Processes and libraries detection methods
1. Check specific running processes and loaded libraries
1.1. Check if specific processes are running
1.2. Check if specific libraries are loaded in the process address space
1.3. Check if specific functions are present in specific libraries
1.4. Countermeasures
2. Check if specific artifacts are present in process address space (Sandboxie only)
2.1. Countermeasures
Credits
Processes and libraries detection methods
A virtual environment launches specific helper processes that are not executed on a usual host OS. There are also specific modules that such environments load into the address spaces of processes.
1. Check specific running processes and loaded libraries
1.1. Check if specific processes are running
Functions used:
- CreateToolhelp32Snapshot
- psapi.EnumProcesses (WinXP, Vista)
- kernel32.EnumProcesses (Win7+)
Code sample
Signature recommendations
Signature recommendations are not provided as it’s hard to say what exactly is queried in the processes’ snapshot.
Detections table
Check if the following processes are running:

Detect | Process |
---|---|
JoeBox | joeboxserver.exe |
JoeBox | joeboxcontrol.exe |
Parallels | prl_cc.exe |
Parallels | prl_tools.exe |
VirtualBox | vboxservice.exe |
VirtualBox | vboxtray.exe |
VirtualPC | vmsrvc.exe |
VirtualPC | vmusrvc.exe |
VMWare | vmtoolsd.exe |
VMWare | vmacthlp.exe |
VMWare | vmwaretray.exe |
VMWare | vmwareuser.exe |
VMWare | vmware.exe |
VMWare | vmount2.exe |
Xen | xenservice.exe |
Xen | xsvc_depriv.exe |
WPE Pro | WPE Pro.exe |

Note: WPE Pro is a packet sniffer, not a VM; however, it is checked for alongside the VM detects.
1.2. Check if specific libraries are loaded in the process address space
Functions used:
- GetModuleHandle
Code sample
Credits for this code sample: al-khaser project
Signature recommendations
If the following function is called with its only argument taken from the `Library` column of the table:
- GetModuleHandle(module_name)
then it’s an indication of an application trying to use this evasion technique.
Detections table
Check if the following libraries are loaded in the process address space:

Detect | Library |
---|---|
CWSandbox | api_log.dll |
CWSandbox | dir_watch.dll |
CWSandbox | pstorec.dll |
Sandboxie | sbiedll.dll |
ThreatExpert | dbghelp.dll |
VirtualPC | vmcheck.dll |
WPE Pro | wpespy.dll |

Note: WPE Pro is a packet sniffer, not a VM; however, it is checked for alongside the VM detects.
1.3. Check if specific functions are present in specific libraries
Functions used (see note about native functions):
- kernel32.GetProcAddress
- kernel32.LdrGetProcedureAddress (called internally)
- ntdll.LdrGetProcedureAddress
- ntdll.LdrpGetProcedureAddress (called internally)
Code sample
Credits for this code sample: al-khaser project
Signature recommendations
If the following functions are called with the 2nd argument taken from the “Function” column of the table and the 1st argument being the handle (base address) of the matching “Library” from the table:
- kernel32.GetProcAddress(lib_handle, func_name)
- kernel32.LdrGetProcedureAddress(lib_handle, func_name)
- ntdll.LdrGetProcedureAddress(lib_handle, func_name)
- ntdll.LdrpGetProcedureAddress(lib_handle, func_name)
then it’s an indication of an application trying to use this evasion technique.
Detections table
Check if the following functions are present in the following libraries:

Detect | Library | Function |
---|---|---|
Wine | kernel32.dll | wine_get_unix_file_name |
Wine | ntdll.dll | wine_get_version |
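As an added triage example (not code from this page, al-khaser or InviZzzible), the following Python script applies the signature recommendations of sections 1.2 and 1.3, and the function list of section 1.1, to a plain string scan of a binary: an environment is reported only when one of its table indicators co-occurs with the enumeration API the section names. The table names (`PROCESSES`, `LIBRARIES`, `FUNCTIONS`, `CHECKS`), the `dbghelp.dll` caveat, and the constructed `SAMPLE` buffer are assumptions of this example; real input would be a PE image read from disk.

```python
import re

# Indicator tables copied from the detection tables in sections 1.1-1.3 of this page.
PROCESSES = {
    "JoeBox": ["joeboxserver.exe", "joeboxcontrol.exe"],
    "Parallels": ["prl_cc.exe", "prl_tools.exe"],
    "VirtualBox": ["vboxservice.exe", "vboxtray.exe"],
    "VirtualPC": ["vmsrvc.exe", "vmusrvc.exe"],
    "VMWare": ["vmtoolsd.exe", "vmacthlp.exe", "vmwaretray.exe",
               "vmwareuser.exe", "vmware.exe", "vmount2.exe"],
    "Xen": ["xenservice.exe", "xsvc_depriv.exe"],
    "WPE Pro": ["WPE Pro.exe"],
}
LIBRARIES = {
    "CWSandbox": ["api_log.dll", "dir_watch.dll", "pstorec.dll"],
    "Sandboxie": ["sbiedll.dll"],
    "ThreatExpert": ["dbghelp.dll"],  # ships with Windows, so a weak indicator on its own
    "VirtualPC": ["vmcheck.dll"],
    "WPE Pro": ["wpespy.dll"],
}
FUNCTIONS = {"Wine": ["wine_get_unix_file_name", "wine_get_version"]}
# (technique, API names the page lists for it, indicator table)
CHECKS = [
    ("processes", ["CreateToolhelp32Snapshot", "EnumProcesses"], PROCESSES),
    ("libraries", ["GetModuleHandle"], LIBRARIES),
    ("functions", ["GetProcAddress", "LdrGetProcedureAddress"], FUNCTIONS),
]

def extract_strings(blob: bytes, min_len: int = 5) -> set:
    """Printable ASCII runs plus UTF-16LE runs (the form the W-suffixed APIs take)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return {r.decode("ascii") for r in ascii_runs} | {r.decode("utf-16-le") for r in wide_runs}

def triage(blob: bytes) -> dict:
    """Map technique -> set of environments whose indicators co-occur with its API name."""
    strings = {s.lower() for s in extract_strings(blob)}
    present = lambda needle: any(needle.lower() in s for s in strings)
    hits = {}
    for technique, apis, table in CHECKS:
        if not any(present(a) for a in apis):
            continue  # an indicator string without the enumeration API is not counted
        envs = {env for env, names in table.items() if any(present(n) for n in names)}
        if envs:
            hits[technique] = envs
    return hits

# Constructed sample buffer standing in for a scanned executable image (not a real file).
SAMPLE = (b"\x00" * 8 + b"GetModuleHandleW\x00\x00" + "sbiedll.dll".encode("utf-16-le")
          + b"\x00\x00CreateToolhelp32Snapshot\x00\x00" + "vboxservice.exe".encode("utf-16-le")
          + b"\x00\x00GetProcAddress\x00wine_get_unix_file_name\x00")
```

`triage(SAMPLE)` returns one hit per technique here; a buffer that contains only the indicator names and none of the listed APIs returns an empty dict.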
1.4. Countermeasures
- for processes: exclude target processes from enumeration or terminate them;
- for libraries: exclude them from enumeration lists in PEB;
- for functions in libraries: hook appropriate functions and compare their arguments against target ones.
2. Check if specific artifacts are present in process address space (Sandboxie only)
Functions used:
- NtQueryVirtualMemory
Code sample
Take a look at VMDE project sources.
Signature recommendations
Signature recommendations are not provided as it’s hard to say what exactly is queried when memory buffer is being examined.
2.1. Countermeasures
Erase present artifacts from memory.
Credits
Credits go to the open-source projects from which the code samples were taken:
- al-khaser project on github
- VMDE project on github
Though the Check Point tool InviZzzible has all of them implemented, the modular structure of its code means a code sample from this tool would require more space for the same purposes. That’s why we’ve decided to use other great open-source projects for examples throughout the encyclopedia.