Adding device detection #13 (Thorsten commit)

Alberto Ortega 2014-12-29 01:20:21 +01:00
commit 9816ed8eaa
4 changed files with 548 additions and 441 deletions


@ -5,7 +5,7 @@ SRC = $(wildcard *.c)
OBJ = $(SRC:%.c=$(OBJDIR)/%.o) $(OBJDIR)/pafish_private.res
BIN = Output/MingW/pafish.exe
LINKOBJ = $(OBJDIR)/*.o $(OBJDIR)/pafish_private.res
LIBS = -s -lws2_32 -liphlpapi -lmpr
LIBS = -s -lws2_32 -liphlpapi -lmpr -lsetupapi
CXXFLAGS = -fexpensive-optimizations -O1 -static-libgcc
CFLAGS = -fexpensive-optimizations -O1
GPROF = i686-pc-mingw32-gprof


@ -1,380 +1,383 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include "common.h"
#include "debuggers.h"
#include "sandboxie.h"
#include "gensandbox.h"
#include "hooks.h"
#include "vbox.h"
#include "wine.h"
#include "vmware.h"
#include "qemu.h"
/*
Pafish (Paranoid fish)
All code from this project, including
functions, procedures and the main program
is licensed under GNU/GPL version 3.
So, if you are going to use functions or
procedures from this project to develop
your malware, you have to release the
source code as well :)
- Alberto Ortega
*/
int main(int argc, char *argv[])
{
char icon[] = "Blue fish icon thanks to http://www.fasticon.com/", winverstr[32], aux[1024];
OSVERSIONINFO winver;
write_log("Start");
init_cmd_colors();
print_header();
winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&winver);
snprintf(winverstr, sizeof(winverstr), "%d.%d build %d", winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
printf("[*] Windows version: %s\n", winverstr);
snprintf(aux, sizeof(aux), "Windows version: %s", winverstr);
write_log(aux);
printf("[*] Running checks ...\n");
/* Debuggers detection tricks */
printf("\n[-] Debuggers detection\n");
printf("[*] Using IsDebuggerPresent() ... ");
if (debug_isdebuggerpresent() == 0) {
write_log("Debugger traced using IsDebuggerPresent()");
print_traced();
write_trace("hi_debugger_isdebuggerpresent");
}
else {
print_not_traced();
}
/* This is only working on MS Windows systems prior to Vista */
if (winver.dwMajorVersion < 6) {
printf("[*] Using OutputDebugString() ... ");
if (debug_outputdebugstring() == 0) {
write_log("Debugger traced using OutputDebugString()");
print_traced();
write_trace("hi_debugger_outputdebugstring");
}
else {
print_not_traced();
}
}
/* Generic sandbox detection tricks */
printf("\n[-] Generic sandbox detection\n");
printf("[*] Using mouse activity ... ");
if (gensandbox_mouse_act() == 0) {
print_traced();
write_log("Sandbox traced using mouse activity");
write_trace("hi_sandbox_mouse_act");
}
else {
print_not_traced();
}
printf("[*] Checking username ... ");
if (gensandbox_username() == 0) {
print_traced();
write_log("Sandbox traced by checking username");
write_trace("hi_sandbox_username");
}
else {
print_not_traced();
}
printf("[*] Checking file path ... ");
if (gensandbox_path() == 0) {
print_traced();
write_log("Sandbox traced by checking file path");
write_trace("hi_sandbox_path");
}
else {
print_not_traced();
}
printf("[*] Checking if disk size <= 50GB ... ");
if (gensandbox_drive_size() == 0) {
print_traced();
write_log("Sandbox traced by checking disk size <= 50GB");
write_trace("hi_sandbox_drive_size");
}
else {
print_not_traced();
}
printf("[*] Checking if disk size by GetDiskFreeSpace <= 60GB ... ");
if (gensandbox_drive_size2() == 0) {
print_traced();
write_log("Sandbox traced by checking disk size GetDiskFreeSpace <= 60GB");
write_trace("hi_sandbox_drive_size_2");
}
else {
print_not_traced();
}
/* Hooks detection tricks */
printf("\n[-] Hooks detection\n");
printf("[*] Checking function DeleteFileW method 1 ... ");
if (check_hook_DeleteFileW_m1() == 0) {
print_traced();
write_log("Hooks traced using DeleteFileW method 1");
write_trace("hi_hooks_deletefile_m1");
}
else {
print_not_traced();
}
/* Sandboxie detection tricks */
printf("\n[-] Sandboxie detection\n");
printf("[*] Using sbiedll.dll ... ");
if (sboxie_detect_sbiedll() == 0) {
write_log("Sandboxie traced using sbiedll.dll");
print_traced();
write_trace("hi_sandboxie");
}
else {
print_not_traced();
}
/* Wine detection tricks */
printf("\n[-] Wine detection\n");
printf("[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... ");
if (wine_detect_get_unix_file_name() == 0) {
write_log("Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll");
print_traced();
write_trace("hi_wine");
}
else {
print_not_traced();
}
/* VirtualBox detection tricks */
printf("\n[-] VirtualBox detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (vbox_reg_key1() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (vbox_reg_key2() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions) ... ");
if (vbox_reg_key3() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\") ... ");
if (vbox_reg_key4() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\"");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ ... ");
if (vbox_reg_key5() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\SYSTEM\\CurrentControlSet\\Enum\\IDE ... ");
if (vbox_reg_key6() == 0) {
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__ ... ");
if (vbox_reg_key7() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__ ... ");
if (vbox_reg_key8() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox* ... ");
if (vbox_reg_key9() == 0) {
}
else {
print_not_traced();
}
if (vbox_sysfile1() == 0) {
}
else {
print_not_traced();
}
if (vbox_sysfile2() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for MAC ");
if (vbox_mac() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for pseudo device ");
if (vbox_pseudodev() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for pipe ");
if (vbox_pipe() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for VBox tray tool window ");
if (vbox_traywindow() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for VBox network share ");
if (vbox_network_share() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for VBox processes ");
if (vbox_processes() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for guest tools ");
if (vbox_guest_tools() == 0) {
}
else {
print_not_traced();
}
/* VMware detection tricks */
printf("\n[-] VMware detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (vmware_reg_key1() == 0) {
write_log("VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools) ... ");
if (vmware_reg_key2() == 0) {
write_log("VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys ... ");
if (vmware_sysfile1() == 0) {
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... ");
if (vmware_sysfile2() == 0) {
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
/* Qemu detection tricks */
printf("\n[-] Qemu detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (qemu_reg_key1() == 0) {
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced();
write_trace("hi_qemu");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (qemu_reg_key2() == 0) {
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced();
write_trace("hi_qemu");
}
else {
print_not_traced();
}
printf("\n\n");
printf("[-] Finished, feel free to RE me.");
write_log("End");
fflush(stdin);
if (argc != 2 || strncmp(argv[1], "-q", 2) != 0) {
getchar();
}
return analysis_result;
}
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include "common.h"
#include "debuggers.h"
#include "sandboxie.h"
#include "gensandbox.h"
#include "hooks.h"
#include "vbox.h"
#include "wine.h"
#include "vmware.h"
#include "qemu.h"
/*
Pafish (Paranoid fish)
All code from this project, including
functions, procedures and the main program
is licensed under GNU/GPL version 3.
So, if you are going to use functions or
procedures from this project to develop
your malware, you have to release the
source code as well :)
- Alberto Ortega
*/
int main(int argc, char *argv[])
{
char icon[] = "Blue fish icon thanks to http://www.fasticon.com/", winverstr[32], aux[1024];
OSVERSIONINFO winver;
write_log("Start");
init_cmd_colors();
print_header();
winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&winver);
snprintf(winverstr, sizeof(winverstr), "%d.%d build %d", winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
printf("[*] Windows version: %s\n", winverstr);
snprintf(aux, sizeof(aux), "Windows version: %s", winverstr);
write_log(aux);
printf("[*] Running checks ...\n");
/* Debuggers detection tricks */
printf("\n[-] Debuggers detection\n");
printf("[*] Using IsDebuggerPresent() ... ");
if (debug_isdebuggerpresent() == 0) {
write_log("Debugger traced using IsDebuggerPresent()");
print_traced();
write_trace("hi_debugger_isdebuggerpresent");
}
else {
print_not_traced();
}
/* This is only working on MS Windows systems prior to Vista */
if (winver.dwMajorVersion < 6) {
printf("[*] Using OutputDebugString() ... ");
if (debug_outputdebugstring() == 0) {
write_log("Debugger traced using OutputDebugString()");
print_traced();
write_trace("hi_debugger_outputdebugstring");
}
else {
print_not_traced();
}
}
/* Generic sandbox detection tricks */
printf("\n[-] Generic sandbox detection\n");
printf("[*] Using mouse activity ... ");
if (gensandbox_mouse_act() == 0) {
print_traced();
write_log("Sandbox traced using mouse activity");
write_trace("hi_sandbox_mouse_act");
}
else {
print_not_traced();
}
printf("[*] Checking username ... ");
if (gensandbox_username() == 0) {
print_traced();
write_log("Sandbox traced by checking username");
write_trace("hi_sandbox_username");
}
else {
print_not_traced();
}
printf("[*] Checking file path ... ");
if (gensandbox_path() == 0) {
print_traced();
write_log("Sandbox traced by checking file path");
write_trace("hi_sandbox_path");
}
else {
print_not_traced();
}
printf("[*] Checking if disk size <= 50GB ... ");
if (gensandbox_drive_size() == 0) {
print_traced();
write_log("Sandbox traced by checking disk size <= 50GB");
write_trace("hi_sandbox_drive_size");
}
else {
print_not_traced();
}
printf("[*] Checking if disk size by GetDiskFreeSpace <= 60GB ... ");
if (gensandbox_drive_size2() == 0) {
print_traced();
write_log("Sandbox traced by checking disk size GetDiskFreeSpace <= 60GB");
write_trace("hi_sandbox_drive_size_2");
}
else {
print_not_traced();
}
/* Hooks detection tricks */
printf("\n[-] Hooks detection\n");
printf("[*] Checking function DeleteFileW method 1 ... ");
if (check_hook_DeleteFileW_m1() == 0) {
print_traced();
write_log("Hooks traced using DeleteFileW method 1");
write_trace("hi_hooks_deletefile_m1");
}
else {
print_not_traced();
}
/* Sandboxie detection tricks */
printf("\n[-] Sandboxie detection\n");
printf("[*] Using sbiedll.dll ... ");
if (sboxie_detect_sbiedll() == 0) {
write_log("Sandboxie traced using sbiedll.dll");
print_traced();
write_trace("hi_sandboxie");
}
else {
print_not_traced();
}
/* Wine detection tricks */
printf("\n[-] Wine detection\n");
printf("[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... ");
if (wine_detect_get_unix_file_name() == 0) {
write_log("Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll");
print_traced();
write_trace("hi_wine");
}
else {
print_not_traced();
}
/* VirtualBox detection tricks */
printf("\n[-] VirtualBox detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (vbox_reg_key1() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (vbox_reg_key2() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions) ... ");
if (vbox_reg_key3() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\") ... ");
if (vbox_reg_key4() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\"");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ ... ");
if (vbox_reg_key5() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\SYSTEM\\CurrentControlSet\\Enum\\IDE ... ");
if (vbox_reg_key6() == 0) {
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__ ... ");
if (vbox_reg_key7() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__ ... ");
if (vbox_reg_key8() == 0) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__");
print_traced();
write_trace("hi_virtualbox");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox* ... ");
if (vbox_reg_key9() == 0) {
}
else {
print_not_traced();
}
if (vbox_sysfile1() == 0) {
}
else {
print_not_traced();
}
if (vbox_sysfile2() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for MAC ");
if (vbox_mac() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for pseudo device ");
if (vbox_pseudodev() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for pipe ");
if (vbox_pipe() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for VBox tray tool window ");
if (vbox_traywindow() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for VBox network share ");
if (vbox_network_share() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for VBox processes ");
if (vbox_processes() == 0) {
}
else {
print_not_traced();
}
printf("[*] Looking for guest tools ");
if (vbox_guest_tools() == 0) {
printf("[*] Looking for VBox devices ");
if (vbox_devices() == 0) {
}
else {
print_not_traced();
}
/* VMware detection tricks */
printf("\n[-] VMware detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (vmware_reg_key1() == 0) {
write_log("VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools) ... ");
if (vmware_reg_key2() == 0) {
write_log("VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys ... ");
if (vmware_sysfile1() == 0) {
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... ");
if (vmware_sysfile2() == 0) {
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
print_traced();
write_trace("hi_vmware");
}
else {
print_not_traced();
}
/* Qemu detection tricks */
printf("\n[-] Qemu detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (qemu_reg_key1() == 0) {
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced();
write_trace("hi_qemu");
}
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (qemu_reg_key2() == 0) {
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced();
write_trace("hi_qemu");
}
else {
print_not_traced();
}
printf("\n\n");
printf("[-] Finished, feel free to RE me.");
write_log("End");
fflush(stdin);
if (argc != 2 || strncmp(argv[1], "-q", 2) != 0) {
getchar();
}
return analysis_result;
}
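Review bot: On the new side, the `printf("[*] Looking for VBox devices ")` / `if (vbox_devices() == 0)` pair is printed directly after `if (vbox_guest_tools() == 0) {`, and the `}` / `else {` / `print_not_traced();` / `}` that close the guest-tools check on the old side are no longer visible before it; either the page dropped those lines or the new check is nested inside the guest-tools branch with an unbalanced brace, which should be confirmed against the actual commit. The intended shape is the same as every other VBox probe in main: `if (vbox_devices() == 0) { } else { print_not_traced(); }` as a sibling block, after the guest-tools check is fully closed. The hunk header also spans the whole file (380 to 383 lines) for what is a six-line functional change, which suggests a line-ending or whitespace rewrite was committed with it and hides the real diff; presumably worth normalizing separately.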


@ -6,15 +6,23 @@
#include <stdio.h>
#include <iphlpapi.h>
#include <tlhelp32.h>
#include <setupapi.h>
#include <devguid.h>
#include <regstr.h>
#include "vbox.h"
typedef char * string;
void ToUpper(unsigned char* Pstr) {
char* P=(char*)Pstr;
unsigned long length=strlen(P);
unsigned long length;
unsigned long i;
if (Pstr == NULL)
return;
length=strlen(P);
for(i=0;i<length;i++) P[i]=toupper(P[i]);
return;
@ -29,7 +37,7 @@ int vbox_reg_key1() {
char value[1024];
int i;
DWORD size;
size = sizeof(value);
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
@ -63,7 +71,7 @@ int vbox_reg_key2() {
char value[1024];
int i;
DWORD size;
size = sizeof(value);
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
@ -112,7 +120,7 @@ int vbox_reg_key4() {
char value[1024];
int i;
DWORD size;
size = sizeof(value);
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
@ -195,7 +203,7 @@ int vbox_reg_key6() {
sprintf(message, "VBOX traced in IDE Registry based on FriendlyName containing VBOX %s ", ValName);
write_log(message);
LocalFree(message);
}
}
res = 0;
}
}
@ -213,12 +221,12 @@ int vbox_reg_key6() {
sprintf(message, "VBOX traced in IDE Registry based on HardwareID containing VBOX %s ", sp);
write_log(message);
LocalFree(message);
}
}
res = 0;
}
sp = sp + strlen(sp) + 1;
}
}
}
}
else{
message = (char*)LocalAlloc(LMEM_ZEROINIT,200);
@ -228,7 +236,7 @@ int vbox_reg_key6() {
}
RegCloseKey(HKKK);
}
}
}
LocalFree(pNewNewKey);
RegCloseKey(HKK);
}
@ -321,13 +329,13 @@ int vbox_reg_key9() {
**/
int vbox_sysfile1() {
DWORD ret;
const int count = 4;
string strs[count];
int res = 1;
char message[200];
int i=0;
strs[0] = "C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys";
strs[1] = "C:\\WINDOWS\\system32\\drivers\\VBoxGuest.sys";
strs[2] = "C:\\WINDOWS\\system32\\drivers\\VBoxSF.sys";
@ -346,9 +354,9 @@ int vbox_sysfile1() {
res = 0;
}
}
return res;
}
/**
@ -356,7 +364,7 @@ int vbox_sysfile1() {
**/
int vbox_sysfile2() {
DWORD ret;
const int count = 12;
string strs[count];
int res = 1;
@ -449,7 +457,7 @@ int vbox_pseudodev() {
res = 0;
CloseHandle(h);
}
return res;
}
@ -469,7 +477,7 @@ int vbox_pipe() {
res = 0;
CloseHandle(h);
}
return res;
}
@ -492,7 +500,7 @@ int vbox_traywindow() {
write_trace("hi_virtualbox");
res = 0;
}
return res;
}
@ -516,7 +524,7 @@ int vbox_network_share() {
res = 0;
}
}
return res;
}
@ -548,7 +556,7 @@ int vbox_processes() {
res = 0;
}
} while( Process32Next( hpSnap, &pentry ) );
if (res == 0){
print_traced();
write_trace("hi_virtualbox");
@ -571,7 +579,7 @@ int vbox_guest_tools() {
res = 0;
CloseHandle(h);
}
h = CreateFile("c:\\program files\\oracle\\virtualbox guest additions\\VBoxDrvInst.exe", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h != INVALID_HANDLE_VALUE){
write_log("VirtualBox VBoxDrvInst.exe detected");
@ -594,3 +602,97 @@ int vbox_guest_tools() {
}
/**
* Helper function to get device propery. Free return buffer after use ! Only for REG_SZ data
*
*
**/
LPTSTR device_property(HDEVINFO hDevInfo, SP_DEVINFO_DATA DevInfoData, DWORD property){
LPTSTR buffer = NULL;
DWORD buffersize = 0;
DWORD DataT;
while (!SetupDiGetDeviceRegistryProperty(
hDevInfo,
&DevInfoData,
property,
&DataT,
(PBYTE) buffer,
buffersize,
&buffersize
)){
if (GetLastError () == ERROR_INSUFFICIENT_BUFFER){
if (buffer) LocalFree(buffer);
buffer = LocalAlloc (LPTR, buffersize * 2);
}
else
{
break;
}
}
return buffer;
}
/**
* VBox devices
*
* http://support.microsoft.com/kb/259695/EN-US
**/
int vbox_devices() {
int res=1;
HDEVINFO hDevInfo;
DWORD i;
SP_DEVINFO_DATA DevInfoData;
hDevInfo = SetupDiGetClassDevs(NULL, 0, 0, DIGCF_PRESENT | DIGCF_ALLCLASSES);
if (hDevInfo == INVALID_HANDLE_VALUE){
return res;
}
DevInfoData.cbSize = sizeof(SP_DEVINFO_DATA);
// Enum devices
for (i=0; SetupDiEnumDeviceInfo(hDevInfo, i, &DevInfoData); i++){
LPTSTR buffer = NULL;
DWORD properties[] = {SPDRP_CLASS, SPDRP_CLASSGUID, SPDRP_DEVICEDESC, SPDRP_ENUMERATOR_NAME, SPDRP_FRIENDLYNAME, SPDRP_LOCATION_INFORMATION, SPDRP_MFG, SPDRP_PHYSICAL_DEVICE_OBJECT_NAME, SPDRP_SERVICE};
int prop;
const int max_prop = 9;
char * message;
for (prop=0; prop < max_prop ; prop ++){
buffer = device_property(hDevInfo, DevInfoData, properties[prop]);
if (buffer != NULL){
ToUpper(buffer);
if ((strstr((char *)buffer, "VBOX")) ||
(strstr((char *)buffer, "VIRTUALBOX"))){
message = (char*)LocalAlloc(LMEM_ZEROINIT,strlen(buffer)+200);
if (message) {
sprintf(message, "VBOX traced by device property %s ", buffer);
write_log(message);
LocalFree(message);
}
res = 0;
}
LocalFree(buffer);
buffer = NULL;
}
}
}
// Cleanup
SetupDiDestroyDeviceInfoList(hDevInfo);
if (res == 0){
print_traced();
write_trace("hi_virtualbox");
}
return res;
}
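Review bot: In device_property, the retry loop does not check the LocalAlloc result, so if the allocation fails the next SetupDiGetDeviceRegistryProperty call is made with a NULL buffer and a non-zero buffersize; if that again reports ERROR_INSUFFICIENT_BUFFER the loop never terminates, and an error other than ERROR_INSUFFICIENT_BUFFER after a buffer has been allocated breaks out and hands the caller that buffer as if it held a value. The header comment also promises "Only for REG_SZ data", but DataT is filled and never inspected; the rewrite below returns NULL on allocation failure, on non-size errors, and on a non-REG_SZ type, and the caller already handles NULL. In vbox_devices, `const int max_prop = 9;` duplicates the length of `properties[]` and would silently go stale; `const size_t max_prop = sizeof(properties) / sizeof(properties[0]);` keeps them in step. In the earlier ToUpper hunk, `toupper(P[i])` is passed a plain `char`, which is undefined for negative values; use `P[i] = (char)toupper((unsigned char)P[i]);`.

```c
LPTSTR device_property(HDEVINFO hDevInfo, SP_DEVINFO_DATA DevInfoData, DWORD property){
    LPTSTR buffer = NULL;
    DWORD buffersize = 0;
    DWORD DataT = 0;
    while (!SetupDiGetDeviceRegistryProperty(hDevInfo, &DevInfoData, property, &DataT,
                                             (PBYTE) buffer, buffersize, &buffersize)){
        if (GetLastError() != ERROR_INSUFFICIENT_BUFFER){
            /* property absent or unreadable: do not return a half-built buffer */
            if (buffer) LocalFree(buffer);
            return NULL;
        }
        if (buffer) LocalFree(buffer);
        buffer = LocalAlloc(LPTR, buffersize * 2);
        if (buffer == NULL){
            /* out of memory: stop rather than re-query with a NULL buffer */
            return NULL;
        }
    }
    /* this helper is documented as REG_SZ-only; reject other value types */
    if (DataT != REG_SZ){
        LocalFree(buffer);
        return NULL;
    }
    return buffer;
}
```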


@ -1,41 +1,43 @@
#ifndef VBOX_H
#define VBOX_H
int vbox_reg_key1();
int vbox_reg_key2();
int vbox_reg_key3();
int vbox_reg_key4();
int vbox_reg_key5();
int vbox_reg_key6();
int vbox_reg_key7();
int vbox_reg_key8();
int vbox_reg_key9();
int vbox_sysfile1();
int vbox_sysfile2();
int vbox_mac();
int vbox_pseudodev();
int vbox_pipe();
int vbox_traywindow();
int vbox_network_share();
int vbox_processes();
int vbox_guest_tools();
#endif
#ifndef VBOX_H
#define VBOX_H
int vbox_reg_key1();
int vbox_reg_key2();
int vbox_reg_key3();
int vbox_reg_key4();
int vbox_reg_key5();
int vbox_reg_key6();
int vbox_reg_key7();
int vbox_reg_key8();
int vbox_reg_key9();
int vbox_sysfile1();
int vbox_sysfile2();
int vbox_mac();
int vbox_pseudodev();
int vbox_pipe();
int vbox_traywindow();
int vbox_network_share();
int vbox_processes();
int vbox_guest_tools();
int vbox_devices();
#endif