From 2902f5f21fac66b843163fc240d54465d994a8fe Mon Sep 17 00:00:00 2001
From: Thorsten Sick
Date: Mon, 17 Feb 2014 09:56:19 +0100
Subject: [PATCH] Added pseudo-device vm detection
---
 pafish/main.c | 7 +++++++
 pafish/vbox.c | 18 ++++++++++++++++++
 pafish/vbox.h | 2 ++
 3 files changed, 27 insertions(+)
diff --git a/pafish/main.c b/pafish/main.c
index a7cf297..95697e2 100644
--- a/pafish/main.c
+++ b/pafish/main.c
@@ -207,6 +207,13 @@ int main(int argc, char *argv[])
 else {
 print_not_traced();
 }
+
+ printf("[*] Looking for pseudo device ");
+ if (vbox_pseudodev() == 0) {
+ }
+ else {
+ print_not_traced();
+ }
 /* VMware detection tricks */
 printf("\n[-] VMware detection\n");
diff --git a/pafish/vbox.c b/pafish/vbox.c
index 4b014ef..1f63e97 100644
--- a/pafish/vbox.c
+++ b/pafish/vbox.c
@@ -228,3 +228,21 @@ int vbox_mac() {
 return res;
 }
+/**
+* Checking for the VirtualBox pseudo device VBoxMiniRdrDN
+**/
+int vbox_pseudodev() {
+ int res=1;
+ HANDLE h;
+
+ h = CreateFile("\\\\.\\VBoxMiniRdrDN", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+ if (h != INVALID_HANDLE_VALUE){
+ write_log("VirtualBox traced using MAC starting with 08:00:27");
+ print_traced();
+ write_trace("hi_virtualbox");
+ res = 0;
+ CloseHandle(h);
+ }
+
+ return res;
+}
diff --git a/pafish/vbox.h b/pafish/vbox.h
index b30a63c..1256eb6 100644
--- a/pafish/vbox.h
+++ b/pafish/vbox.h
@@ -16,4 +16,6 @@ int vbox_sysfile2();
 int vbox_mac();
+int vbox_pseudodev();
+
 #endif
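Review bot: The `if (vbox_pseudodev() == 0) { }` branch in the main.c hunk is empty, which reads like a forgotten body. The traced output is printed inside `vbox_pseudodev()` itself, so either say so with a comment such as `/* traced result is printed by vbox_pseudodev() */` or invert the test to `if (vbox_pseudodev() != 0) print_not_traced();`. The preceding check ends with the same `else` branch, so the file may use this shape throughout; that is not visible here, and main() starts and ends outside the hunk.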
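Review bot: The `write_log` call in the new `vbox_pseudodev()` still carries the message of the MAC check, "VirtualBox traced using MAC starting with 08:00:27", so the log attributes a pseudo-device hit to the MAC address. Anyone hardening an analysis VM from this log would be sent to the wrong artefact; it should read `write_log("VirtualBox traced using pseudo device VBoxMiniRdrDN");`. Separately, `CreateFile` is given a narrow string literal, which only resolves as intended when UNICODE is not defined (the build flags are not visible here); calling `CreateFileA` makes that explicit.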