From 1842d1f937e1865f951706db045aa2dd63e84f98 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Mon, 29 Dec 2025 11:21:52 +0000
Subject: [PATCH 1/4] Add antivm_display signature
Add signature to detect use of EnumDisplayDevices such as in Pikabot (https://capesandbox.com/analysis/41245/#)
---
 modules/signatures/windows/antivm_display.py | 40 ++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 modules/signatures/windows/antivm_display.py
diff --git a/modules/signatures/windows/antivm_display.py b/modules/signatures/windows/antivm_display.py
new file mode 100644
index 00000000..e44ef726
--- /dev/null
+++ b/modules/signatures/windows/antivm_display.py
@@ -0,0 +1,40 @@
+# Copyright (C) 2025 Kevin Ross
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from lib.cuckoo.common.abstracts import Signature
+
+
+class QueriesDisplayDevices(Signature):
+ name = "queries_display_devices"
+ description = "Queries display devices"
+ severity = 2
+ categories = ["anti-vm"]
+ authors = ["Kevin Ross"]
+ minimum = "1.3"
+ evented = True
+ ttps = ["T1082"] # MITRE v6,7,8
+
+ filter_apinames = set(["EnumDisplayDevicesA", "EnumDisplayDevicesW"])
+
+ def __init__(self, *args, **kwargs):
+ Signature.__init__(self, *args, **kwargs)
+ self.ret = False
+
+ def on_call(self, call, process):
+ self.mark_call()
+ self.ret = True
+
+ def on_complete(self):
+ return self.ret 
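Review bot: A single EnumDisplayDevicesA/W call is enough to raise this anti-vm signature, yet that user32 API is routinely called by benign desktop software to enumerate monitors, so the hit is weak evidence and likely to be noisy at severity 2 (raised to 3 in patch 3); the final form in the `@@ -28,13 +28,8 @@` hunk of patch 4 has the same property. If the monitor logs the DISPLAY_DEVICE output, gating on the returned DeviceString (the vendor text a sample would compare) or on repeated iteration over device indexes would make the match more meaningful, but I cannot tell from this hunk which arguments are available on `call`. At minimum the class deserves a docstring saying that any call to either API is marked and that ordinary GUI applications will trigger it, so analysts weigh the hit accordingly. Style: `filter_apinames = {"EnumDisplayDevicesA", "EnumDisplayDevicesW"}` replaces the `set([...])` form.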
From c542e18a9cb5197b3bae7ea730b958047a6c8f76 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Mon, 29 Dec 2025 11:22:54 +0000
Subject: [PATCH 2/4] Rename class to EnumeratesDisplayDevices
---
 modules/signatures/windows/antivm_display.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/signatures/windows/antivm_display.py b/modules/signatures/windows/antivm_display.py
index e44ef726..c6256b11 100644
--- a/modules/signatures/windows/antivm_display.py
+++ b/modules/signatures/windows/antivm_display.py
@@ -16,9 +16,9 @@
 from lib.cuckoo.common.abstracts import Signature
-class QueriesDisplayDevices(Signature):
- name = "queries_display_devices"
- description = "Queries display devices"
+class EnumeratesDisplayDevices(Signature):
+ name = "enumerates_display_devices"
+ description = "Enumerates display devices"
 severity = 2
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
From 105af34b9d668dd70ecbf615c97ecd5549a1a48d Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Mon, 29 Dec 2025 14:25:23 +0100
Subject: [PATCH 3/4] Update modules/signatures/windows/antivm_display.py
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 modules/signatures/windows/antivm_display.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/signatures/windows/antivm_display.py b/modules/signatures/windows/antivm_display.py
index c6256b11..e3cb5b36 100644
--- a/modules/signatures/windows/antivm_display.py
+++ b/modules/signatures/windows/antivm_display.py
@@ -16,10 +16,10 @@
 from lib.cuckoo.common.abstracts import Signature
-class EnumeratesDisplayDevices(Signature):
- name = "enumerates_display_devices"
- description = "Enumerates display devices"
- severity = 2
+class AntiVMDisplay(Signature):
+ name = "antivm_display"
+ description = "Attempts to query display device information, possibly to determine if the process is running in a virtualized environment"
+ severity = 3
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "1.3"
From 76db93f21f5be1e5aa0885fa909486bcd0a2fca0 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Mon, 29 Dec 2025 14:25:46 +0100
Subject: [PATCH 4/4] Update modules/signatures/windows/antivm_display.py
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 modules/signatures/windows/antivm_display.py | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/modules/signatures/windows/antivm_display.py b/modules/signatures/windows/antivm_display.py
index e3cb5b36..54f30ac1 100644
--- a/modules/signatures/windows/antivm_display.py
+++ b/modules/signatures/windows/antivm_display.py
@@ -28,13 +28,8 @@ class AntiVMDisplay(Signature):
 filter_apinames = set(["EnumDisplayDevicesA", "EnumDisplayDevicesW"])
- def __init__(self, *args, **kwargs):
- Signature.__init__(self, *args, **kwargs)
- self.ret = False
-
 def on_call(self, call, process):
 self.mark_call()
- self.ret = True
 def on_complete(self):
- return self.ret
+ return self.has_matches()