
Screen Resolution Sandbox Check

Querying the display size lets malware spot the small or unusual resolutions typical of headless automated sandboxes and refuse to run.

Automated sandboxes are usually headless or run with a default, never-resized virtual display. That leaves a fingerprint: a small resolution such as 800x600 or 1024x768, exact-power-of-two oddities, or a desktop with zero height. Real user machines almost always report larger, varied resolutions.

Malware reads the display size and bails when it looks synthetic. The check is trivially cheap and produces almost no suspicious API noise, which makes it popular in loaders and droppers as a first-stage gate.

How it works

On Windows the sample calls GetSystemMetrics with SM_CXSCREEN / SM_CYSCREEN (or GetDesktopWindow + GetWindowRect) and compares against a minimum threshold. Some families also reject suspiciously round dimensions or a width/height that does not match any common consumer panel.

```c
#include <windows.h>

int w = GetSystemMetrics(SM_CXSCREEN);   /* primary display width in pixels  */
int h = GetSystemMetrics(SM_CYSCREEN);   /* primary display height in pixels */

// Refuse to run on tiny/headless sandbox displays.
if (w < 1024 || h < 768 || (w == 800 && h == 600)) {
    // Likely an automated sandbox — exit quietly.
    ExitProcess(0);
}
```

A variant combines resolution with colour depth or with the absence of multiple monitors (GetSystemMetrics(SM_CMONITORS)), since analysis VMs almost never have a second display.

```c
HDC hdc = GetDC(NULL);   /* device context of the primary display, released after the query */
/* Fewer than two monitors, or a colour depth below 24 bpp, is treated as an analysis VM. */
if (GetSystemMetrics(SM_CMONITORS) < 2 || GetDeviceCaps(hdc, BITSPIXEL) < 24)
    vm_detected();
ReleaseDC(NULL, hdc);
```

Detection & analysis

Static analysis: Flag GetSystemMetrics with the SM_CXSCREEN (0), SM_CYSCREEN (1), or SM_CMONITORS (80) constants, or GetDesktopWindow followed by GetWindowRect, when the result feeds a comparison against small literal dimensions like 800, 600, 1024, 768.

Dynamic analysis: In a debugger, set the resolution check's returned width and height to large realistic values (e.g. 1920x1080) before the comparison, or configure your sandbox VM to present a common consumer resolution. ProcMon and API monitors will show the metrics query immediately before an early exit.

Detection rule hint: Alert when a freshly-started process queries screen dimensions or monitor count and branches to ExitProcess/Sleep based on a comparison against hard-coded small resolutions — a high-signal sandbox-evasion pattern.
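The rule hint above, implemented as an added example (not code from the original page): a small Python detector that runs over API-monitor style log lines and flags a process that queries the display size or monitor count shortly after start and then calls ExitProcess or Sleep within a short window. The log format, the sample lines, the time windows and the process IDs are all constructed for this example; adapt the regex to whatever API monitor actually produces.

```python
"""Detect the screen-resolution sandbox-evasion pattern in API-monitor logs.

Assumed log format (constructed for this example, not any specific tool's output):
    <seconds since process start> <pid> <api>(<args>) = <return value>
"""
import re
from collections import defaultdict

# GetSystemMetrics indices named on the page: SM_CXSCREEN=0, SM_CYSCREEN=1, SM_CMONITORS=80.
SCREEN_METRICS = {0: "SM_CXSCREEN", 1: "SM_CYSCREEN", 80: "SM_CMONITORS"}
# Branch targets named in the detection hint.
BAIL_APIS = {"ExitProcess", "Sleep"}

EARLY_WINDOW_S = 5.0   # the query must happen this soon after start ("freshly-started")
BAIL_WINDOW_S = 2.0    # the bail call must follow the last query within this many seconds

LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)\s*=\s*(?P<ret>\S+)$"
)

# Constructed sample: pid 4120 is the 800x600 bail-out, pid 5208 is a normal GUI app that
# reads its resolution and runs for a long time, pid 6001 uses the GetDesktopWindow path.
SAMPLE_LOG = """\
0.010 4120 GetModuleHandleW(0) = 0x00400000
0.031 4120 GetSystemMetrics(0) = 800
0.032 4120 GetSystemMetrics(1) = 600
0.033 4120 GetSystemMetrics(80) = 1
0.040 4120 ExitProcess(0) = 0
0.012 5208 GetSystemMetrics(0) = 1920
0.013 5208 GetSystemMetrics(1) = 1080
0.200 5208 CreateWindowExW(0, "MainWnd") = 0x000501f2
45.000 5208 ExitProcess(0) = 0
0.020 6001 GetDesktopWindow() = 0x00010010
0.021 6001 GetWindowRect(0x00010010, 0x0019fe44) = 1
0.500 6001 Sleep(300000) = 0
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"t": float(m["t"]), "pid": int(m["pid"]), "api": m["api"],
            "args": m["args"].strip(), "ret": m["ret"]}


def _screen_query_label(ev, prev):
    """Label ev if it is a screen-size / monitor-count query, else return None."""
    if ev["api"] == "GetSystemMetrics" and ev["args"].isdigit():
        return SCREEN_METRICS.get(int(ev["args"]))
    # The alternative path on the page: GetDesktopWindow immediately followed by GetWindowRect.
    if ev["api"] == "GetWindowRect" and prev is not None and prev["api"] == "GetDesktopWindow":
        return "GetDesktopWindow+GetWindowRect"
    return None


def find_resolution_evasion(log_lines):
    """Return one finding per process that queried the display early and bailed right after."""
    by_pid = defaultdict(list)
    for line in log_lines:
        ev = parse_line(line)
        if ev is not None:
            by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, events in by_pid.items():
        events.sort(key=lambda e: e["t"])
        queries, prev = [], None
        for ev in events:
            label = _screen_query_label(ev, prev)
            if label and ev["t"] <= EARLY_WINDOW_S:
                queries.append((label, ev))
            prev = ev
        if not queries:
            continue
        # A bail call shortly after the last early query is the high-signal part of the pattern.
        _, last_query = queries[-1]
        bail = next((e for e in events
                     if e["api"] in BAIL_APIS and 0 <= e["t"] - last_query["t"] <= BAIL_WINDOW_S),
                    None)
        if bail is None:
            continue
        findings.append({
            "pid": pid,
            "queries": [lbl for lbl, _ in queries],
            # Values the sandbox reported, so the analyst can see which threshold was tripped.
            "reported": {lbl: q["ret"] for lbl, q in queries if q["api"] == "GetSystemMetrics"},
            "bail_api": bail["api"],
            "delta_s": round(bail["t"] - last_query["t"], 3),
        })
    return findings


if __name__ == "__main__":
    for finding in find_resolution_evasion(SAMPLE_LOG.splitlines()):
        print(finding)
```

The long-running process (pid 5208) reads its resolution at start like any GUI application would, but is not flagged because nothing bails within the window; tightening or widening the two windows is the main tuning knob for false positives.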
