mirrors
/
pafish
mirror of https://github.com/a0rtega/pafish
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

re #40 add neutrino bochs detection via regkey

This commit is contained in:
Alberto Ortega 2015-08-26 19:09:52 +02:00
parent 49a6f3a447
commit 89cf87ead9
5 changed files with 39 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pafish/Makefile.linux
View File

@ -4,7 +4,8 @@ LINK = i686-w64-mingw32-gcc
WINDRES = i686-w64-mingw32-windres
OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \
Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \
Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/cuckoo.o Objects/MingW/pafish_private.res
Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/cuckoo.o Objects/MingW/bochs.o \
Objects/MingW/pafish_private.res
LINKOBJ = $(OBJ)
LIBS = -lwsock32 -liphlpapi -lsetupapi -lmpr -lole32 -lwbemuuid -loleaut32 -s
INCS =
@ -60,5 +61,8 @@ Objects/MingW/cpu.o: $(GLOBALDEPS) cpu.c
Objects/MingW/cuckoo.o: $(GLOBALDEPS) cuckoo.c
$(CC) -c cuckoo.c -o Objects/MingW/cuckoo.o $(CFLAGS)
Objects/MingW/bochs.o: $(GLOBALDEPS) bochs.c
$(CC) -c bochs.c -o Objects/MingW/bochs.o $(CFLAGS)
Objects/MingW/pafish_private.res: Objects/MingW/pafish_private.rc
$(WINDRES) Objects/MingW/pafish_private.rc --input-format=rc -o Objects/MingW/pafish_private.res -O coff

6
pafish/Makefile.win
View File

@ -4,7 +4,8 @@ LINK = gcc.exe
WINDRES = windres.exe
OBJ = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \
Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \
Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/cuckoo.o Objects/MingW/pafish_private.res
Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/cuckoo.o Objects/MingW/bochs.o \
Objects/MingW/pafish_private.res
LINKOBJ = $(OBJ)
LIBS = -lwsock32 -liphlpapi -lsetupapi -lmpr -lole32 -lwbemuuid -loleaut32 -s
INCS =
@ -60,5 +61,8 @@ Objects/MingW/cpu.o: $(GLOBALDEPS) cpu.c
Objects/MingW/cuckoo.o: $(GLOBALDEPS) cuckoo.c
$(CC) -c cuckoo.c -o Objects/MingW/cuckoo.o $(CFLAGS)
Objects/MingW/bochs.o: $(GLOBALDEPS) bochs.c
$(CC) -c bochs.c -o Objects/MingW/bochs.o $(CFLAGS)
Objects/MingW/pafish_private.res: Objects/MingW/pafish_private.rc
$(WINDRES) Objects/MingW/pafish_private.rc --input-format=rc -o Objects/MingW/pafish_private.res -O coff

11
pafish/bochs.c Normal file
View File

@ -0,0 +1,11 @@
#include <windows.h>
#include "bochs.h"
#include "types.h"
#include "utils.h"
int bochs_reg_key1() {
return pafish_exists_regkey_value_str(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "BOCHS");
}

7
pafish/bochs.h Normal file
View File

@ -0,0 +1,7 @@
#ifndef BOCHS_H
#define BOCHS_H
int bochs_reg_key1();
#endif

12
pafish/main.c
View File

@ -3,7 +3,6 @@
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <wbemidl.h>
#include "types.h"
#include "common.h"
@ -18,6 +17,7 @@
#include "qemu.h"
#include "cpu.h"
#include "cuckoo.h"
#include "bochs.h"
/*
Pafish (Paranoid fish)
@ -453,6 +453,16 @@ int main(void)
}
else print_not_traced();
/* Bochs detection tricks */
printf("\n[-] Bochs detection\n");
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (bochs_reg_key1() == TRUE) {
write_log("Bochs traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced();
write_trace("hi_bochs");
}
else print_not_traced();
/* Cuckoo detection tricks */
printf("\n[-] Cuckoo detection\n");
printf("[*] Looking in the TLS for the hooks information structure ... ");