mirrors/pafish
1
0
Fork 0
mirror of https://github.com/a0rtega/pafish synced 2024-11-22 14:21:19 +03:00
Code Issues Packages Projects Releases Wiki Activity

Added HackingTeam anti-VM WMI checks

Browse Source 
- VirtualBox check of the device identifiers
- VMWare check of the serial number
This commit is contained in:
Duarte Silva 2015-07-10 15:21:06 +01:00
parent 28d2889d0d
commit 229e1eb751
12 changed files with 212 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pafish/Makefile.linux
View File

@ -6,7 +6,7 @@ OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Ob
Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \ Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \
Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/pafish_private.res Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/pafish_private.res
LINKOBJ = $(OBJ) LINKOBJ = $(OBJ)
LIBS = -lwsock32 -liphlpapi -lsetupapi -lmpr -s LIBS = -lwsock32 -liphlpapi -lsetupapi -lmpr -lole32 -lwbemuuid -loleaut32 -s
INCS = INCS =
BIN = Output/MingW/pafish.exe BIN = Output/MingW/pafish.exe
CFLAGS = $(INCS) -Wall -Wextra -O0 CFLAGS = $(INCS) -Wall -Wextra -O0

2
pafish/Makefile.win
View File

@ -6,7 +6,7 @@ OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Ob
Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \ Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \
Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/pafish_private.res Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/pafish_private.res
LINKOBJ = $(OBJ) LINKOBJ = $(OBJ)
LIBS = -lwsock32 -liphlpapi -lsetupapi -lmpr -s LIBS = -lwsock32 -liphlpapi -lsetupapi -lmpr -lole32 -lwbemuuid -loleaut32 -s
INCS = INCS =
BIN = Output/MingW/pafish.exe BIN = Output/MingW/pafish.exe
CFLAGS = $(INCS) -Wall -Wextra -O0 CFLAGS = $(INCS) -Wall -Wextra -O0

1
pafish/gensandbox.c
View File

@ -7,6 +7,7 @@
#include <stdint.h> #include <stdint.h>
#include <stdio.h> #include <stdio.h>
#include <ctype.h> #include <ctype.h>
#include <wbemidl.h>
#include "types.h" #include "types.h"
#include "gensandbox.h" #include "gensandbox.h"

17
pafish/main.c
View File

@ -3,6 +3,7 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <windows.h> #include <windows.h>
#include <wbemidl.h>
#include "types.h" #include "types.h"
#include "common.h" #include "common.h"
@ -367,6 +368,14 @@ int main(void)
} }
else print_not_traced(); else print_not_traced();
printf("[*] Looking for VBox devices using WMI ... ");
if (vbox_wmi_devices() == TRUE) {
write_log("VirtualBox device identifiers traced using WMI");
print_traced();
write_trace("hi_virtualbox_wmi");
}
else print_not_traced();
/* VMware detection tricks */ /* VMware detection tricks */
printf("\n[-] VMware detection\n"); printf("\n[-] VMware detection\n");
printf("[*] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... "); printf("[*] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... ");
@ -417,6 +426,14 @@ int main(void)
} }
else print_not_traced(); else print_not_traced();
printf("[*] Looking for VMware serial number ... ");
if (vmware_wmi_serial() == TRUE) {
write_log("VMware serial number traced using WMI");
print_traced();
write_trace("hi_vmware_wmi");
}
else print_not_traced();
/* Qemu detection tricks */ /* Qemu detection tricks */
printf("\n[-] Qemu detection\n"); printf("\n[-] Qemu detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");

1
pafish/qemu.c
View File

@ -1,6 +1,7 @@
#include <windows.h> #include <windows.h>
#include <string.h> #include <string.h>
#include <wbemidl.h>
#include "qemu.h" #include "qemu.h"
#include "types.h" #include "types.h"

104
pafish/utils.c
View File

@ -8,6 +8,7 @@
#include <ctype.h> #include <ctype.h>
#include <iphlpapi.h> #include <iphlpapi.h>
#include <tlhelp32.h> #include <tlhelp32.h>
#include <wbemidl.h>
#include "utils.h" #include "utils.h"
#include "types.h" #include "types.h"
@ -177,3 +178,106 @@ int pafish_check_mac_vendor(char * mac_vendor) {
return res; return res;
} }
/**
* Initialise the WMI client that will connect to the local machine WMI
* namespace. It will return TRUE if the connection was successful, FALSE
* otherwise.
*/
int wmi_initialize(const wchar_t *query_namespace, IWbemServices **services) {
BSTR namespace;
IWbemLocator *locator = NULL;
int result;
HRESULT hresult = CoInitializeEx(0, COINIT_MULTITHREADED);
if (FAILED(hresult)) {
return FALSE;
}
hresult = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT,
RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
if (FAILED(hresult)) {
CoUninitialize();
return FALSE;
}
hresult = CoCreateInstance(&CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER,
&IID_IWbemLocator, (LPVOID *) & locator);
if (FAILED(hresult)) {
CoUninitialize();
return FALSE;
}
namespace = SysAllocString(query_namespace);
// Connect to the namespace with the current user and obtain pointer
// services to make IWbemServices calls.
hresult = locator->lpVtbl->ConnectServer(locator, namespace, NULL, NULL, NULL, 0,
NULL, NULL, services);
result = FAILED(hresult) ? FALSE : TRUE;
SysFreeString(namespace);
locator->lpVtbl->Release(locator);
return result;
}
/**
* Execute the suplied WMI query and call the row checking function for each row returned.
*/
int wmi_check_query(IWbemServices *services, const wchar_t *language, const wchar_t *query,
wmi_check_row check_row) {
int status = FALSE;
IEnumWbemClassObject *queryrows = NULL;
IWbemClassObject * batchrows[10];
BSTR wmilang = SysAllocString(language);
BSTR wmiquery = SysAllocString(query);
// Execute the query.
HRESULT result = services->lpVtbl->ExecQuery(
services, wmilang, wmiquery, WBEM_FLAG_BIDIRECTIONAL, NULL, &queryrows);
if (!FAILED(result) && (queryrows != NULL)) {
ULONG index, count = 0;
result = WBEM_S_NO_ERROR;
while (WBEM_S_NO_ERROR == result && status == FALSE) {
// Retrieve 10 rows (instances) each time.
result = queryrows->lpVtbl->Next(queryrows, WBEM_INFINITE, 10,
batchrows, &count);
if (!SUCCEEDED(result)) {
continue;
}
for (index = 0; index < count && status == FALSE; index++) {
status = check_row(batchrows[index]);
batchrows[index]->lpVtbl->Release(batchrows[index]);
}
}
queryrows->lpVtbl->Release(queryrows);
}
SysFreeString(wmiquery);
SysFreeString(wmilang);
return status;
}
/**
* Cleanup WMI.
*/
void wmi_cleanup(IWbemServices *services) {
if (services != NULL) {
services->lpVtbl->Release(services);
}
CoUninitialize();
}

13
pafish/utils.h
View File

@ -16,4 +16,17 @@ inline int pafish_exists_file(char * filename);
int pafish_check_mac_vendor(char * mac_vendor); int pafish_check_mac_vendor(char * mac_vendor);
/**
* Prototype for the WMI caller implemented function for checking the
* WMI query results.
*/
typedef int (*wmi_check_row) (IWbemClassObject *);
int wmi_initialize(const wchar_t *, IWbemServices **);
int wmi_check_query(IWbemServices *, const wchar_t *, const wchar_t *,
wmi_check_row check_row);
void wmi_cleanup(IWbemServices *);
#endif #endif

34
pafish/vbox.c
View File

@ -5,6 +5,7 @@
#include <string.h> #include <string.h>
#include <stdio.h> #include <stdio.h>
#include <tlhelp32.h> #include <tlhelp32.h>
#include <wbemidl.h>
#include "vbox.h" #include "vbox.h"
#include "utils.h" #include "utils.h"
@ -251,3 +252,36 @@ int vbox_processes(int writelogs) {
return res; return res;
} }
/**
* Check if the device identifier ("PCI\\VEN_80EE&DEV_CAFE") in the returned rows.
*/
int vbox_wmi_check_row(IWbemClassObject *row) {
CIMTYPE type = CIM_ILLEGAL;
VARIANT value;
HRESULT hresult = row->lpVtbl->Get(row, L"DeviceId", 0, &value, &type, 0);
if (FAILED(hresult) || V_VT(&value) == VT_NULL || type != CIM_STRING) {
return FALSE;
}
return (wcsstr(V_BSTR(&value), L"PCI\\VEN_80EE&DEV_CAFE") != NULL) ? TRUE : FALSE;
}
/**
* Check for devices VirtualBox devices using WMI.
*/
int vbox_wmi_devices() {
IWbemServices *services = NULL;
if (wmi_initialize(L"root\\cimv2", &services) != TRUE) {
return FALSE;
}
int result = wmi_check_query(services, L"WQL", L"SELECT DeviceId FROM Win32_PnPEntity",
&vbox_wmi_check_row);
wmi_cleanup(services);
return result;
}

2
pafish/vbox.h
View File

@ -25,4 +25,6 @@ int vbox_network_share();
int vbox_processes(int writelogs); int vbox_processes(int writelogs);
int vbox_wmi_devices();
#endif #endif

35
pafish/vmware.c
View File

@ -2,6 +2,7 @@
#include <windows.h> #include <windows.h>
#include <string.h> #include <string.h>
#include <stdio.h> #include <stdio.h>
#include <wbemidl.h>
#include "vmware.h" #include "vmware.h"
#include "types.h" #include "types.h"
@ -74,3 +75,37 @@ int vmware_devices(int writelogs) {
} }
return res; return res;
} }
/**
* Check the serial number ("VMware") in the returned rows.
*/
int vmware_wmi_check_row(IWbemClassObject *row) {
CIMTYPE type = CIM_ILLEGAL;
VARIANT value;
HRESULT hresult = row->lpVtbl->Get(row, L"SerialNumber", 0, &value, &type, 0);
if (FAILED(hresult) || V_VT(&value) == VT_NULL || type != CIM_STRING) {
return FALSE;
}
return (wcsstr(V_BSTR(&value), L"VMware") != NULL) ? TRUE : FALSE;
}
/**
* Check for the computer serial using WMI.
*/
int vmware_wmi_serial() {
IWbemServices *services = NULL;
if (wmi_initialize(L"root\\cimv2", &services) != TRUE) {
return FALSE;
}
int result = wmi_check_query(services, L"WQL", L"SELECT SerialNumber FROM Win32_Bios",
&vmware_wmi_check_row);
wmi_cleanup(services);
return result;
}

2
pafish/vmware.h
View File

@ -14,4 +14,6 @@ int vmware_mac();
int vmware_devices(); int vmware_devices();
int vmware_wmi_serial();
#endif #endif

1
pafish/wine.c
View File

@ -1,5 +1,6 @@
#include <windows.h> #include <windows.h>
#include <wbemidl.h>
#include "wine.h" #include "wine.h"
#include "types.h" #include "types.h"