diff --git a/pafish/main.c b/pafish/main.c
index 477392b..89ffcb6 100644
--- a/pafish/main.c
+++ b/pafish/main.c
@@ -194,6 +194,12 @@ int main(int argc, char *argv[])
 else {
 print_not_traced();
 }
+
+ if (vbox_sysfile2() == 0) {
+ }
+ else {
+ print_not_traced();
+ }
 
 /* VMware detection tricks */
 printf("\n[-] VMware detection\n");
diff --git a/pafish/vbox.c b/pafish/vbox.c
index bc83868..36efadd 100644
--- a/pafish/vbox.c
+++ b/pafish/vbox.c
@@ -111,6 +111,9 @@ int vbox_reg_key4() {
 }
 }
 
+/**
+* VirtualBox Driver files in windows/system32
+**/
 int vbox_sysfile1() {
 DWORD ret;
 
@@ -126,6 +129,48 @@ int vbox_sysfile1() {
 strs[3] = "C:\\WINDOWS\\system32\\drivers\\VBoxVideo.sys";
 
+ for (i=0; i < count; i++){
+ sprintf(message, "[*] Looking for %s ... ", strs[i]);
+ printf(message);
+ ret = GetFileAttributes(strs[i]);
+ if (ret != INVALID_FILE_ATTRIBUTES) {
+ sprintf(message, "VirtualBox traced using driver file %s", strs[i]);
+ write_log(message);
+ print_traced();
+ write_trace("hi_virtualbox");
+ res = 0;
+ }
+ }
+
+ return res;
+
+}
+
+/**
+* VirtualBox files in windows/system32
+**/
+int vbox_sysfile2() {
+ DWORD ret;
+
+ const int count = 12;
+ string strs[count];
+ int res = 1;
+ char message[200];
+ int i=0;
+
+ strs[0] = "C:\\WINDOWS\\system32\\vboxdisp.dll";
+ strs[1] = "C:\\WINDOWS\\system32\\vboxhook.dll";
+ strs[2] = "C:\\WINDOWS\\system32\\vboxmrxnp.dll";
+ strs[3] = "C:\\WINDOWS\\system32\\vboxogl.dll";
+ strs[4] = "C:\\WINDOWS\\system32\\vboxoglarrayspu.dll";
+ strs[5] = "C:\\WINDOWS\\system32\\vboxoglcrutil.dll";
+ strs[6] = "C:\\WINDOWS\\system32\\vboxoglerrorspu.dll";
+ strs[7] = "C:\\WINDOWS\\system32\\vboxoglfeedbackspu.dll";
+ strs[8] = "C:\\WINDOWS\\system32\\vboxoglpackspu.dll";
+ strs[9] = "C:\\WINDOWS\\system32\\vboxoglpassthroughspu.dll";
+ strs[10] = "C:\\WINDOWS\\system32\\vboxservice.exe";
+ strs[11] = "C:\\WINDOWS\\system32\\vboxtray.exe";
+
 for (i=0; i < count; i++){
 sprintf(message, "[*] Looking for %s ... ", strs[i]);
 printf(message);
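Review bot: The added check in main.c carries an empty then-branch, `if (vbox_sysfile2() == 0) { }`, so the only live statement sits in the else; `if (vbox_sysfile2() != 0) { print_not_traced(); }` expresses the same thing without the empty block. The check directly above it (a context line) uses the same empty-branch shape, so keeping the added block as written at least stays consistent with what main() already does; if the shape is changed, it should change in both places. The 0-means-traced sense of the call is not stated anywhere in this hunk; a one-line comment such as `/* vbox_sysfile2() returns 0 when a VirtualBox file was found, non-zero otherwise */` would make the inverted condition readable. main()'s body begins and ends outside the hunk, and the prototype that makes vbox_sysfile2 visible to main.c presumably lives in a header that is not part of this diff.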
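Review bot: The Doxygen-style comment added above vbox_sysfile1 in the first vbox.c hunk names the subject but not the contract the caller relies on: main.c tests the result with `== 0`, and the body in the following hunk starts from `res = 1` and drops to `res = 0` when GetFileAttributes succeeds for one of the listed paths. A comment along the lines of `/** Look for VirtualBox driver files in windows/system32. Returns 0 when at least one is present (traced), 1 otherwise. */` would document that, and the matching comment added above vbox_sysfile2 should say the same for the non-driver file list. The opening `/**` with `**/` as the closer is accepted by Doxygen but differs from the usual `*/`; worth aligning with whatever the rest of vbox.c uses, which is outside this hunk. vbox_sysfile1's body begins and ends outside this hunk.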