Anti-VM: Screen Resolution

[Sqeegie]

While not a full-proof detection vector, using common default VM resolutions (I.e. 800x600 or 1024x768), could be a good test for default sandboxes.

https://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-screen-resolution-to-evade-analysis/

[gsuberland]

Appears there are a bunch of potential artifacts we can use here:

• SM_CXSCREEN / SM_CYSCREEN from GetSystemMetrics (primary screen size)
• SM_CXVIRTUALSCREEN / SM_CYVIRTUALSCREEN from GetSystemMetrics (virtual desktop size, across all screens)
• SM_REMOTECONTROL from GetSystemMetrics (reveals if the session is associated with an active terminal services session)
• SPI_GETWORKAREA from SystemParametersInfo (size of the work area on the primary screen)
• DISPLAY_DEVICE.DeviceString from EnumDisplayDevices (display device name)
• EDID struct from from SetupDiEnumDeviceInfo / SetupDiOpenDevRegKey (all sorts of fun in here, needs some parsing)
• HORZRES / VERTRES from GetDeviceCaps (screen size of target monitor handle)
• DESKTOPHORZRES / DESKTOPVERTRES from GetDeviceCaps (desktop size of target monitor handle)
• HORZSIZE / VERTSIZE from GetDeviceCaps (EDID-reported physical panel dimensions of target monitor handle)
• LOGCOLORSPACE data from GetColorSpace / GetLogColorSpace (ICM profile data for target monitor handle)