v0.2.3 submitted

Alberto 2013-02-10 20:19:04 +01:00
parent 1ff2756a5d
commit a5f129bb3a
14 changed files with 157 additions and 28 deletions


@ -1,4 +1,10 @@
v023
- Added two new detections for generic sandboxes (username, file path)
- Added one new detection for VMware (driver file)
- Added one new detection for Qemu (reg key)
v022
- Added one new detection for Qemu



@ -1,7 +1,7 @@
# Project: pafish
# Compiler: Default GCC compiler
# Compiler Type: MingW 3
# Makefile created by wxDev-C++ IDE 7.4.2.569 on 06/12/12 13:24
# Makefile created by wxDev-C++ IDE 7.4.2.569 on 10/02/13 19:56
WXLIBNAME = wxmsw29u
CPP = g++.exe


@ -7,10 +7,10 @@
#define PAFISH_PRIVATE_H
/* VERSION DEFINITIONS */
#define VER_STRING "0.2.2.1"
#define VER_STRING "0.2.3.1"
#define VER_MAJOR 0
#define VER_MINOR 2
#define VER_RELEASE 2
#define VER_RELEASE 3
#define VER_BUILD 1
#define COMPANY_NAME ""
#define FILE_VERSION ""


@ -8,8 +8,8 @@ A ICON MOVEABLE PURE LOADONCALL DISCARDABLE "pafish.ico"
// This section contains the executable version information. Go to
// Project > Project Options to edit these values.
1 VERSIONINFO
FILEVERSION 0,2,2,1
PRODUCTVERSION 0,2,2,1
FILEVERSION 0,2,3,1
PRODUCTVERSION 0,2,3,1
FILETYPE VFT_APP
BEGIN
BLOCK "StringFileInfo"


@ -1,5 +1,6 @@
#include <windows.h>
#include <string.h>
#include "gensandbox.h"
@ -17,3 +18,43 @@ int gensandbox_mouse_act() {
return 1;
}
}
int gensandbox_username() {
char username[200];
int i;
DWORD usersize = sizeof(username);
GetUserName(username, &usersize);
for (i = 0; i < strlen(username); i++) { /* Uppercase to case-insensitive */
username[i] = toupper(username[i]);
}
if (strstr(username, "SANDBOX") != NULL) {
return 0;
}
if (strstr(username, "VIRUS") != NULL) {
return 0;
}
if (strstr(username, "MALWARE") != NULL) {
return 0;
}
return 1;
}
int gensandbox_path() {
char path[500];
int i;
DWORD pathsize = sizeof(path);
GetModuleFileName(NULL, path, pathsize);
for (i = 0; i < strlen(path); i++) { /* Uppercase to case-insensitive */
path[i] = toupper(path[i]);
}
if (strstr(path, "\\SAMPLE") != NULL) {
return 0;
}
if (strstr(path, "\\VIRUS") != NULL) {
return 0;
}
if (strstr(path, "SANDBOX") != NULL) {
return 0;
}
return 1;
}
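Review bot: The result of `GetUserName(username, &usersize);` is ignored, so when the call fails `username` is never written and the following strlen/strstr read an uninitialized buffer; the same applies to `GetModuleFileName(NULL, path, pathsize);` in gensandbox_path, whose buffer is not guaranteed to be NUL-terminated on truncation on older Windows versions. Suggest `if (!GetUserName(username, &usersize)) return 1;` and `if (GetModuleFileName(NULL, path, pathsize) == 0) return 1;` so an API failure is reported as not-traced instead of reading indeterminate memory. The toupper calls pass a plain `char`, which is undefined behavior for negative values; write `toupper((unsigned char)username[i])`, and note that the first hunk adds `<string.h>` but not `<ctype.h>`, which toupper needs. The loop counter `int i` is compared against `strlen`, a size_t; declaring `size_t i` avoids the signed/unsigned comparison.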


@ -4,4 +4,8 @@
int gensandbox_mouse_act();
int gensandbox_username();
int gensandbox_path();
#endif
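Review bot: The new prototypes `int gensandbox_username();` and `int gensandbox_path();` use an empty parameter list, which in C means unspecified arguments rather than none, so a call passing arguments would not be diagnosed; write `int gensandbox_username(void);` and `int gensandbox_path(void);`. The same applies to `int qemu_reg_key2();` in qemu.h and `int vmware_sysfile2();` in vmware.h. A one-line comment on the return convention would also help readers of the callers, e.g. `/* each check returns 0 when an indicator is found, 1 otherwise */`.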


@ -82,6 +82,22 @@ int main(int argc, char *argv[])
else {
print_not_traced();
}
printf("[*] Checking username ... ");
if (gensandbox_username() == 0) {
print_traced();
write_log("Sandbox traced by checking username");
}
else {
print_not_traced();
}
printf("[*] Checking file path ... ");
if (gensandbox_path() == 0) {
print_traced();
write_log("Sandbox traced by checking file path");
}
else {
print_not_traced();
}
/* Sandboxie detection tricks */
printf("\n[-] Sandboxie detection\n");
@ -166,6 +182,14 @@ int main(int argc, char *argv[])
else {
print_not_traced();
}
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... ");
if (vmware_sysfile2() == 0) {
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
print_traced();
}
else {
print_not_traced();
}
/* Qemu detection tricks */
printf("\n[-] Qemu detection\n");
@ -177,6 +201,14 @@ int main(int argc, char *argv[])
else {
print_not_traced();
}
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (qemu_reg_key2() == 0) {
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced();
}
else {
print_not_traced();
}
printf("\n\n");
printf("[-] Finished, feel free to RE me.");
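Review bot: The order of print_traced() and write_log() is inconsistent across the new blocks: the username and file-path checks print first (`print_traced(); write_log("Sandbox traced by checking username");`), while the vmhgfs.sys and SystemBiosVersion blocks log first and then print. Pick one order for all four so console output and the log file stay in step, and so a later reader does not infer a deliberate difference. The enclosing main() starts and ends outside these hunks.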


@ -23,7 +23,7 @@ BuildCmd=
[VersionInfo]
Major=0
Minor=2
Release=2
Release=3
Build=1
LanguageID=1033
CharsetID=1252
@ -254,5 +254,5 @@ Compile=1
Link=1
Priority=1000
OverrideBuildCmd=0
BuildCmd= $(CC) -c qemu.c -o Objects/MingW/qemu.o $(CFLAGS)
BuildCmd=$(CC) -c qemu.c -o Objects/MingW/qemu.o $(CFLAGS)


@ -5,8 +5,8 @@ Order=0
Open=1
Top=1
CursorCol=6
CursorRow=176
TopLine=166
CursorRow=97
TopLine=201
LeftChar=1
[Editor_6]
CursorCol=1
@ -19,9 +19,9 @@ CursorRow=2
TopLine=1
LeftChar=1
[Editor_8]
CursorCol=18
CursorRow=83
TopLine=4
CursorCol=2
CursorRow=67
TopLine=48
LeftChar=1
[Editor_2]
CursorCol=25
@ -36,7 +36,7 @@ LeftChar=1
[Editor_4]
CursorCol=67
CursorRow=17
TopLine=1
TopLine=15
LeftChar=1
[Editor_3]
CursorCol=1
@ -49,14 +49,14 @@ CursorRow=11
TopLine=1
LeftChar=1
[Editor_9]
CursorCol=1
CursorRow=2
CursorCol=20
CursorRow=9
TopLine=1
LeftChar=1
[Editor_10]
CursorCol=1
CursorRow=20
TopLine=1
CursorCol=45
CursorRow=46
TopLine=40
LeftChar=1
[Editor_11]
CursorCol=18
@ -69,22 +69,22 @@ CursorRow=8
TopLine=1
LeftChar=1
[Editor_13]
CursorCol=5
CursorRow=13
TopLine=1
CursorCol=6
CursorRow=68
TopLine=53
LeftChar=1
[Editor_14]
CursorCol=1
CursorRow=2
CursorCol=23
CursorRow=11
TopLine=1
LeftChar=1
[Editor_15]
CursorCol=1
CursorRow=8
CursorCol=21
CursorRow=7
TopLine=1
LeftChar=1
[Editor_16]
CursorCol=22
CursorRow=7
TopLine=17
CursorCol=18
CursorRow=34
TopLine=36
LeftChar=1


@ -34,3 +34,34 @@ int qemu_reg_key1() {
return 1;
}
}
int qemu_reg_key2() {
HKEY regkey;
LONG retu;
char value[1024];
int i;
DWORD size;
size = sizeof(value);
retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", 0, KEY_READ, &regkey);
if (retu == ERROR_SUCCESS) {
retu = RegQueryValueEx(regkey, "SystemBiosVersion", NULL, NULL, (BYTE*)value, &size);
if (retu == ERROR_SUCCESS) {
for (i = 0; i < strlen(value); i++) { /* Uppercase to case-insensitive */
value[i] = toupper(value[i]);
}
if (strstr(value, "QEMU") != NULL) {
return 0;
}
else {
return 1;
}
}
else {
return 1;
}
}
else {
return 1;
}
}
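Review bot: The key opened at `RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", 0, KEY_READ, &regkey);` is never closed, so every return path after a successful open leaks the handle. RegQueryValueEx also does not guarantee that REG_SZ data is NUL-terminated, yet `value` is passed straight to strlen/strstr; the query should be given `sizeof(value) - 1` bytes and the result terminated at `value[size]` before any string call. Restructuring around a single exit with RegCloseKey on it fixes both, and lets toupper receive an `unsigned char` as it requires.
```c
int qemu_reg_key2() {
    HKEY regkey;
    char value[1024];
    DWORD size = sizeof(value) - 1;   /* leave room for a terminator */
    int result = 1;

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", 0, KEY_READ, &regkey) != ERROR_SUCCESS) {
        return 1;
    }
    if (RegQueryValueEx(regkey, "SystemBiosVersion", NULL, NULL, (BYTE*)value, &size) == ERROR_SUCCESS) {
        size_t i;
        value[size] = '\0';   /* REG_SZ data is not guaranteed to be NUL-terminated */
        for (i = 0; i < strlen(value); i++) { /* Uppercase to case-insensitive */
            value[i] = toupper((unsigned char)value[i]);
        }
        if (strstr(value, "QEMU") != NULL) {
            result = 0;
        }
    }
    RegCloseKey(regkey);   /* released on every path after a successful open */
    return result;
}
```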


@ -4,4 +4,6 @@
int qemu_reg_key1();
int qemu_reg_key2();
#endif


@ -59,3 +59,14 @@ int vmware_sysfile1() {
return 1;
}
}
int vmware_sysfile2() {
DWORD ret;
ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
if (ret != INVALID_FILE_ATTRIBUTES) {
return 0;
}
else {
return 1;
}
}
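Review bot: The return convention of vmware_sysfile2 (0 when the file is present, 1 otherwise) is undocumented and inverted relative to the usual zero-is-false reading; a header comment such as `/* Returns 0 if the VMware guest driver file exists, 1 otherwise. */` would make the caller in pafish.c readable. The check hardcodes `C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys`, so on an installation whose system directory differs the function reports not-traced without distinguishing that from the file being absent; the same literal is repeated in the printf and write_log strings in pafish.c and would be easier to keep in sync as one constant. GetFileAttributes also returns INVALID_FILE_ATTRIBUTES for reasons other than a missing file, such as access denied, and GetLastError is not consulted.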


@ -8,4 +8,6 @@ int vmware_reg_key2();
int vmware_sysfile1();
int vmware_sysfile2();
#endif