mirror of https://github.com/a0rtega/pafish
VMware magic value detection
Fixed issue #5: Add IsVMware from carberp sources. Migrated snprintf to _snprintf_s.
This commit is contained in:
parent
33c836c913
commit
840ea17e87
@ -46,7 +46,7 @@ void print_suspicious() {
void write_log(char msg[]) {
FILE *log;
char logstr[1024];
snprintf(logstr, sizeof(logstr), "\n[pafish] %s", msg);
_snprintf_s(logstr, sizeof(logstr), _TRUNCATE, "\n[pafish] %s", msg);
log = fopen("pafish.log", "a");
fputs(logstr, log);
fclose(log);
@ -43,10 +43,10 @@ int main(int argc, char *argv[])
winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&winver);
snprintf(winverstr, sizeof(winverstr), "%d.%d build %d", winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
_snprintf_s(winverstr, sizeof(winverstr), _TRUNCATE, "%d.%d build %d", winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
printf("[*] Windows version: %s\n", winverstr);
snprintf(aux, sizeof(aux), "Windows version: %s", winverstr);
_snprintf_s(aux, sizeof(aux), "Windows version: %s", winverstr);
write_log(aux);
printf("[*] Running checks ...\n");
@ -236,6 +236,15 @@ int main(int argc, char *argv[])
else {
print_not_traced();
}
printf("[*] Looking for VMware VMX magic value ... ");
if (vmware_magic_value() == 0) {
write_log("VMware traced using VMX magic value");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
/* Qemu detection tricks */
printf("\n[-] Qemu detection\n");
140
pafish/vmware.c
140
pafish/vmware.c
@ -5,66 +5,100 @@
#include "vmware.h"
int vmware_reg_key1() {
HKEY regkey;
LONG retu;
char value[1024];
int i;
DWORD size;
size = sizeof(value);
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 0, KEY_READ, ®key);
if (retu == ERROR_SUCCESS) {
retu = RegQueryValueEx(regkey, "Identifier", NULL, NULL, (BYTE*)value, &size);
if (retu == ERROR_SUCCESS) {
for (i = 0; i < strlen(value); i++) { /* case-insensitive */
value[i] = toupper(value[i]);
}
if (strstr(value, "VMWARE") != NULL) {
return 0;
}
else {
return 1;
}
}
else {
return 1;
}
}
else {
return 1;
}
HKEY regkey;
LONG retu;
char value[1024];
int i;
DWORD size;
size = sizeof(value);
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 0, KEY_READ, ®key);
if (retu == ERROR_SUCCESS) {
retu = RegQueryValueEx(regkey, "Identifier", NULL, NULL, (BYTE*)value, &size);
if (retu == ERROR_SUCCESS) {
for (i = 0; i < strlen(value); i++) { /* case-insensitive */
value[i] = toupper(value[i]);
}
if (strstr(value, "VMWARE") != NULL) {
return 0;
}
else {
return 1;
}
}
else {
return 1;
}
}
else {
return 1;
}
}
int vmware_reg_key2() {
HKEY regkey;
LONG retu;
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools", 0, KEY_READ, ®key);
if (retu == ERROR_SUCCESS) {
return 0;
}
else {
return 1;
}
HKEY regkey;
LONG retu;
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools", 0, KEY_READ, ®key);
if (retu == ERROR_SUCCESS) {
return 0;
}
else {
return 1;
}
}
int vmware_sysfile1() {
DWORD ret;
ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
if (ret != INVALID_FILE_ATTRIBUTES) {
return 0;
}
else {
return 1;
}
DWORD ret;
ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
if (ret != INVALID_FILE_ATTRIBUTES) {
return 0;
}
else {
return 1;
}
}
int vmware_sysfile2() {
DWORD ret;
ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
if (ret != INVALID_FILE_ATTRIBUTES) {
return 0;
}
else {
return 1;
}
DWORD ret;
ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
if (ret != INVALID_FILE_ATTRIBUTES) {
return 0;
}
else {
return 1;
}
}
// Based on Carberp (https://github.com/hzeroo/Carberp)
int vmware_magic_value(){
int res = 0;
__try {
__asm
{
push edx
push ecx
push ebx
mov eax, 'VMXh'
mov ebx, 0 // any value but not the MAGIC VALUE
mov ecx, 10 // get VMWare version
mov edx, 'VX' // port number
in eax, dx // read port
// on return EAX returns the VERSION
cmp ebx, 'VMXh' // is it a reply from VMWare?
setz[res] // set return value
pop ebx
pop ecx
pop edx
}
}
__except (EXCEPTION_EXECUTE_HANDLER) {
// Catched processor exception -> not inside VMware
res = 0;
}
// reverse the logic since 0 is detected in pafish
return abs(res-1);
}
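Review bot: `setz [res]` at the end of the `__asm` block in `vmware_magic_value` stores a single byte, while `res` is declared `int res = 0;`, so the result is correct only because the other three bytes are already zero and x86 is little-endian; declare the flag at the width the instruction writes, `unsigned char res = 0;`, so the operand size and the variable agree. The final `return abs(res-1);` expresses the pafish convention (0 = detected) through arithmetic that only holds for res in {0,1} and relies on `abs` from `<stdlib.h>`, which is not among the includes visible in this hunk (the file's first four lines are outside it); `return res ? 0 : 1;` states the same thing directly and drops the dependency. The `__try`/`__except` and `__asm` blocks are MSVC-only constructs, so if the project is still meant to build with other toolchains this function presumably needs a compiler guard or a note in the header, which the hunk does not show.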