diff --git a/pafish/Makefile.win b/pafish/Makefile.win
index a828a90..e92100b 100644
--- a/pafish/Makefile.win
+++ b/pafish/Makefile.win
@@ -1,15 +1,15 @@ - + CC = gcc.exe LINK = gcc.exe WINDRES = windres.exe -OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \ +OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \ Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \ Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/pafish_private.res LINKOBJ = $(OBJ) LIBS = -L"C:/MinGW32/lib" -lwsock32 -liphlpapi -lsetupapi -lmpr -s INCS = -I"C:/MinGW32/include" BIN = Output/MingW/pafish.exe -CFLAGS = $(INCS) $(DEFINES) -O0 +CFLAGS = $(INCS) $(DEFINES) -O1 all: $(BIN)
@@ -27,6 +27,9 @@ Objects/MingW/main.o: $(GLOBALDEPS) main.c Objects/MingW/common.o: $(GLOBALDEPS) common.c $(CC) -c common.c -o Objects/MingW/common.o $(CFLAGS) +Objects/MingW/utils.o: $(GLOBALDEPS) utils.c + $(CC) -c utils.c -o Objects/MingW/utils.o $(CFLAGS) + Objects/MingW/debuggers.o: $(GLOBALDEPS) debuggers.c $(CC) -c debuggers.c -o Objects/MingW/debuggers.o $(CFLAGS)
diff --git a/pafish/common.c b/pafish/common.c
index a409821..7b68f9c 100644
--- a/pafish/common.c
+++ b/pafish/common.c
@@ -1,65 +1,59 @@
-
-#include
-#include
-#include
-#include
-
-#include "common.h"
-
-int analysis_result = 0;
-
-void init_cmd_colors() {
- HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
- SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
-}
-
-void print_header() {
- HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
- printf("* Pafish (");
- SetConsoleTextAttribute(handler, 11);
- printf("Paranoid fish");
- SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
- printf(") *\n\n");
- printf("Some anti(debugger/VM/sandbox) tricks\n");
- printf("used by malware for the general public.\n\n");
-}
-
-void print_traced() {
- HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
- SetConsoleTextAttribute(handler, 207);
- printf("traced!\n");
- SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
- analysis_result = 2;
-}
-
-void print_not_traced() {
- HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
- SetConsoleTextAttribute(handler, 10);
- printf("OK\n");
- SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
-}
-
-void print_suspicious() {
- HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
- SetConsoleTextAttribute(handler, 207);
- printf("suspicious\n");
- SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
- if (analysis_result == 0) {
- analysis_result = 1;
- }
-}
-
-void write_log(char msg[]) {
- FILE *log;
- char logstr[1024];
- snprintf(logstr, sizeof(logstr), "\n[pafish] %s", msg);
- log = fopen("pafish.log", "a");
- fputs(logstr, log);
- fclose(log);
-}
-
-void write_trace(char product[]) {
- FILE *trace;
- trace = fopen(product, "a");
- fclose(trace);
-}
+
+#include
+#include
+#include
+#include
+
+#include "common.h"
+
+void init_cmd_colors() {
+ HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
+ SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
+}
+
+void print_header() {
+ HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
+ printf("* Pafish (");
+ SetConsoleTextAttribute(handler, 11);
+ printf("Paranoid fish");
+ SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
+ printf(") *\n\n");
+ printf("Some anti(debugger/VM/sandbox) tricks\n");
+ printf("used by malware for the general public.\n\n");
+}
+
+void print_traced() {
+ HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
+ SetConsoleTextAttribute(handler, 207);
+ printf("traced!\n");
+ SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
+}
+
+void print_not_traced() {
+ HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
+ SetConsoleTextAttribute(handler, 10);
+ printf("OK\n");
+ SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
+}
+
+void print_suspicious() {
+ HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
+ SetConsoleTextAttribute(handler, 207);
+ printf("suspicious\n");
+ SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
+}
+
+void write_log(char msg[]) {
+ FILE *log;
+ char logstr[1024];
+ snprintf(logstr, sizeof(logstr), "\n[pafish] %s", msg);
+ log = fopen("pafish.log", "a");
+ fputs(logstr, log);
+ fclose(log);
+}
+
+void write_trace(char product[]) {
+ FILE *trace;
+ trace = fopen(product, "a");
+ fclose(trace);
+}
diff --git a/pafish/common.h b/pafish/common.h
index 4545e50..a685aa8 100644
--- a/pafish/common.h
+++ b/pafish/common.h
@@ -1,21 +1,19 @@
-
-#ifndef COMM_H
-#define COMM_H
-
-void init_cmd_colors();
-
-void print_header();
-
-void print_traced();
-
-void print_not_traced();
-
-void print_suspicious();
-
-void write_log(char msg[]);
-
-void write_trace(char product[]);
-
-extern int analysis_result;
-
-#endif
+
+#ifndef COMM_H
+#define COMM_H
+
+void init_cmd_colors();
+
+void print_header();
+
+void print_traced();
+
+void print_not_traced();
+
+void print_suspicious();
+
+void write_log(char msg[]);
+
+void write_trace(char product[]);
+
+#endif
diff --git a/pafish/debuggers.c b/pafish/debuggers.c
index 1b4d1f6..f6cfbab 100644
--- a/pafish/debuggers.c
+++ b/pafish/debuggers.c
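Review bot: `write_log` and `write_trace` on the new side still pass the result of `fopen` straight to `fputs`/`fclose` with no NULL check, so a run from a directory the process cannot write to (a read-only share, a restricted working directory) dereferences NULL and crashes instead of merely losing the log line. Guard both: `if (log == NULL) return;` after `log = fopen("pafish.log", "a");`, and `if (trace != NULL) fclose(trace);` in `write_trace`. A one-line comment on `write_trace` such as `/* Creates an empty marker file named after product; nothing is written. */` would also help, since the open-then-close body makes its purpose non-obvious.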
@@ -1,42 +1,41 @@
-
-#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */
-
-#include
-
-#include "debuggers.h"
-
-int debug_isdebuggerpresent() {
- if (IsDebuggerPresent()) {
- return 0;
- }
- else {
- return 1;
- }
-}
-
-/* This function is not used because it isn't reliable in
- some new environments */
-int debug_checkremotedebuggerpresent() {
- BOOL isdebug = FALSE;
- CheckRemoteDebuggerPresent(GetCurrentProcess(), &isdebug);
- if (isdebug) {
- return 0;
- }
- else {
- return 1;
- }
-}
-
-int debug_outputdebugstring() {
- DWORD err = 99; /* Random error */
- SetLastError(err);
- /* If we're been debugging, this shouldn't
- drop an error. */
- OutputDebugString("useless");
- if (GetLastError() == err){
- return 0;
- }
- else {
- return 1;
- }
-}
+
+#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */
+
+#include
+
+#include "debuggers.h"
+#include "types.h"
+
+int debug_isdebuggerpresent() {
+ if (IsDebuggerPresent())
+ return TRUE;
+ else
+ return FALSE;
+}
+
+/* This function is not used because it isn't reliable in
+some new environments */
+int debug_checkremotedebuggerpresent() {
+ BOOL isdebug = FALSE;
+ CheckRemoteDebuggerPresent(GetCurrentProcess(), &isdebug);
+ if (isdebug) {
+ return TRUE;
+ }
+ else {
+ return FALSE;
+ }
+}
+
+int debug_outputdebugstring() {
+ DWORD err = 99; /* Random error */
+ SetLastError(err);
+ /* If we're been debugging, this shouldn't
+ drop an error. */
+ OutputDebugString("useless");
+ if (GetLastError() == err){
+ return TRUE;
+ }
+ else {
+ return FALSE;
+ }
+}
diff --git a/pafish/debuggers.h b/pafish/debuggers.h
index f0863da..b738b4f 100644
--- a/pafish/debuggers.h
+++ b/pafish/debuggers.h
@@ -1,11 +1,11 @@
-
-#ifndef DEBUG_H
-#define DEBUG_H
-
-int debug_isdebuggerpresent();
-
-int debug_checkremotedebuggerpresent();
-
-int debug_outputdebugstring();
-
-#endif
+
+#ifndef DEBUG_H
+#define DEBUG_H
+
+int debug_isdebuggerpresent();
+
+int debug_checkremotedebuggerpresent();
+
+int debug_outputdebugstring();
+
+#endif
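Review bot: `debug_isdebuggerpresent` is the only function in this hunk rewritten with an unbraced `if`/`else`, while `debug_checkremotedebuggerpresent` and `debug_outputdebugstring` keep the braced form; either brace it again or collapse it to `return IsDebuggerPresent() ? TRUE : FALSE;` so the three siblings read alike. The return value of `CheckRemoteDebuggerPresent` is still discarded, so a failed call is reported as "not debugged" rather than "unknown"; since the comment above it already says the function is unused for reliability reasons, a note such as `/* Return value unchecked: an API failure is reported as FALSE. */` would at least record that. `TRUE`/`FALSE` are provided by the Windows headers already included here and now also by the new `types.h`, whose body is not in this diff; worth confirming it does not redefine those macros.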
diff --git a/pafish/gensandbox.c b/pafish/gensandbox.c
index a5bb73a..3682fcb 100644
--- a/pafish/gensandbox.c
+++ b/pafish/gensandbox.c
@@ -1,105 +1,95 @@
-
-#include
-#include
-#include
-
-#include "gensandbox.h"
-
-int gensandbox_mouse_act() {
- POINT position1, position2;
- GetCursorPos(&position1);
- Sleep(1750); /* Sleep time */
- GetCursorPos(&position2);
- if ((position1.x == position2.x) && (position1.y == position2.y)) {
- /* No mouse activity during the sleep */
- return 0;
- }
- else {
- /* Mouse activity during the sleep */
- return 1;
- }
-}
-
-int gensandbox_username() {
- char username[200];
- int i;
- DWORD usersize = sizeof(username);
- GetUserName(username, &usersize);
- for (i = 0; i < strlen(username); i++) { /* case-insensitive */
- username[i] = toupper(username[i]);
- }
- if (strstr(username, "SANDBOX") != NULL) {
- return 0;
- }
- if (strstr(username, "VIRUS") != NULL) {
- return 0;
- }
- if (strstr(username, "MALWARE") != NULL) {
- return 0;
- }
- return 1;
-}
-
-int gensandbox_path() {
- char path[500];
- int i;
- DWORD pathsize = sizeof(path);
- GetModuleFileName(NULL, path, pathsize);
- for (i = 0; i < strlen(path); i++) { /* case-insensitive */
- path[i] = toupper(path[i]);
- }
- if (strstr(path, "\\SAMPLE") != NULL) {
- return 0;
- }
- if (strstr(path, "\\VIRUS") != NULL) {
- return 0;
- }
- if (strstr(path, "SANDBOX") != NULL) {
- return 0;
- }
- return 1;
-}
-
-int gensandbox_drive_size() {
- HANDLE drive;
- BOOL result;
- GET_LENGTH_INFORMATION size;
- DWORD lpBytesReturned;
-
- drive = CreateFile("\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
- if (drive == INVALID_HANDLE_VALUE) {
- // Someone is playing tricks. Or not enough privileges.
- CloseHandle(drive);
- return 1;
- }
- result = DeviceIoControl(drive, IOCTL_DISK_GET_LENGTH_INFO, NULL, 0, &size,
- sizeof(GET_LENGTH_INFORMATION), &lpBytesReturned, NULL);
- CloseHandle(drive);
- if (result != 0) {
- if (size.Length.QuadPart / 1073741824 <= 50) { /* <= 50 GB */
- return 0;
- }
- }
- return 1;
-}
-
-
-int gensandbox_drive_size2() {
- ULARGE_INTEGER bytes_available;
- ULARGE_INTEGER total_bytes;
- ULARGE_INTEGER total_number_free_bytes;
-
- if (GetDiskFreeSpaceExA("C:\\", &bytes_available, &total_bytes, &total_number_free_bytes))
- {
- if (bytes_available.QuadPart / 1073741824 <= 60) { /* <= 60 GB */
- return 0;
- }
- if (total_bytes.QuadPart / 1073741824 <= 60) { /* <= 60 GB */
- return 0;
- }
- if (total_number_free_bytes.QuadPart / 1073741824 <= 60) { /* <= 60 GB */
- return 0;
- }
- }
- return 1;
-}
+
+#include
+#include
+#include
+
+#include "types.h"
+#include "gensandbox.h"
+
+int gensandbox_mouse_act() {
+ POINT position1, position2;
+ GetCursorPos(&position1);
+ Sleep(2000); /* Sleep time */
+ GetCursorPos(&position2);
+ if ((position1.x == position2.x) && (position1.y == position2.y)) {
+ /* No mouse activity during the sleep */
+ return TRUE;
+ }
+ else {
+ /* Mouse activity during the sleep */
+ return FALSE;
+ }
+}
+
+int gensandbox_username() {
+ char username[200];
+ int i;
+ DWORD usersize = sizeof(username);
+ GetUserName(username, &usersize);
+ for (i = 0; i < strlen(username); i++) { /* case-insensitive */
+ username[i] = toupper(username[i]);
+ }
+ if (strstr(username, "SANDBOX") != NULL) {
+ return TRUE;
+ }
+ if (strstr(username, "VIRUS") != NULL) {
+ return TRUE;
+ }
+ if (strstr(username, "MALWARE") != NULL) {
+ return TRUE;
+ }
+ return FALSE;
+}
+
+int gensandbox_path() {
+ char path[500];
+ int i;
+ DWORD pathsize = sizeof(path);
+ GetModuleFileName(NULL, path, pathsize);
+ for (i = 0; i < strlen(path); i++) { /* case-insensitive */
+ path[i] = toupper(path[i]);
+ }
+ if (strstr(path, "\\SAMPLE") != NULL) {
+ return TRUE;
+ }
+ if (strstr(path, "\\VIRUS") != NULL) {
+ return TRUE;
+ }
+ if (strstr(path, "SANDBOX") != NULL) {
+ return TRUE;
+ }
+ return FALSE;
+}
+
+int gensandbox_drive_size() {
+ HANDLE drive;
+ BOOL result;
+ GET_LENGTH_INFORMATION size;
+ DWORD lpBytesReturned;
+
+ drive = CreateFile("\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
+ if (drive == INVALID_HANDLE_VALUE) {
+ // Someone is playing tricks. Or not enough privileges.
+ CloseHandle(drive);
+ return FALSE;
+ }
+ result = DeviceIoControl(drive, IOCTL_DISK_GET_LENGTH_INFO, NULL, 0, &size,
+ sizeof(GET_LENGTH_INFORMATION), &lpBytesReturned, NULL);
+ CloseHandle(drive);
+ if (result != 0) {
+ if (size.Length.QuadPart / 1073741824 <= 60) /* <= 60 GB */
+ return TRUE;
+ }
+ return FALSE;
+}
+
+int gensandbox_drive_size2() {
+ ULARGE_INTEGER total_bytes;
+
+ if (GetDiskFreeSpaceExA("C:\\", NULL, &total_bytes, NULL))
+ {
+ if (total_bytes.QuadPart / 1073741824 <= 60) /* <= 60 GB */
+ return TRUE;
+ }
+ return FALSE;
+}
diff --git a/pafish/gensandbox.h b/pafish/gensandbox.h
index df1197b..804e721 100644
--- a/pafish/gensandbox.h
+++ b/pafish/gensandbox.h
@@ -1,15 +1,15 @@
-
-#ifndef GENSAND_H
-#define GENSAND_H
-
-int gensandbox_mouse_act();
-
-int gensandbox_username();
-
-int gensandbox_path();
-
-int gensandbox_drive_size();
-
-int gensandbox_drive_size2();
-
-#endif
+
+#ifndef GENSAND_H
+#define GENSAND_H
+
+int gensandbox_mouse_act();
+
+int gensandbox_username();
+
+int gensandbox_path();
+
+int gensandbox_drive_size();
+
+int gensandbox_drive_size2();
+
+#endif
diff --git a/pafish/hooks.c b/pafish/hooks.c
index 1b35276..7099e99 100644
--- a/pafish/hooks.c
+++ b/pafish/hooks.c
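Review bot: `gensandbox_username` ignores the return value of `GetUserName`, so when the call fails the `strlen`/`strstr` loop that follows reads an uninitialized 200-byte `username` array; add `if (!GetUserName(username, &usersize)) return FALSE;` and treat a zero return from `GetModuleFileName` in `gensandbox_path` the same way. The `toupper(username[i])` and `toupper(path[i])` calls should go through an `(unsigned char)` cast, since plain `char` may be signed and negative values are out of `toupper`'s domain. In `gensandbox_drive_size`, the `CloseHandle(drive);` inside the `INVALID_HANDLE_VALUE` branch is applied to an invalid handle and should simply be removed.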
@@ -1,26 +1,27 @@
-
-#include
-
-#include "hooks.h"
-
-/* Thx Inaki for this! (@virtualminds_es) */
-int check_hook_DeleteFileW_m1() {
- DWORD *dwAddress = (DWORD *)DeleteFileW;
- BYTE *b = (BYTE *)dwAddress;
- if ((*b == 0xff) && (*(b+1) == 0x25)) {
- b++; b++;
- dwAddress = (DWORD *)b;
- DWORD *c = (DWORD *)(*dwAddress);
- BYTE *op = (BYTE *)*c;
-
- if ((*op == 0x8b) && (*(op+1) == 0xff)) {
- return 1;
- }
- else {
- return 0;
- }
- }
- else {
- return 1;
- }
-}
+
+#include
+
+#include "hooks.h"
+#include "types.h"
+
+/* Thx Inaki for this! (@virtualminds_es) */
+int check_hook_DeleteFileW_m1() {
+ DWORD *dwAddress = (DWORD *)DeleteFileW;
+ BYTE *b = (BYTE *)dwAddress;
+ if ((*b == 0xff) && (*(b+1) == 0x25)) {
+ b++; b++;
+ dwAddress = (DWORD *)b;
+ DWORD *c = (DWORD *)(*dwAddress);
+ BYTE *op = (BYTE *)*c;
+
+ if ((*op == 0x8b) && (*(op+1) == 0xff)) {
+ return FALSE;
+ }
+ else {
+ return TRUE;
+ }
+ }
+ else {
+ return FALSE;
+ }
+}
diff --git a/pafish/hooks.h b/pafish/hooks.h
index 4b52483..2a54931 100644
--- a/pafish/hooks.h
+++ b/pafish/hooks.h
@@ -1,7 +1,7 @@
-
-#ifndef HOOKS_H
-#define HOOKS_H
-
-int check_hook_DeleteFileW_m1();
-
-#endif
+
+#ifndef HOOKS_H
+#define HOOKS_H
+
+int check_hook_DeleteFileW_m1();
+
+#endif
diff --git a/pafish/main.c b/pafish/main.c
index 2a0b5d8..6cd5634 100644
--- a/pafish/main.c
+++ b/pafish/main.c
@@ -4,6 +4,7 @@ #include #include +#include "types.h" #include "common.h" #include "debuggers.h"
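Review bot: `check_hook_DeleteFileW_m1` treats the 32-bit operand after the `FF 25` opcode as an absolute pointer (`DWORD *c = (DWORD *)(*dwAddress);`) and then reads a 32-bit value from that slot as a code address, which is only valid for a 32-bit image where pointers are 32 bits wide and that operand is an absolute address; in a 64-bit build the same operand is RIP-relative and the `DWORD` casts truncate, so the comparison would read the wrong memory. The Makefile in this commit targets MinGW32, so the current build presumably works, but the assumption should be written down and enforced, e.g. `/* 32-bit only: FF 25 disp32 is an absolute import-slot address here. */` above the function plus an `#ifdef _WIN64` `#error` (or an early `return FALSE`). Independently of the TRUE/FALSE flip, `c` and `op` are dereferenced without any check that the slot held a readable address.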
@@ -16,380 +17,316 @@ #include "qemu.h" /* - Pafish (Paranoid fish) + Pafish (Paranoid fish) - All code from this project, including - functions, procedures and the main program - is licensed under GNU/GPL version 3. + All code from this project, including + functions, procedures and the main program + is licensed under GNU/GPL version 3. - So, if you are going to use functions or - procedures from this project to develop - your malware, you have to release the - source code as well :) + So, if you are going to use functions or + procedures from this project to develop + your malware, you have to release the + source code as well :) - - Alberto Ortega + - Alberto Ortega */ int main(int argc, char *argv[]) { - char icon[] = "Blue fish icon thanks to http://www.fasticon.com/", winverstr[32], aux[1024]; - OSVERSIONINFO winver; + char icon[] = "Blue fish icon thanks to http://www.fasticon.com/", winverstr[32], aux[1024]; + OSVERSIONINFO winver; - write_log("Start"); + write_log("Start"); - init_cmd_colors(); - print_header(); + init_cmd_colors(); + print_header(); - winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); - GetVersionEx(&winver); - snprintf(winverstr, sizeof(winverstr), "%d.%d build %d", winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber); + winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); + GetVersionEx(&winver); + snprintf(winverstr, sizeof(winverstr)-sizeof(winverstr[0]), "%d.%d build %d", + winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber); - printf("[*] Windows version: %s\n", winverstr); - snprintf(aux, sizeof(aux), "Windows version: %s", winverstr); - write_log(aux); + printf("[*] Windows version: %s\n", winverstr); + snprintf(aux, sizeof(aux)-sizeof(aux[0]), "Windows version: %s", winverstr); + write_log(aux); - printf("[*] Running checks ...\n"); + printf("[*] Running checks ...\n"); - /* Debuggers detection tricks */ - printf("\n[-] Debuggers detection\n"); - printf("[*] Using IsDebuggerPresent() ... 
"); - if (debug_isdebuggerpresent() == 0) { - write_log("Debugger traced using IsDebuggerPresent()"); - print_traced(); - write_trace("hi_debugger_isdebuggerpresent"); - } - else { - print_not_traced(); - } - /* This is only working on MS Windows systems prior to Vista */ - if (winver.dwMajorVersion < 6) { - printf("[*] Using OutputDebugString() ... "); - if (debug_outputdebugstring() == 0) { - write_log("Debugger traced using OutputDebugString()"); - print_traced(); - write_trace("hi_debugger_outputdebugstring"); - } - else { - print_not_traced(); - } - } - - /* Generic sandbox detection tricks */ - printf("\n[-] Generic sandbox detection\n"); - printf("[*] Using mouse activity ... "); - if (gensandbox_mouse_act() == 0) { - print_traced(); - write_log("Sandbox traced using mouse activity"); - write_trace("hi_sandbox_mouse_act"); - } - else { - print_not_traced(); - } - printf("[*] Checking username ... "); - if (gensandbox_username() == 0) { - print_traced(); - write_log("Sandbox traced by checking username"); - write_trace("hi_sandbox_username"); - } - else { - print_not_traced(); - } - printf("[*] Checking file path ... "); - if (gensandbox_path() == 0) { - print_traced(); - write_log("Sandbox traced by checking file path"); - write_trace("hi_sandbox_path"); - } - else { - print_not_traced(); - } - printf("[*] Checking if disk size <= 50GB ... "); - if (gensandbox_drive_size() == 0) { - print_traced(); - write_log("Sandbox traced by checking disk size <= 50GB"); - write_trace("hi_sandbox_drive_size"); - } - else { - print_not_traced(); - } - - printf("[*] Checking if disk size by GetDiskFreeSpace <= 60GB ... "); - if (gensandbox_drive_size2() == 0) { - print_traced(); - write_log("Sandbox traced by checking disk size GetDiskFreeSpace <= 60GB"); - write_trace("hi_sandbox_drive_size_2"); - } - else { - print_not_traced(); - } - - /* Hooks detection tricks */ - printf("\n[-] Hooks detection\n"); - printf("[*] Checking function DeleteFileW method 1 ... 
"); - if (check_hook_DeleteFileW_m1() == 0) { - print_traced(); - write_log("Hooks traced using DeleteFileW method 1"); - write_trace("hi_hooks_deletefile_m1"); - } - else { - print_not_traced(); - } - - /* Sandboxie detection tricks */ - printf("\n[-] Sandboxie detection\n"); - printf("[*] Using sbiedll.dll ... "); - if (sboxie_detect_sbiedll() == 0) { - write_log("Sandboxie traced using sbiedll.dll"); - print_traced(); - write_trace("hi_sandboxie"); - } - else { - print_not_traced(); - } - - /* Wine detection tricks */ - printf("\n[-] Wine detection\n"); - printf("[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... "); - if (wine_detect_get_unix_file_name() == 0) { - write_log("Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll"); - print_traced(); - write_trace("hi_wine"); - } - else { - print_not_traced(); - } - - /* VirtualBox detection tricks */ - printf("\n[-] VirtualBox detection\n"); - printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); - if (vbox_reg_key1() == 0) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\""); - print_traced(); - write_trace("hi_virtualbox"); - } - else { - print_not_traced(); - } - - printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... "); - if (vbox_reg_key2() == 0) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\""); - print_traced(); - write_trace("hi_virtualbox"); - } - else { - print_not_traced(); - } - - printf("[*] Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions) ... 
"); - if (vbox_reg_key3() == 0) { - write_log("VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"); - print_traced(); - write_trace("hi_virtualbox"); - } - else { - print_not_traced(); - } - - printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\") ... "); - if (vbox_reg_key4() == 0) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\""); - print_traced(); - write_trace("hi_virtualbox"); - } - else { - print_not_traced(); - } - - printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ ... "); - if (vbox_reg_key5() == 0) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"); - print_traced(); - write_trace("hi_virtualbox"); - } - else { - print_not_traced(); - } - - printf("[*] Reg key (HKLM\\SYSTEM\\CurrentControlSet\\Enum\\IDE ... "); - if (vbox_reg_key6() == 0) { + /* Debuggers detection tricks */ + printf("\n[-] Debuggers detection\n"); + printf("[*] Using IsDebuggerPresent() ... "); + if (debug_isdebuggerpresent() == TRUE) { + write_log("Debugger traced using IsDebuggerPresent()"); print_traced(); - } - else { - print_not_traced(); - } + write_trace("hi_debugger_isdebuggerpresent"); + } + else print_not_traced(); - printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__ ... "); - if (vbox_reg_key7() == 0) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__"); - print_traced(); - write_trace("hi_virtualbox"); - } - else { - print_not_traced(); - } - - printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__ ... "); - if (vbox_reg_key8() == 0) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__"); - print_traced(); - write_trace("hi_virtualbox"); - } - else { - print_not_traced(); - } - - printf("[*] Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox* ... 
"); - if (vbox_reg_key9() == 0) { - print_traced(); - } - else { - print_not_traced(); - } - - if (vbox_sysfile1() == 0) { - print_traced(); - } - else { - print_not_traced(); - } - - if (vbox_sysfile2() == 0) { - print_traced(); - } - else { - print_not_traced(); - } - - printf("[*] Looking for MAC "); - if (vbox_mac() == 0) { - print_traced(); - } - else { - print_not_traced(); - } - - printf("[*] Looking for pseudo device "); - if (vbox_pseudodev() == 0) { - print_traced(); - } - else { - print_not_traced(); - } - - printf("[*] Looking for pipe "); - if (vbox_pipe() == 0) { - print_traced(); - } - else { - print_not_traced(); - } - - printf("[*] Looking for VBox tray tool window "); - if (vbox_traywindow() == 0) { - print_traced(); - } - else { - print_not_traced(); - } - - printf("[*] Looking for VBox network share "); - if (vbox_network_share() == 0) { - print_traced(); - } - else { - print_not_traced(); - } - - printf("[*] Looking for VBox processes "); - if (vbox_processes() == 0) { - print_traced(); - } - else { - print_not_traced(); - } - - printf("[*] Looking for guest tools "); - if (vbox_guest_tools() == 0) { - print_traced(); + /* This is only working on MS Windows systems prior to Vista */ + if (winver.dwMajorVersion < 6) { + printf("[*] Using OutputDebugString() ... "); + if (debug_outputdebugstring() == TRUE) { + write_log("Debugger traced using OutputDebugString()"); + print_traced(); + write_trace("hi_debugger_outputdebugstring"); + } + else print_not_traced(); } - printf("[*] Looking for VBox devices "); - if (vbox_devices() == 0) { + /* Generic sandbox detection tricks */ + printf("\n[-] Generic sandbox detection\n"); + printf("[*] Using mouse activity ... 
"); + if (gensandbox_mouse_act() == TRUE) { print_traced(); - } - else { - print_not_traced(); - } + write_log("Sandbox traced using mouse activity"); + write_trace("hi_sandbox_mouse_act"); + } + else print_not_traced(); - /* VMware detection tricks */ - printf("\n[-] VMware detection\n"); - printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); - if (vmware_reg_key1() == 0) { - write_log("VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\""); - print_traced(); - write_trace("hi_vmware"); - } - else { - print_not_traced(); - } - printf("[*] Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools) ... "); - if (vmware_reg_key2() == 0) { - write_log("VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"); - print_traced(); - write_trace("hi_vmware"); - } - else { - print_not_traced(); - } - printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys ... "); - if (vmware_sysfile1() == 0) { - write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys"); - print_traced(); - write_trace("hi_vmware"); - } - else { - print_not_traced(); - } - printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... "); - if (vmware_sysfile2() == 0) { - write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys"); - print_traced(); - write_trace("hi_vmware"); - } - else { - print_not_traced(); - } + printf("[*] Checking username ... "); + if (gensandbox_username() == TRUE) { + print_traced(); + write_log("Sandbox traced by checking username"); + write_trace("hi_sandbox_username"); + } + else print_not_traced(); - /* Qemu detection tricks */ - printf("\n[-] Qemu detection\n"); - printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... 
"); - if (qemu_reg_key1() == 0) { - write_log("Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\""); - print_traced(); - write_trace("hi_qemu"); - } - else { - print_not_traced(); - } - printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... "); - if (qemu_reg_key2() == 0) { - write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\""); - print_traced(); - write_trace("hi_qemu"); - } - else { - print_not_traced(); - } + printf("[*] Checking file path ... "); + if (gensandbox_path() == TRUE) { + print_traced(); + write_log("Sandbox traced by checking file path"); + write_trace("hi_sandbox_path"); + } + else print_not_traced(); - printf("\n\n"); - printf("[-] Finished, feel free to RE me."); + printf("[*] Checking if disk size <= 60GB via DeviceIoControl() ... "); + if (gensandbox_drive_size() == TRUE) { + print_traced(); + write_log("Sandbox traced by checking disk size <= 60GB via DeviceIoControl()"); + write_trace("hi_sandbox_drive_size"); + } + else print_not_traced(); - write_log("End"); + printf("[*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... "); + if (gensandbox_drive_size2() == TRUE) { + print_traced(); + write_log("Sandbox traced by checking disk size <= 60GB via GetDiskFreeSpaceExA()"); + write_trace("hi_sandbox_drive_size2"); + } + else print_not_traced(); - fflush(stdin); + /* Hooks detection tricks */ + printf("\n[-] Hooks detection\n"); + printf("[*] Checking function DeleteFileW method 1 ... "); + if (check_hook_DeleteFileW_m1() == TRUE) { + print_traced(); + write_log("Hooks traced using DeleteFileW method 1"); + write_trace("hi_hooks_deletefile_m1"); + } + else print_not_traced(); + + /* Sandboxie detection tricks */ + printf("\n[-] Sandboxie detection\n"); + printf("[*] Using GetModuleHandle(sbiedll.dll) ... 
"); + if (sboxie_detect_sbiedll() == TRUE) { + write_log("Sandboxie traced using GetModuleHandle(sbiedll.dll)"); + print_traced(); + write_trace("hi_sandboxie"); + } + else print_not_traced(); + + /* Wine detection tricks */ + printf("\n[-] Wine detection\n"); + printf("[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... "); + if (wine_detect_get_unix_file_name() == TRUE) { + write_log("Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll"); + print_traced(); + write_trace("hi_wine"); + } + else print_not_traced(); + + /* VirtualBox detection tricks */ + printf("\n[-] VirtualBox detection\n"); + printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); + if (vbox_reg_key1() == TRUE) { + write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\""); + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... "); + if (vbox_reg_key2() == TRUE) { + write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\""); + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions) ... "); + if (vbox_reg_key3() == TRUE) { + write_log("VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"); + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\") ... "); + if (vbox_reg_key4() == TRUE) { + write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\""); + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ ... 
"); + if (vbox_reg_key5() == TRUE) { + write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"); + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__ ... "); + if (vbox_reg_key7() == TRUE) { + write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__"); + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__ ... "); + if (vbox_reg_key8() == TRUE) { + write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__"); + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox* ... "); + if (vbox_reg_key9(TRUE) == TRUE) { + /* Log written inside function */ + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Driver files in C:\\WINDOWS\\system32\\drivers\\VBox* ... "); + if (vbox_sysfile1(TRUE) == TRUE) { + /* Log written inside function */ + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Additional system files ... "); + if (vbox_sysfile2(TRUE) == TRUE) { + /* Log written inside function */ + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Looking for a MAC address starting with 08:00:27 ... "); + if (vbox_mac() == TRUE) { + write_log("VirtualBox traced using MAC address starting with 08:00:27"); + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Looking for pseudo devices ... "); + if (vbox_devices(TRUE) == TRUE) { + /* Log written inside function */ + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Looking for VBoxTray windows ... 
"); + if (vbox_traywindow() == TRUE) { + write_log("VirtualBox traced using VBoxTray windows"); + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Looking for VBox network share ... "); + if (vbox_network_share() == TRUE) { + write_log("VirtualBox traced using its network share"); + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + printf("[*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... "); + if (vbox_processes(TRUE) == TRUE) { + /* Log written inside function */ + print_traced(); + write_trace("hi_virtualbox"); + } + else print_not_traced(); + + /* VMware detection tricks */ + printf("\n[-] VMware detection\n"); + printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); + if (vmware_reg_key1() == TRUE) { + write_log("VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\""); + print_traced(); + write_trace("hi_vmware"); + } + else print_not_traced(); + + printf("[*] Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools) ... "); + if (vmware_reg_key2() == TRUE) { + write_log("VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"); + print_traced(); + write_trace("hi_vmware"); + } + else print_not_traced(); + + printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys ... "); + if (vmware_sysfile1() == TRUE) { + write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys"); + print_traced(); + write_trace("hi_vmware"); + } + else print_not_traced(); + + printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... 
"); + if (vmware_sysfile2() == TRUE) { + write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys"); + print_traced(); + write_trace("hi_vmware"); + } + else print_not_traced(); + + /* Qemu detection tricks */ + printf("\n[-] Qemu detection\n"); + printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); + if (qemu_reg_key1() == TRUE) { + write_log("Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\""); + print_traced(); + write_trace("hi_qemu"); + } + else print_not_traced(); + + printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... "); + if (qemu_reg_key2() == TRUE) { + write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\""); + print_traced(); + write_trace("hi_qemu"); + } + else print_not_traced(); + + printf("\n\n"); + printf("[-] Feel free to RE me, check log file for more information."); + + write_log("End"); + + fflush(stdin); getchar(); - return 0; + return 0; } diff --git a/pafish/qemu.c b/pafish/qemu.c index 942f717..e74802c 100644 --- a/pafish/qemu.c +++ b/pafish/qemu.c 
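Review bot: The rewritten `snprintf(winverstr, sizeof(winverstr)-sizeof(winverstr[0]), "%d.%d build %d", ...)` near the top of the hunk passes `DWORD` (`unsigned long`) fields to `%d`, which is a format/argument type mismatch; use `"%lu.%lu build %lu"`. The `-sizeof(winverstr[0])` and `-sizeof(aux[0])` adjustments on the two `snprintf` calls are unnecessary, because `snprintf` already accounts for the terminator within the size it is given, so plain `sizeof(winverstr)` and `sizeof(aux)` are both correct and clearer. The `fflush(stdin);` kept as context before `getchar()` is undefined behaviour under the C standard and only has the intended effect on the MSVCRT runtime; a comment saying so, or a loop that drains input with `getchar()`, would avoid surprises on other runtimes.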
@@ -1,67 +1,68 @@
-
-#include
-#include
-
-#include "qemu.h"
-
-int qemu_reg_key1() {
- HKEY regkey;
- LONG retu;
- char value[1024];
- int i;
- DWORD size;
-
- size = sizeof(value);
- retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 0, KEY_READ, ®key);
- if (retu == ERROR_SUCCESS) {
- retu = RegQueryValueEx(regkey, "Identifier", NULL, NULL, (BYTE*)value, &size);
- if (retu == ERROR_SUCCESS) {
- for (i = 0; i < strlen(value); i++) { /* case-insensitive */
- value[i] = toupper(value[i]);
- }
- if (strstr(value, "QEMU") != NULL) {
- return 0;
- }
- else {
- return 1;
- }
- }
- else {
- return 1;
- }
- }
- else {
- return 1;
- }
-}
-
-int qemu_reg_key2() {
- HKEY regkey;
- LONG retu;
- char value[1024];
- int i;
- DWORD size;
-
- size = sizeof(value);
- retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", 0, KEY_READ, ®key);
- if (retu == ERROR_SUCCESS) {
- retu = RegQueryValueEx(regkey, "SystemBiosVersion", NULL, NULL, (BYTE*)value, &size);
- if (retu == ERROR_SUCCESS) {
- for (i = 0; i < strlen(value); i++) { /* case-insensitive */
- value[i] = toupper(value[i]);
- }
- if (strstr(value, "QEMU") != NULL) {
- return 0;
- }
- else {
- return 1;
- }
- }
- else {
- return 1;
- }
- }
- else {
- return 1;
- }
-}
+
+#include
+#include
+
+#include "qemu.h"
+#include "types.h"
+
+int qemu_reg_key1() {
+ HKEY regkey;
+ LONG retu;
+ char value[1024];
+ int i;
+ DWORD size;
+
+ size = sizeof(value);
+ retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 0, KEY_READ, ®key);
+ if (retu == ERROR_SUCCESS) {
+ retu = RegQueryValueEx(regkey, "Identifier", NULL, NULL, (BYTE*)value, &size);
+ if (retu == ERROR_SUCCESS) {
+ for (i = 0; i < strlen(value); i++) { /* case-insensitive */
+ value[i] = toupper(value[i]);
+ }
+ if (strstr(value, "QEMU") != NULL) {
+ return TRUE;
+ }
+ else {
+ return FALSE;
+ }
+ }
+ else {
+ return FALSE;
+ }
+ }
+ else {
+ return FALSE;
+ }
+}
+
+int qemu_reg_key2() {
+ HKEY regkey;
+ LONG retu;
+ char value[1024];
+ int i;
+ DWORD size;
+
+ size = sizeof(value);
+ retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", 0, KEY_READ, ®key);
+ if (retu == ERROR_SUCCESS) {
+ retu = RegQueryValueEx(regkey, "SystemBiosVersion", NULL, NULL, (BYTE*)value, &size);
+ if (retu == ERROR_SUCCESS) {
+ for (i = 0; i < strlen(value); i++) { /* case-insensitive */
+ value[i] = toupper(value[i]);
+ }
+ if (strstr(value, "QEMU") != NULL) {
+ return TRUE;
+ }
+ else {
+ return FALSE;
+ }
+ }
+ else {
+ return FALSE;
+ }
+ }
+ else {
+ return FALSE;
+ }
+}
diff --git a/pafish/qemu.h b/pafish/qemu.h
index a832b80..53ee250 100644
--- a/pafish/qemu.h
+++ b/pafish/qemu.h
@@ -1,9 +1,9 @@
-
-#ifndef QEMU_H
-#define QEMU_H
-
-int qemu_reg_key1();
-
-int qemu_reg_key2();
-
-#endif
+
+#ifndef QEMU_H
+#define QEMU_H
+
+int qemu_reg_key1();
+
+int qemu_reg_key2();
+
+#endif
diff --git a/pafish/sandboxie.c b/pafish/sandboxie.c
index 3c0aa1f..5f6bffe 100644
--- a/pafish/sandboxie.c
+++ b/pafish/sandboxie.c
@@ -1,13 +1,14 @@
-
-#include
-
-#include "sandboxie.h"
-
-int sboxie_detect_sbiedll() {
- if (GetModuleHandle("sbiedll.dll") != NULL) {
- return 0;
- }
- else {
- return 1;
- }
-}
+
+#include
+
+#include "sandboxie.h"
+#include "types.h"
+
+int sboxie_detect_sbiedll() {
+ if (GetModuleHandle("sbiedll.dll") != NULL) {
+ return TRUE;
+ }
+ else {
+ return FALSE;
+ }
+}
diff --git a/pafish/sandboxie.h b/pafish/sandboxie.h
index 383a26e..abebe6f 100644
--- a/pafish/sandboxie.h
+++ b/pafish/sandboxie.h
@@ -1,7 +1,7 @@
-
-#ifndef SANBOXIE_H
-#define SANBOXIE_H
-
-int sboxie_detect_sbiedll();
-
-#endif
+
+#ifndef SANBOXIE_H
+#define SANBOXIE_H
+
+int sboxie_detect_sbiedll();
+
+#endif
diff --git a/pafish/types.h b/pafish/types.h
new file mode 100644
index 0000000..3fd1fee
--- /dev/null
+++ b/pafish/types.h
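Review bot: qemu_reg_key1 and qemu_reg_key2 return from inside the `RegOpenKeyEx` success branch on every path without ever calling `RegCloseKey(regkey)`, so each call leaks a registry handle; the new pafish_exists_regkey helper in this same commit does close its key, so these two should match it. The buffer handling is also unsafe: RegQueryValueEx does not guarantee that REG_SZ data is NUL-terminated, and `size` is set to the full `sizeof(value)`, so a 1024-byte value leaves `strlen(value)`/`strstr` scanning past the array. Query with `size = sizeof(value) - 1;`, then on success set `value[size] = '\0';` before the toupper loop, and call `RegCloseKey(regkey);` before each return (or restructure with a single exit). `toupper(value[i])` should also cast its argument to `(unsigned char)` so a high-bit char is not passed as a negative value.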
@@ -0,0 +1,10 @@
+
+#ifndef TYPES_H
+#define TYPES_H
+
+#define TRUE 1
+#define FALSE 0
+
+typedef char * string;
+
+#endif
diff --git a/pafish/utils.c b/pafish/utils.c
new file mode 100644
index 0000000..4bab7f0
--- /dev/null
+++ b/pafish/utils.c
@@ -0,0 +1,30 @@
+
+#include
+#include
+#include
+
+#include "utils.h"
+#include "types.h"
+
+inline int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
+ HKEY regkey;
+ LONG ret;
+
+ ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, ®key);
+ if (ret == ERROR_SUCCESS) {
+ RegCloseKey(regkey);
+ return TRUE;
+ }
+ else
+ return FALSE;
+}
+
+inline int pafish_exists_file(char * filename) {
+ DWORD ret;
+
+ ret = GetFileAttributes(filename);
+ if (ret != INVALID_FILE_ATTRIBUTES)
+ return TRUE;
+ else
+ return FALSE;
+}
diff --git a/pafish/utils.h b/pafish/utils.h
new file mode 100644
index 0000000..83a84a9
--- /dev/null
+++ b/pafish/utils.h
@@ -0,0 +1,9 @@
+
+#ifndef UTILS_H
+#define UTILS_H
+
+inline int pafish_exists_regkey(HKEY hKey, char * regkey);
+
+inline int pafish_exists_file(char * filename);
+
+#endif
diff --git a/pafish/vbox.c b/pafish/vbox.c
index 4767de0..9ce3a16 100644
--- a/pafish/vbox.c
+++ b/pafish/vbox.c
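Review bot: `#define TRUE 1` / `#define FALSE 0` in types.h duplicate macros that windows.h already provides, and every .c file in this commit includes both headers; identical redefinitions are legal C, but any future divergence turns into a hard error, so guard them with `#ifndef TRUE` … `#endif` (and the same for FALSE) or simply rely on windows.h. `typedef char * string;` hides the indirection and, as it is used for the string-literal tables in vbox.c (`string strs[count]; strs[0] = "...";`), would be safer as `typedef const char *string;` so the compiler rejects writes into read-only literals; that change presumably needs the utils.c helpers to take `const char *` as well.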
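Review bot: `inline int pafish_exists_regkey(...)` and `inline int pafish_exists_file(...)` are plain `inline` without `static` or `extern`, both in utils.c and in the utils.h prototypes; under C99 inline semantics a translation unit that sees only the inline prototype (vbox.c, vmware.c) has no external definition to link against, so this builds only because MinGW gcc defaults to gnu89 inline rules and will break under `-std=c99`. Since the helpers have their own translation unit, drop `inline` from both the definitions and the prototypes, e.g. `int pafish_exists_regkey(HKEY hKey, const char *regkey_s);` and `int pafish_exists_file(const char *filename);`. The `const` also documents that neither helper writes through its string argument, and the prototype's parameter name `regkey` should match the definition's `regkey_s`.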
@@ -1,700 +1,354 @@ - -#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "vbox.h" - -typedef char * string; - -void ToUpper(unsigned char* Pstr) { - char* P=(char*)Pstr; - unsigned long length; - unsigned long i; - - if (Pstr == NULL) - return; - - length=strlen(P); - - for(i=0;iPhysicalAddressLength==0x6){ - memcpy(mac,ppalist->PhysicalAddress,6); - if(mac[0]==0x08 && mac[1]==0x00 && mac[2]==0x27) { // VirtualBox mac starts with 08:00:27 - write_log("VirtualBox traced using MAC starting with 08:00:27"); - res = 0; - } - } - - ppalist = ppalist->Next; - } - LocalFree(palist); - } - } - if (res == 0){ - print_traced(); - write_trace("hi_virtualbox"); - } - - WSACleanup(); - } - - return res; -} - -/** -* Checking for the VirtualBox pseudo device VBoxMiniRdrDN -* https://twitter.com/waleedassar -**/ -int vbox_pseudodev() { - int res=1; - HANDLE h; - - h = CreateFile("\\\\.\\VBoxMiniRdrDN", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if (h != INVALID_HANDLE_VALUE){ - write_log("VBoxMiniRdrDN pseudo device detected"); - print_traced(); - write_trace("hi_virtualbox"); - res = 0; - CloseHandle(h); - } - - return res; -} - -/** -* Checking for the VirtualBox pipe -* https://twitter.com/waleedassar -**/ -int vbox_pipe() { - int res=1; - HANDLE h; - - h = CreateFile("\\\\.\\pipe\\VBoxTrayIPC", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if (h != INVALID_HANDLE_VALUE){ - write_log("VirtualBox VBoxTrayIPC pipe detected"); - print_traced(); - write_trace("hi_virtualbox"); - res = 0; - CloseHandle(h); - } - - return res; - -} - -/** -* Checking for Tray window -* https://twitter.com/waleedassar -**/ -int vbox_traywindow() { - int res=1; - HWND h1; - HWND h2; - - h1 = FindWindow("VBoxTrayToolWndClass", 0); - h2 = FindWindow(0, "VBoxTrayToolWnd"); - - if (h1 || h2){ - 
write_log("VirtualBox Tray tool window detected"); - print_traced(); - write_trace("hi_virtualbox"); - res = 0; - } - - return res; -} - - -/** -* Checking network shared -* https://twitter.com/waleedassar -**/ -int vbox_network_share() { - int res=1; - - unsigned long pnsize=0x1000; - - char * provider=(char *)LocalAlloc(LMEM_ZEROINIT, pnsize); - int retv = WNetGetProviderName(WNNC_NET_RDR2SAMPLE, provider, &pnsize); - if (retv==NO_ERROR){ - if (lstrcmpi(provider, "VirtualBox Shared Folders") == 0){ - write_log("VirtualBox shared folder detected"); - print_traced(); - write_trace("hi_virtualbox"); - res = 0; - } - } - - return res; -} - -/** -* Checking for virtual box processes -**/ -int vbox_processes() { - int res=1; - HANDLE hpSnap; - PROCESSENTRY32 pentry; - - hpSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); - if (hpSnap != INVALID_HANDLE_VALUE){ - pentry.dwSize = sizeof (PROCESSENTRY32); - } - - if( !Process32First( hpSnap, &pentry ) ){ - CloseHandle(hpSnap); - return 0; - } - - do { - if (lstrcmpi(pentry.szExeFile, "vboxservice.exe") == 0){ - write_log("vboxservice.exe process detected"); - res = 0; - } - if (lstrcmpi(pentry.szExeFile, "vboxtray.exe") == 0){ - write_log("vboxtray.exe process detected"); - res = 0; - } - } while( Process32Next( hpSnap, &pentry ) ); - - if (res == 0){ - print_traced(); - write_trace("hi_virtualbox"); - } - return res; -} - -/** -* Checking for the VBoxControl and other vbox tools -**/ -int vbox_guest_tools() { - int res=1; - HANDLE h; - - h = CreateFile("c:\\windows\\system32\\VBoxControl.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if (h != INVALID_HANDLE_VALUE){ - write_log("VirtualBox VBoxControl.exe detected"); - print_traced(); - write_trace("hi_virtualbox"); - res = 0; - CloseHandle(h); - } - - h = CreateFile("c:\\program files\\oracle\\virtualbox guest additions\\VBoxDrvInst.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - 
if (h != INVALID_HANDLE_VALUE){ - write_log("VirtualBox VBoxDrvInst.exe detected"); - print_traced(); - write_trace("hi_virtualbox"); - res = 0; - CloseHandle(h); - } - - h = CreateFile("c:\\program files\\oracle\\virtualbox guest additions\\VBoxWHQLFake.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if (h != INVALID_HANDLE_VALUE){ - write_log("VirtualBox VBoxWHQLFake.exe detected"); - print_traced(); - write_trace("hi_virtualbox"); - res = 0; - CloseHandle(h); - } - - return res; - -} - - -/** -* Helper function to get device propery. Free return buffer after use ! Only for REG_SZ data -* -* -**/ -LPTSTR device_property(HDEVINFO hDevInfo, SP_DEVINFO_DATA DevInfoData, DWORD property){ - - LPTSTR buffer = NULL; - DWORD buffersize = 0; - DWORD DataT; - - while (!SetupDiGetDeviceRegistryProperty( - hDevInfo, - &DevInfoData, - property, - &DataT, - (PBYTE) buffer, - buffersize, - &buffersize - )){ - - if (GetLastError () == ERROR_INSUFFICIENT_BUFFER){ - if (buffer) LocalFree(buffer); - buffer = LocalAlloc (LPTR, buffersize * 2); - } - else - { - break; - } - } - - return buffer; -} - -/** -* VBox devices -* -* http://support.microsoft.com/kb/259695/EN-US -**/ -int vbox_devices() { - int res=1; - HDEVINFO hDevInfo; - DWORD i; - SP_DEVINFO_DATA DevInfoData; - - hDevInfo = SetupDiGetClassDevs(NULL, 0, 0, DIGCF_PRESENT | DIGCF_ALLCLASSES); - - if (hDevInfo == INVALID_HANDLE_VALUE){ - return res; - } - - DevInfoData.cbSize = sizeof(SP_DEVINFO_DATA); - - // Enum devices - for (i=0; SetupDiEnumDeviceInfo(hDevInfo, i, &DevInfoData); i++){ - - LPTSTR buffer = NULL; - - - DWORD properties[] = {SPDRP_CLASS, SPDRP_CLASSGUID, SPDRP_DEVICEDESC, SPDRP_ENUMERATOR_NAME, SPDRP_FRIENDLYNAME, SPDRP_LOCATION_INFORMATION, SPDRP_MFG, SPDRP_PHYSICAL_DEVICE_OBJECT_NAME, SPDRP_SERVICE}; - int prop; - const int max_prop = 9; - char * message; - - for (prop=0; prop < max_prop ; prop ++){ - buffer = device_property(hDevInfo, DevInfoData, 
properties[prop]); - if (buffer != NULL){ - ToUpper(buffer); - if ((strstr((char *)buffer, "VBOX")) || - (strstr((char *)buffer, "VIRTUALBOX"))){ - message = (char*)LocalAlloc(LMEM_ZEROINIT,strlen(buffer)+200); - if (message) { - sprintf(message, "VBOX traced by device property %s ", buffer); - write_log(message); - LocalFree(message); - } - res = 0; - } - LocalFree(buffer); - buffer = NULL; - } - } - } - - // Cleanup - SetupDiDestroyDeviceInfoList(hDevInfo); - - if (res == 0){ - print_traced(); - write_trace("hi_virtualbox"); - } - return res; -} + +#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */ + +#include +#include +#include +#include +#include + +#include "vbox.h" +#include "utils.h" +#include "types.h" + +/** +* SCSI registry key check +**/ +int vbox_reg_key1() { + HKEY regkey; + LONG retu; + char value[1024]; + int i; + DWORD size; + + size = sizeof(value); + retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 0, KEY_READ, ®key); + if (retu == ERROR_SUCCESS) { + retu = RegQueryValueEx(regkey, "Identifier", NULL, NULL, (BYTE*)value, &size); + if (retu == ERROR_SUCCESS) { + for (i = 0; i < strlen(value); i++) { /* case-insensitive */ + value[i] = toupper(value[i]); + } + if (strstr(value, "VBOX") != NULL) { + return TRUE; + } + else { + return FALSE; + } + } + else { + return FALSE; + } + } + else { + return FALSE; + } +} + +/** +* SystemBiosVersion registry key check +**/ +int vbox_reg_key2() { + HKEY regkey; + LONG retu; + char value[1024]; + int i; + DWORD size; + + size = sizeof(value); + retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", 0, KEY_READ, ®key); + if (retu == ERROR_SUCCESS) { + retu = RegQueryValueEx(regkey, "SystemBiosVersion", NULL, NULL, (BYTE*)value, &size); + if (retu == ERROR_SUCCESS) { + for (i = 0; i < strlen(value); i++) { /* case-insensitive */ + value[i] = toupper(value[i]); + } + if (strstr(value, "VBOX") != NULL) { + return TRUE; + 
} + else { + return FALSE; + } + } + else { + return FALSE; + } + } + else { + return FALSE; + } +} + +/** +* VirtualBox Guest Additions key check +**/ +int vbox_reg_key3() { + return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "SOFTWARE\\Oracle\\VirtualBox Guest Additions"); +} + +/** +* VideoBiosVersion key check +**/ +int vbox_reg_key4() { + HKEY regkey; + LONG retu; + char value[1024]; + int i; + DWORD size; + + size = sizeof(value); + retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", 0, KEY_READ, ®key); + if (retu == ERROR_SUCCESS) { + retu = RegQueryValueEx(regkey, "VideoBiosVersion", NULL, NULL, (BYTE*)value, &size); + if (retu == ERROR_SUCCESS) { + for (i = 0; i < strlen(value); i++) { /* case-insensitive */ + value[i] = toupper(value[i]); + } + if (strstr(value, "VIRTUALBOX") != NULL) { + return TRUE; + } + else { + return FALSE; + } + } + else { + return FALSE; + } + } + else { + return FALSE; + } +} + +/** +* ACPI Regkey detection +**/ +int vbox_reg_key5() { + return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\DSDT\\VBOX__"); +} + +/** +* FADT ACPI Regkey detection +**/ +int vbox_reg_key7() { + return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__"); +} + +/** +* RSDT ACPI Regkey detection +**/ +int vbox_reg_key8() { + return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\RSDT\\VBOX__"); +} + +/** +* VirtualBox Services Regkey detection +**/ +int vbox_reg_key9(int writelogs) { + int res = FALSE, i; + const int count = 5; + char message[200]; + + string strs[count]; + strs[0] = "SYSTEM\\ControlSet001\\Services\\VBoxGuest"; + strs[1] = "SYSTEM\\ControlSet001\\Services\\VBoxMouse"; + strs[2] = "SYSTEM\\ControlSet001\\Services\\VBoxService"; + strs[3] = "SYSTEM\\ControlSet001\\Services\\VBoxSF"; + strs[4] = "SYSTEM\\ControlSet001\\Services\\VBoxVideo"; + for (i=0; i < count; i++) { + if (pafish_exists_regkey(HKEY_LOCAL_MACHINE, strs[i])) { + snprintf(message, 
sizeof(message)-sizeof(message[0]), "VirtualBox traced using Reg key HKLM\\%s", strs[i]); + if (writelogs) write_log(message); + res = TRUE; + } + } + return res; +} + +/** +* VirtualBox driver files in \\WINDOWS\\system32\\drivers\\ +**/ +int vbox_sysfile1(int writelogs) { + DWORD ret; + const int count = 4; + string strs[count]; + int res = FALSE, i = 0; + char message[200]; + + strs[0] = "C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys"; + strs[1] = "C:\\WINDOWS\\system32\\drivers\\VBoxGuest.sys"; + strs[2] = "C:\\WINDOWS\\system32\\drivers\\VBoxSF.sys"; + strs[3] = "C:\\WINDOWS\\system32\\drivers\\VBoxVideo.sys"; + for (i=0; i < count; i++) { + if (pafish_exists_file(strs[i])) { + snprintf(message, sizeof(message)-sizeof(message[0]), "VirtualBox traced using driver file %s", strs[i]); + if (writelogs) write_log(message); + res = TRUE; + } + } + return res; +} + +/** +* VirtualBox other system files +**/ +int vbox_sysfile2(int writelogs) { + DWORD ret; + const int count = 14; + string strs[count]; + int res = FALSE, i = 0; + char message[200]; + + strs[0] = "C:\\WINDOWS\\system32\\vboxdisp.dll"; + strs[1] = "C:\\WINDOWS\\system32\\vboxhook.dll"; + strs[2] = "C:\\WINDOWS\\system32\\vboxmrxnp.dll"; + strs[3] = "C:\\WINDOWS\\system32\\vboxogl.dll"; + strs[4] = "C:\\WINDOWS\\system32\\vboxoglarrayspu.dll"; + strs[5] = "C:\\WINDOWS\\system32\\vboxoglcrutil.dll"; + strs[6] = "C:\\WINDOWS\\system32\\vboxoglerrorspu.dll"; + strs[7] = "C:\\WINDOWS\\system32\\vboxoglfeedbackspu.dll"; + strs[8] = "C:\\WINDOWS\\system32\\vboxoglpackspu.dll"; + strs[9] = "C:\\WINDOWS\\system32\\vboxoglpassthroughspu.dll"; + strs[10] = "C:\\WINDOWS\\system32\\vboxservice.exe"; + strs[11] = "C:\\WINDOWS\\system32\\vboxtray.exe"; + strs[12] = "C:\\WINDOWS\\system32\\VBoxControl.exe"; + strs[13] = "C:\\program files\\oracle\\virtualbox guest additions\\"; + for (i = 0; i < count; i++) { + if (pafish_exists_file(strs[i])) { + snprintf(message, sizeof(message)-sizeof(message[0]), "VirtualBox traced 
using system file %s", strs[i]); + if (writelogs) write_log(message); + res = TRUE; + } + } + return res; +} + +/** +* NIC MAC check +**/ +int vbox_mac() { + WSADATA WSD; + int res = FALSE; + char mac[6]={0}; + + if(!WSAStartup(MAKEWORD(2,2),&WSD)){ + unsigned long alist_size = 0; + int ret = GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,0,&alist_size); + if(ret==ERROR_BUFFER_OVERFLOW) { + IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size); + if(palist) { + ret=GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,palist,&alist_size); + IP_ADAPTER_ADDRESSES* ppalist=palist; + while (ppalist){ + if (ppalist->PhysicalAddressLength==0x6){ + memcpy(mac,ppalist->PhysicalAddress,0x6); + if(mac[0]==0x08 && mac[1]==0x00 && mac[2]==0x27) { // VirtualBox mac starts with 08:00:27 + res = TRUE; + break; + } + } + ppalist = ppalist->Next; + } + LocalFree(palist); + } + } + WSACleanup(); + } + return res; +} + +/** +* VirtualBox devices +**/ +int vbox_devices(int writelogs) { + HANDLE h; + const int count = 4; + string strs[count]; + int res = FALSE, i = 0; + char message[200]; + + /* Got this list from https://github.com/cuckoobox/community/blob/master/modules/signatures/antivm_vbox_devices.py */ + strs[0] = "\\\\.\\VBoxMiniRdrDN"; + strs[1] = "\\\\.\\pipe\\VBoxMiniRdDN"; + strs[2] = "\\\\.\\VBoxTrayIPC"; + strs[3] = "\\\\.\\pipe\\VBoxTrayIPC"; + for (i=0; i < count; i++) { + h = CreateFile(strs[i], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if (h != INVALID_HANDLE_VALUE) { + snprintf(message, sizeof(message)-sizeof(message[0]), "VirtualBox traced using device %s", strs[i]); + if (writelogs) write_log(message); + res = TRUE; + } + } + return res; +} + +/** +* Checking for Tray window +* https://twitter.com/waleedassar +**/ +int vbox_traywindow() { + HWND h1, h2; + h1 = FindWindow("VBoxTrayToolWndClass", NULL); + h2 = FindWindow(NULL, "VBoxTrayToolWnd"); + if (h1 || h2) return TRUE; + 
else return FALSE; +} + +/** +* Checking network shared +* https://twitter.com/waleedassar +**/ +int vbox_network_share() { + unsigned long pnsize = 0x1000; + char provider[pnsize]; + /* a0rtega : any reason for this to be in the heap :?, changed to stack */ + //char * provider = (char *)LocalAlloc(LMEM_ZEROINIT, pnsize); + + int retv = WNetGetProviderName(WNNC_NET_RDR2SAMPLE, provider, &pnsize); + if (retv == NO_ERROR) { + if (lstrcmpi(provider, "VirtualBox Shared Folders") == 0) { + //LocalFree(provider); + return TRUE; + } + else { + //LocalFree(provider); + return FALSE; + } + } + return FALSE; +} + +/** +* Checking for virtual box processes +**/ +int vbox_processes(int writelogs) { + int res = FALSE; + HANDLE hpSnap; + PROCESSENTRY32 pentry; + + hpSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); + if (hpSnap != INVALID_HANDLE_VALUE) { + pentry.dwSize = sizeof (PROCESSENTRY32); + } + else { + return FALSE; + } + + if(!Process32First(hpSnap, &pentry)) { + CloseHandle(hpSnap); + return FALSE; + } + + do { + if (lstrcmpi(pentry.szExeFile, "vboxservice.exe") == 0) { + write_log("VirtualBox traced using vboxservice.exe process"); + res = TRUE; + } + if (lstrcmpi(pentry.szExeFile, "vboxtray.exe") == 0) { + write_log("VirtualBox traced using vboxtray.exe process"); + res = TRUE; + } + } while (Process32Next(hpSnap, &pentry)); + return res; +} diff --git a/pafish/vbox.h b/pafish/vbox.h index c0b9117..2d96514 100644 --- a/pafish/vbox.h +++ b/pafish/vbox.h 
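Review bot: vbox_devices opens each of the four device/pipe paths with CreateFile and never calls CloseHandle on a handle that is not INVALID_HANDLE_VALUE, so every positive detection leaks a device handle; the removed vbox_pseudodev/vbox_pipe did close theirs, so this is a regression, fixed by adding `CloseHandle(h);` inside the `if (h != INVALID_HANDLE_VALUE)` block after the log line. vbox_processes has the same shape: it returns `res` after the Process32Next loop without `CloseHandle(hpSnap);`, and it ignores its new `writelogs` parameter while vbox_reg_key9, vbox_sysfile1 and vbox_sysfile2 honour theirs, so a caller passing FALSE still gets log lines. vbox_reg_key1, vbox_reg_key2 and vbox_reg_key4 likewise return out of every branch without `RegCloseKey(regkey)`, and the unused `DWORD ret;` in vbox_sysfile1/vbox_sysfile2 and `HANDLE h` in vbox_devices (where it is used) suggest the file-check bodies were copied before the helpers existed.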
@@ -3,41 +3,25 @@ #define VBOX_H int vbox_reg_key1(); - int vbox_reg_key2(); - int vbox_reg_key3(); - int vbox_reg_key4(); - int vbox_reg_key5(); - -int vbox_reg_key6(); - int vbox_reg_key7(); - int vbox_reg_key8(); +int vbox_reg_key9(int writelogs); -int vbox_reg_key9(); - -int vbox_sysfile1(); - -int vbox_sysfile2(); +int vbox_sysfile1(int writelogs); +int vbox_sysfile2(int writelogs); int vbox_mac(); -int vbox_pseudodev(); - -int vbox_pipe(); +int vbox_devices(int writelogs); int vbox_traywindow(); int vbox_network_share(); -int vbox_processes(); - -int vbox_guest_tools(); - -int vbox_devices(); +int vbox_processes(int writelogs); #endif diff --git a/pafish/vmware.c b/pafish/vmware.c index ffef470..fe3bbd1 100644 --- a/pafish/vmware.c +++ b/pafish/vmware.c 
@@ -1,70 +1,50 @@
-
-#include
-#include
-
-#include "vmware.h"
-
-int vmware_reg_key1() {
- HKEY regkey;
- LONG retu;
- char value[1024];
- int i;
- DWORD size;
-
- size = sizeof(value);
- retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 0, KEY_READ, ®key);
- if (retu == ERROR_SUCCESS) {
- retu = RegQueryValueEx(regkey, "Identifier", NULL, NULL, (BYTE*)value, &size);
- if (retu == ERROR_SUCCESS) {
- for (i = 0; i < strlen(value); i++) { /* case-insensitive */
- value[i] = toupper(value[i]);
- }
- if (strstr(value, "VMWARE") != NULL) {
- return 0;
- }
- else {
- return 1;
- }
- }
- else {
- return 1;
- }
- }
- else {
- return 1;
- }
-}
-
-int vmware_reg_key2() {
- HKEY regkey;
- LONG retu;
- retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools", 0, KEY_READ, ®key);
- if (retu == ERROR_SUCCESS) {
- return 0;
- }
- else {
- return 1;
- }
-}
-
-int vmware_sysfile1() {
- DWORD ret;
- ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
- if (ret != INVALID_FILE_ATTRIBUTES) {
- return 0;
- }
- else {
- return 1;
- }
-}
-
-int vmware_sysfile2() {
- DWORD ret;
- ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
- if (ret != INVALID_FILE_ATTRIBUTES) {
- return 0;
- }
- else {
- return 1;
- }
-}
+
+#include
+#include
+
+#include "vmware.h"
+#include "types.h"
+#include "utils.h"
+
+int vmware_reg_key1() {
+ HKEY regkey;
+ LONG retu;
+ char value[1024];
+ int i;
+ DWORD size;
+
+ size = sizeof(value);
+ retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 0, KEY_READ, ®key);
+ if (retu == ERROR_SUCCESS) {
+ retu = RegQueryValueEx(regkey, "Identifier", NULL, NULL, (BYTE*)value, &size);
+ if (retu == ERROR_SUCCESS) {
+ for (i = 0; i < strlen(value); i++) { /* case-insensitive */
+ value[i] = toupper(value[i]);
+ }
+ if (strstr(value, "VMWARE") != NULL) {
+ return TRUE;
+ }
+ else {
+ return FALSE;
+ }
+ }
+ else {
+ return FALSE;
+ }
+ }
+ else {
+ return FALSE;
+ }
+}
+
+int vmware_reg_key2() {
+ return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools");
+}
+
+int vmware_sysfile1() {
+ return pafish_exists_file("C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
+}
+
+int vmware_sysfile2() {
+ return pafish_exists_file("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
+}
diff --git a/pafish/vmware.h b/pafish/vmware.h
index c209fdb..15a0226 100644
--- a/pafish/vmware.h
+++ b/pafish/vmware.h
@@ -1,13 +1,13 @@
-
-#ifndef VMWARE_H
-#define VMWARE_H
-
-int vmware_reg_key1();
-
-int vmware_reg_key2();
-
-int vmware_sysfile1();
-
-int vmware_sysfile2();
-
-#endif
+
+#ifndef VMWARE_H
+#define VMWARE_H
+
+int vmware_reg_key1();
+
+int vmware_reg_key2();
+
+int vmware_sysfile1();
+
+int vmware_sysfile2();
+
+#endif
diff --git a/pafish/wine.c b/pafish/wine.c
index 6452053..a5405fd 100644
--- a/pafish/wine.c
+++ b/pafish/wine.c
@@ -1,20 +1,21 @@
-
-#include
-
-#include "wine.h"
-
-int wine_detect_get_unix_file_name() {
- HMODULE k32;
- k32 = GetModuleHandle("kernel32.dll");
- if (k32 != NULL) {
- if (GetProcAddress(k32, "wine_get_unix_file_name") != NULL) {
- return 0;
- }
- else {
- return 1;
- }
- }
- else {
- return 1;
- }
-}
+
+#include
+
+#include "wine.h"
+#include "types.h"
+
+int wine_detect_get_unix_file_name() {
+ HMODULE k32;
+ k32 = GetModuleHandle("kernel32.dll");
+ if (k32 != NULL) {
+ if (GetProcAddress(k32, "wine_get_unix_file_name") != NULL) {
+ return TRUE;
+ }
+ else {
+ return FALSE;
+ }
+ }
+ else {
+ return FALSE;
+ }
+}
diff --git a/pafish/wine.h b/pafish/wine.h
index 0914236..21d81f2 100644
--- a/pafish/wine.h
+++ b/pafish/wine.h
@@ -1,7 +1,7 @@
-
-#ifndef WINE_H
-#define WINE_H
-
-int wine_detect_get_unix_file_name();
-
-#endif
+
+#ifndef WINE_H
+#define WINE_H
+
+int wine_detect_get_unix_file_name();
+
+#endif
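Review bot: vmware_reg_key1 is a copy of qemu_reg_key1 and vbox_reg_key1 from this same commit, differing only in the "VMWARE" needle, and all three share two defects: the key opened by RegOpenKeyEx is never passed to RegCloseKey, and the REG_SZ data filled in by RegQueryValueEx is not guaranteed to be NUL-terminated before `strlen(value)`/`strstr` scan `value[]` (with `size = sizeof(value)` a 1024-byte value has no room for a terminator). Since the commit already introduces utils.c for shared checks, one helper taking the key path, value name and an upper-case needle would fix both issues in a single place and reduce vmware_reg_key1 to a one-line wrapper, exactly as vmware_reg_key2 already wraps pafish_exists_regkey. Sketch below; the `(unsigned char)` cast on the toupper argument avoids passing a negative char, and the loop stops at the terminator instead of re-running strlen each iteration.
```c
/* utils.c: TRUE when REG_SZ value `name` under `path` contains `needle` (needle must be upper-case). */
int pafish_regkey_value_contains(HKEY root, const char *path, const char *name, const char *needle) {
    HKEY regkey;
    char value[1024];
    DWORD size = sizeof(value) - 1;   /* leave one byte for our own terminator */
    DWORD i;
    int res = FALSE;

    if (RegOpenKeyEx(root, path, 0, KEY_READ, &regkey) != ERROR_SUCCESS)
        return FALSE;
    if (RegQueryValueEx(regkey, name, NULL, NULL, (BYTE *)value, &size) == ERROR_SUCCESS) {
        value[size] = '\0';           /* REG_SZ data is not guaranteed to be NUL-terminated */
        for (i = 0; value[i] != '\0'; i++)
            value[i] = toupper((unsigned char)value[i]);
        res = strstr(value, needle) != NULL;
    }
    RegCloseKey(regkey);
    return res;
}

/* vmware.c */
int vmware_reg_key1() {
    return pafish_regkey_value_contains(HKEY_LOCAL_MACHINE,
        "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
        "Identifier", "VMWARE");
}
/* … unchanged: vmware_reg_key2, vmware_sysfile1, vmware_sysfile2 … */
```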