From 01879489d456b32edf587eabdf56f70b4bae0028 Mon Sep 17 00:00:00 2001 From: Duarte Silva Date: Mon, 18 May 2015 15:20:20 +0100 Subject: [PATCH] Added extra checks for VMWare and Wine. --- pafish/main.c | 16 ++++++++++++++++ pafish/vmware.c | 22 ++++++++++++++++++++++ pafish/vmware.h | 2 ++ pafish/wine.c | 5 +++++ pafish/wine.h | 2 ++ 5 files changed, 47 insertions(+) diff --git a/pafish/main.c b/pafish/main.c index ac23e85..20a5cdd 100644 --- a/pafish/main.c +++ b/pafish/main.c @@ -221,6 +221,14 @@ int main(void) } else print_not_traced(); + printf("[*] Reg key (HKCU\\SOFTWARE\\Wine) ... "); + if (wine_reg_key1() == TRUE) { + write_log("Wine traced using Reg key HKCU\\SOFTWARE\\Wine"); + print_traced(); + write_trace("hi_wine"); + } + else print_not_traced(); + /* VirtualBox detection tricks */ printf("\n[-] VirtualBox detection\n"); printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); @@ -385,6 +393,14 @@ int main(void) } else print_not_traced(); + printf("[*] Looking for pseudo devices ... "); + if (vmware_devices(TRUE) == TRUE) { + /* Log written inside function */ + print_traced(); + write_trace("hi_vmware"); + } + else print_not_traced(); + /* Qemu detection tricks */ printf("\n[-] Qemu detection\n"); printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); diff --git a/pafish/vmware.c b/pafish/vmware.c index 0301505..13aedd4 100644 --- a/pafish/vmware.c +++ b/pafish/vmware.c @@ -1,10 +1,12 @@ #include #include +#include #include "vmware.h" #include "types.h" #include "utils.h" +#include "common.h" int vmware_reg_key1() { if ( pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMWARE") || 
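Review bot: The comment `/* Log written inside function */` on the new `vmware_devices(TRUE)` branch is the only place that explains why this check departs from every sibling check in main, all of which call `write_log` themselves; make it say what the callee actually does: `/* vmware_devices() logs one line per device it finds, so logging is enabled via writelogs=TRUE here */`. That tells a reader why the usual `write_log` call is absent without pulling the per-device detail into main. The body of main() starts and ends outside this hunk.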
@@ -27,3 +29,23 @@ int vmware_sysfile1() { int vmware_sysfile2() { return pafish_exists_file("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys"); } + +int vmware_devices(int writelogs) { + HANDLE h; + const int count = 2; + string strs[count]; + int res = FALSE, i = 0; + char message[200]; + + strs[0] = "\\\\.\\HGFS"; + strs[1] = "\\\\.\\vmci"; + for (i=0; i < count; i++) { + h = CreateFile(strs[i], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if (h != INVALID_HANDLE_VALUE) { + snprintf(message, sizeof(message)-sizeof(message[0]), "VMWare traced using device %s", strs[i]); + if (writelogs) write_log(message); + res = TRUE; + } + } + return res; +} diff --git a/pafish/vmware.h b/pafish/vmware.h index 15a0226..24da830 100644 --- a/pafish/vmware.h +++ b/pafish/vmware.h @@ -10,4 +10,6 @@ int vmware_sysfile1(); int vmware_sysfile2(); +int vmware_devices(); + #endif diff --git a/pafish/wine.c b/pafish/wine.c index a5405fd..8ec08c5 100644 --- a/pafish/wine.c +++ b/pafish/wine.c @@ -3,6 +3,7 @@ #include "wine.h" #include "types.h" +#include "utils.h" int wine_detect_get_unix_file_name() { HMODULE k32; @@ -19,3 +20,7 @@ int wine_detect_get_unix_file_name() { return FALSE; } } + +int wine_reg_key1() { + return pafish_exists_regkey(HKEY_CURRENT_USER, "SOFTWARE\\Wine"); +} diff --git a/pafish/wine.h b/pafish/wine.h index 21d81f2..7d9af76 100644 --- a/pafish/wine.h +++ b/pafish/wine.h @@ -4,4 +4,6 @@ int wine_detect_get_unix_file_name(); +int wine_reg_key1(); + #endif
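Review bot: Every handle that `CreateFile` successfully opens in `vmware_devices` is never released, so a positive detection leaks one kernel handle per device for the life of the process; add `CloseHandle(h);` right after `res = TRUE;` inside the `if (h != INVALID_HANDLE_VALUE)` block. Two smaller points: a `CreateFile` failure with `ERROR_ACCESS_DENIED` rather than `ERROR_FILE_NOT_FOUND` still indicates the device object exists, so checking `GetLastError()` in an else branch may catch a guest that merely restricts access to `\\.\HGFS` / `\\.\vmci`, and `sizeof(message)-sizeof(message[0])` can simply be `sizeof(message)` because `snprintf` already reserves room for the terminator. Declaring `string strs[count]` with a `const int` bound also makes it a VLA in C; `const char *strs[] = { "\\\\.\\HGFS", "\\\\.\\vmci" };` iterated with `sizeof strs / sizeof strs[0]` avoids that.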
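Review bot: The new prototype `int vmware_devices();` has an empty parameter list while the definition in vmware.c takes `int writelogs`, so in C this is an unprototyped declaration and callers such as `vmware_devices(TRUE)` get no arity or argument-type checking from the compiler; declare it as `int vmware_devices(int writelogs);`. The neighbouring prototypes in this header genuinely take no arguments, which makes the omission easy to overlook.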
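Review bot: `wine_reg_key1` carries no comment explaining why `HKCU\SOFTWARE\Wine` indicates Wine, so the function name is the only documentation of the check; add `/* Wine keeps its per-user configuration (DllOverrides etc.) under HKCU\Software\Wine, as far as I recall; the key should not exist on native Windows */` above the function. `pafish_exists_regkey` is presumably declared in utils.h, which the first wine.c hunk adds, so this hunk depends on that include being kept.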