- Sandboxes are widely used to analyse malware. They provide a temporary, isolated and secure environment in which to observe whether a suspicious file attempts anything malicious. Over time, malware developers have added methods to avoid sandboxes and analysis environments by performing various checks to see whether an actual user is operating the machine the malware is being executed on. One of those checks, and the one we will bypass here, is the RAM check: an unrealistically small RAM size (e.g. 1 GB) can be indicative of a sandbox. If the malware detects a sandbox, it does not execute its true malicious behaviour and therefore appears to be just another benign file.
- The `GetPhysicallyInstalledSystemMemory` API retrieves the amount of RAM that is physically installed on the computer from the SMBIOS firmware tables. It takes a `PULONGLONG` parameter and returns `TRUE` if the function succeeds, setting `TotalMemoryInKilobytes` to a nonzero value; otherwise it returns `FALSE`.
- The amount of physical memory retrieved by the `GetPhysicallyInstalledSystemMemory` function must be equal to or greater than the amount reported by the `GlobalMemoryStatusEx` function; if it is less, the SMBIOS data is malformed and the function fails with `ERROR_INVALID_DATA`. Malformed SMBIOS data may indicate a problem with the user's computer.
- The register `rcx` holds our parameter `TotalMemoryInKilobytes`, so I overwrite the jump address of `GetPhysicallyInstalledSystemMemory` with our custom opcodes `mov qword ptr ss:[rcx],4193B840` followed by `ret`. The `mov` writes the value `4193B840` (hex; about 1.1 TB expressed in kilobytes, change it to suit your needs) to the memory `rcx` points to, then we return: the `ret` instruction pops the return address off the stack and jumps to it. So whenever `GetPhysicallyInstalledSystemMemory` gets called, it fills the caller's `TotalMemoryInKilobytes` with our custom value.
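As an added example (my own code, not from the original post), the following C program assembles the 8-byte stub described above for an arbitrary fake RAM value and recognises it again at a function entry, so you can confirm the patch landed. It also shows an encoding limit the post does not mention: `mov qword ptr [rcx], imm32` carries only a sign-extended 32-bit immediate, so the fake value must stay below 0x80000000 KB (about 2 TiB). The function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

#define STUB_LEN 8   /* 48 C7 01 <imm32> C3 */

/* Encode `mov qword ptr [rcx], imm32 ; ret` for a fake installed-RAM value
 * in kilobytes. REX.W C7 /0 id holds a sign-extended 32-bit immediate, so
 * 0x80000000 KB (~2 TiB) or more would become a huge 64-bit number.
 * Returns 0 on success, -1 if the value does not fit. */
int build_fake_ram_stub(uint64_t fake_kb, uint8_t out[STUB_LEN]) {
    if (fake_kb > 0x7FFFFFFFULL)
        return -1;
    out[0] = 0x48;                  /* REX.W: 64-bit operand size              */
    out[1] = 0xC7;                  /* MOV r/m64, imm32                        */
    out[2] = 0x01;                  /* ModRM mod=00 reg=/0 rm=001 -> [rcx]     */
    for (int i = 0; i < 4; i++)     /* imm32, little-endian                    */
        out[3 + i] = (uint8_t)(fake_kb >> (8 * i));
    out[7] = 0xC3;                  /* RET; eax (the BOOL result) is untouched */
    return 0;
}

/* Recognise the stub at a function entry (e.g. 8 bytes read from the start
 * of GetPhysicallyInstalledSystemMemory) and recover the fake value exactly
 * as the CPU would store it. Returns 1 on a match, 0 otherwise. */
int decode_fake_ram_stub(const uint8_t code[STUB_LEN], uint64_t *fake_kb) {
    if (code[0] != 0x48 || code[1] != 0xC7 || code[2] != 0x01 || code[7] != 0xC3)
        return 0;
    uint32_t imm = (uint32_t)code[3] | (uint32_t)code[4] << 8 |
                   (uint32_t)code[5] << 16 | (uint32_t)code[6] << 24;
    *fake_kb = (uint64_t)(int64_t)(int32_t)imm;   /* same sign extension as the CPU */
    return 1;
}

int main(void) {
    uint8_t stub[STUB_LEN];
    uint64_t kb = 0x4193B840ULL, seen = 0;   /* the post's value: 1,100,200,000 KB, ~1.1 TB */
    if (build_fake_ram_stub(kb, stub) != 0)
        return 1;
    for (int i = 0; i < STUB_LEN; i++)
        printf("%02X ", stub[i]);            /* 48 C7 01 40 B8 93 41 C3 */
    if (decode_fake_ram_stub(stub, &seen))
        printf("\nentry is patched, reports %llu KB\n", (unsigned long long)seen);
    /* 3 TB in KB (0xB2D05E00) does not fit a sign-extended imm32: refused, not garbage */
    if (build_fake_ram_stub(3000000000ULL, stub) != 0)
        printf("3000000000 KB cannot be encoded in this stub\n");
    return 0;
}
```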