Adding device detection #13 (Thorsten commit)
9816ed8eaa
@ -5,7 +5,7 @@ SRC = $(wildcard *.c)
|
|||
OBJ = $(SRC:%.c=$(OBJDIR)/%.o) $(OBJDIR)/pafish_private.res
|
||||
BIN = Output/MingW/pafish.exe
|
||||
LINKOBJ = $(OBJDIR)/*.o $(OBJDIR)/pafish_private.res
|
||||
LIBS = -s -lws2_32 -liphlpapi -lmpr
|
||||
LIBS = -s -lws2_32 -liphlpapi -lmpr -lsetupapi
|
||||
CXXFLAGS = -fexpensive-optimizations -O1 -static-libgcc
|
||||
CFLAGS = -fexpensive-optimizations -O1
|
||||
GPROF = i686-pc-mingw32-gprof
|
||||
|
|
763
pafish/main.c
763
pafish/main.c
|
@ -1,380 +1,383 @@
|
|||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <windows.h>
|
||||
|
||||
#include "common.h"
|
||||
|
||||
#include "debuggers.h"
|
||||
#include "sandboxie.h"
|
||||
#include "gensandbox.h"
|
||||
#include "hooks.h"
|
||||
#include "vbox.h"
|
||||
#include "wine.h"
|
||||
#include "vmware.h"
|
||||
#include "qemu.h"
|
||||
|
||||
/*
|
||||
Pafish (Paranoid fish)
|
||||
|
||||
All code from this project, including
|
||||
functions, procedures and the main program
|
||||
is licensed under GNU/GPL version 3.
|
||||
|
||||
So, if you are going to use functions or
|
||||
procedures from this project to develop
|
||||
your malware, you have to release the
|
||||
source code as well :)
|
||||
|
||||
- Alberto Ortega
|
||||
|
||||
*/
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
char icon[] = "Blue fish icon thanks to http://www.fasticon.com/", winverstr[32], aux[1024];
|
||||
OSVERSIONINFO winver;
|
||||
|
||||
write_log("Start");
|
||||
|
||||
init_cmd_colors();
|
||||
print_header();
|
||||
|
||||
winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
|
||||
GetVersionEx(&winver);
|
||||
snprintf(winverstr, sizeof(winverstr), "%d.%d build %d", winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
|
||||
|
||||
printf("[*] Windows version: %s\n", winverstr);
|
||||
snprintf(aux, sizeof(aux), "Windows version: %s", winverstr);
|
||||
write_log(aux);
|
||||
|
||||
printf("[*] Running checks ...\n");
|
||||
|
||||
/* Debuggers detection tricks */
|
||||
printf("\n[-] Debuggers detection\n");
|
||||
printf("[*] Using IsDebuggerPresent() ... ");
|
||||
if (debug_isdebuggerpresent() == 0) {
|
||||
write_log("Debugger traced using IsDebuggerPresent()");
|
||||
print_traced();
|
||||
write_trace("hi_debugger_isdebuggerpresent");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
/* This is only working on MS Windows systems prior to Vista */
|
||||
if (winver.dwMajorVersion < 6) {
|
||||
printf("[*] Using OutputDebugString() ... ");
|
||||
if (debug_outputdebugstring() == 0) {
|
||||
write_log("Debugger traced using OutputDebugString()");
|
||||
print_traced();
|
||||
write_trace("hi_debugger_outputdebugstring");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
}
|
||||
|
||||
/* Generic sandbox detection tricks */
|
||||
printf("\n[-] Generic sandbox detection\n");
|
||||
printf("[*] Using mouse activity ... ");
|
||||
if (gensandbox_mouse_act() == 0) {
|
||||
print_traced();
|
||||
write_log("Sandbox traced using mouse activity");
|
||||
write_trace("hi_sandbox_mouse_act");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Checking username ... ");
|
||||
if (gensandbox_username() == 0) {
|
||||
print_traced();
|
||||
write_log("Sandbox traced by checking username");
|
||||
write_trace("hi_sandbox_username");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Checking file path ... ");
|
||||
if (gensandbox_path() == 0) {
|
||||
print_traced();
|
||||
write_log("Sandbox traced by checking file path");
|
||||
write_trace("hi_sandbox_path");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Checking if disk size <= 50GB ... ");
|
||||
if (gensandbox_drive_size() == 0) {
|
||||
print_traced();
|
||||
write_log("Sandbox traced by checking disk size <= 50GB");
|
||||
write_trace("hi_sandbox_drive_size");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Checking if disk size by GetDiskFreeSpace <= 60GB ... ");
|
||||
if (gensandbox_drive_size2() == 0) {
|
||||
print_traced();
|
||||
write_log("Sandbox traced by checking disk size GetDiskFreeSpace <= 60GB");
|
||||
write_trace("hi_sandbox_drive_size_2");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
/* Hooks detection tricks */
|
||||
printf("\n[-] Hooks detection\n");
|
||||
printf("[*] Checking function DeleteFileW method 1 ... ");
|
||||
if (check_hook_DeleteFileW_m1() == 0) {
|
||||
print_traced();
|
||||
write_log("Hooks traced using DeleteFileW method 1");
|
||||
write_trace("hi_hooks_deletefile_m1");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
/* Sandboxie detection tricks */
|
||||
printf("\n[-] Sandboxie detection\n");
|
||||
printf("[*] Using sbiedll.dll ... ");
|
||||
if (sboxie_detect_sbiedll() == 0) {
|
||||
write_log("Sandboxie traced using sbiedll.dll");
|
||||
print_traced();
|
||||
write_trace("hi_sandboxie");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
/* Wine detection tricks */
|
||||
printf("\n[-] Wine detection\n");
|
||||
printf("[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... ");
|
||||
if (wine_detect_get_unix_file_name() == 0) {
|
||||
write_log("Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll");
|
||||
print_traced();
|
||||
write_trace("hi_wine");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
/* VirtualBox detection tricks */
|
||||
printf("\n[-] VirtualBox detection\n");
|
||||
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
|
||||
if (vbox_reg_key1() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
|
||||
if (vbox_reg_key2() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions) ... ");
|
||||
if (vbox_reg_key3() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\") ... ");
|
||||
if (vbox_reg_key4() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\"");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ ... ");
|
||||
if (vbox_reg_key5() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\SYSTEM\\CurrentControlSet\\Enum\\IDE ... ");
|
||||
if (vbox_reg_key6() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__ ... ");
|
||||
if (vbox_reg_key7() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__ ... ");
|
||||
if (vbox_reg_key8() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox* ... ");
|
||||
if (vbox_reg_key9() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
if (vbox_sysfile1() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
if (vbox_sysfile2() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for MAC ");
|
||||
if (vbox_mac() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for pseudo device ");
|
||||
if (vbox_pseudodev() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for pipe ");
|
||||
if (vbox_pipe() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for VBox tray tool window ");
|
||||
if (vbox_traywindow() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for VBox network share ");
|
||||
if (vbox_network_share() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for VBox processes ");
|
||||
if (vbox_processes() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for guest tools ");
|
||||
if (vbox_guest_tools() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
/* VMware detection tricks */
|
||||
printf("\n[-] VMware detection\n");
|
||||
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
|
||||
if (vmware_reg_key1() == 0) {
|
||||
write_log("VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
|
||||
print_traced();
|
||||
write_trace("hi_vmware");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools) ... ");
|
||||
if (vmware_reg_key2() == 0) {
|
||||
write_log("VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools");
|
||||
print_traced();
|
||||
write_trace("hi_vmware");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys ... ");
|
||||
if (vmware_sysfile1() == 0) {
|
||||
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
|
||||
print_traced();
|
||||
write_trace("hi_vmware");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... ");
|
||||
if (vmware_sysfile2() == 0) {
|
||||
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
|
||||
print_traced();
|
||||
write_trace("hi_vmware");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
/* Qemu detection tricks */
|
||||
printf("\n[-] Qemu detection\n");
|
||||
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
|
||||
if (qemu_reg_key1() == 0) {
|
||||
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
|
||||
print_traced();
|
||||
write_trace("hi_qemu");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
|
||||
if (qemu_reg_key2() == 0) {
|
||||
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
|
||||
print_traced();
|
||||
write_trace("hi_qemu");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("\n\n");
|
||||
printf("[-] Finished, feel free to RE me.");
|
||||
|
||||
write_log("End");
|
||||
|
||||
fflush(stdin);
|
||||
if (argc != 2 || strncmp(argv[1], "-q", 2) != 0) {
|
||||
getchar();
|
||||
}
|
||||
return analysis_result;
|
||||
}
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <windows.h>
|
||||
|
||||
#include "common.h"
|
||||
|
||||
#include "debuggers.h"
|
||||
#include "sandboxie.h"
|
||||
#include "gensandbox.h"
|
||||
#include "hooks.h"
|
||||
#include "vbox.h"
|
||||
#include "wine.h"
|
||||
#include "vmware.h"
|
||||
#include "qemu.h"
|
||||
|
||||
/*
|
||||
Pafish (Paranoid fish)
|
||||
|
||||
All code from this project, including
|
||||
functions, procedures and the main program
|
||||
is licensed under GNU/GPL version 3.
|
||||
|
||||
So, if you are going to use functions or
|
||||
procedures from this project to develop
|
||||
your malware, you have to release the
|
||||
source code as well :)
|
||||
|
||||
- Alberto Ortega
|
||||
|
||||
*/
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
char icon[] = "Blue fish icon thanks to http://www.fasticon.com/", winverstr[32], aux[1024];
|
||||
OSVERSIONINFO winver;
|
||||
|
||||
write_log("Start");
|
||||
|
||||
init_cmd_colors();
|
||||
print_header();
|
||||
|
||||
winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
|
||||
GetVersionEx(&winver);
|
||||
snprintf(winverstr, sizeof(winverstr), "%d.%d build %d", winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
|
||||
|
||||
printf("[*] Windows version: %s\n", winverstr);
|
||||
snprintf(aux, sizeof(aux), "Windows version: %s", winverstr);
|
||||
write_log(aux);
|
||||
|
||||
printf("[*] Running checks ...\n");
|
||||
|
||||
/* Debuggers detection tricks */
|
||||
printf("\n[-] Debuggers detection\n");
|
||||
printf("[*] Using IsDebuggerPresent() ... ");
|
||||
if (debug_isdebuggerpresent() == 0) {
|
||||
write_log("Debugger traced using IsDebuggerPresent()");
|
||||
print_traced();
|
||||
write_trace("hi_debugger_isdebuggerpresent");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
/* This is only working on MS Windows systems prior to Vista */
|
||||
if (winver.dwMajorVersion < 6) {
|
||||
printf("[*] Using OutputDebugString() ... ");
|
||||
if (debug_outputdebugstring() == 0) {
|
||||
write_log("Debugger traced using OutputDebugString()");
|
||||
print_traced();
|
||||
write_trace("hi_debugger_outputdebugstring");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
}
|
||||
|
||||
/* Generic sandbox detection tricks */
|
||||
printf("\n[-] Generic sandbox detection\n");
|
||||
printf("[*] Using mouse activity ... ");
|
||||
if (gensandbox_mouse_act() == 0) {
|
||||
print_traced();
|
||||
write_log("Sandbox traced using mouse activity");
|
||||
write_trace("hi_sandbox_mouse_act");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Checking username ... ");
|
||||
if (gensandbox_username() == 0) {
|
||||
print_traced();
|
||||
write_log("Sandbox traced by checking username");
|
||||
write_trace("hi_sandbox_username");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Checking file path ... ");
|
||||
if (gensandbox_path() == 0) {
|
||||
print_traced();
|
||||
write_log("Sandbox traced by checking file path");
|
||||
write_trace("hi_sandbox_path");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Checking if disk size <= 50GB ... ");
|
||||
if (gensandbox_drive_size() == 0) {
|
||||
print_traced();
|
||||
write_log("Sandbox traced by checking disk size <= 50GB");
|
||||
write_trace("hi_sandbox_drive_size");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Checking if disk size by GetDiskFreeSpace <= 60GB ... ");
|
||||
if (gensandbox_drive_size2() == 0) {
|
||||
print_traced();
|
||||
write_log("Sandbox traced by checking disk size GetDiskFreeSpace <= 60GB");
|
||||
write_trace("hi_sandbox_drive_size_2");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
/* Hooks detection tricks */
|
||||
printf("\n[-] Hooks detection\n");
|
||||
printf("[*] Checking function DeleteFileW method 1 ... ");
|
||||
if (check_hook_DeleteFileW_m1() == 0) {
|
||||
print_traced();
|
||||
write_log("Hooks traced using DeleteFileW method 1");
|
||||
write_trace("hi_hooks_deletefile_m1");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
/* Sandboxie detection tricks */
|
||||
printf("\n[-] Sandboxie detection\n");
|
||||
printf("[*] Using sbiedll.dll ... ");
|
||||
if (sboxie_detect_sbiedll() == 0) {
|
||||
write_log("Sandboxie traced using sbiedll.dll");
|
||||
print_traced();
|
||||
write_trace("hi_sandboxie");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
/* Wine detection tricks */
|
||||
printf("\n[-] Wine detection\n");
|
||||
printf("[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... ");
|
||||
if (wine_detect_get_unix_file_name() == 0) {
|
||||
write_log("Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll");
|
||||
print_traced();
|
||||
write_trace("hi_wine");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
/* VirtualBox detection tricks */
|
||||
printf("\n[-] VirtualBox detection\n");
|
||||
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
|
||||
if (vbox_reg_key1() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
|
||||
if (vbox_reg_key2() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions) ... ");
|
||||
if (vbox_reg_key3() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\") ... ");
|
||||
if (vbox_reg_key4() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\"");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ ... ");
|
||||
if (vbox_reg_key5() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\SYSTEM\\CurrentControlSet\\Enum\\IDE ... ");
|
||||
if (vbox_reg_key6() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__ ... ");
|
||||
if (vbox_reg_key7() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__ ... ");
|
||||
if (vbox_reg_key8() == 0) {
|
||||
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__");
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox* ... ");
|
||||
if (vbox_reg_key9() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
if (vbox_sysfile1() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
if (vbox_sysfile2() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for MAC ");
|
||||
if (vbox_mac() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for pseudo device ");
|
||||
if (vbox_pseudodev() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for pipe ");
|
||||
if (vbox_pipe() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for VBox tray tool window ");
|
||||
if (vbox_traywindow() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for VBox network share ");
|
||||
if (vbox_network_share() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for VBox processes ");
|
||||
if (vbox_processes() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("[*] Looking for guest tools ");
|
||||
if (vbox_guest_tools() == 0) {
|
||||
|
||||
printf("[*] Looking for VBox devices ");
|
||||
if (vbox_devices() == 0) {
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
/* VMware detection tricks */
|
||||
printf("\n[-] VMware detection\n");
|
||||
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
|
||||
if (vmware_reg_key1() == 0) {
|
||||
write_log("VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
|
||||
print_traced();
|
||||
write_trace("hi_vmware");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools) ... ");
|
||||
if (vmware_reg_key2() == 0) {
|
||||
write_log("VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools");
|
||||
print_traced();
|
||||
write_trace("hi_vmware");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys ... ");
|
||||
if (vmware_sysfile1() == 0) {
|
||||
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
|
||||
print_traced();
|
||||
write_trace("hi_vmware");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... ");
|
||||
if (vmware_sysfile2() == 0) {
|
||||
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
|
||||
print_traced();
|
||||
write_trace("hi_vmware");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
/* Qemu detection tricks */
|
||||
printf("\n[-] Qemu detection\n");
|
||||
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
|
||||
if (qemu_reg_key1() == 0) {
|
||||
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
|
||||
print_traced();
|
||||
write_trace("hi_qemu");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
|
||||
if (qemu_reg_key2() == 0) {
|
||||
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
|
||||
print_traced();
|
||||
write_trace("hi_qemu");
|
||||
}
|
||||
else {
|
||||
print_not_traced();
|
||||
}
|
||||
|
||||
printf("\n\n");
|
||||
printf("[-] Finished, feel free to RE me.");
|
||||
|
||||
write_log("End");
|
||||
|
||||
fflush(stdin);
|
||||
if (argc != 2 || strncmp(argv[1], "-q", 2) != 0) {
|
||||
getchar();
|
||||
}
|
||||
return analysis_result;
|
||||
}
|
||||
|
|
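Review bot: As rendered, the new side's `if (vbox_guest_tools() == 0) {` runs straight into the added `printf("[*] Looking for VBox devices ");` block, with no closing `}` / `else { print_not_traced(); }` for the guest-tools check, which the old side still shows at that spot. If that is the actual patch rather than a rendering artifact, the braces in `main` no longer balance and the device check is nested inside the guest-tools branch, so it would only run when guest tools had already been found. The hunk header's `-1,380 +1,383` net of three lines is closer to that reading than to a plain eight-line addition, so it may well not be an artifact. Please confirm the guest-tools check keeps its own `}` / `else { print_not_traced(); }` before the new block. The new block itself follows the file's convention of an empty `== 0` branch because the detection routine prints the traced marker itself (see `vbox_devices` in vbox.c), which is fine but reads as unfinished without a one-line comment such as `/* traced output is printed by vbox_devices() */`.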
140
pafish/vbox.c
140
pafish/vbox.c
|
@ -6,15 +6,23 @@
|
|||
#include <stdio.h>
|
||||
#include <iphlpapi.h>
|
||||
#include <tlhelp32.h>
|
||||
#include <setupapi.h>
|
||||
#include <devguid.h>
|
||||
#include <regstr.h>
|
||||
#include "vbox.h"
|
||||
|
||||
typedef char * string;
|
||||
|
||||
void ToUpper(unsigned char* Pstr) {
|
||||
char* P=(char*)Pstr;
|
||||
unsigned long length=strlen(P);
|
||||
unsigned long length;
|
||||
unsigned long i;
|
||||
|
||||
if (Pstr == NULL)
|
||||
return;
|
||||
|
||||
length=strlen(P);
|
||||
|
||||
for(i=0;i<length;i++) P[i]=toupper(P[i]);
|
||||
|
||||
return;
|
||||
|
@ -29,7 +37,7 @@ int vbox_reg_key1() {
|
|||
char value[1024];
|
||||
int i;
|
||||
DWORD size;
|
||||
|
||||
|
||||
size = sizeof(value);
|
||||
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 0, KEY_READ, ®key);
|
||||
if (retu == ERROR_SUCCESS) {
|
||||
|
@ -63,7 +71,7 @@ int vbox_reg_key2() {
|
|||
char value[1024];
|
||||
int i;
|
||||
DWORD size;
|
||||
|
||||
|
||||
size = sizeof(value);
|
||||
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", 0, KEY_READ, ®key);
|
||||
if (retu == ERROR_SUCCESS) {
|
||||
|
@ -112,7 +120,7 @@ int vbox_reg_key4() {
|
|||
char value[1024];
|
||||
int i;
|
||||
DWORD size;
|
||||
|
||||
|
||||
size = sizeof(value);
|
||||
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", 0, KEY_READ, ®key);
|
||||
if (retu == ERROR_SUCCESS) {
|
||||
|
@ -195,7 +203,7 @@ int vbox_reg_key6() {
|
|||
sprintf(message, "VBOX traced in IDE Registry based on FriendlyName containing VBOX %s ", ValName);
|
||||
write_log(message);
|
||||
LocalFree(message);
|
||||
}
|
||||
}
|
||||
res = 0;
|
||||
}
|
||||
}
|
||||
|
@ -213,12 +221,12 @@ int vbox_reg_key6() {
|
|||
sprintf(message, "VBOX traced in IDE Registry based on HardwareID containing VBOX %s ", sp);
|
||||
write_log(message);
|
||||
LocalFree(message);
|
||||
}
|
||||
}
|
||||
res = 0;
|
||||
}
|
||||
sp = sp + strlen(sp) + 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
else{
|
||||
message = (char*)LocalAlloc(LMEM_ZEROINIT,200);
|
||||
|
@ -228,7 +236,7 @@ int vbox_reg_key6() {
|
|||
}
|
||||
RegCloseKey(HKKK);
|
||||
}
|
||||
}
|
||||
}
|
||||
LocalFree(pNewNewKey);
|
||||
RegCloseKey(HKK);
|
||||
}
|
||||
|
@ -321,13 +329,13 @@ int vbox_reg_key9() {
|
|||
**/
|
||||
int vbox_sysfile1() {
|
||||
DWORD ret;
|
||||
|
||||
|
||||
const int count = 4;
|
||||
string strs[count];
|
||||
int res = 1;
|
||||
char message[200];
|
||||
int i=0;
|
||||
|
||||
|
||||
strs[0] = "C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys";
|
||||
strs[1] = "C:\\WINDOWS\\system32\\drivers\\VBoxGuest.sys";
|
||||
strs[2] = "C:\\WINDOWS\\system32\\drivers\\VBoxSF.sys";
|
||||
|
@ -346,9 +354,9 @@ int vbox_sysfile1() {
|
|||
res = 0;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
return res;
|
||||
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -356,7 +364,7 @@ int vbox_sysfile1() {
|
|||
**/
|
||||
int vbox_sysfile2() {
|
||||
DWORD ret;
|
||||
|
||||
|
||||
const int count = 12;
|
||||
string strs[count];
|
||||
int res = 1;
|
||||
|
@ -449,7 +457,7 @@ int vbox_pseudodev() {
|
|||
res = 0;
|
||||
CloseHandle(h);
|
||||
}
|
||||
|
||||
|
||||
return res;
|
||||
}
|
||||
|
||||
|
@ -469,7 +477,7 @@ int vbox_pipe() {
|
|||
res = 0;
|
||||
CloseHandle(h);
|
||||
}
|
||||
|
||||
|
||||
return res;
|
||||
|
||||
}
|
||||
|
@ -492,7 +500,7 @@ int vbox_traywindow() {
|
|||
write_trace("hi_virtualbox");
|
||||
res = 0;
|
||||
}
|
||||
|
||||
|
||||
return res;
|
||||
}
|
||||
|
||||
|
@ -516,7 +524,7 @@ int vbox_network_share() {
|
|||
res = 0;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
return res;
|
||||
}
|
||||
|
||||
|
@ -548,7 +556,7 @@ int vbox_processes() {
|
|||
res = 0;
|
||||
}
|
||||
} while( Process32Next( hpSnap, &pentry ) );
|
||||
|
||||
|
||||
if (res == 0){
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
|
@ -571,7 +579,7 @@ int vbox_guest_tools() {
|
|||
res = 0;
|
||||
CloseHandle(h);
|
||||
}
|
||||
|
||||
|
||||
h = CreateFile("c:\\program files\\oracle\\virtualbox guest additions\\VBoxDrvInst.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
||||
if (h != INVALID_HANDLE_VALUE){
|
||||
write_log("VirtualBox VBoxDrvInst.exe detected");
|
||||
|
@ -594,3 +602,97 @@ int vbox_guest_tools() {
|
|||
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Helper function to get device propery. Free return buffer after use ! Only for REG_SZ data
|
||||
*
|
||||
*
|
||||
**/
|
||||
LPTSTR device_property(HDEVINFO hDevInfo, SP_DEVINFO_DATA DevInfoData, DWORD property){
|
||||
|
||||
LPTSTR buffer = NULL;
|
||||
DWORD buffersize = 0;
|
||||
DWORD DataT;
|
||||
|
||||
while (!SetupDiGetDeviceRegistryProperty(
|
||||
hDevInfo,
|
||||
&DevInfoData,
|
||||
property,
|
||||
&DataT,
|
||||
(PBYTE) buffer,
|
||||
buffersize,
|
||||
&buffersize
|
||||
)){
|
||||
|
||||
if (GetLastError () == ERROR_INSUFFICIENT_BUFFER){
|
||||
if (buffer) LocalFree(buffer);
|
||||
buffer = LocalAlloc (LPTR, buffersize * 2);
|
||||
}
|
||||
else
|
||||
{
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return buffer;
|
||||
}
|
||||
|
||||
/**
|
||||
* VBox devices
|
||||
*
|
||||
* http://support.microsoft.com/kb/259695/EN-US
|
||||
**/
|
||||
int vbox_devices() {
|
||||
int res=1;
|
||||
HDEVINFO hDevInfo;
|
||||
DWORD i;
|
||||
SP_DEVINFO_DATA DevInfoData;
|
||||
|
||||
hDevInfo = SetupDiGetClassDevs(NULL, 0, 0, DIGCF_PRESENT | DIGCF_ALLCLASSES);
|
||||
|
||||
if (hDevInfo == INVALID_HANDLE_VALUE){
|
||||
return res;
|
||||
}
|
||||
|
||||
DevInfoData.cbSize = sizeof(SP_DEVINFO_DATA);
|
||||
|
||||
// Enum devices
|
||||
for (i=0; SetupDiEnumDeviceInfo(hDevInfo, i, &DevInfoData); i++){
|
||||
|
||||
LPTSTR buffer = NULL;
|
||||
|
||||
|
||||
DWORD properties[] = {SPDRP_CLASS, SPDRP_CLASSGUID, SPDRP_DEVICEDESC, SPDRP_ENUMERATOR_NAME, SPDRP_FRIENDLYNAME, SPDRP_LOCATION_INFORMATION, SPDRP_MFG, SPDRP_PHYSICAL_DEVICE_OBJECT_NAME, SPDRP_SERVICE};
|
||||
int prop;
|
||||
const int max_prop = 9;
|
||||
char * message;
|
||||
|
||||
for (prop=0; prop < max_prop ; prop ++){
|
||||
buffer = device_property(hDevInfo, DevInfoData, properties[prop]);
|
||||
if (buffer != NULL){
|
||||
ToUpper(buffer);
|
||||
if ((strstr((char *)buffer, "VBOX")) ||
|
||||
(strstr((char *)buffer, "VIRTUALBOX"))){
|
||||
message = (char*)LocalAlloc(LMEM_ZEROINIT,strlen(buffer)+200);
|
||||
if (message) {
|
||||
sprintf(message, "VBOX traced by device property %s ", buffer);
|
||||
write_log(message);
|
||||
LocalFree(message);
|
||||
}
|
||||
res = 0;
|
||||
}
|
||||
LocalFree(buffer);
|
||||
buffer = NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Cleanup
|
||||
SetupDiDestroyDeviceInfoList(hDevInfo);
|
||||
|
||||
if (res == 0){
|
||||
print_traced();
|
||||
write_trace("hi_virtualbox");
|
||||
}
|
||||
return res;
|
||||
}
|
||||
|
|
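Review bot: `device_property` returns whatever it last allocated even when the retry fails for a reason other than `ERROR_INSUFFICIENT_BUFFER` (the `break` keeps `buffer`), and it never inspects the `DataT` it requests although the header comment restricts it to `REG_SZ`. Today the `LPTR` zero-fill plus the `buffersize * 2` over-allocation are what keep the caller's `ToUpper` and `strstr` from running past the end of a non-string or short property; that guarantee should be an explicit check rather than a side effect of the allocation size. The `LocalAlloc` result inside the loop is also unchecked, so after an allocation failure the next call goes out with a NULL buffer and a non-zero size. A rewrite of the loop and tail is below; in `vbox_devices`, `const int max_prop = 9;` duplicating the initializer count would be safer as `sizeof properties / sizeof properties[0]`, and `sprintf(message, ...)` could be `snprintf(message, strlen(buffer) + 200, ...)` to match main.c. Separately, the first hunk's `ToUpper` still passes a plain `char` to `toupper`; `toupper((unsigned char)P[i])` avoids undefined behaviour on high-bit bytes, which device strings can plausibly contain.
```c
LPTSTR device_property(HDEVINFO hDevInfo, SP_DEVINFO_DATA DevInfoData, DWORD property){
    LPTSTR buffer = NULL;
    DWORD buffersize = 0;
    DWORD DataT = 0;

    while (!SetupDiGetDeviceRegistryProperty(hDevInfo, &DevInfoData, property,
                                             &DataT, (PBYTE) buffer, buffersize, &buffersize)) {
        if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
            /* property absent or unreadable: never hand back a zeroed buffer as data */
            if (buffer) LocalFree(buffer);
            return NULL;
        }
        if (buffer) LocalFree(buffer);
        buffer = LocalAlloc(LPTR, buffersize * 2);
        if (buffer == NULL) {
            return NULL;
        }
    }

    /* documented as REG_SZ only: anything else is not a NUL-terminated C string */
    if (DataT != REG_SZ) {
        if (buffer) LocalFree(buffer);
        return NULL;
    }
    return buffer;
}
```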
|
@ -1,41 +1,43 @@
|
|||
|
||||
#ifndef VBOX_H
|
||||
#define VBOX_H
|
||||
|
||||
int vbox_reg_key1();
|
||||
|
||||
int vbox_reg_key2();
|
||||
|
||||
int vbox_reg_key3();
|
||||
|
||||
int vbox_reg_key4();
|
||||
|
||||
int vbox_reg_key5();
|
||||
|
||||
int vbox_reg_key6();
|
||||
|
||||
int vbox_reg_key7();
|
||||
|
||||
int vbox_reg_key8();
|
||||
|
||||
int vbox_reg_key9();
|
||||
|
||||
int vbox_sysfile1();
|
||||
|
||||
int vbox_sysfile2();
|
||||
|
||||
int vbox_mac();
|
||||
|
||||
int vbox_pseudodev();
|
||||
|
||||
int vbox_pipe();
|
||||
|
||||
int vbox_traywindow();
|
||||
|
||||
int vbox_network_share();
|
||||
|
||||
int vbox_processes();
|
||||
|
||||
int vbox_guest_tools();
|
||||
|
||||
#endif
|
||||
|
||||
#ifndef VBOX_H
|
||||
#define VBOX_H
|
||||
|
||||
int vbox_reg_key1();
|
||||
|
||||
int vbox_reg_key2();
|
||||
|
||||
int vbox_reg_key3();
|
||||
|
||||
int vbox_reg_key4();
|
||||
|
||||
int vbox_reg_key5();
|
||||
|
||||
int vbox_reg_key6();
|
||||
|
||||
int vbox_reg_key7();
|
||||
|
||||
int vbox_reg_key8();
|
||||
|
||||
int vbox_reg_key9();
|
||||
|
||||
int vbox_sysfile1();
|
||||
|
||||
int vbox_sysfile2();
|
||||
|
||||
int vbox_mac();
|
||||
|
||||
int vbox_pseudodev();
|
||||
|
||||
int vbox_pipe();
|
||||
|
||||
int vbox_traywindow();
|
||||
|
||||
int vbox_network_share();
|
||||
|
||||
int vbox_processes();
|
||||
|
||||
int vbox_guest_tools();
|
||||
|
||||
int vbox_devices();
|
||||
|
||||
#endif
|
||||
|
|