Huge refactor, TRUE FALSE types added, utils functions added, fix encoding, trailing spaces, CRLF removed

This commit is contained in:
Alberto Ortega 2014-12-31 20:24:11 +01:00
parent 6912bb1565
commit 02a6590271
23 changed files with 1164 additions and 1572 deletions


@ -1,15 +1,15 @@

CC = gcc.exe CC = gcc.exe
LINK = gcc.exe LINK = gcc.exe
WINDRES = windres.exe WINDRES = windres.exe
OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \ OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \
Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \ Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \
Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/pafish_private.res Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/pafish_private.res
LINKOBJ = $(OBJ) LINKOBJ = $(OBJ)
LIBS = -L"C:/MinGW32/lib" -lwsock32 -liphlpapi -lsetupapi -lmpr -s LIBS = -L"C:/MinGW32/lib" -lwsock32 -liphlpapi -lsetupapi -lmpr -s
INCS = -I"C:/MinGW32/include" INCS = -I"C:/MinGW32/include"
BIN = Output/MingW/pafish.exe BIN = Output/MingW/pafish.exe
CFLAGS = $(INCS) $(DEFINES) -O0 CFLAGS = $(INCS) $(DEFINES) -O1
all: $(BIN) all: $(BIN)
@ -27,6 +27,9 @@ Objects/MingW/main.o: $(GLOBALDEPS) main.c
Objects/MingW/common.o: $(GLOBALDEPS) common.c Objects/MingW/common.o: $(GLOBALDEPS) common.c
$(CC) -c common.c -o Objects/MingW/common.o $(CFLAGS) $(CC) -c common.c -o Objects/MingW/common.o $(CFLAGS)
Objects/MingW/utils.o: $(GLOBALDEPS) utils.c
$(CC) -c utils.c -o Objects/MingW/utils.o $(CFLAGS)
Objects/MingW/debuggers.o: $(GLOBALDEPS) debuggers.c Objects/MingW/debuggers.o: $(GLOBALDEPS) debuggers.c
$(CC) -c debuggers.c -o Objects/MingW/debuggers.o $(CFLAGS) $(CC) -c debuggers.c -o Objects/MingW/debuggers.o $(CFLAGS)


@ -6,8 +6,6 @@
#include "common.h" #include "common.h"
int analysis_result = 0;
void init_cmd_colors() { void init_cmd_colors() {
HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE); HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY); SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
@ -29,7 +27,6 @@ void print_traced() {
SetConsoleTextAttribute(handler, 207); SetConsoleTextAttribute(handler, 207);
printf("traced!\n"); printf("traced!\n");
SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY); SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
analysis_result = 2;
} }
void print_not_traced() { void print_not_traced() {
@ -44,9 +41,6 @@ void print_suspicious() {
SetConsoleTextAttribute(handler, 207); SetConsoleTextAttribute(handler, 207);
printf("suspicious\n"); printf("suspicious\n");
SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY); SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
if (analysis_result == 0) {
analysis_result = 1;
}
} }
void write_log(char msg[]) { void write_log(char msg[]) {


@ -16,6 +16,4 @@ void write_log(char msg[]);
void write_trace(char product[]); void write_trace(char product[]);
extern int analysis_result;
#endif #endif


@ -4,26 +4,25 @@
#include <windows.h> #include <windows.h>
#include "debuggers.h" #include "debuggers.h"
#include "types.h"
int debug_isdebuggerpresent() { int debug_isdebuggerpresent() {
if (IsDebuggerPresent()) { if (IsDebuggerPresent())
return 0; return TRUE;
} else
else { return FALSE;
return 1;
}
} }
/* This function is not used because it isn't reliable in /* This function is not used because it isn't reliable in
some new environments */ some new environments */
int debug_checkremotedebuggerpresent() { int debug_checkremotedebuggerpresent() {
BOOL isdebug = FALSE; BOOL isdebug = FALSE;
CheckRemoteDebuggerPresent(GetCurrentProcess(), &isdebug); CheckRemoteDebuggerPresent(GetCurrentProcess(), &isdebug);
if (isdebug) { if (isdebug) {
return 0; return TRUE;
} }
else { else {
return 1; return FALSE;
} }
} }
@ -34,9 +33,9 @@ int debug_outputdebugstring() {
drop an error. */ drop an error. */
OutputDebugString("useless"); OutputDebugString("useless");
if (GetLastError() == err){ if (GetLastError() == err){
return 0; return TRUE;
} }
else { else {
return 1; return FALSE;
} }
} }
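Review bot: The detection functions in this hunk now return TRUE on a positive result where they returned 0 before, so the meaning of the int return is inverted, yet nothing in the hunk (prototype, return type or comment) records the new convention; the same inversion is made in gensandbox.c, hooks.c, qemu.c, sandboxie.c and vbox.c. Only main.c is shown being updated, so any other caller compiled against the old convention would silently report the opposite result. A one-line contract above each function, `/* Returns TRUE when a debugger is detected, FALSE otherwise. */`, or a `BOOL` return type, would make the convention visible at the call site. The new `#include "types.h"` also redefines TRUE and FALSE that `<windows.h>` already provides; that is legal only while both replacement lists stay identical, which is worth a comment in types.h.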


@ -3,20 +3,21 @@
#include <winioctl.h> #include <winioctl.h>
#include <string.h> #include <string.h>
#include "types.h"
#include "gensandbox.h" #include "gensandbox.h"
int gensandbox_mouse_act() { int gensandbox_mouse_act() {
POINT position1, position2; POINT position1, position2;
GetCursorPos(&position1); GetCursorPos(&position1);
Sleep(1750); /* Sleep time */ Sleep(2000); /* Sleep time */
GetCursorPos(&position2); GetCursorPos(&position2);
if ((position1.x == position2.x) && (position1.y == position2.y)) { if ((position1.x == position2.x) && (position1.y == position2.y)) {
/* No mouse activity during the sleep */ /* No mouse activity during the sleep */
return 0; return TRUE;
} }
else { else {
/* Mouse activity during the sleep */ /* Mouse activity during the sleep */
return 1; return FALSE;
} }
} }
@ -29,15 +30,15 @@ int gensandbox_username() {
username[i] = toupper(username[i]); username[i] = toupper(username[i]);
} }
if (strstr(username, "SANDBOX") != NULL) { if (strstr(username, "SANDBOX") != NULL) {
return 0; return TRUE;
} }
if (strstr(username, "VIRUS") != NULL) { if (strstr(username, "VIRUS") != NULL) {
return 0; return TRUE;
} }
if (strstr(username, "MALWARE") != NULL) { if (strstr(username, "MALWARE") != NULL) {
return 0; return TRUE;
} }
return 1; return FALSE;
} }
int gensandbox_path() { int gensandbox_path() {
@ -49,15 +50,15 @@ int gensandbox_path() {
path[i] = toupper(path[i]); path[i] = toupper(path[i]);
} }
if (strstr(path, "\\SAMPLE") != NULL) { if (strstr(path, "\\SAMPLE") != NULL) {
return 0; return TRUE;
} }
if (strstr(path, "\\VIRUS") != NULL) { if (strstr(path, "\\VIRUS") != NULL) {
return 0; return TRUE;
} }
if (strstr(path, "SANDBOX") != NULL) { if (strstr(path, "SANDBOX") != NULL) {
return 0; return TRUE;
} }
return 1; return FALSE;
} }
int gensandbox_drive_size() { int gensandbox_drive_size() {
@ -70,36 +71,25 @@ int gensandbox_drive_size() {
if (drive == INVALID_HANDLE_VALUE) { if (drive == INVALID_HANDLE_VALUE) {
// Someone is playing tricks. Or not enough privileges. // Someone is playing tricks. Or not enough privileges.
CloseHandle(drive); CloseHandle(drive);
return 1; return FALSE;
} }
result = DeviceIoControl(drive, IOCTL_DISK_GET_LENGTH_INFO, NULL, 0, &size, result = DeviceIoControl(drive, IOCTL_DISK_GET_LENGTH_INFO, NULL, 0, &size,
sizeof(GET_LENGTH_INFORMATION), &lpBytesReturned, NULL); sizeof(GET_LENGTH_INFORMATION), &lpBytesReturned, NULL);
CloseHandle(drive); CloseHandle(drive);
if (result != 0) { if (result != 0) {
if (size.Length.QuadPart / 1073741824 <= 50) { /* <= 50 GB */ if (size.Length.QuadPart / 1073741824 <= 60) /* <= 60 GB */
return 0; return TRUE;
} }
} return FALSE;
return 1;
} }
int gensandbox_drive_size2() { int gensandbox_drive_size2() {
ULARGE_INTEGER bytes_available;
ULARGE_INTEGER total_bytes; ULARGE_INTEGER total_bytes;
ULARGE_INTEGER total_number_free_bytes;
if (GetDiskFreeSpaceExA("C:\\", &bytes_available, &total_bytes, &total_number_free_bytes)) if (GetDiskFreeSpaceExA("C:\\", NULL, &total_bytes, NULL))
{ {
if (bytes_available.QuadPart / 1073741824 <= 60) { /* <= 60 GB */ if (total_bytes.QuadPart / 1073741824 <= 60) /* <= 60 GB */
return 0; return TRUE;
} }
if (total_bytes.QuadPart / 1073741824 <= 60) { /* <= 60 GB */ return FALSE;
return 0;
}
if (total_number_free_bytes.QuadPart / 1073741824 <= 60) { /* <= 60 GB */
return 0;
}
}
return 1;
} }
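Review bot: In gensandbox_drive_size the INVALID_HANDLE_VALUE branch still calls `CloseHandle(drive)` on a handle that was never opened; closing INVALID_HANDLE_VALUE is at best a no-op and is reported as an invalid-handle error by debuggers and verifier tools, so the branch should reduce to `if (drive == INVALID_HANDLE_VALUE) return FALSE;`. The CreateFile call that produces `drive` is outside the hunk. Both this function and gensandbox_drive_size2 fold an API failure into FALSE, so a missing-privileges case reads as "not detected"; if that is intended, a comment such as `/* open or query failure is reported as not detected */` records it. The divisor 1073741824 appears four times across the two functions; naming it once, e.g. `enum { BYTES_PER_GB = 1073741824 };`, keeps the 60 GB threshold in the code and the log strings from drifting apart.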


@ -2,6 +2,7 @@
#include <windows.h> #include <windows.h>
#include "hooks.h" #include "hooks.h"
#include "types.h"
/* Thx Inaki for this! (@virtualminds_es) */ /* Thx Inaki for this! (@virtualminds_es) */
int check_hook_DeleteFileW_m1() { int check_hook_DeleteFileW_m1() {
@ -14,13 +15,13 @@ int check_hook_DeleteFileW_m1() {
BYTE *op = (BYTE *)*c; BYTE *op = (BYTE *)*c;
if ((*op == 0x8b) && (*(op+1) == 0xff)) { if ((*op == 0x8b) && (*(op+1) == 0xff)) {
return 1; return FALSE;
} }
else { else {
return 0; return TRUE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
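Review bot: The byte pair 0x8b 0xff compared in check_hook_DeleteFileW_m1 is unexplained in the hunk; it is the `mov edi, edi` hot-patchable prologue that 32-bit Win32 API entry points begin with, so the check reports a hook whenever those two bytes are missing. A comment such as `/* 8B FF = mov edi,edi: the hot-patch prologue of 32-bit Win32 APIs; its absence suggests the entry point was rewritten */` makes that readable and also documents that the check is specific to x86 builds (a 64-bit prologue presumably differs, which would yield a false positive there). The start of the function, including where `c` is obtained, is outside the hunk, and the `*op` / `*(op+1)` reads rely on that pointer being valid.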


@ -4,6 +4,7 @@
#include <string.h> #include <string.h>
#include <windows.h> #include <windows.h>
#include "types.h"
#include "common.h" #include "common.h"
#include "debuggers.h" #include "debuggers.h"
@ -43,10 +44,11 @@ int main(int argc, char *argv[])
winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&winver); GetVersionEx(&winver);
snprintf(winverstr, sizeof(winverstr), "%d.%d build %d", winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber); snprintf(winverstr, sizeof(winverstr)-sizeof(winverstr[0]), "%d.%d build %d",
winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
printf("[*] Windows version: %s\n", winverstr); printf("[*] Windows version: %s\n", winverstr);
snprintf(aux, sizeof(aux), "Windows version: %s", winverstr); snprintf(aux, sizeof(aux)-sizeof(aux[0]), "Windows version: %s", winverstr);
write_log(aux); write_log(aux);
printf("[*] Running checks ...\n"); printf("[*] Running checks ...\n");
@ -54,337 +56,272 @@ int main(int argc, char *argv[])
/* Debuggers detection tricks */ /* Debuggers detection tricks */
printf("\n[-] Debuggers detection\n"); printf("\n[-] Debuggers detection\n");
printf("[*] Using IsDebuggerPresent() ... "); printf("[*] Using IsDebuggerPresent() ... ");
if (debug_isdebuggerpresent() == 0) { if (debug_isdebuggerpresent() == TRUE) {
write_log("Debugger traced using IsDebuggerPresent()"); write_log("Debugger traced using IsDebuggerPresent()");
print_traced(); print_traced();
write_trace("hi_debugger_isdebuggerpresent"); write_trace("hi_debugger_isdebuggerpresent");
} }
else { else print_not_traced();
print_not_traced();
}
/* This is only working on MS Windows systems prior to Vista */ /* This is only working on MS Windows systems prior to Vista */
if (winver.dwMajorVersion < 6) { if (winver.dwMajorVersion < 6) {
printf("[*] Using OutputDebugString() ... "); printf("[*] Using OutputDebugString() ... ");
if (debug_outputdebugstring() == 0) { if (debug_outputdebugstring() == TRUE) {
write_log("Debugger traced using OutputDebugString()"); write_log("Debugger traced using OutputDebugString()");
print_traced(); print_traced();
write_trace("hi_debugger_outputdebugstring"); write_trace("hi_debugger_outputdebugstring");
} }
else { else print_not_traced();
print_not_traced();
}
} }
/* Generic sandbox detection tricks */ /* Generic sandbox detection tricks */
printf("\n[-] Generic sandbox detection\n"); printf("\n[-] Generic sandbox detection\n");
printf("[*] Using mouse activity ... "); printf("[*] Using mouse activity ... ");
if (gensandbox_mouse_act() == 0) { if (gensandbox_mouse_act() == TRUE) {
print_traced(); print_traced();
write_log("Sandbox traced using mouse activity"); write_log("Sandbox traced using mouse activity");
write_trace("hi_sandbox_mouse_act"); write_trace("hi_sandbox_mouse_act");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Checking username ... "); printf("[*] Checking username ... ");
if (gensandbox_username() == 0) { if (gensandbox_username() == TRUE) {
print_traced(); print_traced();
write_log("Sandbox traced by checking username"); write_log("Sandbox traced by checking username");
write_trace("hi_sandbox_username"); write_trace("hi_sandbox_username");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Checking file path ... "); printf("[*] Checking file path ... ");
if (gensandbox_path() == 0) { if (gensandbox_path() == TRUE) {
print_traced(); print_traced();
write_log("Sandbox traced by checking file path"); write_log("Sandbox traced by checking file path");
write_trace("hi_sandbox_path"); write_trace("hi_sandbox_path");
} }
else { else print_not_traced();
print_not_traced();
} printf("[*] Checking if disk size <= 60GB via DeviceIoControl() ... ");
printf("[*] Checking if disk size <= 50GB ... "); if (gensandbox_drive_size() == TRUE) {
if (gensandbox_drive_size() == 0) {
print_traced(); print_traced();
write_log("Sandbox traced by checking disk size <= 50GB"); write_log("Sandbox traced by checking disk size <= 60GB via DeviceIoControl()");
write_trace("hi_sandbox_drive_size"); write_trace("hi_sandbox_drive_size");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Checking if disk size by GetDiskFreeSpace <= 60GB ... "); printf("[*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... ");
if (gensandbox_drive_size2() == 0) { if (gensandbox_drive_size2() == TRUE) {
print_traced(); print_traced();
write_log("Sandbox traced by checking disk size GetDiskFreeSpace <= 60GB"); write_log("Sandbox traced by checking disk size <= 60GB via GetDiskFreeSpaceExA()");
write_trace("hi_sandbox_drive_size_2"); write_trace("hi_sandbox_drive_size2");
}
else {
print_not_traced();
} }
else print_not_traced();
/* Hooks detection tricks */ /* Hooks detection tricks */
printf("\n[-] Hooks detection\n"); printf("\n[-] Hooks detection\n");
printf("[*] Checking function DeleteFileW method 1 ... "); printf("[*] Checking function DeleteFileW method 1 ... ");
if (check_hook_DeleteFileW_m1() == 0) { if (check_hook_DeleteFileW_m1() == TRUE) {
print_traced(); print_traced();
write_log("Hooks traced using DeleteFileW method 1"); write_log("Hooks traced using DeleteFileW method 1");
write_trace("hi_hooks_deletefile_m1"); write_trace("hi_hooks_deletefile_m1");
} }
else { else print_not_traced();
print_not_traced();
}
/* Sandboxie detection tricks */ /* Sandboxie detection tricks */
printf("\n[-] Sandboxie detection\n"); printf("\n[-] Sandboxie detection\n");
printf("[*] Using sbiedll.dll ... "); printf("[*] Using GetModuleHandle(sbiedll.dll) ... ");
if (sboxie_detect_sbiedll() == 0) { if (sboxie_detect_sbiedll() == TRUE) {
write_log("Sandboxie traced using sbiedll.dll"); write_log("Sandboxie traced using GetModuleHandle(sbiedll.dll)");
print_traced(); print_traced();
write_trace("hi_sandboxie"); write_trace("hi_sandboxie");
} }
else { else print_not_traced();
print_not_traced();
}
/* Wine detection tricks */ /* Wine detection tricks */
printf("\n[-] Wine detection\n"); printf("\n[-] Wine detection\n");
printf("[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... "); printf("[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... ");
if (wine_detect_get_unix_file_name() == 0) { if (wine_detect_get_unix_file_name() == TRUE) {
write_log("Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll"); write_log("Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll");
print_traced(); print_traced();
write_trace("hi_wine"); write_trace("hi_wine");
} }
else { else print_not_traced();
print_not_traced();
}
/* VirtualBox detection tricks */ /* VirtualBox detection tricks */
printf("\n[-] VirtualBox detection\n"); printf("\n[-] VirtualBox detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (vbox_reg_key1() == 0) { if (vbox_reg_key1() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\""); write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced(); print_traced();
write_trace("hi_virtualbox"); write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... "); printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (vbox_reg_key2() == 0) { if (vbox_reg_key2() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\""); write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced(); print_traced();
write_trace("hi_virtualbox"); write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions) ... "); printf("[*] Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions) ... ");
if (vbox_reg_key3() == 0) { if (vbox_reg_key3() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"); write_log("VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions");
print_traced(); print_traced();
write_trace("hi_virtualbox"); write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\") ... "); printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\") ... ");
if (vbox_reg_key4() == 0) { if (vbox_reg_key4() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\""); write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\"");
print_traced(); print_traced();
write_trace("hi_virtualbox"); write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ ... "); printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ ... ");
if (vbox_reg_key5() == 0) { if (vbox_reg_key5() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"); write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__");
print_traced(); print_traced();
write_trace("hi_virtualbox"); write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Reg key (HKLM\\SYSTEM\\CurrentControlSet\\Enum\\IDE ... ");
if (vbox_reg_key6() == 0) {
print_traced();
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__ ... "); printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__ ... ");
if (vbox_reg_key7() == 0) { if (vbox_reg_key7() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__"); write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__");
print_traced(); print_traced();
write_trace("hi_virtualbox"); write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__ ... "); printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__ ... ");
if (vbox_reg_key8() == 0) { if (vbox_reg_key8() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__"); write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__");
print_traced(); print_traced();
write_trace("hi_virtualbox"); write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox* ... "); printf("[*] Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox* ... ");
if (vbox_reg_key9() == 0) { if (vbox_reg_key9(TRUE) == TRUE) {
/* Log written inside function */
print_traced(); print_traced();
write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
if (vbox_sysfile1() == 0) { printf("[*] Driver files in C:\\WINDOWS\\system32\\drivers\\VBox* ... ");
if (vbox_sysfile1(TRUE) == TRUE) {
/* Log written inside function */
print_traced(); print_traced();
write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
if (vbox_sysfile2() == 0) { printf("[*] Additional system files ... ");
if (vbox_sysfile2(TRUE) == TRUE) {
/* Log written inside function */
print_traced(); print_traced();
write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Looking for MAC "); printf("[*] Looking for a MAC address starting with 08:00:27 ... ");
if (vbox_mac() == 0) { if (vbox_mac() == TRUE) {
write_log("VirtualBox traced using MAC address starting with 08:00:27");
print_traced(); print_traced();
write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Looking for pseudo device "); printf("[*] Looking for pseudo devices ... ");
if (vbox_pseudodev() == 0) { if (vbox_devices(TRUE) == TRUE) {
/* Log written inside function */
print_traced(); print_traced();
write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Looking for pipe "); printf("[*] Looking for VBoxTray windows ... ");
if (vbox_pipe() == 0) { if (vbox_traywindow() == TRUE) {
write_log("VirtualBox traced using VBoxTray windows");
print_traced(); print_traced();
write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Looking for VBox tray tool window "); printf("[*] Looking for VBox network share ... ");
if (vbox_traywindow() == 0) { if (vbox_network_share() == TRUE) {
write_log("VirtualBox traced using its network share");
print_traced(); print_traced();
write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Looking for VBox network share "); printf("[*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... ");
if (vbox_network_share() == 0) { if (vbox_processes(TRUE) == TRUE) {
/* Log written inside function */
print_traced(); print_traced();
write_trace("hi_virtualbox");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Looking for VBox processes ");
if (vbox_processes() == 0) {
print_traced();
}
else {
print_not_traced();
}
printf("[*] Looking for guest tools ");
if (vbox_guest_tools() == 0) {
print_traced();
}
printf("[*] Looking for VBox devices ");
if (vbox_devices() == 0) {
print_traced();
}
else {
print_not_traced();
}
/* VMware detection tricks */ /* VMware detection tricks */
printf("\n[-] VMware detection\n"); printf("\n[-] VMware detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (vmware_reg_key1() == 0) { if (vmware_reg_key1() == TRUE) {
write_log("VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\""); write_log("VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced(); print_traced();
write_trace("hi_vmware"); write_trace("hi_vmware");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools) ... "); printf("[*] Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools) ... ");
if (vmware_reg_key2() == 0) { if (vmware_reg_key2() == TRUE) {
write_log("VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"); write_log("VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools");
print_traced(); print_traced();
write_trace("hi_vmware"); write_trace("hi_vmware");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys ... "); printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys ... ");
if (vmware_sysfile1() == 0) { if (vmware_sysfile1() == TRUE) {
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys"); write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
print_traced(); print_traced();
write_trace("hi_vmware"); write_trace("hi_vmware");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... "); printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... ");
if (vmware_sysfile2() == 0) { if (vmware_sysfile2() == TRUE) {
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys"); write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
print_traced(); print_traced();
write_trace("hi_vmware"); write_trace("hi_vmware");
} }
else { else print_not_traced();
print_not_traced();
}
/* Qemu detection tricks */ /* Qemu detection tricks */
printf("\n[-] Qemu detection\n"); printf("\n[-] Qemu detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (qemu_reg_key1() == 0) { if (qemu_reg_key1() == TRUE) {
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\""); write_log("Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced(); print_traced();
write_trace("hi_qemu"); write_trace("hi_qemu");
} }
else { else print_not_traced();
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... "); printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (qemu_reg_key2() == 0) { if (qemu_reg_key2() == TRUE) {
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\""); write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced(); print_traced();
write_trace("hi_qemu"); write_trace("hi_qemu");
} }
else { else print_not_traced();
print_not_traced();
}
printf("\n\n"); printf("\n\n");
printf("[-] Finished, feel free to RE me."); printf("[-] Feel free to RE me, check log file for more information.");
write_log("End"); write_log("End");
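Review bot: The snprintf calls now pass `sizeof(winverstr)-sizeof(winverstr[0])` and `sizeof(aux)-sizeof(aux[0])` as the size; snprintf already reserves room for the terminator within the size it is given, so the subtraction only wastes one byte and reads like a strncpy-style habit — `sizeof(winverstr)` and `sizeof(aux)` are the right bounds. The format `"%d.%d build %d"` receives DWORD (unsigned long) arguments, which `-Wformat` flags; `"%lu.%lu build %lu"` matches the types. The trace token changes from `hi_sandbox_drive_size_2` to `hi_sandbox_drive_size2`, which anything keyed on the old string in the trace output would miss, and the vbox_reg_key6 (IDE registry) and vbox_guest_tools checks disappear from main without being named in the commit description; both deserve a sentence there. main's opening and closing lines are outside the hunk.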


@ -3,6 +3,7 @@
#include <string.h> #include <string.h>
#include "qemu.h" #include "qemu.h"
#include "types.h"
int qemu_reg_key1() { int qemu_reg_key1() {
HKEY regkey; HKEY regkey;
@ -20,18 +21,18 @@ int qemu_reg_key1() {
value[i] = toupper(value[i]); value[i] = toupper(value[i]);
} }
if (strstr(value, "QEMU") != NULL) { if (strstr(value, "QEMU") != NULL) {
return 0; return TRUE;
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
@ -51,17 +52,17 @@ int qemu_reg_key2() {
value[i] = toupper(value[i]); value[i] = toupper(value[i]);
} }
if (strstr(value, "QEMU") != NULL) { if (strstr(value, "QEMU") != NULL) {
return 0; return TRUE;
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }


@ -2,12 +2,13 @@
#include <windows.h> #include <windows.h>
#include "sandboxie.h" #include "sandboxie.h"
#include "types.h"
int sboxie_detect_sbiedll() { int sboxie_detect_sbiedll() {
if (GetModuleHandle("sbiedll.dll") != NULL) { if (GetModuleHandle("sbiedll.dll") != NULL) {
return 0; return TRUE;
} }
else { else {
return 1; return FALSE;
} }
} }

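--- /dev/null
+++ b/pafish/types.h
+#ifndef TYPES_H
+#define TYPES_H
+#define TRUE 1
+#define FALSE 0
+typedef char * string;
+#endif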
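Review bot: TRUE and FALSE are already macros in `<windows.h>` (windef.h), which every translation unit in this commit includes, so these two defines are redundant and stay harmless only while the replacement lists are identical; wrapping them as `#ifndef TRUE` / `#define TRUE 1` / `#endif` (and likewise for FALSE) makes the header safe regardless of include order. `typedef char * string;` hides the pointer behind a name, and no visible hunk uses it after the typedef was moved out of vbox.c; if it is unused it can be dropped. A one-line header comment, `/* Shared result convention for the detection functions: TRUE = detected, FALSE = not detected. */`, would tie the file to its purpose.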

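--- /dev/null
+++ b/pafish/utils.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <windows.h>
+#include "utils.h"
+#include "types.h"
+inline int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
+HKEY regkey;
+LONG ret;
+ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
+if (ret == ERROR_SUCCESS) {
+RegCloseKey(regkey);
+return TRUE;
+}
+else
+return FALSE;
+}
+inline int pafish_exists_file(char * filename) {
+DWORD ret;
+ret = GetFileAttributes(filename);
+if (ret != INVALID_FILE_ATTRIBUTES)
+return TRUE;
+else
+return FALSE;
+}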
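Review bot: `inline int pafish_exists_regkey(...)` and `inline int pafish_exists_file(...)` are plain `inline` definitions with neither `static` nor `extern`; under C99/C11 inline rules (gcc's default from 5 onwards, gnu11) such a definition emits no external symbol, so the calls from vbox.c fail to link unless the toolchain still applies the old GNU89 inline rules. Dropping `inline` here and on the prototypes in utils.h gives ordinary external functions, which is what a separately-declared prototype needs anyway, since inlining cannot happen across translation units through a prototype. Both helpers take `char *` for strings they only read; `const char *regkey_s` and `const char *filename` let callers pass literals cleanly under `-Wwrite-strings`. GetFileAttributes also returns INVALID_FILE_ATTRIBUTES for a file that exists but cannot be accessed, so pafish_exists_file reports such files as absent; a comment such as `/* An existing but inaccessible file is reported as absent. */` keeps callers from over-trusting the result.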

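--- /dev/null
+++ b/pafish/utils.h
+#ifndef UTILS_H
+#define UTILS_H
+inline int pafish_exists_regkey(HKEY hKey, char * regkey);
+inline int pafish_exists_file(char * filename);
+#endif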
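Review bot: The header uses HKEY but includes nothing, so it compiles only when `<windows.h>` is included before it by every user (utils.c and vbox.c both happen to do so); adding `#include <windows.h>` after the guard makes it self-contained. The `inline` on the prototypes has no effect across translation units and, paired with the non-static `inline` definitions in utils.c, can leave no external symbol under C99 inline rules; `int pafish_exists_regkey(HKEY hKey, const char *regkey);` and `int pafish_exists_file(const char *filename);` are the safer declarations. A short contract comment on each, e.g. `/* Returns TRUE if the key under hKey can be opened for reading, FALSE otherwise. */`, would document the TRUE-means-present convention the callers in vbox.c rely on.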


@ -1,34 +1,15 @@
#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */ #define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */
#include <winsock2.h>
#include <windows.h> #include <windows.h>
#include <winnetwk.h>
#include <string.h> #include <string.h>
#include <stdio.h> #include <stdio.h>
#include <iphlpapi.h> #include <iphlpapi.h>
#include <tlhelp32.h> #include <tlhelp32.h>
#include <setupapi.h>
#include <devguid.h>
#include <regstr.h>
#include "vbox.h" #include "vbox.h"
#include "utils.h"
typedef char * string; #include "types.h"
void ToUpper(unsigned char* Pstr) {
char* P=(char*)Pstr;
unsigned long length;
unsigned long i;
if (Pstr == NULL)
return;
length=strlen(P);
for(i=0;i<length;i++) P[i]=toupper(P[i]);
return;
}
/** /**
* SCSI registry key check * SCSI registry key check
@ -49,18 +30,18 @@ int vbox_reg_key1() {
value[i] = toupper(value[i]); value[i] = toupper(value[i]);
} }
if (strstr(value, "VBOX") != NULL) { if (strstr(value, "VBOX") != NULL) {
return 0; return TRUE;
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
@ -83,34 +64,26 @@ int vbox_reg_key2() {
value[i] = toupper(value[i]); value[i] = toupper(value[i]);
} }
if (strstr(value, "VBOX") != NULL) { if (strstr(value, "VBOX") != NULL) {
return 0; return TRUE;
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
/** /**
* GuestAdditions key check * VirtualBox Guest Additions key check
**/ **/
int vbox_reg_key3() { int vbox_reg_key3() {
HKEY regkey; return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "SOFTWARE\\Oracle\\VirtualBox Guest Additions");
LONG retu;
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Oracle\\VirtualBox Guest Additions", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
return 0;
}
else {
return 1;
}
} }
/** /**
@ -132,18 +105,18 @@ int vbox_reg_key4() {
value[i] = toupper(value[i]); value[i] = toupper(value[i]);
} }
if (strstr(value, "VIRTUALBOX") != NULL) { if (strstr(value, "VIRTUALBOX") != NULL) {
return 0; return TRUE;
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
@ -151,153 +124,28 @@ int vbox_reg_key4() {
* ACPI Regkey detection * ACPI Regkey detection
**/ **/
int vbox_reg_key5() { int vbox_reg_key5() {
HKEY regkey; return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\DSDT\\VBOX__");
LONG retu;
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\DSDT\\VBOX__", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
return 0;
}
else {
return 1;
}
}
/**
* IDE Registry key scanning
* http://0xmalware.blogspot.de/2013/10/cuckoo-sandbox-hardening-virtualbox.html
* https://twitter.com/waleedassar
**/
int vbox_reg_key6() {
HKEY HK=0;
int res=1;
unsigned long i;
char * message;
DWORD ValType;
long error;
char* subkey="SYSTEM\\CurrentControlSet\\Enum\\IDE";
if( (ERROR_SUCCESS==RegOpenKeyEx(HKEY_LOCAL_MACHINE,subkey,0,KEY_READ,&HK)) && HK ){
unsigned long n_subkeys=0;
unsigned long max_subkey_length=0;
if(ERROR_SUCCESS==RegQueryInfoKey(HK,0,0,0,&n_subkeys,&max_subkey_length,0,0,0,0,0,0)){
if(n_subkeys) { //Usually n_subkeys are 2
char* pNewKey=(char*)LocalAlloc(LMEM_ZEROINIT,max_subkey_length+1);
for(i=0;i<n_subkeys;i++) { //Usually n_subkeys are 2
memset(pNewKey,0,max_subkey_length+1);
HKEY HKK=0;
if(ERROR_SUCCESS==RegEnumKey(HK,i,pNewKey,max_subkey_length+1)) {
if((RegOpenKeyEx(HK,pNewKey,0,KEY_READ,&HKK)==ERROR_SUCCESS) && HKK) {
unsigned long nn=0;
unsigned long maxlen=0;
RegQueryInfoKey(HKK,0,0,0,&nn,&maxlen,0,0,0,0,0,0);
char* pNewNewKey=(char*)LocalAlloc(LMEM_ZEROINIT,maxlen+1);
if(RegEnumKey(HKK,0,pNewNewKey,maxlen+1)==ERROR_SUCCESS) {
HKEY HKKK=0;
if(RegOpenKeyEx(HKK,pNewNewKey,0,KEY_READ,&HKKK)==ERROR_SUCCESS) {
unsigned long size=0xFFFF;
unsigned char ValName[0x10000]={0};
if(RegQueryValueEx(HKKK,"FriendlyName",0,0,ValName,&size)==ERROR_SUCCESS) {
ToUpper(ValName);
if(strstr((char*)ValName,"VBOX")) {
message = (char*)LocalAlloc(LMEM_ZEROINIT,strlen(ValName)+200);
if (message) {
sprintf(message, "VBOX traced in IDE Registry based on FriendlyName containing VBOX %s ", ValName);
write_log(message);
LocalFree(message);
}
res = 0;
}
}
size = 0xFFFF;
error = RegQueryValueEx(HKKK,"HardwareID",0,&ValType,ValName,&size);
if(error==ERROR_SUCCESS) {
if (ValType == REG_MULTI_SZ){
char * sp = ValName;
while(strlen(sp)){
ToUpper(sp);
if(strstr((char*)sp,"VBOX")) {
message = (char*)LocalAlloc(LMEM_ZEROINIT,strlen(sp)+200);
if (message) {
sprintf(message, "VBOX traced in IDE Registry based on HardwareID containing VBOX %s ", sp);
write_log(message);
LocalFree(message);
}
res = 0;
}
sp = sp + strlen(sp) + 1;
}
}
}
else{
message = (char*)LocalAlloc(LMEM_ZEROINIT,200);
sprintf(message, "%d", error);
write_log(message);
LocalFree(message);
}
RegCloseKey(HKKK);
}
}
LocalFree(pNewNewKey);
RegCloseKey(HKK);
}
}
}
LocalFree(pNewKey);
}
}
RegCloseKey(HK);
}
if (res == 0) {
print_traced();
write_trace("hi_virtualbox");
}
return res;
} }
/** /**
* FADT ACPI Regkey detection * FADT ACPI Regkey detection
**/ **/
int vbox_reg_key7() { int vbox_reg_key7() {
HKEY regkey; return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
LONG retu;
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
return 0;
}
else {
return 1;
}
} }
/** /**
* RSDT ACPI Regkey detection * RSDT ACPI Regkey detection
**/ **/
int vbox_reg_key8() { int vbox_reg_key8() {
HKEY regkey; return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\RSDT\\VBOX__");
LONG retu;
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\RSDT\\VBOX__", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
return 0;
}
else {
return 1;
}
} }
/** /**
* Service Regkey detection * VirtualBox Services Regkey detection
**/ **/
int vbox_reg_key9() { int vbox_reg_key9(int writelogs) {
HKEY regkey; int res = FALSE, i;
int res = 1;
LONG retu;
int i;
const int count = 5; const int count = 5;
char message[200]; char message[200];
@ -307,71 +155,49 @@ int vbox_reg_key9() {
strs[2] = "SYSTEM\\ControlSet001\\Services\\VBoxService"; strs[2] = "SYSTEM\\ControlSet001\\Services\\VBoxService";
strs[3] = "SYSTEM\\ControlSet001\\Services\\VBoxSF"; strs[3] = "SYSTEM\\ControlSet001\\Services\\VBoxSF";
strs[4] = "SYSTEM\\ControlSet001\\Services\\VBoxVideo"; strs[4] = "SYSTEM\\ControlSet001\\Services\\VBoxVideo";
for (i=0; i < count; i++) {
for (i=0;i<count; i++){ if (pafish_exists_regkey(HKEY_LOCAL_MACHINE, strs[i])) {
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, strs[i], 0, KEY_READ, &regkey); snprintf(message, sizeof(message)-sizeof(message[0]), "VirtualBox traced using Reg key HKLM\\%s", strs[i]);
if (retu == ERROR_SUCCESS) { if (writelogs) write_log(message);
sprintf(message, "VirtualBox traced registry key %s", strs[i]); res = TRUE;
write_log(message);
res = 0;
} }
} }
if (res == 0){
print_traced();
write_trace("hi_virtualbox");
}
return res; return res;
} }
/** /**
* VirtualBox Driver files in windows/system32 * VirtualBox driver files in \\WINDOWS\\system32\\drivers\\
**/ **/
int vbox_sysfile1() { int vbox_sysfile1(int writelogs) {
DWORD ret; DWORD ret;
const int count = 4; const int count = 4;
string strs[count]; string strs[count];
int res = 1; int res = FALSE, i = 0;
char message[200]; char message[200];
int i=0;
strs[0] = "C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys"; strs[0] = "C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys";
strs[1] = "C:\\WINDOWS\\system32\\drivers\\VBoxGuest.sys"; strs[1] = "C:\\WINDOWS\\system32\\drivers\\VBoxGuest.sys";
strs[2] = "C:\\WINDOWS\\system32\\drivers\\VBoxSF.sys"; strs[2] = "C:\\WINDOWS\\system32\\drivers\\VBoxSF.sys";
strs[3] = "C:\\WINDOWS\\system32\\drivers\\VBoxVideo.sys"; strs[3] = "C:\\WINDOWS\\system32\\drivers\\VBoxVideo.sys";
for (i=0; i < count; i++) {
if (pafish_exists_file(strs[i])) {
for (i=0; i < count; i++){ snprintf(message, sizeof(message)-sizeof(message[0]), "VirtualBox traced using driver file %s", strs[i]);
sprintf(message, "[*] Looking for %s ... ", strs[i]); if (writelogs) write_log(message);
printf(message); res = TRUE;
ret = GetFileAttributes(strs[i]);
if (ret != INVALID_FILE_ATTRIBUTES) {
sprintf(message, "VirtualBox traced using driver file %s", strs[i]);
write_log(message);
print_traced();
write_trace("hi_virtualbox");
res = 0;
} }
} }
return res; return res;
} }
/** /**
* VirtualBox files in windows/system32 * VirtualBox other system files
**/ **/
int vbox_sysfile2() { int vbox_sysfile2(int writelogs) {
DWORD ret; DWORD ret;
const int count = 14;
const int count = 12;
string strs[count]; string strs[count];
int res = 1; int res = FALSE, i = 0;
char message[200]; char message[200];
int i=0;
strs[0] = "C:\\WINDOWS\\system32\\vboxdisp.dll"; strs[0] = "C:\\WINDOWS\\system32\\vboxdisp.dll";
strs[1] = "C:\\WINDOWS\\system32\\vboxhook.dll"; strs[1] = "C:\\WINDOWS\\system32\\vboxhook.dll";
@ -385,19 +211,16 @@ int vbox_sysfile2() {
strs[9] = "C:\\WINDOWS\\system32\\vboxoglpassthroughspu.dll"; strs[9] = "C:\\WINDOWS\\system32\\vboxoglpassthroughspu.dll";
strs[10] = "C:\\WINDOWS\\system32\\vboxservice.exe"; strs[10] = "C:\\WINDOWS\\system32\\vboxservice.exe";
strs[11] = "C:\\WINDOWS\\system32\\vboxtray.exe"; strs[11] = "C:\\WINDOWS\\system32\\vboxtray.exe";
strs[12] = "C:\\WINDOWS\\system32\\VBoxControl.exe";
for (i=0; i < count; i++){ strs[13] = "C:\\program files\\oracle\\virtualbox guest additions\\";
sprintf(message, "[*] Looking for %s ... ", strs[i]); for (i = 0; i < count; i++) {
printf(message); if (pafish_exists_file(strs[i])) {
ret = GetFileAttributes(strs[i]); snprintf(message, sizeof(message)-sizeof(message[0]), "VirtualBox traced using system file %s", strs[i]);
if (ret != INVALID_FILE_ATTRIBUTES) { if (writelogs) write_log(message);
sprintf(message, "VirtualBox traced using file %s", strs[i]); res = TRUE;
write_log(message);
print_traced();
write_trace("hi_virtualbox");
res = 0;
} }
} }
return res;
} }
/** /**
@ -405,83 +228,59 @@ int vbox_sysfile2() {
**/ **/
int vbox_mac() { int vbox_mac() {
WSADATA WSD; WSADATA WSD;
int res=1; int res = FALSE;
char mac[6]={0}; char mac[6]={0};
if(!WSAStartup(MAKEWORD(2,2),&WSD)){ if(!WSAStartup(MAKEWORD(2,2),&WSD)){
unsigned long alist_size=0; unsigned long alist_size = 0;
// getting the size of the adapter list
int ret = GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,0,&alist_size); int ret = GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,0,&alist_size);
if(ret==ERROR_BUFFER_OVERFLOW) { if(ret==ERROR_BUFFER_OVERFLOW) {
IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size); IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size);
if(palist) { if(palist) {
ret=GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,palist,&alist_size); ret=GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,palist,&alist_size);
IP_ADAPTER_ADDRESSES* ppalist=palist; IP_ADAPTER_ADDRESSES* ppalist=palist;
while (ppalist){ while (ppalist){
if (ppalist->PhysicalAddressLength==0x6){ if (ppalist->PhysicalAddressLength==0x6){
memcpy(mac,ppalist->PhysicalAddress,6); memcpy(mac,ppalist->PhysicalAddress,0x6);
if(mac[0]==0x08 && mac[1]==0x00 && mac[2]==0x27) { // VirtualBox mac starts with 08:00:27 if(mac[0]==0x08 && mac[1]==0x00 && mac[2]==0x27) { // VirtualBox mac starts with 08:00:27
write_log("VirtualBox traced using MAC starting with 08:00:27"); res = TRUE;
res = 0; break;
} }
} }
ppalist = ppalist->Next; ppalist = ppalist->Next;
} }
LocalFree(palist); LocalFree(palist);
} }
} }
if (res == 0){
print_traced();
write_trace("hi_virtualbox");
}
WSACleanup(); WSACleanup();
} }
return res; return res;
} }
/** /**
* Checking for the VirtualBox pseudo device VBoxMiniRdrDN * VirtualBox devices
* https://twitter.com/waleedassar
**/ **/
int vbox_pseudodev() { int vbox_devices(int writelogs) {
int res=1;
HANDLE h; HANDLE h;
const int count = 4;
string strs[count];
int res = FALSE, i = 0;
char message[200];
h = CreateFile("\\\\.\\VBoxMiniRdrDN", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); /* Got this list from https://github.com/cuckoobox/community/blob/master/modules/signatures/antivm_vbox_devices.py */
if (h != INVALID_HANDLE_VALUE){ strs[0] = "\\\\.\\VBoxMiniRdrDN";
write_log("VBoxMiniRdrDN pseudo device detected"); strs[1] = "\\\\.\\pipe\\VBoxMiniRdDN";
print_traced(); strs[2] = "\\\\.\\VBoxTrayIPC";
write_trace("hi_virtualbox"); strs[3] = "\\\\.\\pipe\\VBoxTrayIPC";
res = 0; for (i=0; i < count; i++) {
CloseHandle(h); h = CreateFile(strs[i], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h != INVALID_HANDLE_VALUE) {
snprintf(message, sizeof(message)-sizeof(message[0]), "VirtualBox traced using device %s", strs[i]);
if (writelogs) write_log(message);
res = TRUE;
} }
return res;
}
/**
* Checking for the VirtualBox pipe
* https://twitter.com/waleedassar
**/
int vbox_pipe() {
int res=1;
HANDLE h;
h = CreateFile("\\\\.\\pipe\\VBoxTrayIPC", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h != INVALID_HANDLE_VALUE){
write_log("VirtualBox VBoxTrayIPC pipe detected");
print_traced();
write_trace("hi_virtualbox");
res = 0;
CloseHandle(h);
} }
return res; return res;
} }
/** /**
@ -489,212 +288,67 @@ int vbox_pipe() {
* https://twitter.com/waleedassar * https://twitter.com/waleedassar
**/ **/
int vbox_traywindow() { int vbox_traywindow() {
int res=1; HWND h1, h2;
HWND h1; h1 = FindWindow("VBoxTrayToolWndClass", NULL);
HWND h2; h2 = FindWindow(NULL, "VBoxTrayToolWnd");
if (h1 || h2) return TRUE;
h1 = FindWindow("VBoxTrayToolWndClass", 0); else return FALSE;
h2 = FindWindow(0, "VBoxTrayToolWnd");
if (h1 || h2){
write_log("VirtualBox Tray tool window detected");
print_traced();
write_trace("hi_virtualbox");
res = 0;
}
return res;
} }
/** /**
* Checking network shared * Checking network shared
* https://twitter.com/waleedassar * https://twitter.com/waleedassar
**/ **/
int vbox_network_share() { int vbox_network_share() {
int res=1; unsigned long pnsize = 0x1000;
char provider[pnsize];
/* a0rtega : any reason for this to be in the heap :?, changed to stack */
//char * provider = (char *)LocalAlloc(LMEM_ZEROINIT, pnsize);
unsigned long pnsize=0x1000;
char * provider=(char *)LocalAlloc(LMEM_ZEROINIT, pnsize);
int retv = WNetGetProviderName(WNNC_NET_RDR2SAMPLE, provider, &pnsize); int retv = WNetGetProviderName(WNNC_NET_RDR2SAMPLE, provider, &pnsize);
if (retv==NO_ERROR){ if (retv == NO_ERROR) {
if (lstrcmpi(provider, "VirtualBox Shared Folders") == 0){ if (lstrcmpi(provider, "VirtualBox Shared Folders") == 0) {
write_log("VirtualBox shared folder detected"); //LocalFree(provider);
print_traced(); return TRUE;
write_trace("hi_virtualbox"); }
res = 0; else {
//LocalFree(provider);
return FALSE;
} }
} }
return FALSE;
return res;
} }
/** /**
* Checking for virtual box processes * Checking for virtual box processes
**/ **/
int vbox_processes() { int vbox_processes(int writelogs) {
int res=1; int res = FALSE;
HANDLE hpSnap; HANDLE hpSnap;
PROCESSENTRY32 pentry; PROCESSENTRY32 pentry;
hpSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); hpSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if (hpSnap != INVALID_HANDLE_VALUE){ if (hpSnap != INVALID_HANDLE_VALUE) {
pentry.dwSize = sizeof (PROCESSENTRY32); pentry.dwSize = sizeof (PROCESSENTRY32);
} }
else {
return FALSE;
}
if( !Process32First( hpSnap, &pentry ) ){ if(!Process32First(hpSnap, &pentry)) {
CloseHandle(hpSnap); CloseHandle(hpSnap);
return 0; return FALSE;
} }
do { do {
if (lstrcmpi(pentry.szExeFile, "vboxservice.exe") == 0){ if (lstrcmpi(pentry.szExeFile, "vboxservice.exe") == 0) {
write_log("vboxservice.exe process detected"); write_log("VirtualBox traced using vboxservice.exe process");
res = 0; res = TRUE;
} }
if (lstrcmpi(pentry.szExeFile, "vboxtray.exe") == 0){ if (lstrcmpi(pentry.szExeFile, "vboxtray.exe") == 0) {
write_log("vboxtray.exe process detected"); write_log("VirtualBox traced using vboxtray.exe process");
res = 0; res = TRUE;
}
} while( Process32Next( hpSnap, &pentry ) );
if (res == 0){
print_traced();
write_trace("hi_virtualbox");
}
return res;
}
/**
* Checking for the VBoxControl and other vbox tools
**/
int vbox_guest_tools() {
int res=1;
HANDLE h;
h = CreateFile("c:\\windows\\system32\\VBoxControl.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h != INVALID_HANDLE_VALUE){
write_log("VirtualBox VBoxControl.exe detected");
print_traced();
write_trace("hi_virtualbox");
res = 0;
CloseHandle(h);
}
h = CreateFile("c:\\program files\\oracle\\virtualbox guest additions\\VBoxDrvInst.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h != INVALID_HANDLE_VALUE){
write_log("VirtualBox VBoxDrvInst.exe detected");
print_traced();
write_trace("hi_virtualbox");
res = 0;
CloseHandle(h);
}
h = CreateFile("c:\\program files\\oracle\\virtualbox guest additions\\VBoxWHQLFake.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h != INVALID_HANDLE_VALUE){
write_log("VirtualBox VBoxWHQLFake.exe detected");
print_traced();
write_trace("hi_virtualbox");
res = 0;
CloseHandle(h);
}
return res;
}
/**
* Helper function to get device propery. Free return buffer after use ! Only for REG_SZ data
*
*
**/
LPTSTR device_property(HDEVINFO hDevInfo, SP_DEVINFO_DATA DevInfoData, DWORD property){
LPTSTR buffer = NULL;
DWORD buffersize = 0;
DWORD DataT;
while (!SetupDiGetDeviceRegistryProperty(
hDevInfo,
&DevInfoData,
property,
&DataT,
(PBYTE) buffer,
buffersize,
&buffersize
)){
if (GetLastError () == ERROR_INSUFFICIENT_BUFFER){
if (buffer) LocalFree(buffer);
buffer = LocalAlloc (LPTR, buffersize * 2);
}
else
{
break;
}
}
return buffer;
}
/**
* VBox devices
*
* http://support.microsoft.com/kb/259695/EN-US
**/
int vbox_devices() {
int res=1;
HDEVINFO hDevInfo;
DWORD i;
SP_DEVINFO_DATA DevInfoData;
hDevInfo = SetupDiGetClassDevs(NULL, 0, 0, DIGCF_PRESENT | DIGCF_ALLCLASSES);
if (hDevInfo == INVALID_HANDLE_VALUE){
return res;
}
DevInfoData.cbSize = sizeof(SP_DEVINFO_DATA);
// Enum devices
for (i=0; SetupDiEnumDeviceInfo(hDevInfo, i, &DevInfoData); i++){
LPTSTR buffer = NULL;
DWORD properties[] = {SPDRP_CLASS, SPDRP_CLASSGUID, SPDRP_DEVICEDESC, SPDRP_ENUMERATOR_NAME, SPDRP_FRIENDLYNAME, SPDRP_LOCATION_INFORMATION, SPDRP_MFG, SPDRP_PHYSICAL_DEVICE_OBJECT_NAME, SPDRP_SERVICE};
int prop;
const int max_prop = 9;
char * message;
for (prop=0; prop < max_prop ; prop ++){
buffer = device_property(hDevInfo, DevInfoData, properties[prop]);
if (buffer != NULL){
ToUpper(buffer);
if ((strstr((char *)buffer, "VBOX")) ||
(strstr((char *)buffer, "VIRTUALBOX"))){
message = (char*)LocalAlloc(LMEM_ZEROINIT,strlen(buffer)+200);
if (message) {
sprintf(message, "VBOX traced by device property %s ", buffer);
write_log(message);
LocalFree(message);
}
res = 0;
}
LocalFree(buffer);
buffer = NULL;
}
}
}
// Cleanup
SetupDiDestroyDeviceInfoList(hDevInfo);
if (res == 0){
print_traced();
write_trace("hi_virtualbox");
} }
} while (Process32Next(hpSnap, &pentry));
return res; return res;
} }


@ -3,41 +3,25 @@
#define VBOX_H #define VBOX_H
int vbox_reg_key1(); int vbox_reg_key1();
int vbox_reg_key2(); int vbox_reg_key2();
int vbox_reg_key3(); int vbox_reg_key3();
int vbox_reg_key4(); int vbox_reg_key4();
int vbox_reg_key5(); int vbox_reg_key5();
int vbox_reg_key6();
int vbox_reg_key7(); int vbox_reg_key7();
int vbox_reg_key8(); int vbox_reg_key8();
int vbox_reg_key9(int writelogs);
int vbox_reg_key9(); int vbox_sysfile1(int writelogs);
int vbox_sysfile2(int writelogs);
int vbox_sysfile1();
int vbox_sysfile2();
int vbox_mac(); int vbox_mac();
int vbox_pseudodev(); int vbox_devices(int writelogs);
int vbox_pipe();
int vbox_traywindow(); int vbox_traywindow();
int vbox_network_share(); int vbox_network_share();
int vbox_processes(); int vbox_processes(int writelogs);
int vbox_guest_tools();
int vbox_devices();
#endif #endif
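Review bot: The declarations that keep empty parentheses, such as `int vbox_reg_key1();` and `int vbox_mac();`, are not prototypes in C11, so a call site that passes a stray argument (or, for a function that later gains a `writelogs` parameter, none) is not diagnosed by the compiler. Since this commit already touches every line of the header to add `int writelogs` where needed, the remaining zero-argument functions should be declared `(void)`, e.g. `int vbox_reg_key1(void);` through `int vbox_network_share(void);`. The same applies to the definitions in vbox.c, vmware.c and wine.c, which use the same `()` form.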


@ -3,6 +3,8 @@
#include <string.h> #include <string.h>
#include "vmware.h" #include "vmware.h"
#include "types.h"
#include "utils.h"
int vmware_reg_key1() { int vmware_reg_key1() {
HKEY regkey; HKEY regkey;
@ -20,51 +22,29 @@ int vmware_reg_key1() {
value[i] = toupper(value[i]); value[i] = toupper(value[i]);
} }
if (strstr(value, "VMWARE") != NULL) { if (strstr(value, "VMWARE") != NULL) {
return 0; return TRUE;
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
int vmware_reg_key2() { int vmware_reg_key2() {
HKEY regkey; return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools");
LONG retu;
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
return 0;
}
else {
return 1;
}
} }
int vmware_sysfile1() { int vmware_sysfile1() {
DWORD ret; return pafish_exists_file("C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
if (ret != INVALID_FILE_ATTRIBUTES) {
return 0;
}
else {
return 1;
}
} }
int vmware_sysfile2() { int vmware_sysfile2() {
DWORD ret; return pafish_exists_file("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
if (ret != INVALID_FILE_ATTRIBUTES) {
return 0;
}
else {
return 1;
}
} }
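Review bot: vmware_reg_key2 now returns `pafish_exists_regkey(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools")`, and the helper lives in utils.c, which is not visible here; the RegOpenKeyEx code it replaces never called RegCloseKey on the opened handle, so it is worth confirming that the helper closes the key on the success path rather than carrying the leak into the shared function. The same applies to vbox_reg_key5, vbox_reg_key7 and vbox_reg_key8 in vbox.c, which now use the same helper. In the earlier hunk of this section, vmware_reg_key1 still upper-cases the registry value with `toupper(value[i])` on a plain `char`; a byte above 0x7F is negative on MinGW and undefined for toupper, so it should read `value[i] = toupper((unsigned char)value[i]);`. That function starts outside the hunk.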


@ -2,19 +2,20 @@
#include <windows.h> #include <windows.h>
#include "wine.h" #include "wine.h"
#include "types.h"
int wine_detect_get_unix_file_name() { int wine_detect_get_unix_file_name() {
HMODULE k32; HMODULE k32;
k32 = GetModuleHandle("kernel32.dll"); k32 = GetModuleHandle("kernel32.dll");
if (k32 != NULL) { if (k32 != NULL) {
if (GetProcAddress(k32, "wine_get_unix_file_name") != NULL) { if (GetProcAddress(k32, "wine_get_unix_file_name") != NULL) {
return 0; return TRUE;
} }
else { else {
return 1; return FALSE;
} }
} }
else { else {
return 1; return FALSE;
} }
} }
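Review bot: The three nested if/else branches in wine_detect_get_unix_file_name only map a pair of NULL checks onto TRUE/FALSE, so now that the function returns the new boolean values the body can be a single expression: `return k32 != NULL && GetProcAddress(k32, "wine_get_unix_file_name") != NULL;`. The definition should also be `int wine_detect_get_unix_file_name(void)` so that the compiler has a real prototype, matching the `(void)` form that should be used in the headers.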