Pafish (Paranoid Fish) is an open-source tool used to detect the presence of analysis environments, including debuggers, virtual machines, and sandboxes. Pafish does this by employing many of the same techniques also utilized by certain malware families “in the wild.” The Pafish tool can help testers to determine whether their analysis environments are well-implemented and functioning as intended.
The Pafish tool runs a host of checks to determine the potential presence of an analysis environment.
When executed, the Pafish tool begins by running rudimentary debugger detection using two simple API functions.
The Pafish tool then attempts to detect the presence of virtual machines. It begins by performing a pair of timestamp checks and compares the response time difference between them. A longer than usual response time for these checks may indicate the presence of a virtual machine hypervisor, which will intercept these executions by default. Similarly, The Pafish will also check the execution time of the cpuid instruction, as in most x86 based CPU environments, this will also trigger the hypervisor.
From this point, Pafish runs a final test in search of virtual machines by checking the CPU vendor string, looking for common vendor names, including KVM HYPER-V VMWARE and XEN.
Next, the Pafish tool proceeds to check for the presence of generic sandboxes by looking for artifacts that are byproducts of most artificial environments. For instance, the Pafish checks for abnormal mouse movements (or lack thereof), which might potentially indicate the absence of a physical user. It also examines usernames, file paths, and root directories for obvious names such as SAMPLE, VIRUS, or SANDBOX, which might also indicate that the environment is an artificial one.
Pafish also executes a hardware analysis, checking disk size, total system RAM, and the number of processors present
Finally, Pafish searches the system for evidence of specific virtual machine vendors, such as Wine, VMWare, Virtual Box, and Sandboxie by scanning for non-removable artifacts that these products may leave, such as registry keys or serial numbers.
In recent years Pafish has been a helpful tool used to harden malware analysis environments. However, virtual machine detection has greatly decreased in relevance within the malware sphere, and its relevance is likely to continue to diminish as system virtualization becomes more ubiquitous in production environments.
Pafish is an open-source tool written in C that can be built with MinGW (gcc + make). It is licensed under General Public License GNU/GPL version 3.
Autonomous Response to critical malware alerts
VMRay + Palo Alto Networks JOINT WEBINAR