Sandboxes are commonly used to analyze malware. They provide a temporary, isolated, and secure environment in which to observe whether a suspicious file exhibits any malicious behavior. However, malware developers have also developed methods to evade sandboxes and analysis environments. One such method is to perform checks to determine whether the machine the malware is being executed on is being operated by a real user. One such check is the RAM size. If the RAM size is unrealistically small (e.g., 1GB), it may indicate that the machine is a sandbox. If the malware detects a sandbox, it will not execute its true malicious behavior and may appear to be a benign file
-
The
GetPhysicallyInstalledSystemMemory
API retrieves the amount of RAM that is physically installed on the computer from the SMBIOS firmware tables. It takes aPULONGLONG
parameter and returnsTRUE
if the function succeeds, setting theTotalMemoryInKilobytes
to a nonzero value. If the function fails, it returnsFALSE
. -
The amount of physical memory retrieved by the
GetPhysicallyInstalledSystemMemory
function must be equal to or greater than the amount reported by theGlobalMemoryStatusEx
function; if it is less, the SMBIOS data is malformed and the function fails withERROR_INVALID_DATA
, Malformed SMBIOS data may indicate a problem with the user's computer . -
The register
rcx
holds the parameterTotalMemoryInKilobytes
. To overwrite the jump address ofGetPhysicallyInstalledSystemMemory
, I use the following opcodes:mov qword ptr ss:[rcx],4193B840
. This moves the value4193B840
(or 1.1 TB) torcx
. Then, the ret instruction is used to pop the return address off the stack and jump to it, Therefore, wheneverGetPhysicallyInstalledSystemMemory
is called, it will setrcx
to the custom value."