Huge refactor, TRUE FALSE types added, utils functions added, fix encoding, trailing spaces, CRLF removed

This commit is contained in:
Alberto Ortega 2014-12-31 20:24:11 +01:00
parent 6912bb1565
commit 02a6590271
23 changed files with 1164 additions and 1572 deletions


@ -1,15 +1,15 @@

CC = gcc.exe
LINK = gcc.exe
WINDRES = windres.exe
OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \
OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \
Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \
Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/pafish_private.res
LINKOBJ = $(OBJ)
LIBS = -L"C:/MinGW32/lib" -lwsock32 -liphlpapi -lsetupapi -lmpr -s
INCS = -I"C:/MinGW32/include"
BIN = Output/MingW/pafish.exe
CFLAGS = $(INCS) $(DEFINES) -O0
CFLAGS = $(INCS) $(DEFINES) -O1
all: $(BIN)
@ -27,6 +27,9 @@ Objects/MingW/main.o: $(GLOBALDEPS) main.c
Objects/MingW/common.o: $(GLOBALDEPS) common.c
$(CC) -c common.c -o Objects/MingW/common.o $(CFLAGS)
Objects/MingW/utils.o: $(GLOBALDEPS) utils.c
$(CC) -c utils.c -o Objects/MingW/utils.o $(CFLAGS)
Objects/MingW/debuggers.o: $(GLOBALDEPS) debuggers.c
$(CC) -c debuggers.c -o Objects/MingW/debuggers.o $(CFLAGS)


@ -6,8 +6,6 @@
#include "common.h"
int analysis_result = 0;
void init_cmd_colors() {
HANDLE handler = GetStdHandle(STD_OUTPUT_HANDLE);
SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
@ -29,7 +27,6 @@ void print_traced() {
SetConsoleTextAttribute(handler, 207);
printf("traced!\n");
SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
analysis_result = 2;
}
void print_not_traced() {
@ -44,9 +41,6 @@ void print_suspicious() {
SetConsoleTextAttribute(handler, 207);
printf("suspicious\n");
SetConsoleTextAttribute(handler, FOREGROUND_INTENSITY);
if (analysis_result == 0) {
analysis_result = 1;
}
}
void write_log(char msg[]) {


@ -16,6 +16,4 @@ void write_log(char msg[]);
void write_trace(char product[]);
extern int analysis_result;
#endif


@ -4,26 +4,25 @@
#include <windows.h>
#include "debuggers.h"
#include "types.h"
int debug_isdebuggerpresent() {
if (IsDebuggerPresent()) {
return 0;
}
else {
return 1;
}
if (IsDebuggerPresent())
return TRUE;
else
return FALSE;
}
/* This function is not used because it isn't reliable in
some new environments */
some new environments */
int debug_checkremotedebuggerpresent() {
BOOL isdebug = FALSE;
CheckRemoteDebuggerPresent(GetCurrentProcess(), &isdebug);
if (isdebug) {
return 0;
return TRUE;
}
else {
return 1;
return FALSE;
}
}
@ -34,9 +33,9 @@ int debug_outputdebugstring() {
drop an error. */
OutputDebugString("useless");
if (GetLastError() == err){
return 0;
return TRUE;
}
else {
return 1;
return FALSE;
}
}
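Review bot: Style: the braceless `if (IsDebuggerPresent()) return TRUE; else return FALSE;` at the top of the hunk reads more directly as `return IsDebuggerPresent() ? TRUE : FALSE;`, and the same collapse applies to the two-branch bodies of debug_checkremotedebuggerpresent and debug_outputdebugstring. Because this commit flips the convention from 0-means-detected to TRUE-means-detected, the prototypes in debuggers.h (not in this diff) should carry a comment such as `/* returns TRUE when a debugger is detected, FALSE otherwise */` so any caller outside main.c is not silently inverted. debug_outputdebugstring's opening is outside this hunk.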


@ -3,20 +3,21 @@
#include <winioctl.h>
#include <string.h>
#include "types.h"
#include "gensandbox.h"
int gensandbox_mouse_act() {
POINT position1, position2;
GetCursorPos(&position1);
Sleep(1750); /* Sleep time */
Sleep(2000); /* Sleep time */
GetCursorPos(&position2);
if ((position1.x == position2.x) && (position1.y == position2.y)) {
/* No mouse activity during the sleep */
return 0;
return TRUE;
}
else {
/* Mouse activity during the sleep */
return 1;
return FALSE;
}
}
@ -29,15 +30,15 @@ int gensandbox_username() {
username[i] = toupper(username[i]);
}
if (strstr(username, "SANDBOX") != NULL) {
return 0;
return TRUE;
}
if (strstr(username, "VIRUS") != NULL) {
return 0;
return TRUE;
}
if (strstr(username, "MALWARE") != NULL) {
return 0;
return TRUE;
}
return 1;
return FALSE;
}
int gensandbox_path() {
@ -49,15 +50,15 @@ int gensandbox_path() {
path[i] = toupper(path[i]);
}
if (strstr(path, "\\SAMPLE") != NULL) {
return 0;
return TRUE;
}
if (strstr(path, "\\VIRUS") != NULL) {
return 0;
return TRUE;
}
if (strstr(path, "SANDBOX") != NULL) {
return 0;
return TRUE;
}
return 1;
return FALSE;
}
int gensandbox_drive_size() {
@ -70,36 +71,25 @@ int gensandbox_drive_size() {
if (drive == INVALID_HANDLE_VALUE) {
// Someone is playing tricks. Or not enough privileges.
CloseHandle(drive);
return 1;
return FALSE;
}
result = DeviceIoControl(drive, IOCTL_DISK_GET_LENGTH_INFO, NULL, 0, &size,
sizeof(GET_LENGTH_INFORMATION), &lpBytesReturned, NULL);
CloseHandle(drive);
if (result != 0) {
if (size.Length.QuadPart / 1073741824 <= 50) { /* <= 50 GB */
return 0;
if (size.Length.QuadPart / 1073741824 <= 60) /* <= 60 GB */
return TRUE;
}
}
return 1;
return FALSE;
}
int gensandbox_drive_size2() {
ULARGE_INTEGER bytes_available;
ULARGE_INTEGER total_bytes;
ULARGE_INTEGER total_number_free_bytes;
if (GetDiskFreeSpaceExA("C:\\", &bytes_available, &total_bytes, &total_number_free_bytes))
if (GetDiskFreeSpaceExA("C:\\", NULL, &total_bytes, NULL))
{
if (bytes_available.QuadPart / 1073741824 <= 60) { /* <= 60 GB */
return 0;
if (total_bytes.QuadPart / 1073741824 <= 60) /* <= 60 GB */
return TRUE;
}
if (total_bytes.QuadPart / 1073741824 <= 60) { /* <= 60 GB */
return 0;
}
if (total_number_free_bytes.QuadPart / 1073741824 <= 60) { /* <= 60 GB */
return 0;
}
}
return 1;
return FALSE;
}
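Review bot: In gensandbox_drive_size the INVALID_HANDLE_VALUE branch still calls `CloseHandle(drive);` before `return FALSE;`; INVALID_HANDLE_VALUE is a sentinel returned by CreateFile, not a handle to release, so the call cannot succeed and should simply be removed. The function's opening, including the CreateFile call, is outside this hunk. The 60 GB threshold is spelled out as `/ 1073741824 <= 60` in both gensandbox_drive_size and gensandbox_drive_size2; a shared constant such as `enum { MIN_DISK_GB = 60 };` would stop the two checks drifting apart the way the 50/60 split did before this change.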


@ -2,6 +2,7 @@
#include <windows.h>
#include "hooks.h"
#include "types.h"
/* Thx Inaki for this! (@virtualminds_es) */
int check_hook_DeleteFileW_m1() {
@ -14,13 +15,13 @@ int check_hook_DeleteFileW_m1() {
BYTE *op = (BYTE *)*c;
if ((*op == 0x8b) && (*(op+1) == 0xff)) {
return 1;
return FALSE;
}
else {
return 0;
return TRUE;
}
}
else {
return 1;
return FALSE;
}
}


@ -4,6 +4,7 @@
#include <string.h>
#include <windows.h>
#include "types.h"
#include "common.h"
#include "debuggers.h"
@ -43,10 +44,11 @@ int main(int argc, char *argv[])
winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&winver);
snprintf(winverstr, sizeof(winverstr), "%d.%d build %d", winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
snprintf(winverstr, sizeof(winverstr)-sizeof(winverstr[0]), "%d.%d build %d",
winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
printf("[*] Windows version: %s\n", winverstr);
snprintf(aux, sizeof(aux), "Windows version: %s", winverstr);
snprintf(aux, sizeof(aux)-sizeof(aux[0]), "Windows version: %s", winverstr);
write_log(aux);
printf("[*] Running checks ...\n");
@ -54,337 +56,272 @@ int main(int argc, char *argv[])
/* Debuggers detection tricks */
printf("\n[-] Debuggers detection\n");
printf("[*] Using IsDebuggerPresent() ... ");
if (debug_isdebuggerpresent() == 0) {
if (debug_isdebuggerpresent() == TRUE) {
write_log("Debugger traced using IsDebuggerPresent()");
print_traced();
write_trace("hi_debugger_isdebuggerpresent");
}
else {
print_not_traced();
}
else print_not_traced();
/* This is only working on MS Windows systems prior to Vista */
if (winver.dwMajorVersion < 6) {
printf("[*] Using OutputDebugString() ... ");
if (debug_outputdebugstring() == 0) {
if (debug_outputdebugstring() == TRUE) {
write_log("Debugger traced using OutputDebugString()");
print_traced();
write_trace("hi_debugger_outputdebugstring");
}
else {
print_not_traced();
}
else print_not_traced();
}
/* Generic sandbox detection tricks */
printf("\n[-] Generic sandbox detection\n");
printf("[*] Using mouse activity ... ");
if (gensandbox_mouse_act() == 0) {
if (gensandbox_mouse_act() == TRUE) {
print_traced();
write_log("Sandbox traced using mouse activity");
write_trace("hi_sandbox_mouse_act");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Checking username ... ");
if (gensandbox_username() == 0) {
if (gensandbox_username() == TRUE) {
print_traced();
write_log("Sandbox traced by checking username");
write_trace("hi_sandbox_username");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Checking file path ... ");
if (gensandbox_path() == 0) {
if (gensandbox_path() == TRUE) {
print_traced();
write_log("Sandbox traced by checking file path");
write_trace("hi_sandbox_path");
}
else {
print_not_traced();
}
printf("[*] Checking if disk size <= 50GB ... ");
if (gensandbox_drive_size() == 0) {
else print_not_traced();
printf("[*] Checking if disk size <= 60GB via DeviceIoControl() ... ");
if (gensandbox_drive_size() == TRUE) {
print_traced();
write_log("Sandbox traced by checking disk size <= 50GB");
write_log("Sandbox traced by checking disk size <= 60GB via DeviceIoControl()");
write_trace("hi_sandbox_drive_size");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Checking if disk size by GetDiskFreeSpace <= 60GB ... ");
if (gensandbox_drive_size2() == 0) {
printf("[*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... ");
if (gensandbox_drive_size2() == TRUE) {
print_traced();
write_log("Sandbox traced by checking disk size GetDiskFreeSpace <= 60GB");
write_trace("hi_sandbox_drive_size_2");
}
else {
print_not_traced();
write_log("Sandbox traced by checking disk size <= 60GB via GetDiskFreeSpaceExA()");
write_trace("hi_sandbox_drive_size2");
}
else print_not_traced();
/* Hooks detection tricks */
printf("\n[-] Hooks detection\n");
printf("[*] Checking function DeleteFileW method 1 ... ");
if (check_hook_DeleteFileW_m1() == 0) {
if (check_hook_DeleteFileW_m1() == TRUE) {
print_traced();
write_log("Hooks traced using DeleteFileW method 1");
write_trace("hi_hooks_deletefile_m1");
}
else {
print_not_traced();
}
else print_not_traced();
/* Sandboxie detection tricks */
printf("\n[-] Sandboxie detection\n");
printf("[*] Using sbiedll.dll ... ");
if (sboxie_detect_sbiedll() == 0) {
write_log("Sandboxie traced using sbiedll.dll");
printf("[*] Using GetModuleHandle(sbiedll.dll) ... ");
if (sboxie_detect_sbiedll() == TRUE) {
write_log("Sandboxie traced using GetModuleHandle(sbiedll.dll)");
print_traced();
write_trace("hi_sandboxie");
}
else {
print_not_traced();
}
else print_not_traced();
/* Wine detection tricks */
printf("\n[-] Wine detection\n");
printf("[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... ");
if (wine_detect_get_unix_file_name() == 0) {
if (wine_detect_get_unix_file_name() == TRUE) {
write_log("Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll");
print_traced();
write_trace("hi_wine");
}
else {
print_not_traced();
}
else print_not_traced();
/* VirtualBox detection tricks */
printf("\n[-] VirtualBox detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (vbox_reg_key1() == 0) {
if (vbox_reg_key1() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (vbox_reg_key2() == 0) {
if (vbox_reg_key2() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions) ... ");
if (vbox_reg_key3() == 0) {
if (vbox_reg_key3() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\") ... ");
if (vbox_reg_key4() == 0) {
if (vbox_reg_key4() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\"");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ ... ");
if (vbox_reg_key5() == 0) {
if (vbox_reg_key5() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\SYSTEM\\CurrentControlSet\\Enum\\IDE ... ");
if (vbox_reg_key6() == 0) {
print_traced();
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__ ... ");
if (vbox_reg_key7() == 0) {
if (vbox_reg_key7() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__ ... ");
if (vbox_reg_key8() == 0) {
if (vbox_reg_key8() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox* ... ");
if (vbox_reg_key9() == 0) {
if (vbox_reg_key9(TRUE) == TRUE) {
/* Log written inside function */
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
if (vbox_sysfile1() == 0) {
printf("[*] Driver files in C:\\WINDOWS\\system32\\drivers\\VBox* ... ");
if (vbox_sysfile1(TRUE) == TRUE) {
/* Log written inside function */
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
if (vbox_sysfile2() == 0) {
printf("[*] Additional system files ... ");
if (vbox_sysfile2(TRUE) == TRUE) {
/* Log written inside function */
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Looking for MAC ");
if (vbox_mac() == 0) {
printf("[*] Looking for a MAC address starting with 08:00:27 ... ");
if (vbox_mac() == TRUE) {
write_log("VirtualBox traced using MAC address starting with 08:00:27");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Looking for pseudo device ");
if (vbox_pseudodev() == 0) {
printf("[*] Looking for pseudo devices ... ");
if (vbox_devices(TRUE) == TRUE) {
/* Log written inside function */
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Looking for pipe ");
if (vbox_pipe() == 0) {
printf("[*] Looking for VBoxTray windows ... ");
if (vbox_traywindow() == TRUE) {
write_log("VirtualBox traced using VBoxTray windows");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Looking for VBox tray tool window ");
if (vbox_traywindow() == 0) {
printf("[*] Looking for VBox network share ... ");
if (vbox_network_share() == TRUE) {
write_log("VirtualBox traced using its network share");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Looking for VBox network share ");
if (vbox_network_share() == 0) {
printf("[*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... ");
if (vbox_processes(TRUE) == TRUE) {
/* Log written inside function */
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Looking for VBox processes ");
if (vbox_processes() == 0) {
print_traced();
}
else {
print_not_traced();
}
printf("[*] Looking for guest tools ");
if (vbox_guest_tools() == 0) {
print_traced();
}
printf("[*] Looking for VBox devices ");
if (vbox_devices() == 0) {
print_traced();
}
else {
print_not_traced();
}
else print_not_traced();
/* VMware detection tricks */
printf("\n[-] VMware detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (vmware_reg_key1() == 0) {
if (vmware_reg_key1() == TRUE) {
write_log("VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools) ... ");
if (vmware_reg_key2() == 0) {
if (vmware_reg_key2() == TRUE) {
write_log("VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys ... ");
if (vmware_sysfile1() == 0) {
if (vmware_sysfile1() == TRUE) {
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... ");
if (vmware_sysfile2() == 0) {
if (vmware_sysfile2() == TRUE) {
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
else print_not_traced();
/* Qemu detection tricks */
printf("\n[-] Qemu detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (qemu_reg_key1() == 0) {
if (qemu_reg_key1() == TRUE) {
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced();
write_trace("hi_qemu");
}
else {
print_not_traced();
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (qemu_reg_key2() == 0) {
if (qemu_reg_key2() == TRUE) {
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced();
write_trace("hi_qemu");
}
else {
print_not_traced();
}
else print_not_traced();
printf("\n\n");
printf("[-] Finished, feel free to RE me.");
printf("[-] Feel free to RE me, check log file for more information.");
write_log("End");
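Review bot: In the GetVersionEx hunk at the top of this section, the rewritten snprintf still formats `winver.dwMajorVersion`, `winver.dwMinorVersion` and `winver.dwBuildNumber` with `%d`, but those OSVERSIONINFO members are DWORD (unsigned long); the format should be `"%lu.%lu build %lu"`. The `sizeof(winverstr)-sizeof(winverstr[0])` size argument is unnecessary — snprintf already reserves room for the terminator, so plain `sizeof(winverstr)` is the right bound and the subtraction only gives up one usable character; the same pattern is repeated on the `aux` buffer two lines below and in every snprintf added to vbox.c in this commit. Throughout the large hunk, `if (debug_isdebuggerpresent())` would be more robust than `== TRUE` should any check ever return a non-zero value other than 1. main's body begins and ends outside these hunks.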


@ -3,6 +3,7 @@
#include <string.h>
#include "qemu.h"
#include "types.h"
int qemu_reg_key1() {
HKEY regkey;
@ -20,18 +21,18 @@ int qemu_reg_key1() {
value[i] = toupper(value[i]);
}
if (strstr(value, "QEMU") != NULL) {
return 0;
return TRUE;
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}
@ -51,17 +52,17 @@ int qemu_reg_key2() {
value[i] = toupper(value[i]);
}
if (strstr(value, "QEMU") != NULL) {
return 0;
return TRUE;
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}


@ -2,12 +2,13 @@
#include <windows.h>
#include "sandboxie.h"
#include "types.h"
int sboxie_detect_sbiedll() {
if (GetModuleHandle("sbiedll.dll") != NULL) {
return 0;
return TRUE;
}
else {
return 1;
return FALSE;
}
}

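--- /dev/null
+++ b/pafish/types.h
@@ -0,0 +1,10 @@
+#ifndef TYPES_H
+#define TYPES_H
+#define TRUE 1
+#define FALSE 0
+typedef char * string;
+#endif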
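Review bot: `#define TRUE 1` and `#define FALSE 0` duplicate definitions that <windows.h> already provides, and every includer visible in this diff pulls in <windows.h> before "types.h"; an identical redefinition is legal C, but the header will start failing if either side ever changes, so wrap each macro in `#ifndef TRUE` / `#endif` (likewise for FALSE) or rely on the Windows definitions outright. `typedef char * string;` hides the pointer inside a type name; it is only used for the `strs[]` tables in vbox.c, where `const char *strs[count]` written out is clearer and also keeps the string literals read-only.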

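--- /dev/null
+++ b/pafish/utils.c
@@ -0,0 +1,30 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <windows.h>
+#include "utils.h"
+#include "types.h"
+inline int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
+HKEY regkey;
+LONG ret;
+ret = RegOpenKeyEx(hKey, regkey_s, 0, KEY_READ, &regkey);
+if (ret == ERROR_SUCCESS) {
+RegCloseKey(regkey);
+return TRUE;
+}
+else
+return FALSE;
+}
+inline int pafish_exists_file(char * filename) {
+DWORD ret;
+ret = GetFileAttributes(filename);
+if (ret != INVALID_FILE_ATTRIBUTES)
+return TRUE;
+else
+return FALSE;
+}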
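Review bot: Both helpers are defined with plain `inline` here and declared `inline` in utils.h, yet they are called from another translation unit (vbox.c, built as a separate utils.o target in the Makefile). Under C99/C11 inline semantics a function whose every declaration in its file says `inline` without `extern` produces no external definition, so vbox.o would not link; it presumably works only because this MinGW gcc still defaults to the legacy GNU inline rules, and it will break under `-std=c99` or a newer compiler. Drop the qualifier in both files and take the string arguments as read-only: `int pafish_exists_regkey(HKEY hKey, const char *regkey_s)` and `int pafish_exists_file(const char *filename)`. The same change applies to the two prototypes in utils.h.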

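--- /dev/null
+++ b/pafish/utils.h
@@ -0,0 +1,9 @@
+#ifndef UTILS_H
+#define UTILS_H
+inline int pafish_exists_regkey(HKEY hKey, char * regkey);
+inline int pafish_exists_file(char * filename);
+#endif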
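Review bot: The header uses `HKEY` in the pafish_exists_regkey prototype but includes nothing, so it only compiles when the includer has already pulled in <windows.h>; add `#include <windows.h>` directly after the include guard so the header is self-contained. A one-line comment on each prototype stating the convention, e.g. `/* returns TRUE if the key/file exists, FALSE otherwise */`, would also help since the return type is a bare int.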


@ -1,34 +1,15 @@
#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */
#include <winsock2.h>
#include <windows.h>
#include <winnetwk.h>
#include <string.h>
#include <stdio.h>
#include <iphlpapi.h>
#include <tlhelp32.h>
#include <setupapi.h>
#include <devguid.h>
#include <regstr.h>
#include "vbox.h"
typedef char * string;
void ToUpper(unsigned char* Pstr) {
char* P=(char*)Pstr;
unsigned long length;
unsigned long i;
if (Pstr == NULL)
return;
length=strlen(P);
for(i=0;i<length;i++) P[i]=toupper(P[i]);
return;
}
#include "utils.h"
#include "types.h"
/**
* SCSI registry key check
@ -49,18 +30,18 @@ int vbox_reg_key1() {
value[i] = toupper(value[i]);
}
if (strstr(value, "VBOX") != NULL) {
return 0;
return TRUE;
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}
@ -83,34 +64,26 @@ int vbox_reg_key2() {
value[i] = toupper(value[i]);
}
if (strstr(value, "VBOX") != NULL) {
return 0;
return TRUE;
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}
/**
* GuestAdditions key check
* VirtualBox Guest Additions key check
**/
int vbox_reg_key3() {
HKEY regkey;
LONG retu;
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Oracle\\VirtualBox Guest Additions", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
return 0;
}
else {
return 1;
}
return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "SOFTWARE\\Oracle\\VirtualBox Guest Additions");
}
/**
@ -132,18 +105,18 @@ int vbox_reg_key4() {
value[i] = toupper(value[i]);
}
if (strstr(value, "VIRTUALBOX") != NULL) {
return 0;
return TRUE;
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}
@ -151,153 +124,28 @@ int vbox_reg_key4() {
* ACPI Regkey detection
**/
int vbox_reg_key5() {
HKEY regkey;
LONG retu;
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\DSDT\\VBOX__", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
return 0;
}
else {
return 1;
}
}
/**
* IDE Registry key scanning
* http://0xmalware.blogspot.de/2013/10/cuckoo-sandbox-hardening-virtualbox.html
* https://twitter.com/waleedassar
**/
int vbox_reg_key6() {
HKEY HK=0;
int res=1;
unsigned long i;
char * message;
DWORD ValType;
long error;
char* subkey="SYSTEM\\CurrentControlSet\\Enum\\IDE";
if( (ERROR_SUCCESS==RegOpenKeyEx(HKEY_LOCAL_MACHINE,subkey,0,KEY_READ,&HK)) && HK ){
unsigned long n_subkeys=0;
unsigned long max_subkey_length=0;
if(ERROR_SUCCESS==RegQueryInfoKey(HK,0,0,0,&n_subkeys,&max_subkey_length,0,0,0,0,0,0)){
if(n_subkeys) { //Usually n_subkeys are 2
char* pNewKey=(char*)LocalAlloc(LMEM_ZEROINIT,max_subkey_length+1);
for(i=0;i<n_subkeys;i++) { //Usually n_subkeys are 2
memset(pNewKey,0,max_subkey_length+1);
HKEY HKK=0;
if(ERROR_SUCCESS==RegEnumKey(HK,i,pNewKey,max_subkey_length+1)) {
if((RegOpenKeyEx(HK,pNewKey,0,KEY_READ,&HKK)==ERROR_SUCCESS) && HKK) {
unsigned long nn=0;
unsigned long maxlen=0;
RegQueryInfoKey(HKK,0,0,0,&nn,&maxlen,0,0,0,0,0,0);
char* pNewNewKey=(char*)LocalAlloc(LMEM_ZEROINIT,maxlen+1);
if(RegEnumKey(HKK,0,pNewNewKey,maxlen+1)==ERROR_SUCCESS) {
HKEY HKKK=0;
if(RegOpenKeyEx(HKK,pNewNewKey,0,KEY_READ,&HKKK)==ERROR_SUCCESS) {
unsigned long size=0xFFFF;
unsigned char ValName[0x10000]={0};
if(RegQueryValueEx(HKKK,"FriendlyName",0,0,ValName,&size)==ERROR_SUCCESS) {
ToUpper(ValName);
if(strstr((char*)ValName,"VBOX")) {
message = (char*)LocalAlloc(LMEM_ZEROINIT,strlen(ValName)+200);
if (message) {
sprintf(message, "VBOX traced in IDE Registry based on FriendlyName containing VBOX %s ", ValName);
write_log(message);
LocalFree(message);
}
res = 0;
}
}
size = 0xFFFF;
error = RegQueryValueEx(HKKK,"HardwareID",0,&ValType,ValName,&size);
if(error==ERROR_SUCCESS) {
if (ValType == REG_MULTI_SZ){
char * sp = ValName;
while(strlen(sp)){
ToUpper(sp);
if(strstr((char*)sp,"VBOX")) {
message = (char*)LocalAlloc(LMEM_ZEROINIT,strlen(sp)+200);
if (message) {
sprintf(message, "VBOX traced in IDE Registry based on HardwareID containing VBOX %s ", sp);
write_log(message);
LocalFree(message);
}
res = 0;
}
sp = sp + strlen(sp) + 1;
}
}
}
else{
message = (char*)LocalAlloc(LMEM_ZEROINIT,200);
sprintf(message, "%d", error);
write_log(message);
LocalFree(message);
}
RegCloseKey(HKKK);
}
}
LocalFree(pNewNewKey);
RegCloseKey(HKK);
}
}
}
LocalFree(pNewKey);
}
}
RegCloseKey(HK);
}
if (res == 0) {
print_traced();
write_trace("hi_virtualbox");
}
return res;
return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\DSDT\\VBOX__");
}
/**
* FADT ACPI Regkey detection
**/
int vbox_reg_key7() {
HKEY regkey;
LONG retu;
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
return 0;
}
else {
return 1;
}
return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__");
}
/**
* RSDT ACPI Regkey detection
**/
int vbox_reg_key8() {
HKEY regkey;
LONG retu;
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\RSDT\\VBOX__", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
return 0;
}
else {
return 1;
}
return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\RSDT\\VBOX__");
}
/**
* Service Regkey detection
* VirtualBox Services Regkey detection
**/
int vbox_reg_key9() {
HKEY regkey;
int res = 1;
LONG retu;
int i;
int vbox_reg_key9(int writelogs) {
int res = FALSE, i;
const int count = 5;
char message[200];
@ -307,71 +155,49 @@ int vbox_reg_key9() {
strs[2] = "SYSTEM\\ControlSet001\\Services\\VBoxService";
strs[3] = "SYSTEM\\ControlSet001\\Services\\VBoxSF";
strs[4] = "SYSTEM\\ControlSet001\\Services\\VBoxVideo";
for (i=0;i<count; i++){
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, strs[i], 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
sprintf(message, "VirtualBox traced registry key %s", strs[i]);
write_log(message);
res = 0;
for (i=0; i < count; i++) {
if (pafish_exists_regkey(HKEY_LOCAL_MACHINE, strs[i])) {
snprintf(message, sizeof(message)-sizeof(message[0]), "VirtualBox traced using Reg key HKLM\\%s", strs[i]);
if (writelogs) write_log(message);
res = TRUE;
}
}
if (res == 0){
print_traced();
write_trace("hi_virtualbox");
}
return res;
}
/**
* VirtualBox Driver files in windows/system32
* VirtualBox driver files in \\WINDOWS\\system32\\drivers\\
**/
int vbox_sysfile1() {
int vbox_sysfile1(int writelogs) {
DWORD ret;
const int count = 4;
string strs[count];
int res = 1;
int res = FALSE, i = 0;
char message[200];
int i=0;
strs[0] = "C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys";
strs[1] = "C:\\WINDOWS\\system32\\drivers\\VBoxGuest.sys";
strs[2] = "C:\\WINDOWS\\system32\\drivers\\VBoxSF.sys";
strs[3] = "C:\\WINDOWS\\system32\\drivers\\VBoxVideo.sys";
for (i=0; i < count; i++){
sprintf(message, "[*] Looking for %s ... ", strs[i]);
printf(message);
ret = GetFileAttributes(strs[i]);
if (ret != INVALID_FILE_ATTRIBUTES) {
sprintf(message, "VirtualBox traced using driver file %s", strs[i]);
write_log(message);
print_traced();
write_trace("hi_virtualbox");
res = 0;
for (i=0; i < count; i++) {
if (pafish_exists_file(strs[i])) {
snprintf(message, sizeof(message)-sizeof(message[0]), "VirtualBox traced using driver file %s", strs[i]);
if (writelogs) write_log(message);
res = TRUE;
}
}
return res;
}
/**
* VirtualBox files in windows/system32
* VirtualBox other system files
**/
int vbox_sysfile2() {
int vbox_sysfile2(int writelogs) {
DWORD ret;
const int count = 12;
const int count = 14;
string strs[count];
int res = 1;
int res = FALSE, i = 0;
char message[200];
int i=0;
strs[0] = "C:\\WINDOWS\\system32\\vboxdisp.dll";
strs[1] = "C:\\WINDOWS\\system32\\vboxhook.dll";
@ -385,19 +211,16 @@ int vbox_sysfile2() {
strs[9] = "C:\\WINDOWS\\system32\\vboxoglpassthroughspu.dll";
strs[10] = "C:\\WINDOWS\\system32\\vboxservice.exe";
strs[11] = "C:\\WINDOWS\\system32\\vboxtray.exe";
for (i=0; i < count; i++){
sprintf(message, "[*] Looking for %s ... ", strs[i]);
printf(message);
ret = GetFileAttributes(strs[i]);
if (ret != INVALID_FILE_ATTRIBUTES) {
sprintf(message, "VirtualBox traced using file %s", strs[i]);
write_log(message);
print_traced();
write_trace("hi_virtualbox");
res = 0;
strs[12] = "C:\\WINDOWS\\system32\\VBoxControl.exe";
strs[13] = "C:\\program files\\oracle\\virtualbox guest additions\\";
for (i = 0; i < count; i++) {
if (pafish_exists_file(strs[i])) {
snprintf(message, sizeof(message)-sizeof(message[0]), "VirtualBox traced using system file %s", strs[i]);
if (writelogs) write_log(message);
res = TRUE;
}
}
return res;
}
/**
@ -405,83 +228,59 @@ int vbox_sysfile2() {
**/
int vbox_mac() {
WSADATA WSD;
int res=1;
int res = FALSE;
char mac[6]={0};
if(!WSAStartup(MAKEWORD(2,2),&WSD)){
unsigned long alist_size=0;
// getting the size of the adapter list
unsigned long alist_size = 0;
int ret = GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,0,&alist_size);
if(ret==ERROR_BUFFER_OVERFLOW) {
IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size);
if(palist) {
ret=GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,palist,&alist_size);
IP_ADAPTER_ADDRESSES* ppalist=palist;
while (ppalist){
if (ppalist->PhysicalAddressLength==0x6){
memcpy(mac,ppalist->PhysicalAddress,6);
memcpy(mac,ppalist->PhysicalAddress,0x6);
if(mac[0]==0x08 && mac[1]==0x00 && mac[2]==0x27) { // VirtualBox mac starts with 08:00:27
write_log("VirtualBox traced using MAC starting with 08:00:27");
res = 0;
res = TRUE;
break;
}
}
ppalist = ppalist->Next;
}
LocalFree(palist);
}
}
if (res == 0){
print_traced();
write_trace("hi_virtualbox");
}
WSACleanup();
}
return res;
}
/**
* Checking for the VirtualBox pseudo device VBoxMiniRdrDN
* https://twitter.com/waleedassar
* VirtualBox devices
**/
int vbox_pseudodev() {
int res=1;
int vbox_devices(int writelogs) {
HANDLE h;
const int count = 4;
string strs[count];
int res = FALSE, i = 0;
char message[200];
h = CreateFile("\\\\.\\VBoxMiniRdrDN", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h != INVALID_HANDLE_VALUE){
write_log("VBoxMiniRdrDN pseudo device detected");
print_traced();
write_trace("hi_virtualbox");
res = 0;
CloseHandle(h);
/* Got this list from https://github.com/cuckoobox/community/blob/master/modules/signatures/antivm_vbox_devices.py */
strs[0] = "\\\\.\\VBoxMiniRdrDN";
strs[1] = "\\\\.\\pipe\\VBoxMiniRdDN";
strs[2] = "\\\\.\\VBoxTrayIPC";
strs[3] = "\\\\.\\pipe\\VBoxTrayIPC";
for (i=0; i < count; i++) {
h = CreateFile(strs[i], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h != INVALID_HANDLE_VALUE) {
snprintf(message, sizeof(message)-sizeof(message[0]), "VirtualBox traced using device %s", strs[i]);
if (writelogs) write_log(message);
res = TRUE;
}
return res;
}
/**
* Checking for the VirtualBox pipe
* https://twitter.com/waleedassar
**/
int vbox_pipe() {
int res=1;
HANDLE h;
h = CreateFile("\\\\.\\pipe\\VBoxTrayIPC", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h != INVALID_HANDLE_VALUE){
write_log("VirtualBox VBoxTrayIPC pipe detected");
print_traced();
write_trace("hi_virtualbox");
res = 0;
CloseHandle(h);
}
return res;
}
/**
@ -489,212 +288,67 @@ int vbox_pipe() {
* https://twitter.com/waleedassar
**/
int vbox_traywindow() {
int res=1;
HWND h1;
HWND h2;
h1 = FindWindow("VBoxTrayToolWndClass", 0);
h2 = FindWindow(0, "VBoxTrayToolWnd");
if (h1 || h2){
write_log("VirtualBox Tray tool window detected");
print_traced();
write_trace("hi_virtualbox");
res = 0;
}
return res;
HWND h1, h2;
h1 = FindWindow("VBoxTrayToolWndClass", NULL);
h2 = FindWindow(NULL, "VBoxTrayToolWnd");
if (h1 || h2) return TRUE;
else return FALSE;
}
/**
* Checking network shared
* https://twitter.com/waleedassar
**/
int vbox_network_share() {
int res=1;
unsigned long pnsize = 0x1000;
char provider[pnsize];
/* a0rtega : any reason for this to be in the heap :?, changed to stack */
//char * provider = (char *)LocalAlloc(LMEM_ZEROINIT, pnsize);
unsigned long pnsize=0x1000;
char * provider=(char *)LocalAlloc(LMEM_ZEROINIT, pnsize);
int retv = WNetGetProviderName(WNNC_NET_RDR2SAMPLE, provider, &pnsize);
if (retv==NO_ERROR){
if (lstrcmpi(provider, "VirtualBox Shared Folders") == 0){
write_log("VirtualBox shared folder detected");
print_traced();
write_trace("hi_virtualbox");
res = 0;
if (retv == NO_ERROR) {
if (lstrcmpi(provider, "VirtualBox Shared Folders") == 0) {
//LocalFree(provider);
return TRUE;
}
else {
//LocalFree(provider);
return FALSE;
}
}
return res;
return FALSE;
}
/**
* Checking for virtual box processes
**/
int vbox_processes() {
int res=1;
int vbox_processes(int writelogs) {
int res = FALSE;
HANDLE hpSnap;
PROCESSENTRY32 pentry;
hpSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if (hpSnap != INVALID_HANDLE_VALUE){
if (hpSnap != INVALID_HANDLE_VALUE) {
pentry.dwSize = sizeof (PROCESSENTRY32);
}
else {
return FALSE;
}
if( !Process32First( hpSnap, &pentry ) ){
if(!Process32First(hpSnap, &pentry)) {
CloseHandle(hpSnap);
return 0;
return FALSE;
}
do {
if (lstrcmpi(pentry.szExeFile, "vboxservice.exe") == 0){
write_log("vboxservice.exe process detected");
res = 0;
if (lstrcmpi(pentry.szExeFile, "vboxservice.exe") == 0) {
write_log("VirtualBox traced using vboxservice.exe process");
res = TRUE;
}
if (lstrcmpi(pentry.szExeFile, "vboxtray.exe") == 0){
write_log("vboxtray.exe process detected");
res = 0;
}
} while( Process32Next( hpSnap, &pentry ) );
if (res == 0){
print_traced();
write_trace("hi_virtualbox");
}
return res;
}
/**
* Checking for the VBoxControl and other vbox tools
**/
int vbox_guest_tools() {
int res=1;
HANDLE h;
h = CreateFile("c:\\windows\\system32\\VBoxControl.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h != INVALID_HANDLE_VALUE){
write_log("VirtualBox VBoxControl.exe detected");
print_traced();
write_trace("hi_virtualbox");
res = 0;
CloseHandle(h);
}
h = CreateFile("c:\\program files\\oracle\\virtualbox guest additions\\VBoxDrvInst.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h != INVALID_HANDLE_VALUE){
write_log("VirtualBox VBoxDrvInst.exe detected");
print_traced();
write_trace("hi_virtualbox");
res = 0;
CloseHandle(h);
}
h = CreateFile("c:\\program files\\oracle\\virtualbox guest additions\\VBoxWHQLFake.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h != INVALID_HANDLE_VALUE){
write_log("VirtualBox VBoxWHQLFake.exe detected");
print_traced();
write_trace("hi_virtualbox");
res = 0;
CloseHandle(h);
}
return res;
}
/**
* Helper function to get device propery. Free return buffer after use ! Only for REG_SZ data
*
*
**/
LPTSTR device_property(HDEVINFO hDevInfo, SP_DEVINFO_DATA DevInfoData, DWORD property){
LPTSTR buffer = NULL;
DWORD buffersize = 0;
DWORD DataT;
while (!SetupDiGetDeviceRegistryProperty(
hDevInfo,
&DevInfoData,
property,
&DataT,
(PBYTE) buffer,
buffersize,
&buffersize
)){
if (GetLastError () == ERROR_INSUFFICIENT_BUFFER){
if (buffer) LocalFree(buffer);
buffer = LocalAlloc (LPTR, buffersize * 2);
}
else
{
break;
}
}
return buffer;
}
/**
* VBox devices
*
* http://support.microsoft.com/kb/259695/EN-US
**/
int vbox_devices() {
int res=1;
HDEVINFO hDevInfo;
DWORD i;
SP_DEVINFO_DATA DevInfoData;
hDevInfo = SetupDiGetClassDevs(NULL, 0, 0, DIGCF_PRESENT | DIGCF_ALLCLASSES);
if (hDevInfo == INVALID_HANDLE_VALUE){
return res;
}
DevInfoData.cbSize = sizeof(SP_DEVINFO_DATA);
// Enum devices
for (i=0; SetupDiEnumDeviceInfo(hDevInfo, i, &DevInfoData); i++){
LPTSTR buffer = NULL;
DWORD properties[] = {SPDRP_CLASS, SPDRP_CLASSGUID, SPDRP_DEVICEDESC, SPDRP_ENUMERATOR_NAME, SPDRP_FRIENDLYNAME, SPDRP_LOCATION_INFORMATION, SPDRP_MFG, SPDRP_PHYSICAL_DEVICE_OBJECT_NAME, SPDRP_SERVICE};
int prop;
const int max_prop = 9;
char * message;
for (prop=0; prop < max_prop ; prop ++){
buffer = device_property(hDevInfo, DevInfoData, properties[prop]);
if (buffer != NULL){
ToUpper(buffer);
if ((strstr((char *)buffer, "VBOX")) ||
(strstr((char *)buffer, "VIRTUALBOX"))){
message = (char*)LocalAlloc(LMEM_ZEROINIT,strlen(buffer)+200);
if (message) {
sprintf(message, "VBOX traced by device property %s ", buffer);
write_log(message);
LocalFree(message);
}
res = 0;
}
LocalFree(buffer);
buffer = NULL;
}
}
}
// Cleanup
SetupDiDestroyDeviceInfoList(hDevInfo);
if (res == 0){
print_traced();
write_trace("hi_virtualbox");
if (lstrcmpi(pentry.szExeFile, "vboxtray.exe") == 0) {
write_log("VirtualBox traced using vboxtray.exe process");
res = TRUE;
}
} while (Process32Next(hpSnap, &pentry));
return res;
}


@ -3,41 +3,25 @@
#define VBOX_H
int vbox_reg_key1();
int vbox_reg_key2();
int vbox_reg_key3();
int vbox_reg_key4();
int vbox_reg_key5();
int vbox_reg_key6();
int vbox_reg_key7();
int vbox_reg_key8();
int vbox_reg_key9(int writelogs);
int vbox_reg_key9();
int vbox_sysfile1();
int vbox_sysfile2();
int vbox_sysfile1(int writelogs);
int vbox_sysfile2(int writelogs);
int vbox_mac();
int vbox_pseudodev();
int vbox_pipe();
int vbox_devices(int writelogs);
int vbox_traywindow();
int vbox_network_share();
int vbox_processes();
int vbox_guest_tools();
int vbox_devices();
int vbox_processes(int writelogs);
#endif
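Review bot: After this change the header still declares the zero-argument checks with empty parentheses (`int vbox_mac();`, `int vbox_pipe();`, `int vbox_traywindow();` …), which in C11 is a non-prototype declaration: the compiler cannot diagnose a call site that passes an argument by mistake, a real hazard in a commit that is adding an `int writelogs` parameter to some of these same functions. Since the signatures are being edited anyway, the parameterless ones should read `int vbox_pipe(void);`. `vbox_reg_key9` appears both as `int vbox_reg_key9(int writelogs);` and `int vbox_reg_key9();` and the rendered page does not show which side survives; whichever does must match the definition in vbox.c, which is not in this chunk. A one-line comment at the top of the declaration list saying that every check returns TRUE when the VirtualBox artifact is found would also document the return convention the commit introduces.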


@ -3,6 +3,8 @@
#include <string.h>
#include "vmware.h"
#include "types.h"
#include "utils.h"
int vmware_reg_key1() {
HKEY regkey;
@ -20,51 +22,29 @@ int vmware_reg_key1() {
value[i] = toupper(value[i]);
}
if (strstr(value, "VMWARE") != NULL) {
return 0;
return TRUE;
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}
int vmware_reg_key2() {
HKEY regkey;
LONG retu;
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
return 0;
}
else {
return 1;
}
return pafish_exists_regkey(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools");
}
int vmware_sysfile1() {
DWORD ret;
ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
if (ret != INVALID_FILE_ATTRIBUTES) {
return 0;
}
else {
return 1;
}
return pafish_exists_file("C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
}
int vmware_sysfile2() {
DWORD ret;
ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
if (ret != INVALID_FILE_ATTRIBUTES) {
return 0;
}
else {
return 1;
}
return pafish_exists_file("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
}
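Review bot: None of the detection functions in this file document their return convention, and the commit inverts it (`0` meant detected before, `TRUE` means detected now), so a reader can no longer tell from the signature alone; a one-line comment above each definition, e.g. `/* Returns TRUE when the VMware Tools registry key exists, FALSE otherwise. */` above `vmware_reg_key2`, would pin it. The three one-line delegations to `pafish_exists_regkey`/`pafish_exists_file` are only correct if those helpers return the same TRUE/FALSE values from types.h; the helpers are not in this chunk, so that is worth confirming, as is whether `pafish_exists_regkey` closes the key it opens (the body it replaces never called `RegCloseKey` on `regkey`). The second hunk starts inside `vmware_reg_key1`, whose opening lines sit in the first hunk above; there the `if/else` ladder that maps the `strstr` test onto `TRUE`/`FALSE` could be the single line `return strstr(value, "VMWARE") != NULL;` provided types.h defines TRUE and FALSE as 1 and 0.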


@ -2,19 +2,20 @@
#include <windows.h>
#include "wine.h"
#include "types.h"
int wine_detect_get_unix_file_name() {
HMODULE k32;
k32 = GetModuleHandle("kernel32.dll");
if (k32 != NULL) {
if (GetProcAddress(k32, "wine_get_unix_file_name") != NULL) {
return 0;
return TRUE;
}
else {
return 1;
return FALSE;
}
}
else {
return 1;
return FALSE;
}
}
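Review bot: The nested `if/else` ladder in `wine_detect_get_unix_file_name` now exists only to map a pointer test onto `TRUE`/`FALSE`; provided types.h defines them as 1 and 0 (the header is not in this chunk), the body collapses to `return k32 != NULL && GetProcAddress(k32, "wine_get_unix_file_name") != NULL;`, which also removes two levels of nesting. Like the other detection routines this commit touches, the function carries no comment stating that `TRUE` now means Wine was detected, the opposite of the old `0`-on-detection convention; a one-line comment above the definition would make that explicit for callers.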