What to expect
In this blog post I'll be making a code snippet that showcases how to get the size of a computer's RAM in C. I will then convert this code into x64 assembly, mostly for me to practice writing in it, but also so that we can understand it better.
Checking the memory
The idea behind this evasion technique is simple. Most modern user machines will have at least around 4GB of RAM. Anything lower than that can be an indication that the machine is probably a sandbox (To save costs). While it's not exactly fool-proof, it can be used with other techniques to have a better idea of the machine.
There are two available APIs to get the memory size of a computer on Windows: GetPhysicallyInstalledSystemMemory and GlobalMemoryStatusEx. The former lists the physically installed RAM from the BIOS, while the latter lists the amount available for the operating system to use. Note that the values returned from these two functions will be different but from my tests the difference is only a few hundreds of bytes. Any of these two we can use for our purpose.
Using GetPhysicallyInstalledSystemMemory
Calling GetPhysicallyInstalledSystemMemory in C is simple:
#include <stdio.h>
#include <windows.h>
int main(void)
{
unsigned long long memory_size = 0;
GetPhysicallyInstalledSystemMemory(&memory_size);
printf("Memory size: %lld\n", memory_size);
}
Read more on article : https://www.accidentalrebel.com/malware-sandbox-evasion-in-x64-assembly-by-checking-ram-size-part-1.html
Malware Evasion Techniques
- https://unprotect.it/technique/api-obfuscation/
*Beware click the link!