B0009.001) | Pafish checks for VirtualBox shared folders (network share). [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection (B0009) | Pafish uses Windows Management Instrumentation (WMI) to find a VirtualBox device identifier or a VMware serial number. [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Check File and Directory Artifacts (B0009.001) | Pafish checks for particular files on the file system indicating the presence of VMware. [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection (B0009) | Pafish uses GetAdaptersAddresses() to check whether an adapter is named "VMware," which indicates the presence of VMware. [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check - CPU Name (B0009.026) | Pafish checks the CPU name to identify virtualization. For example, Qemu is traced using the CPU brand string 'QEMU Virtual CPU', and Bochs is traced using either a typo in the CPU AMD processor name, a CPU AMD Easter egg, or a wrong value in the CPU Intel processor name. [1] |
| Anti-Behavioral Analysis::Sandbox Detection (B0007) | Pafish checks the TLS hooks information structure (TLS_HOOK_INFO) to identify the presence of Cuckoo. [1] |