Dyre was found to be only executing if the NumberOfProcessors field o…

…f the PEB was > 1. In the analyzed sample, it also called GetSystemInfo which would have provided the same info, but it never used the result. For people too lazy to set up their VMs properly with more than one virtual CPU, let's just fake it. Also add a new config entry "no-stealth" which will disable these and the other anti-anti-VM/Sandbox tricks, as they're prone to anti-anti-anti-* etc.

config.c

@@ -125,6 +125,9 @@ int read_config(void)
 				strncpy(g_config.terminate_event_name, value,
 					ARRAYSIZE(g_config.terminate_event_name));
 			}
+			else if (!strcmp(key, "no-stealth")) {
+				g_config.no_stealth = value[0] == '1';
+			}
         }
     }
 

config.h

@@ -52,6 +52,9 @@ struct _g_config {
 	// do we want to ignore "file of interest" and other forms of log reduction?
 	int full_logs;
 
+	// should we attempt anti-anti-sandbox/VM tricks ?
+	int no_stealth;
+
     // how many milliseconds since startup
     unsigned int startup_time;
 

cuckoomon.c

@@ -290,6 +290,7 @@ static hook_t g_hooks[] = {
 	HOOK(user32, GetAsyncKeyState),
 	HOOK(ntdll, NtLoadDriver),
 	HOOK(ntdll, RtlDecompressBuffer),
+	HOOK(kernel32, GetSystemInfo),
 
 	//
     // Network Hooks
@@ -722,6 +723,15 @@ BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
 		// initialize context watchdog
 		//init_watchdog();
 
+#ifndef _WIN64
+		if (!g_config.no_stealth) {
+			/* for people too lazy to setup VMs properly */
+			PEB *peb = get_peb();
+			if (peb->NumberOfProcessors == 1)
+				peb->NumberOfProcessors = 2;
+		}
+#endif
+
 		notify_successful_load();
     }
     else if(dwReason == DLL_PROCESS_DETACH) {

hook_file.c

@@ -359,11 +359,11 @@ HOOKDEF(NTSTATUS, WINAPI, NtDeviceIoControlFile,
         "OutputBuffer", IoStatusBlock->Information, OutputBuffer);
 
 	/* Fake harddrive size to 256GB */
-	if (NT_SUCCESS(ret) && OutputBuffer && OutputBufferLength >= sizeof(GET_LENGTH_INFORMATION) && IoControlCode == IOCTL_DISK_GET_LENGTH_INFO) {
+	if (!g_config.no_stealth && NT_SUCCESS(ret) && OutputBuffer && OutputBufferLength >= sizeof(GET_LENGTH_INFORMATION) && IoControlCode == IOCTL_DISK_GET_LENGTH_INFO) {
 		((PGET_LENGTH_INFORMATION)OutputBuffer)->Length.QuadPart = 256060514304L;
 	}
 	/* fake model name */
-	if (NT_SUCCESS(ret) && IoControlCode == IOCTL_STORAGE_QUERY_PROPERTY && OutputBuffer && OutputBufferLength > 4) {
+	if (!g_config.no_stealth && NT_SUCCESS(ret) && IoControlCode == IOCTL_STORAGE_QUERY_PROPERTY && OutputBuffer && OutputBufferLength > 4) {
 		ULONG i;
 		for (i = 0; i < OutputBufferLength - 4; i++) {
 			if (!memcmp(&((PCHAR)OutputBuffer)[i], "QEMU", 4))
@@ -750,7 +750,7 @@ HOOKDEF(BOOL, WINAPI, GetVolumeNameForVolumeMountPointW,
 ) {
 	BOOL ret = Old_GetVolumeNameForVolumeMountPointW(lpszVolumeMountPoint, lpszVolumeName, cchBufferLength);
 	LOQ_bool("filesystem", "uu", "VolumeMountPoint", lpszVolumeMountPoint, "VolumeName", lpszVolumeName);
-	if (ret && lpszVolumeName && cchBufferLength > 4) {
+	if (!g_config.no_stealth && ret && lpszVolumeName && cchBufferLength > 4) {
 		DWORD i;
 		for (i = 0; i < cchBufferLength - 4; i++) {
 			if (!memcmp(&lpszVolumeName[i], L"QEMU", 8))

hook_misc.c

@@ -24,6 +24,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #include "misc.h"
 #include "hook_file.h"
 #include "hook_sleep.h"
+#include "config.h"
 
 HOOKDEF(HHOOK, WINAPI, SetWindowsHookExA,
     __in  int idHook,
@@ -150,11 +151,11 @@ HOOKDEF(BOOL, WINAPI, DeviceIoControl,
             lpOutBuffer);
 
 	/* Fake harddrive size to 256GB */
-	if (ret && lpOutBuffer && nOutBufferSize >= sizeof(GET_LENGTH_INFORMATION) && dwIoControlCode == IOCTL_DISK_GET_LENGTH_INFO) {
+	if (!g_config.no_stealth && ret && lpOutBuffer && nOutBufferSize >= sizeof(GET_LENGTH_INFORMATION) && dwIoControlCode == IOCTL_DISK_GET_LENGTH_INFO) {
 		((PGET_LENGTH_INFORMATION)lpOutBuffer)->Length.QuadPart = 256060514304L;
 	}
 	/* fake model name */
-	if (ret && dwIoControlCode == IOCTL_STORAGE_QUERY_PROPERTY && lpOutBuffer && nOutBufferSize > 4) {
+	if (!g_config.no_stealth && ret && dwIoControlCode == IOCTL_STORAGE_QUERY_PROPERTY && lpOutBuffer && nOutBufferSize > 4) {
 		ULONG i;
 		for (i = 0; i < nOutBufferSize - 4; i++) {
 			if (!memcmp(&((PCHAR)lpOutBuffer)[i], "QEMU", 4))
@@ -414,4 +415,19 @@ HOOKDEF(NTSTATUS, WINAPI, RtlDecompressBuffer,
 	LOQ_ntstatus("misc", "b", "UncompressedBuffer", ret ? 0 : *FinalUncompressedSize, UncompressedBuffer);
 
 	return ret;
+}
+
+HOOKDEF(void, WINAPI, GetSystemInfo,
+	__out LPSYSTEM_INFO lpSystemInfo
+) {
+	int ret = 0;
+
+	Old_GetSystemInfo(lpSystemInfo);
+
+	if (!g_config.no_stealth && lpSystemInfo->dwNumberOfProcessors == 1)
+		lpSystemInfo->dwNumberOfProcessors = 2;
+
+	LOQ_void("misc", "");
+
+	return;
 }

hook_reg.c

@@ -21,6 +21,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #include "hooking.h"
 #include "misc.h"
 #include "log.h"
+#include "config.h"
 
 HOOKDEF(LONG, WINAPI, RegOpenKeyExA,
     __in        HKEY hKey,
@@ -284,7 +285,7 @@ HOOKDEF(LONG, WINAPI, RegQueryValueExA,
 			"FullName", keypath);
 
 		// fake the vendor name
-		if (keypath && *lpcbData >= 13 && !wcsicmp(keypath, L"HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\Identifier") && !memcmp(lpData, "QEMU HARDDISK", 13)) {
+		if (!g_config.no_stealth && keypath && *lpcbData >= 13 && !wcsicmp(keypath, L"HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\Identifier") && !memcmp(lpData, "QEMU HARDDISK", 13)) {
 			memcpy(lpData, "DELL", 4);
 		}
 
@@ -325,7 +326,7 @@ HOOKDEF(LONG, WINAPI, RegQueryValueExW,
 			"FullName", keypath);
 
 		// fake the vendor name
-		if (keypath && *lpcbData >= 13 && !wcsicmp(keypath, L"HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\Identifier") && !memcmp(lpData, "QEMU HARDDISK", 13)) {
+		if (!g_config.no_stealth && keypath && *lpcbData >= 13 && !wcsicmp(keypath, L"HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\Identifier") && !memcmp(lpData, "QEMU HARDDISK", 13)) {
 			memcpy(lpData, "DELL", 4);
 		}
 

hook_reg_native.c

@@ -22,6 +22,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #include "log.h"
 #include "pipe.h"
 #include "misc.h"
+#include "config.h"
 
 HOOKDEF(NTSTATUS, WINAPI, NtCreateKey,
     __out       PHANDLE KeyHandle,
@@ -186,12 +187,12 @@ HOOKDEF(NTSTATUS, WINAPI, NtQueryValueKey,
 			"FullName", keypath);
 
 		// fake the vendor name
-		if (keypath && Data && DataLength >= 13 && !wcsicmp(keypath, L"HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\Identifier") && !memcmp(Data, "QEMU HARDDISK", 13)) {
+		if (!g_config.no_stealth && keypath && Data && DataLength >= 13 && !wcsicmp(keypath, L"HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\\Identifier") && !memcmp(Data, "QEMU HARDDISK", 13)) {
 			memcpy(Data, "DELL", 4);
 		}
 
 		// fake the manufacturer name
-		if (keypath && Data && DataLength >= 4 && !wcsicmp(keypath, L"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer") && !memcmp(Data, "QEMU", 4)) {
+		if (!g_config.no_stealth && keypath && Data && DataLength >= 4 && !wcsicmp(keypath, L"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SystemInformation\\SystemManufacturer") && !memcmp(Data, "QEMU", 4)) {
 			memcpy(Data, "DELL", 4);
 		}
 

hooks.h

@@ -1090,6 +1090,10 @@ extern HOOKDEF(NTSTATUS, WINAPI, RtlCreateUserThread,
 // Misc Hooks
 //
 
+extern HOOKDEF(void, WINAPI, GetSystemInfo,
+	__out LPSYSTEM_INFO lpSystemInfo
+);
+
 extern HOOKDEF(NTSTATUS, WINAPI, RtlDecompressBuffer,
 	__in USHORT CompressionFormat,
 	__out PUCHAR UncompressedBuffer,