- Sandboxes are widely used to analyse malwares , They provide a temporary, isolated and secure environment to observe if a suspicious file attempts anything malicious. Of course, Over time malware developers have also added methods to avoid sandboxes and analysis environments by performing various checks to see if there is an actual user operating the machine the malware is being executed on, and one of those checks and the one that we will bypass is ram check eg an unrealistically small RAM size (e.g. 1GB) can be indicative of a sandbox ,If the malware detects a sandbox, it will not execute its true malicious behavior and therefore appears to be another benign file.
-
the
GetPhysicallyInstalledSystemMemoryAPI Retrieves the amount of RAM that is physically installed on the computer from the SMBIOS firmware tables, it takesPULONGLONGin parameters and returns TRUE if function succeeds and sets theTotalMemoryInKilobytesto a nonzero value otherwise it returns FALSE.
-
The amount of physical memory retrieved by the
GetPhysicallyInstalledSystemMemoryfunction must be equal to or greater than the amount reported by theGlobalMemoryStatusExfunction; if it is less, the SMBIOS data is malformed and the function fails withERROR_INVALID_DATA, Malformed SMBIOS data may indicate a problem with the user's computer .
-
the Register rcx hold our parameter
TotalMemoryInKilobytes, so i overwrite the jump address ofGetPhysicallyInstalledSystemMemorywith our custom opcodesmov qword ptr ss:[rcx],4193B840we mov value 4193B840 or 1,1 TB (you can change it with your needs) to rcx then we return ,retinstruction will pops the return address off the stack then jumps to it ,so wheneverGetPhysicallyInstalledSystemMemorygets called it will set rcx with our custom value .