check .NET-Anti-Debug coverage #596

Open
mike-hunhoff opened this issue Jul 22, 2022 · 5 comments
@mike-hunhoff
Collaborator

https://github.com/Outbuilt/.NET-Anti-Debug

@williballenthin
Collaborator

  • md5: new System.Security.Cryptography.MD5CryptoServiceProvider(), ComputeHash
  • reference self file: System.Diagnostics.Process.GetCurrentProcess().MainModule.FileName, Assembly.GetEntryAssembly().Location
  • is administrator:
        private static bool IsAdministrator()
        {
            var identity = WindowsIdentity.GetCurrent();
            var principal = new WindowsPrincipal(identity);
            return principal.IsInRole(WindowsBuiltInRole.Administrator);
        }
  • sandboxie detection: SbieDll.dll
  • enumerate PIDs: new PerformanceCounterCategory("Process");, GetInstanceNames, GetCounters, CounterName, "ID Process"
  • system proxy: Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings, ProxyEnable, ProxyServer
  • spawn process: new System.Diagnostics.ProcessStartInfo, System.Diagnostics.Process
  • timing: Environment.TickCount, Thread.Sleep
  • anti vm: Select * from Win32_ComputerSystem, virtual, vmware, virtualbox
  • anti vm: SELECT * FROM Win32_VideoController, vmware, vbox
  • cpuid: Win32_Processor, UniqueID, ProcessorID, Name, Manufacturer
  • biosid: Win32_BIOS, Manufacturer, SMBIOSBIOSVersion, IdentificationCode, SerialNumber, ReleaseDate, Version
  • diskid: Win32_DiskDrive, Model, Manufacturer, Signature, TotalHeads
  • motherboard id: Win32_BaseBoard, Model, Manufacturer, Name, SerialNumber
  • video id: Win32_VideoController, DriverVersion, Name
  • macid: Win32_NetworkAdapterConfiguration, MACAddress, IPEnabled

@williballenthin williballenthin self-assigned this Jan 24, 2023
@komen205

komen205 commented Mar 17, 2023

Hello everyone,

This issue appears not to have had any progress since January, so I decided to contribute my own rule.

The field that I targeted is: "anti vm: Select * from Win32_ComputerSystem, virtual, vmware, virtualbox"

I left the "examples" field empty as I'm not sure whether any example is already in the capa-testfiles repo; if not, I can provide the EXE that I created and am using to test the rules.

I can also provide all the other rules if you let me take the issue.

I hope it helps, thanks!

@mr-tz
Collaborator

mr-tz commented Mar 20, 2023

Great, it would be great if you want to tackle more rules here and contribute a PR. If there are no examples, you can provide them or place the rules in the nursery directory. Please also note the potential overlap with related rules, e.g., reference anti-VM strings targeting VMWare.

@komen205

Hello,

Thanks for assigning the task to me.

The rules for the following items are already done and I don't think there's any need to modify them:

sandboxie detection:

md5: new System.Security.Cryptography.MD5CryptoServiceProvider(), ComputeHash

is administrator:
- api: System.Security.Principal.WindowsPrincipal::IsInRole

I added the whole CPU information at host-interaction/hardware/cpu/get-cpu-information.yml, for reference: f2da1d4

Regarding the following rules, I will add them to their respective files; I don't think there's a need to create a new one, and I will also target dotnet to prevent overlaps.
anti vm: Select * from Win32_ComputerSystem, virtual, vmware, virtualbox
anti vm: SELECT * FROM Win32_VideoController, vmware, vbox

For the rules targeting macid and Environment.TickCount, I have no idea where to put them, so I will add them to the nursery later on.

Thanks :)
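
To make the "anti vm: Select * from Win32_ComputerSystem" item and the dotnet-only scoping discussed above concrete, here is what such a capa rule could look like. This is an added example written for this page; it is not a rule from capa-rules, from the capa project, or from the .NET-Anti-Debug repository. It assumes the capa rule syntax in use at the time of this thread (a single `scope:` field and the global `format: dotnet` feature); the rule name, namespace, ATT&CK mapping and author are my choices, and the `examples` entry is a placeholder to be replaced with a real capa-testfiles sample hash.

```yaml
rule:
  meta:
    name: check for VM via WMI ComputerSystem query in .NET
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - example-author@example.invalid   # assumed; replace with the real contributor
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    references:
      - https://github.com/Outbuilt/.NET-Anti-Debug
    examples:
      - PLACEHOLDER_SHA256   # placeholder: add a capa-testfiles sample before leaving the nursery
  features:
    - and:
      # restrict the match to .NET samples so this rule does not overlap with the
      # existing native anti-VM string rules (e.g. "reference anti-VM strings targeting VMWare")
      - format: dotnet
      # the WQL query the sample issues through System.Management to read the
      # machine's Manufacturer/Model; case-insensitive regex, since samples vary the casing
      - string: /select \* from win32_computersystem/i
      # at least one of the vendor markers the query result is compared against
      - or:
        - string: /vmware/i
        - string: /virtualbox/i
        - string: /virtual/i
```

The `and` is what keeps this rule useful: "virtual" on its own appears in plenty of benign code (virtual memory, virtual methods in error text), so it is only allowed to contribute when the same function also references the Win32_ComputerSystem query. If the linter complains about the missing example, the rule belongs in the nursery directory, as suggested above, until a sample is available.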

@mr-tz
Collaborator

mr-tz commented Mar 21, 2023

Great, thanks for your work here!
