Sandbox Evasion: Anti-Sandbox Techniques

2023-11-06 17:20


Preface

We often run into this scenario in red-vs-blue exercises: the sample evades detection offline, yet is killed again within 10 minutes. That is the power of cloud-based detection, which comes in two forms:
1. Static analysis
2. Dynamic analysis
Static analysis examines the sample's structure, import table and similar properties to decide whether it is malicious, or uses AI and other algorithms to cluster it and check whether its overall code structure resembles other malware; in other words, the verdict is reached without ever running the program. Dynamic analysis runs the sample and records its API call sequence, memory characteristics, callback addresses and traffic characteristics, none of which can be captured statically. To get past dynamic analysis, then, one needs to identify the sandbox's characteristics and have the sample refrain from running when it recognises a sandbox.

Anti-sandbox methods

Essentially this comes down to finding characteristic values that distinguish a sandbox from a real machine, for example:
1. vmtoolsd.exe is present among the running processes
2. Exploiting differences in API results between a real machine and a sandbox, e.g. reading the GPU temperature, which a sandbox certainly cannot return
3. Querying the recently opened files, or treating fewer than 10 temp files as a sign of a sandbox
As you can see, it all comes down to collecting characteristics. Below we write a program that gathers various characteristics of the sandbox it runs in and sends them back, so we can see what the mainstream sandboxes look like and then bypass them accordingly.

Collecting sandbox characteristics

We mainly collect the following characteristics:
1. Hostname
2. Username
3. UID
4. GID
5. Platform
6. Platform family
7. Platform version
8. Install date
9. Boot time
10. Disks
11. MAC addresses of all NICs
12. Process count
13. Process name list
14. Temp file names
15. Desktop files
16. Disk free, available and total size

微X在线

WIN 7 32-bit analysis system

{
  "Hostname": "DESKTOP-R0ASNAA",
  "Username": "DESKTOP-R0ASNAA\\Admin",
  "Uid": "S-1-5-21-2946486835-2728351130-1651602021-1000",
  "Gid": "S-1-5-21-2946486835-2728351130-1651602021-513",
  "Platform": "Microsoft Windows 7 Ultimate Service Pack 1",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "6.1.7601 Build 7601",
  "Cpu": "4",
  "BootTime": "1658185174",
  "UpTime": "34862",
  "Disk": "C: ",
  "Mac": ["Local Area Connection 52:54:00:c5:0f:7c", "isatap.{1141D443-46F3-4C40-8D6C-D57632F2B3B2} 00:00:00:00:00:00:00:e0"],
  "Procs": "51",
  "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe svchost.exe spoolsv.exe svchost.exe AcrylicService.exe svchost.exe dwm.exe taskhost.exe explorer.exe WeChat.exe rundll32.exe taskhost.exe taskhost.exe WinSAT.exe conhost.exe WeChat.exe aYdKcbVzZt.exe unsecapp.exe WmiPrvSE.exe WeChat.exe ShellExperienceHost.exe GoogleUpdateSetup.exe QQ.exe svchost.exe WUDFHost.exe taskhostw.exe GoogleUpdate.exe sihost.exe backgroundTaskHost.exe Detonate.exe RemindersServer.exe WmiPrvSE.exe audiodg.exe BackgroundTransferHost.exe main.exe ",
  "TempFiles": ["!!!!tnQGd", "ASPNETSetup_00000.log", "ArmUI.ini", "CVR8BDF.tmp.cvr", "DMI3F89.tmp", "FXSAPIDebugLogFile.txt", "Low", "RGI6BC7.tmp-tmp", "WPDNSE", "acro_rd_dir", "acrord32_sbx", "au-descriptor-1.8.0_171-b11.xml", "dd_vcredistMSI3185.txt", "gen_py", "jawshtml.html", "log_de-0.log", "log_de.log", "moz-update-new-backup-update.log", "moz-update-new-last-update.log", "mozilla-temp-files", "tmpaddon", "vbccsb.bmp", "wmsetup.log"],
  "DesktopFiles": ["desktop.ini"],
  "DiskInfos": [" free 28 MB avail 28 MB total 494 MB "]
}

WIN 7 64-bit analysis system

{
  "Hostname": "DESKTOP-RSILDVX",
  "Username": "DESKTOP-RSILDVX\\Admin",
  "Uid": "S-1-5-21-1129413703-3462700907-1341486384-1000",
  "Gid": "S-1-5-21-1129413703-3462700907-1341486384-513",
  "Platform": "Microsoft Windows 7 Ultimate Service Pack 1",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "6.1.7601 Build 7601",
  "Cpu": "4",
  "BootTime": "1658190894",
  "UpTime": "28888",
  "Disk": "C: ",
  "Mac": ["Local Area Connection 52:54:00:30:56:0f", "isatap.{43AC80D5-D666-4C30-8995-823B98B4E2BF} 00:00:00:00:00:00:00:e0"],
  "Procs": "47",
  "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe svchost.exe spoolsv.exe svchost.exe taskhost.exe dwm.exe explorer.exe svchost.exe svchost.exe WeChat.exe taskhost.exe WeChat.exe KrlwNxbURe.exe unsecapp.exe WmiPrvSE.exe ShellExperienceHost.exe GoogleUpdateSetup.exe WeChat.exe svchost.exe WUDFHost.exe Detonate.exe backgroundTaskHost.exe taskhostw.exe audiodg.exe GoogleUpdate.exe RemindersServer.exe QQ.exe sihost.exe WmiPrvSE.exe BackgroundTransferHost.exe main.exe ",
  "TempFiles": ["!!!!OTVcUgAZCWtFUh", "ASPNETSetup_00005.log", "ArmUI.ini", "CVR45E1.tmp.cvr", "FXSAPIDebugLogFile.txt", "Low", "RGI64B.tmp-tmp", "WPDNSE", "acrord32_sbx", "chrome_installer.log", "gen_py", "jawshtml.html", "log_de-0.log", "log_de.log", "tmpaddon", "wmsetup.log"],
  "DesktopFiles": ["Sticky Notes.lnk", "desktop.ini"],
  "DiskInfos": [" free -725 MB avail -725 MB total 494 MB "]
}

Win10 analysis system

{
  "Hostname": "DESKTOP-H9URB7T",
  "Username": "DESKTOP-H9URB7T\\Administrator",
  "Uid": "S-1-5-21-984825153-1336012551-2928140700-500",
  "Gid": "S-1-5-21-984825153-1336012551-2928140700-513",
  "Platform": "Microsoft Windows 10 Pro",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "10.0.18362 Build 18362",
  "Cpu": "4",
  "BootTime": "1658197215",
  "UpTime": "21692",
  "Disk": "C: ",
  "Mac": ["Ethernet 52:54:00:9d:94:82"],
  "Procs": "126",
  "Process": "[System Process] System Registry smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe svchost.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe AcrylicService.exe svchost.exe svchost.exe svchost.exe svchost.exe sppsvc.exe svchost.exe dasHost.exe svchost.exe SppExtComObj.Exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe taskhostw.exe svchost.exe ctfmon.exe explorer.exe svchost.exe ChsIME.exe svchost.exe StartMenuExperienceHost.exe svchost.exe svchost.exe RuntimeBroker.exe ApplicationFrameHost.exe MicrosoftEdge.exe browser_broker.exe svchost.exe Windows.WARP.JITService.exe dllhost.exe RuntimeBroker.exe MicrosoftEdgeCP.exe MicrosoftEdgeSH.exe WeChat.exe taskhostw.exe svchost.exe svchost.exe svchost.exe usocoreworker.exe AppHostRegistrationVerifier.exe TrustedInstaller.exe TiWorker.exe svchost.exe WmiPrvSE.exe WmiPrvSE.exe WeChat.exe oLDThMtHHL.exe unsecapp.exe svchost.exe svchost.exe WeChat.exe svchost.exe ShellExperienceHost.exe GoogleUpdateSetup.exe QQ.exe RemindersServer.exe backgroundTaskHost.exe GoogleUpdate.exe WUDFHost.exe taskhostw.exe svchost.exe WmiPrvSE.exe Detonate.exe sihost.exe audiodg.exe BackgroundTransferHost.exe dllhost.exe main.exe ",
  "TempFiles": ["!!!!QXnShWaDY", "gen_py", "log_de-0.log", "log_de.log"],
  "DesktopFiles": ["Microsoft Edge.lnk", "desktop.ini"],
  "DiskInfos": [" free 526 MB avail 526 MB total 494 MB "]
}

any.run

{
  "Hostname": "User-PC",
  "Username": "USER-PC\\admin",
  "Uid": "S-1-5-21-1302019708-1500728564-335382590-1000",
  "Gid": "S-1-5-21-1302019708-1500728564-335382590-513",
  "Platform": "Microsoft Windows 7 Professional Service Pack 1",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "6.1.7601 Build 7601",
  "Cpu": "4",
  "BootTime": "1658219380",
  "UpTime": "1071",
  "Disk": "C: ",
  "Mac": ["Connection 12:03:33:4a:04:af", "isatap.{4040CF00-1B3E-486A-B407-FA14C56B6FC0} 00:00:00:00:00:00:00:e0"],
  "Procs": "32",
  "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe IMEDICTUPDATE.EXE svchost.exe taskhost.exe taskeng.exe dwm.exe explorer.exe ctfmon.exe SearchIndexer.exe SearchProtocolHost.exe SearchFilterHost.exe main.exe ",
  "TempFiles": ["2hwflycr.wxy", "44fgwpug.l3b", "4h4bvyg0.zv1", "4hzyndia.i0b", "4u05srcx.2tm", "5cajz215.cyn", "DMI326A.tmp", "DMI5D92.tmp", "FXSAPIDebugLogFile.txt", "WPDNSE", "ae1197f8-1fef-485f-bd41-961d8cc76a3d.ps1", "be451b0w.oss", "io1vk3bc.a5o", "kdxz5yzf.q5x", "main.exe", "my5mdnsv.hzi", "nlkcainm.pwo", "qfgod4ch.wmc", "sotg2snm.etk", "wylivac0.ox4", "yn2xdy3b.fnw", "ytaotkcy.ydz"],
  "DesktopFiles": ["buttonforeign.rtf", "checkimportant.rtf", "consumershare.rtf", "desktop.ini", "generalthought.rtf", "localsociety.png", "mrc.jpg", "plansvillage.jpg", "reservedrisk.rtf", "roomwestern.jpg", "teachersure.png", "telephonealong.png", "xxxworldwide.png"],
  "DiskInfos": [" free -851 MB avail -851 MB total -51 MB "]
}

奇X信

{
  "Hostname": "WIN-IVE99JTTEQ6",
  "Username": "WIN-IVE99JTTEQ6\\Administrator",
  "Uid": "S-1-5-21-170072326-1450976669-2659344978-500",
  "Gid": "S-1-5-21-170072326-1450976669-2659344978-513",
  "Platform": "Microsoft Windows 7 Ultimate Service Pack 1",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "6.1.7601 Build 7601",
  "Cpu": "4",
  "BootTime": "1658222038",
  "UpTime": "96",
  "Disk": "C: ",
  "Mac": ["Local Area Connection 2 6c:4b:90:45:7b:66"],
  "Procs": "58",
  "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe OSPPSVC.EXE taskhost.exe dwm.exe explorer.exe reader_sl.exe svchost.exe taskhost.exe sdclt.exe sc.exe QQ.exe conhost.exe Timwp.exe conhost.exe TIM.exe conhost.exe WeChat.exe conhost.exe Skype.exe conhost.exe LxMainNew.exe conhost.exe navicat.exe conhost.exe IDMan.exe conhost.exe Everything.exe conhost.exe Code.exe conhost.exe BSPrintNotify.exe conhost.exe Postman.exe conhost.exe TOTALCMD64.EXE conhost.exe dllhost.exe main.exe conhost.exe ",
  "TempFiles": ["ASPNETSetup_00000.log", "Administrator.bmp", "BSPrintNotify.exe", "CVR4A69.tmp.cvr", "Code.exe", "Everything.exe", "FXSAPIDebugLogFile.txt", "IDMan.exe", "JavaDeployReg.log", "Low", "LxMainNew.exe", "MSI301d8.LOG", "MSI31bd8.LOG", "MSI358b2.LOG", "MSI36f67.LOG", "Microsoft .NET Framework 4.5.1 Setup_20190507_174334109.html", "Postman.exe", "QQ.exe", "RGIDD45.tmp", "RGIDD45.tmp-tmp", "SetupExe(201905071747259A8).log", "Skype.exe", "TCDA77F.tmp", "TCDA87B.tmp", "TCDA8BC.tmp", "TCDAAA2.tmp", "TCDAB60.tmp", "TCDABBF.tmp", "TCDAC3E.tmp", "TCDACAE.tmp", "TCDAD3C.tmp", "TCDADAC.tmp", "TCDAE3A.tmp", "TCDAF85.tmp", "TCDB081.tmp", "TCDB0D1.tmp", "TCDB1EC.tmp", "TCDB24C.tmp", "TCDB377.tmp", "TCDB388.tmp", "TCDB5DC.tmp", "TCDB699.tmp", "TCDB7F3.tmp", "TCDB8FF.tmp", "TCDB96E.tmp", "TCDBAF7.tmp", "TCDBB18.tmp", "TCDBCDF.tmp", "TCDBE29.tmp", "TCDBE4B.tmp", "TCDBF75.tmp", "TCDBFB6.tmp", "TCDC016.tmp", "TCDC047.tmp", "TCDC133.tmp", "TCDC1F0.tmp", "TCDC379.tmp", "TIM.exe", "TOTALCMD64.EXE", "Timwp.exe", "VBE", "WPDNSE", "WeChat.exe", "dd_vcredist_x86_20190507025919.log", "dd_vcredist_x86_20190507025919_000_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20190507025919_001_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20190507025958.log", "dd_vcredist_x86_20190507025958_001_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20190507025958_002_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20190507030029.log", "hsperfdata_Administrator", "jawshtml.html", "jusched.log", "main.exe", "navicat.exe", "outlook logging", "tmp0dgy8u", "wsa123.exe", "{1C306CB1-771E-4B4B-A902-86E897877F5B}.jpg", "~DF8644E64CA01A218F.TMP"],
  "DesktopFiles": ["DsGaLSzflu.docx", "desktop.ini", "kgnGFCzxsHo.ppt", "saDFoZCLTCK.pptx", "uNPPMKXOmp.pptx", "xaYfucvcptb.ppt"],
  "DiskInfos": [" free -328 MB avail -328 MB total -913 MB "]
}

3x0

Windows 7 SP1 Pro 32

{
  "Hostname": "WIN-3AI1DIQI7NN",
  "Username": "WIN-3AI1DIQI7NN\\Administrator",
  "Uid": "S-1-5-21-4209391066-2031757954-2950908010-500",
  "Gid": "S-1-5-21-4209391066-2031757954-2950908010-513",
  "Platform": "Microsoft Windows 7 Professional Service Pack 1",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "6.1.7601 Build 7601",
  "Cpu": "1",
  "BootTime": "1658221348",
  "UpTime": "133",
  "Disk": "C: D: ",
  "Mac": ["本地连接 2 00:16:3e:eb:ca:65", "isatap.{ACF86E96-BF0F-433A-BE2B-29CE9110C5C6} 00:00:00:00:00:00:00:e0"],
  "Procs": "40",
  "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dwm.exe explorer.exe spoolsv.exe svchost.exe taskhost.exe liteagent.exe WmiPrvSE.exe svchost.exe svchost.exe SearchIndexer.exe wmpnetwk.exe svchost.exe taskhost.exe mobsync.exe WmiPrvSE.exe dllhost.exe mscorsvw.exe sppsvc.exe SearchProtocolHost.exe SearchFilterHost.exe 8frufytb_829929069.exe ",
  "TempFiles": ["28299290697e835af887eeffd55331f9", "ASPNETSetup_00000.log", "AUCHECK_PARSER.txt", "CVR1A53.tmp.cvr", "DMI7C7F.tmp", "DMI7CCE.tmp", "DMI7D7A.tmp", "FXSAPIDebugLogFile.txt", "IME2010imeklmg00000001.log", "IME2010imeklmg00000002.log", "IME2010imeklmg00000003.log", "JAUReg.log", "Kno6F74.tmp", "Kno7CFB.tmp", "Kno7D59.tmp", "Low", "Microsoft .NET Framework 4 Setup_20200721_203001434-MSI_netfx_Core_x86.msi.txt", "Microsoft .NET Framework 4 Setup_20200721_203001434-MSI_netfx_Extended_x86.msi.txt", "Microsoft .NET Framework 4 Setup_20200721_203001434.html", "Microsoft .NET Framework 4 Setup_4.0.30319", "Microsoft Visual C 2010 x86 Redistributable Setup_10.0.30319", "Microsoft Visual C 2010 x86 Redistributable Setup_20200716_172954925-MSI_vc_red.msi.txt", "Microsoft Visual C 2010 x86 Redistributable Setup_20200716_172954925.html", "OneNoteRuntimeCache", "OneNote_MigrationLog.txt", "RGI390F.tmp", "RGI390F.tmp-tmp", "Rar$EXa0.016", "Rar$EXa0.428", "Rar$EXa0.529", "Rar$EXa0.859", "Rar$EXa0.911", "Setup000002e0", "Setup00000dd0", "SetupExe(20200721191235F90).log", "SetupExe(20200721191520DCC).log", "SetupExe(202007211923372E0).log", "SetupExe(20200721193448BC8).log", "SetupExe(20200721193623DD0).log", "SetupExe(20200721193828F1C).log", "SetupExe(20200721194221B08).log", "SetupExe(20200721194303BC0).log", "Ultra$ISO", "UserInfoSetup(20200721193828F1C).log", "UserInfoSetup(20200721194221B08).log", "UserInfoSetup(20200721194303BC0).log", "VBE", "WPDNSE", "config.model.xml", "configModel.xml", "dd_SetupUtility.txt", "dd_dotnet_decompression_log.txt", "dd_vcredistMSI0508.txt", "dd_vcredistUI0508.txt", "dd_vcredist_x86_20200716173003.log", "dd_vcredist_x86_20200716173003_0_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20200716173003_1_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20200716173015.log", "dd_vcredist_x86_20200716173015_0_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20200716173015_1_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20200716173026.log", "dd_vcredist_x86_20200716173026_000_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20200716173026_001_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20200716173047.log", "dd_vcredist_x86_20200716173047_000_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20200716173047_001_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20200716173109.log", "dd_wcf_CA_smci_20200721_123142_475.txt", "hsperfdata_Administrator", "java_install.log", "java_install_reg.log", "jusched.log", "langs.model.xml", "langsModel.xml", "nppLocalization", "ose00000.exe", "outlook logging", "stylers.model.xml", "stylers_remove.xml", "stylesGlobalModel.xml", "stylesLexerModel.xml", "vKHzvAZ", "wmplog00.sqm", "wmplog01.sqm", "wmsetup.log", "xmlUpdater.exe", "~DF3E206C0835443121.TMP"],
  "DesktopFiles": ["Internet Explorer.lnk", "Microsoft Excel 2010.lnk", "Microsoft OneNote 2010.lnk", "Microsoft Outlook 2010.lnk", "Microsoft PowerPoint 2010.lnk", "Microsoft Word 2010.lnk", "My Document.doc", "My Document.docx", "My Document.ppt", "My Document.pptx", "My Document.rtf", "My Document.txt", "My Document.xls", "My Document.xlsx", "desktop.ini"],
  "DiskInfos": [" free 37 MB avail 37 MB total -51 MB ", " free -48 MB avail -48 MB total -1 MB "]
}

Hybrid Analysis

{
  "Hostname": "HAPUBWS-PC",
  "Username": "7vVtzvDKth\\DIXkeMT",
  "Uid": "S-1-5-21-2092356043-4041700817-663127204-1001",
  "Gid": "S-1-5-21-2092356043-4041700817-663127204-513",
  "Platform": "Microsoft Windows 7 Professional Service Pack 1",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "6.1.7601 Build 7601",
  "Cpu": "2",
  "BootTime": "1657307906",
  "UpTime": "907360",
  "Disk": "C: Z: ",
  "Mac": ["Local Area Connection 62:58:52:95:75:56", "isatap.scl3.dc 00:00:00:00:00:00:00:e0"],
  "Procs": "39",
  "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe svchost.exe spoolsv.exe svchost.exe taskhost.exe dwm.exe explorer.exe svchost.exe svchost.exe conhost.exe WmiPrvSE.exe OSPPSVC.EXE conhost.exe conhost.exe AutoIt3.exe AutoIt3.exe AutoIt3.exe AutoIt3.exe AutoIt3.exe AutoIt3.exe dllhost.exe main.exe mobsync.exe ",
  "TempFiles": ["10D5CC3F-71C4-40D7-8173-E990C25C1412.Diagnose.Admin.0.etl", "99F9947D-30DB-4640-92C7-6BB2A24B05F1.Diagnose.Admin.0.etl", "AA7D7BE8-CE8F-4570-A39C-1992F0466AAE.Diagnose.Admin.0.etl", "ASPNETSetup_00001.log", "ASPNETSetup_00002.log", "AdobeARM.log", "AdobeARM_NotLocked.log", "AdobeSFX.log", "Adobe_ADMLogs", "CVR640E.tmp.cvr", "CVR78E9.tmp.cvr", "CVRC166.tmp.cvr", "CVRE8FB.tmp.cvr", "FXSAPIDebugLogFile.txt", "HAPUBWS-PC-20171203-1827.log", "HAPUBWS-PC-20171203-1827a.log", "HAPUBWS-PC-20171203-1827b.log", "HAPUBWS-PC-20171204-1724.log", "HNCDownload", "HShow90", "HancomESD", "Hnc", "HncUpdate.txt", "Hwp80", "Hwp90", "JavaDeployReg.log", "Low", "Microsoft .NET Framework 4.7.1 Setup_20171203_174215874-MSI_netfx_Full_x86.msi.txt", "Microsoft .NET Framework 4.7.1 Setup_20171203_174215874.html", "Microsoft .NET Framework 4.8 Setup_20200214_151530609-MSI_netfx_Full_x86.msi.txt", "Microsoft .NET Framework 4.8 Setup_20200214_151530609.html", "NDFDiag.tmp", "PrinterSetup.log", "ProcessList.txt", "Python 3.6.3 (32-bit)_20171204192711.log", "Python 3.6.3 (32-bit)_20171204192711_000_core_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_001_dev_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_002_exe_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_003_lib_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_004_test_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_005_doc_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_006_tools_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_007_tcltk_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_008_launcher_AllUsers.log", "Python 3.6.3 (32-bit)_20171204192711_009_pip_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_010_path_JustForMe.log", "RGI7358.tmp", "RGI7358.tmp-tmp", "RGIA802.tmp", "RGIA802.tmp-tmp", "Setup00000588", "Setup00000ab0", "Setup00000adc", "SetupExe(2017120417370864C).log", "SetupExe(20180717121800DF8).log", "SetupExe(20180717122451248).log", "SetupExe(201807171224585BC).log", "SetupExe(20180717122536ADC).log", "SetupExe(20180717123728CF4).log", "SetupExe(20190129154611C6C).log", "SetupExe(2019012916352912C).log", "SetupExe(20190129164246588).log", "SetupExe(20190129164731D68).log", "SetupExe(20210127110003AB0).log", "SetupExe(20210127110250AC4).log", "Silverlight0.log", "SilverlightMSI.log", "TCD7656.tmp", "TCD7657.tmp", "TCD7658.tmp", "TCD7659.tmp", "TCD765A.tmp", "TCD765B.tmp", "TCD765C.tmp", "TCD765D.tmp", "TCD767C.tmp", "TCD7687.tmp", "TCD769D.tmp", "TCD769F.tmp", "TCD76AB.tmp", "TCD76B7.tmp", "TCD76B9.tmp", "TCD76C5.tmp", "TCD76DB.tmp", "TCD76E7.tmp", "TCD76F3.tmp", "TCD76FF.tmp", "TCD770B.tmp", "TCD7717.tmp", "TCD7723.tmp", "TCD772F.tmp", "TCD773B.tmp", "TCD7747.tmp", "TCD7749.tmp", "TCD7755.tmp", "TCD7761.tmp", "TCD7763.tmp", "TCD776F.tmp", "TCD777B.tmp", "TCD777D.tmp", "TCD7789.tmp", "TCD7795.tmp", "TFRAE69.tmp", "UserInfoSetup(20180717121800DF8).log", "VBE", "VBoxGuestAdditions", "VirtualBox Dropped Files", "WPDNSE", "ccversion.tag", "chromesetup.msi", "dat17FA.tmp", "dat17FB.tmp", "dat2336.tmp", "dat4FD7.tmp", "dat4FF7.tmp", "dat5008.tmp", "dat558A.tmp", "dat558B.tmp", "dat558C.tmp", "dat680B.tmp", "dat681B.tmp", "dat681C.tmp", "dat71C3.tmp", "dat7824.tmp", "dat7825.tmp", "dat7836.tmp", "dat81B.tmp", "dat9021.tmp", "dat9022.tmp", "dat9355.tmp", "dat95C7.tmp", "dat9CFD.tmp", "datB64D.tmp", "datBB64.tmp", "datC673.tmp", "datC783.tmp", "datC794.tmp", "datC795.tmp", "datC796.tmp", "datCB0D.tmp", "datCB0E.tmp", "datCB0F.tmp", "datCB10.tmp", "datD4D6.tmp", "datDE99.tmp", "datDE9A.tmp", "datDEAB.tmp", "dd_NDP471-KB4033342-x86-x64-AllOS-ENU_decompression_log.txt", "dd_SetupUtility.txt", "dd_dotnet48_decompression_log.txt", "dd_vcredistMSI32CB.txt", "dd_vcredistUI32CB.txt", "dd_vcredist_x86_20171203174931.log", "dd_vcredist_x86_20171203174931_000_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20171203174931_001_vcRuntimeAdditional_x86.log", "dd_wcf_CA_smci_20171203_164234_020.txt", "dd_wcf_CA_smci_20200214_141755_312.txt", "hsperfdata_HAPUBWS", "jawshtml.html", "jusched.log", "lilo.1028", "mozilla-temp-files", "msdtadmin", "ose00000.exe", "outlook logging", "tmpaddon", "tmpaddon-9dca54", "vxaction.log", "{1C306CB1-771E-4B4B-A902-86E897877F5B}.jpg", "~DF0143E214B8C9E6AE.TMP", "~DF077413B5F655E35F.TMP", "~DF07B80DBE1CCF0C79.TMP", "~DF07FD0640D4EA82C9.TMP", "~DF08090ACC356DFC21.TMP", "~DF093490451CAE83AB.TMP", "~DF0ED01EC732FDAFA2.TMP", "~DF0EF0E18548EEA293.TMP", "~DF0F0F234644F49DE2.TMP", "~DF101308F7E81C54F4.TMP", "~DF116385E86BED55F5.TMP", "~DF1B5DF0D392F9E6C7.TMP", "~DF1F0DDC5F8B609DE8.TMP", "~DF271EE0B23449FD12.TMP", "~DF2771B7C2AFD95939.TMP", "~DF337C0FE6AA3638C9.TMP", "~DF3585DA09B06D7E6D.TMP", "~DF398875B6755A22D2.TMP", "~DF3998002D6736F250.TMP", "~DF3BF1549098C3A3EF.TMP", "~DF3CC3C2F6C7776C4B.TMP", "~DF3FDA0C963CDEAEE4.TMP", "~DF40B648C0F2208FD2.TMP", "~DF41FFA924ADD67CE9.TMP", "~DF441C00F9EB6EB3CD.TMP", "~DF49006E350003EDAC.TMP", "~DF4B7C162F8F1CD972.TMP", "~DF4EE8A3A5CC156CE0.TMP", "~DF57339DF37D21BCD5.TMP", "~DF592AE2FC335E9F76.TMP", "~DF5B01072A4E03E492.TMP", "~DF5F0721D3B42DE902.TMP", "~DF62BF266AE832DD48.TMP", "~DF636ACE35E31011D2.TMP", "~DF6441493643A1F3A5.TMP", "~DF666651D70D3DA7EE.TMP", "~DF683666592FDF2EB3.TMP", "~DF756849845F24A090.TMP", "~DF757013ED8B56164D.TMP", "~DF7637732D3A85F269.TMP", "~DF790314186277E4A2.TMP", "~DF7B7DE2DED068BC09.TMP", "~DF89A65B2040F30C8F.TMP", "~DF8D37FE8D880D3185.TMP", "~DF8F0345C6CD888054.TMP", "~DF9182A01DA4D935FB.TMP", "~DF95FD6AF88DCD1AFB.TMP", "~DFA8A2B36753303ED2.TMP", "~DFA9EA58B172B43D82.TMP", "~DFAA50C5778E3DE2B9.TMP", "~DFB0FC97C4D2D510EB.TMP", "~DFB3F2CC227B95F4E7.TMP", "~DFB99F8C31CBB44EE4.TMP", "~DFBC669D44D419653F.TMP", "~DFC2B5D92B6664FFF1.TMP", "~DFC6A6CC22E4ED1D84.TMP", "~DFC95AC5F598668FBA.TMP", "~DFCDD6CF39DA6E89FA.TMP", "~DFD526B1CA2A67FC42.TMP", "~DFD7D5A4DE136CCB0E.TMP", "~DFD9FDF3F6C945C7B5.TMP", "~DFDA7311B468259D69.TMP", "~DFE12EE24DED8F1C5B.TMP", "~DFE8A1E01BFAFF2921.TMP", "~DFEA5B20C0E8F490C2.TMP", "~DFF0D25BB8135B3015.TMP", "~DFF45532CAEBA50EC9.TMP", "~DFF83E0CB58F7C7DB8.TMP", "~DFF8D79AF7CFF50FF8.TMP", "~DFFC4CABF8DB22D782.TMP", "~DFFEB1D8F752EE02C2.TMP"],
  "DesktopFiles": ["desktop.ini"],
  "DiskInfos": [" free 888 MB avail 888 MB total 0 MB ", " free 888 MB avail 888 MB total 0 MB "]
}

Desktop characteristics

After taking a screenshot of the desktop, the desktops of some sandboxes look like this:
Sandbox 1: (screenshot not included in this copy)

Sandbox 2: (screenshot not included in this copy)

Feature extraction

From the records above, the sandboxes' main characteristics are roughly:
1. A MAC address of 00:00:00:00:00:00:00:e0 is present
2. Some have only a C: drive
3. Some sandboxes report negative disk sizes
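As an added example (not the author's collector), here is the audit a sandbox operator can run over fingerprint records like the ones above to see which of these tells their own analysis image exposes: it checks the three extracted features plus methods 1 and 3 from the anti-sandbox list, and additionally flags the QEMU/KVM (52:54:00) and Xen (00:16:3e) MAC prefixes visible in the records, which the page itself does not list. The sample records are constructed from trimmed copies of the page's data plus one made-up clean host as control.

```python
import re

# Constructed sample records carrying the fields of the fingerprints listed above.
# The first three are trimmed from the WIN 7 64-bit, Win10 and Hybrid Analysis
# records on this page; the fourth is a made-up clean workstation used as control.
SAMPLE_RECORDS = [
    {"Hostname": "DESKTOP-RSILDVX", "Disk": "C: ",
     "Mac": ["Local Area Connection 52:54:00:30:56:0f",
             "isatap.{43AC80D5-D666-4C30-8995-823B98B4E2BF} 00:00:00:00:00:00:00:e0"],
     "Process": "[System Process] System smss.exe csrss.exe explorer.exe main.exe ",
     "TempFiles": ["ASPNETSetup_00005.log", "ArmUI.ini", "CVR45E1.tmp.cvr", "Low", "WPDNSE",
                   "acrord32_sbx", "gen_py", "jawshtml.html", "log_de.log", "wmsetup.log"],
     "DiskInfos": [" free -725 MB avail -725 MB total 494 MB "]},
    {"Hostname": "DESKTOP-H9URB7T", "Disk": "C: ", "Mac": ["Ethernet 52:54:00:9d:94:82"],
     "Process": "[System Process] System smss.exe csrss.exe explorer.exe main.exe ",
     "TempFiles": ["!!!!QXnShWaDY", "gen_py", "log_de-0.log", "log_de.log"],
     "DiskInfos": [" free 526 MB avail 526 MB total 494 MB "]},
    {"Hostname": "HAPUBWS-PC", "Disk": "C: Z: ",
     "Mac": ["Local Area Connection 62:58:52:95:75:56", "isatap.scl3.dc 00:00:00:00:00:00:00:e0"],
     "Process": "[System Process] System smss.exe AutoIt3.exe main.exe ",
     "TempFiles": ["AdobeARM.log", "CVR640E.tmp.cvr", "Hnc", "Low", "NDFDiag.tmp", "VBE",
                   "VBoxGuestAdditions", "VirtualBox Dropped Files", "WPDNSE", "jusched.log"],
     "DiskInfos": [" free 888 MB avail 888 MB total 0 MB "]},
    {"Hostname": "LAPTOP-CONSTRUCTED", "Disk": "C: D: ", "Mac": ["Ethernet 00:11:22:33:44:55"],
     "Process": "[System Process] System smss.exe csrss.exe explorer.exe outlook.exe ",
     "TempFiles": [f"t{i}.tmp" for i in range(12)],
     "DiskInfos": [" free 120000 MB avail 120000 MB total 476000 MB "]},
]

ISATAP_MAC = "00:00:00:00:00:00:00:e0"      # extracted feature 1: Windows ISATAP tunnel adapter
VM_OUI_PREFIXES = ("52:54:00", "00:16:3e")  # QEMU/KVM and Xen default OUIs (not listed on the page)
VM_PROCESSES = {"vmtoolsd.exe"}             # anti-sandbox method 1
VM_TEMP_NAMES = {"VBoxGuestAdditions", "VirtualBox Dropped Files"}  # seen in the Hybrid record
MIN_TEMP_FILES = 10                         # anti-sandbox method 3
DISK_RE = re.compile(r"free\s+(-?\d+)\s+MB\s+avail\s+(-?\d+)\s+MB\s+total\s+(-?\d+)\s+MB")


def audit_fingerprint(rec):
    """Return the sandbox tells present in one fingerprint record, in check order."""
    findings = []
    macs = rec.get("Mac", [])
    if any(m.endswith(ISATAP_MAC) for m in macs):
        findings.append("isatap-pseudo-adapter")
    if any(m.rsplit(" ", 1)[-1].startswith(VM_OUI_PREFIXES) for m in macs):
        findings.append("vm-mac-oui")
    if rec.get("Disk", "").split() == ["C:"]:  # extracted feature 2: only a C: volume
        findings.append("single-c-drive")
    for info in rec.get("DiskInfos", []):
        m = DISK_RE.search(info)
        if m is None:
            continue
        free, avail, total = (int(v) for v in m.groups())
        # Extracted feature 3 (negative sizes). A negative value, or free above
        # total, is impossible for a real volume and points at a broken collector.
        if min(free, avail, total) < 0 or free > total:
            findings.append("implausible-disk-size")
            break
    temp_files = rec.get("TempFiles", [])
    if len(temp_files) < MIN_TEMP_FILES:
        findings.append("few-temp-files")
    if set(temp_files) & VM_TEMP_NAMES:
        findings.append("vm-temp-artifacts")
    if set(rec.get("Process", "").split()) & VM_PROCESSES:
        findings.append("vm-tools-process")
    return findings


def audit_all(records):
    """Map each hostname to its tells; an empty list means the image looks clean."""
    return {r["Hostname"]: audit_fingerprint(r) for r in records}
```

Two caveats for anyone tuning an image against this: the 00:00:00:00:00:00:00:e0 address belongs to the Windows ISATAP tunnel adapter, which any Windows 7 host with ISATAP enabled reports as well, so on its own it is a weak tell; and a negative or free-above-total disk size cannot come from a real volume, so it most likely reflects an overflow in the collector's arithmetic rather than a property of the sandbox.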

Summary

As can be seen, most sandbox characteristics are very obvious; it is enough to check for the extracted characteristics in code.

A recommended project

https://github.com/LordNoteworthy/al-khaser

http://www.chinasem.cn/article/357989