VMware magic value detection

Fixed issue #5: Add IsVMware from carberp sources Migrated snprintf to _snprintf_s
2014-08-25 20:49:52 +02:00 · 2014-08-25 20:49:52 +02:00 · 840ea17e87
parent 33c836c913
commit 840ea17e87
3 changed files with 99 additions and 56 deletions
--- a/pafish/common.c
+++ b/pafish/common.c
@ -46,7 +46,7 @@ void print_suspicious() {
 void write_log(char msg[]) {
    FILE *log;
    char logstr[1024];
-    snprintf(logstr, sizeof(logstr), "\n[pafish] %s", msg);
+	_snprintf_s(logstr, sizeof(logstr), _TRUNCATE, "\n[pafish] %s", msg);
    log = fopen("pafish.log", "a");
    fputs(logstr, log);
    fclose(log);
--- a/pafish/main.c
+++ b/pafish/main.c
@ -43,10 +43,10 @@ int main(int argc, char *argv[])
    
    winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx(&winver);
-    snprintf(winverstr, sizeof(winverstr), "%d.%d build %d", winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
+    _snprintf_s(winverstr, sizeof(winverstr), _TRUNCATE, "%d.%d build %d", winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
    
    printf("[*] Windows version: %s\n", winverstr);
-    snprintf(aux, sizeof(aux), "Windows version: %s", winverstr);
+	_snprintf_s(aux, sizeof(aux), "Windows version: %s", winverstr);
    write_log(aux);
    
    printf("[*] Running checks ...\n");
@ -236,6 +236,15 @@ int main(int argc, char *argv[])
    else {
        print_not_traced();
    }
+	printf("[*] Looking for VMware VMX magic value ... ");
+	if (vmware_magic_value() == 0) {
+		write_log("VMware traced using VMX magic value");
+		print_traced();
+		write_trace("hi_vmware");
+	}
+	else {
+		print_not_traced();
+	}
    
    /* Qemu detection tricks */
    printf("\n[-] Qemu detection\n");
--- a/pafish/vmware.c
+++ b/pafish/vmware.c
@ -5,66 +5,100 @@
 #include "vmware.h"

 int vmware_reg_key1() {
-    HKEY regkey;
-    LONG retu;
-    char value[1024];
-    int i;
-    DWORD size;
-    
-    size = sizeof(value);
-    retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 0, KEY_READ, &regkey);
-    if (retu == ERROR_SUCCESS) {
-        retu = RegQueryValueEx(regkey, "Identifier", NULL, NULL, (BYTE*)value, &size);
-        if (retu == ERROR_SUCCESS) {
-            for (i = 0; i < strlen(value); i++) { /* case-insensitive */
-                value[i] = toupper(value[i]);
-            }
-            if (strstr(value, "VMWARE") != NULL) {
-                return 0;
-            }
-            else {
-                return 1;
-            }
-        }
-        else {
-            return 1;
-        }
-    }
-    else {
-        return 1;
-    }
+	HKEY regkey;
+	LONG retu;
+	char value[1024];
+	int i;
+	DWORD size;
+
+	size = sizeof(value);
+	retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 0, KEY_READ, &regkey);
+	if (retu == ERROR_SUCCESS) {
+		retu = RegQueryValueEx(regkey, "Identifier", NULL, NULL, (BYTE*)value, &size);
+		if (retu == ERROR_SUCCESS) {
+			for (i = 0; i < strlen(value); i++) { /* case-insensitive */
+				value[i] = toupper(value[i]);
+			}
+			if (strstr(value, "VMWARE") != NULL) {
+				return 0;
+			}
+			else {
+				return 1;
+			}
+		}
+		else {
+			return 1;
+		}
+	}
+	else {
+		return 1;
+	}
 }

 int vmware_reg_key2() {
-    HKEY regkey;
-    LONG retu;
-    retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools", 0, KEY_READ, &regkey);
-    if (retu == ERROR_SUCCESS) {
-        return 0;
-    }
-    else {
-        return 1;
-    }
+	HKEY regkey;
+	LONG retu;
+	retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools", 0, KEY_READ, &regkey);
+	if (retu == ERROR_SUCCESS) {
+		return 0;
+	}
+	else {
+		return 1;
+	}
 }

 int vmware_sysfile1() {
-    DWORD ret;
-    ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
-    if (ret != INVALID_FILE_ATTRIBUTES) {
-        return 0;
-    }
-    else {
-        return 1;
-    }
+	DWORD ret;
+	ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
+	if (ret != INVALID_FILE_ATTRIBUTES) {
+		return 0;
+	}
+	else {
+		return 1;
+	}
 }

 int vmware_sysfile2() {
-    DWORD ret;
-    ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
-    if (ret != INVALID_FILE_ATTRIBUTES) {
-        return 0;
-    }
-    else {
-        return 1;
-    }
+	DWORD ret;
+	ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
+	if (ret != INVALID_FILE_ATTRIBUTES) {
+		return 0;
+	}
+	else {
+		return 1;
+	}
 }
+
+// Based on Carberp (https://github.com/hzeroo/Carberp) 
+int vmware_magic_value(){
+	int res = 0;
+	__try {
+		__asm
+		{
+			push   edx
+				push   ecx
+				push   ebx
+
+				mov    eax, 'VMXh'
+				mov    ebx, 0      // any value but not the MAGIC VALUE
+				mov    ecx, 10     // get VMWare version
+				mov    edx, 'VX'   // port number
+
+				in     eax, dx     // read port
+				// on return EAX returns the VERSION
+				cmp    ebx, 'VMXh' // is it a reply from VMWare?
+				setz[res]       // set return value
+
+				pop    ebx
+				pop    ecx
+				pop    edx
+		}
+	}
+	__except (EXCEPTION_EXECUTE_HANDLER) {
+		// Catched processor exception -> not inside VMware
+		res = 0;
+	}
+
+	// reverse the logic since 0 is detected in pafish
+	return abs(res-1);
+}