
Bypass-Sandbox-Evasion – Bypass Malware Sandbox Evasion Ram Check

[![](https://blogger.googleusercontent.com/img/a/AVvXsEj2tTiSJYVtHsUsygJcmPjh3RYf3xCxgCF9EaaiX9IcIgqsA_I3qYMjVXn2O3hn18zl9GGT_iW7xxkZPuKceVqfOW0g5_dNFvUOgfsc5WsJTt0daGBfqflGsy_Uiao2regl1a2weZpHuk1kWnZAsK7nZdmHRjoM1zV-EvEVkSnU3QBv44I91ixPZALk6w=w640-h460)]()

Sandboxes are commonly used to analyze malware. They provide a temporary, isolated, and secure environment in which to observe whether a suspicious file exhibits any malicious behavior. Malware developers, however, have developed methods to evade sandboxes and analysis environments. One such method is to check whether the machine the malware is running on is operated by a real user, and one such check is the RAM size: if the installed RAM is unrealistically small (e.g., 1 GB), the machine is likely a sandbox. If the malware detects a sandbox, it does not execute its real payload and appears to be a benign file.

# Details

* The `GetPhysicallyInstalledSystemMemory` API retrieves the amount of RAM physically installed on the computer from the SMBIOS firmware tables. It takes a single `PULONGLONG` parameter, `TotalMemoryInKilobytes`; on success it returns `TRUE` and sets that value to a nonzero number of kilobytes. If the function fails, it returns `FALSE`.

[![](https://blogger.googleusercontent.com/img/a/AVvXsEg5vI7Z0oucFnnHM4-_xudw4m9YZPbJJ-8mNE_yAeCFcjelE3TkvYQONPUEN3VwTdjsoxlZQ_V7UmoQ-bgdVqIGPmQvIwWlPijUJ-BzleZ5TSAjUdqh_BjmY6l652wHxYr6ddsTTW4705SiUpXuY2IdWEY6UjOZrvbpPk4k9lJEkpyxfIV0v_w8WNGk-w=w640-h272)]() [![](https://blogger.googleusercontent.com/img/a/AVvXsEgcafjbV6NQJzSaDkmFTghhONeojDcPhUx_LaPUtXH6PrLutHh9kPNG_u9lK6WJ2aeSdsQO1HXeJw60ZqCjABa7Wlc7_Bjxg0f77v1odA8oYmXn8t9onMVDWdl4UrEuZGYcCHZtqbeXobS-tgYL12EE1wOeR17wAsSfFCOJLZOzvKFhWk5Q-TnAT7zjSA=w640-h54)]()

* The amount of physical memory retrieved by `GetPhysicallyInstalledSystemMemory` must be equal to or greater than the amount reported by `GlobalMemoryStatusEx`; if it is less, the SMBIOS data is malformed and the function fails with `ERROR_INVALID_DATA`. Malformed SMBIOS data may indicate a problem with the user's computer.

[![](https://blogger.googleusercontent.com/img/a/AVvXsEj2tTiSJYVtHsUsygJcmPjh3RYf3xCxgCF9EaaiX9IcIgqsA_I3qYMjVXn2O3hn18zl9GGT_iW7xxkZPuKceVqfOW0g5_dNFvUOgfsc5WsJTt0daGBfqflGsy_Uiao2regl1a2weZpHuk1kWnZAsK7nZdmHRjoM1zV-EvEVkSnU3QBv44I91ixPZALk6w=w640-h460)]()

* On x64, the register `rcx` holds the first parameter, which is the pointer `TotalMemoryInKilobytes`. To hijack `GetPhysicallyInstalledSystemMemory`, the first instructions of the function are overwritten with `mov qword ptr ss:[rcx],4193B840`. This stores the immediate `0x4193B840` (1,100,200,000 KB, about 1.1 TB) into the caller's `TotalMemoryInKilobytes` variable through the pointer in `rcx`; it does not change `rcx` itself. A `ret` instruction then pops the return address off the stack and jumps back to the caller. As a result, whenever `GetPhysicallyInstalledSystemMemory` is called, the caller receives the custom value instead of the real SMBIOS figure, and the SMBIOS consistency check described above never runs because the original function body is skipped.

[![](https://blogger.googleusercontent.com/img/a/AVvXsEjUhpzwPkRmSwutRlx_6rOZsVbBlkN2yKAy-BWAbnMazAipzlhVWgkACZ5i9g9KUIuMVxRRyOBNP1N86mJSDJYRtvZ8m7JAmNxgimzmci7FueIlnJp89233CBYROeZJWmkhqbd-NGCto-rICdO3DaTAGkPfnREs6n5sHX16c-SLZjOq5jvsqKWtDn9UXg=w640-h38)]()
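The following C program is an added example and is not the Bypass-Sandbox-Evasion tool's own code. It ties the two halves of the post together: the RAM check a sample performs with `GetPhysicallyInstalledSystemMemory`, and the in-process patch that defeats it. `build_patch_stub` encodes the `mov qword ptr [rcx], imm32` / `ret` sequence described above; the example additionally inserts `mov eax, 1` between them so that the `BOOL` return value is `TRUE`, something the post does not mention but which any caller that tests the return value will need. Because the immediate is a sign-extended 32-bit value, the stub rejects anything at or above `0x80000000`. The 2 GB threshold, the function names and the fake query functions are assumptions made for the example; the Windows-only part (`patch_installed_memory_api`) is compiled only under `_WIN32`, and the rest runs anywhere. One caveat: a sample that also queries `GlobalMemoryStatusEx` (or WMI) sees the real figure, so this patch alone does not cover that check.

```c
/* Added example (not the tool's code): encodes the patch stub from the post,
 * shows the sandbox RAM check it defeats, and applies the patch on Windows. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* 0x4193B840 KB = 1,100,200,000 KB, roughly 1.1 TB (value used by the post). */
#define FAKE_INSTALLED_KB 0x4193B840u
/* Assumed threshold for the example: less than 2 GB looks like a sandbox. */
#define SANDBOX_THRESHOLD_KB (2u * 1024u * 1024u)

/* Stub written over the entry of GetPhysicallyInstalledSystemMemory (x64):
 *   48 C7 01 <imm32>  mov qword ptr [rcx], imm32  ; *TotalMemoryInKilobytes = kb
 *   B8 01 00 00 00    mov eax, 1                  ; return TRUE (added here)
 *   C3                ret
 * imm32 is sign-extended, so kb must stay below 0x80000000. Returns bytes written, 0 on error. */
size_t build_patch_stub(unsigned char *out, size_t cap, uint32_t kb)
{
    if (cap < 13 || kb >= 0x80000000u) return 0;
    out[0] = 0x48; out[1] = 0xC7; out[2] = 0x01;          /* REX.W  C7 /0  [rcx] */
    out[3] = (unsigned char)(kb);
    out[4] = (unsigned char)(kb >> 8);
    out[5] = (unsigned char)(kb >> 16);
    out[6] = (unsigned char)(kb >> 24);                   /* imm32, little-endian */
    out[7] = 0xB8; out[8] = 1; out[9] = 0; out[10] = 0; out[11] = 0; /* mov eax,1 */
    out[12] = 0xC3;                                       /* ret */
    return 13;
}

/* The evasion check as a sample typically writes it, parameterised on the
 * query function so it can be run against the real API or a stand-in. */
typedef int (*installed_mem_fn)(unsigned long long *kb);

int ram_looks_like_sandbox(installed_mem_fn query)
{
    unsigned long long kb = 0;
    if (!query(&kb)) return 1;   /* failure (e.g. ERROR_INVALID_DATA) is treated as suspicious */
    return kb < SANDBOX_THRESHOLD_KB;
}

/* Constructed stand-ins: a 1 GB analysis VM, and the API after the patch. */
int fake_small_vm(unsigned long long *kb)    { *kb = 1024ull * 1024ull; return 1; }
int fake_patched_api(unsigned long long *kb) { *kb = FAKE_INSTALLED_KB;  return 1; }

#ifdef _WIN32
/* Overwrite the first 13 bytes of GetPhysicallyInstalledSystemMemory in this process. */
int patch_installed_memory_api(uint32_t kb)
{
    unsigned char stub[16];
    size_t n = build_patch_stub(stub, sizeof stub, kb);
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    FARPROC target = k32 ? GetProcAddress(k32, "GetPhysicallyInstalledSystemMemory") : NULL;
    DWORD old;
    if (!n || !target) return 0;
    if (!VirtualProtect((LPVOID)target, n, PAGE_EXECUTE_READWRITE, &old)) return 0;
    memcpy((void *)target, stub, n);
    VirtualProtect((LPVOID)target, n, old, &old);
    FlushInstructionCache(GetCurrentProcess(), (LPCVOID)target, n);
    return 1;
}

static int real_api(unsigned long long *kb)
{
    return GetPhysicallyInstalledSystemMemory((PULONGLONG)kb) ? 1 : 0;
}
#endif

int main(void)
{
    unsigned char stub[16];
    size_t n = build_patch_stub(stub, sizeof stub, FAKE_INSTALLED_KB);
    printf("stub (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", stub[i]);
    printf("\n1 GB VM flagged: %d, patched API flagged: %d\n",
           ram_looks_like_sandbox(fake_small_vm), ram_looks_like_sandbox(fake_patched_api));
#ifdef _WIN32
    printf("before patch flagged: %d\n", ram_looks_like_sandbox(real_api));
    if (patch_installed_memory_api(FAKE_INSTALLED_KB))
        printf("after patch flagged: %d\n", ram_looks_like_sandbox(real_api));
#endif
    return 0;
}
```

On Windows the program prints the 13 stub bytes (`48 C7 01 40 B8 93 41 B8 01 00 00 00 C3`), reports the real machine's verdict, patches the API and reports it again; the patched call returns 1.1 TB regardless of what SMBIOS says, which is exactly why the consistency check against `GlobalMemoryStatusEx` in the original function no longer applies.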

**Download Bypass-Sandbox-Evasion**
