Add common and windows to the paper

Author: hippwn

paper/20_virtualisation.md

@@ -14,7 +14,7 @@ storage to the networks.
 ## Isolation
 
 This is an old concept on Linux-based systems which has more recently appeared
-on Windows 10 (1803) . It is not really a virtualisation but more of a way of
+on Windows 10 (1803). It is not really a virtualisation but more of a way of
 running a process in an independent environment that we call *context*. The
 isolated process access and system calls are filtered so that it is not aware
 of the host he's running on. This is basically the way containers work (LXC,

paper/30_state_of_the_art.md

@@ -33,76 +33,3 @@ int swallow_redpill ()
   return (m[5]>0xd0) ? 1 : 0;
 }
 ```
-
-## Linux techniques
-
-### The DMI table
-
-DMI stands for *Desktop Management Interface*. It is a standard developed in 
-the 90' with de goal of uniforming the tracking of the components in a computer
-and abstracting them from the softwares supposed to run them. Parsing this
-table can reveal practical information on the hardware used by the operating
-system and possibly detect the presence of names specific to virtualized
-environment, such as *vbox*, *virtualbox*, *oracle*, *qemu*, *kvm* and so on.
-
-### Linux kernel's hypervisor detection
-
-Linux's kernel comes with an hypervisor detection feature that can be used to
-identify a potential hypervisor below the operating system. Based on this, we
-easily can listen for the kernel event to see if an hypervisor has been
-detected by the kernel:
-
-```c
-static inline const struct hypervisor_x86 * __init
-detect_hypervisor_vendor(void)
-{
-	const struct hypervisor_x86 *h = NULL, * const *p;
-	uint32_t pri, max_pri = 0;
-
-	for (p = hypervisors; p < hypervisors + ARRAY_SIZE(hypervisors); p++) {
-		if (unlikely(nopv) && !(*p)->ignore_nopv)
-			continue;
-
-		pri = (*p)->detect();
-		if (pri > max_pri) {
-			max_pri = pri;
-			h = *p;
-		}
-	}
-
-	if (h)
-        // this line prints the hypervisor in the `/dev/kmsg` file
-		pr_info("Hypervisor detected: %s\n", h->name);
-
-	return h;
-}
-```
-
-### Checking Linux's pseudo-filesystems
-
-Linux provides a lot of information via a certain type of files (mostly in
-`/proc`) that are generated at boot and modified during runtime. A lot of 
-binaries use this directory like `ps`, `uname`, `lspci` and so on. These
-information are really helpful when trying to identify wether or not you are
-in a virtualized environment, like UML for instance. UML refers to the
-aforementioned way of executing a Linux kernel in user-space. This can easily
-be verified by looking for the string "User Mode Linux" in the file
-`/proc/cpuinfo` which describes the CPU of the machine.
-
-In the same way, a lot of these virtual *files* can provide information on the
-environment, including &ndash; but not limited to &ndash; `/proc/sysinfo` (in
-which some distribution expose data about virtual machines),
-`/proc/device-tree` (that lists the devices on the machine), `/proc/xen` (a 
-file created by the *Xen Server*) or `/proc/modules` (that contains information
-about the loaded kernel modules, modules that are used by hypervisors to 
-optimize the guests).
-
-Like *procfs* (mounted in `/proc`), *sysfs* can be useful. Its role is to
-provide to the user an access to the devices and their drivers. The file
-`/sys/hypervisor/type`, for instance, is sometimes used to store information
-about the hypervisor Linux is running on.
-
-
-## Windows
-
-<!-- TODO -->

paper/31_common.md

@@ -0,0 +1,41 @@
+\newpage
+
+## Cross-platform solutions
+
+When developing a malware, people usually target an operating system, as it can
+be pretty difficult to build something that works as expected on each
+environment. Moreover, releasing variants of the same binary (compiled for the
+different environments) can facilitate the work of malware analysts. Despite 
+these considerations, we aimed our researches toward cross-platform solutions
+in order to mutualize efforts.
+
+### Networking
+
+Network adapters usually come with a MAC address (*MAC* stands for Media Access
+Control, referring to the lowest part of the OSI model) which can be used to
+identify its vendor. The first half of the address (the first 3 bytes) are
+booked by constructors with the IEEE (Institute of Electrical and Electronics
+Engineers, an international organisation dedicated to the writing of standards
+for new technologies) to make the OUI, an unique vendor identifier.
+
+Most hypervisors have an OUI so that it makes the network adapter easily
+recognizable for the guest system. So if the a system sees such an OUI on its
+network adapter, it is highly likely that it is a virtualized guest.
+
+### Using CPUID
+
+THe `CPUID` instruction has been introduced with Intel's *x86* architecture to
+allow CPU discovery by the operating system. This way, the system can adapt its
+behaviour to the characteristics of the processor. The use of this instruction
+has been extended in 2008 to allow the hypervisor to "interact" with the guest
+and thus optimizing its performance. By watching specific values of certain 
+registers – mostly EBX, ECX, EDX – we can deduce the hypervisor if 
+any.
+
+### Measuring resources availability
+
+Finally, low resources may be an indication that the operating system is
+running inside a sandbox or virtual machine. It surely cannot be used as the
+only clue but it can lead you to investigate: most sandboxes are ran on the
+laptop of the analyst, who often will give the fewest resources they can. That
+is why we look for resources below 3 vCPUs or 3 GB of RAM.

paper/32_linux.md

@@ -0,0 +1,70 @@
+\newpage
+
+## Linux techniques
+
+### The DMI table
+
+DMI stands for *Desktop Management Interface*. It is a standard developed in 
+the 90' with de goal of uniforming the tracking of the components in a computer
+and abstracting them from the softwares supposed to run them. Parsing this
+table can reveal practical information on the hardware used by the operating
+system and possibly detect the presence of names specific to virtualized
+environment, such as *vbox*, *virtualbox*, *oracle*, *qemu*, *kvm* and so on.
+
+### Linux kernel's hypervisor detection
+
+Linux's kernel comes with an hypervisor detection feature that can be used to
+identify a potential hypervisor below the operating system. Based on this, we
+easily can listen for the kernel event to see if an hypervisor has been
+detected by the kernel:
+
+```c
+static inline const struct hypervisor_x86 * __init
+detect_hypervisor_vendor(void)
+{
+	const struct hypervisor_x86 *h = NULL, * const *p;
+	uint32_t pri, max_pri = 0;
+
+	for (p = hypervisors; p < hypervisors + ARRAY_SIZE(hypervisors); p++) {
+		if (unlikely(nopv) && !(*p)->ignore_nopv)
+			continue;
+
+		pri = (*p)->detect();
+		if (pri > max_pri) {
+			max_pri = pri;
+			h = *p;
+		}
+	}
+
+	if (h)
+        // this line prints the hypervisor in the `/dev/kmsg` file
+		pr_info("Hypervisor detected: %s\n", h->name);
+
+	return h;
+}
+```
+
+### Checking Linux's pseudo-filesystems
+
+Linux provides a lot of information via a certain type of files (mostly in
+`/proc`) that are generated at boot and modified during runtime. A lot of 
+binaries use this directory like `ps`, `uname`, `lspci` and so on. These
+information are really helpful when trying to identify wether or not you are
+in a virtualized environment, like UML for instance. UML refers to the
+aforementioned way of executing a Linux kernel in user-space. This can easily
+be verified by looking for the string "User Mode Linux" in the file
+`/proc/cpuinfo` which describes the CPU of the machine.
+
+In the same way, a lot of these virtual *files* can provide information on the
+environment, including &ndash; but not limited to &ndash; `/proc/sysinfo` (in
+which some distribution expose data about virtual machines),
+`/proc/device-tree` (that lists the devices on the machine), `/proc/xen` (a 
+file created by the *Xen Server*) or `/proc/modules` (that contains information
+about the loaded kernel modules, modules that are used by hypervisors to 
+optimize the guests).
+
+Like *procfs* (mounted in `/proc`), *sysfs* can be useful. Its role is to
+provide to the user an access to the devices and their drivers. The file
+`/sys/hypervisor/type`, for instance, is sometimes used to store information
+about the hypervisor Linux is running on.
+

paper/33_windows.md

@@ -0,0 +1,32 @@
+\newpage
+
+## Windows
+
+On Windows, most configuration can be done through the *Registry Hive* –
+some kind of database that contains every configuration option about either the
+operating system itself, or any software that would like to store information
+in it. A lot of indicators of hypervisors can be stored there, especially if
+the *guest addons* (small pieces of software that are installed on the guest 
+to allow interoperability between the guest and the host, permitting shared
+clipboard, *drag'n'drop* and so on) are installed.
+
+Most keys will be installed inside the `HKEY_LOCAL_MACHINE` register which
+mostly contains information about hardware, security and such. Parsing its
+content looking for particular patterns is efficient enough and quite a good 
+indicator of the presence of an hypervisor if any. Here is an example of keys 
+that we are looking for:
+
+```golang
+virtualBoxKeys := []string{
+	`HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE*`,
+	`HKLM\HARDWARE\ACPI\DSDT\VBOX__`,
+	`HKLM\HARDWARE\ACPI\FADT\VBOX__`,
+	`HKLM\HARDWARE\ACPI\RSDT\VBOX__`,
+	`HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions`,
+	`HKLM\SYSTEM\ControlSet001\Services\VBoxGuest`,	
+	`HKLM\SYSTEM\ControlSet001\Services\VBoxMouse`,
+	`HKLM\SYSTEM\ControlSet001\Services\VBoxService`,
+	`HKLM\SYSTEM\ControlSet001\Services\VBoxSF`,
+	`HKLM\SYSTEM\ControlSet001\Services\VBoxVideo`,
+}
+```