v0.2.3 submitted

2013-02-10 20:19:04 +01:00 · 2013-02-10 20:19:04 +01:00 · a5f129bb3a
parent 1ff2756a5d
commit a5f129bb3a
14 changed files with 157 additions and 28 deletions
--- a/6
+++ b/6
@ -1,4 +1,10 @@

+v023
+
+- Added two new detections for generic sandboxes (username, file path)
+- Added one new detection for VMware (driver file)
+- Added one new detection for Qemu (reg key)
+
 v022

 - Added one new detection for Qemu
--- a/pafish.exe
+++ b/pafish.exe
--- a/pafish/Makefile.win
+++ b/pafish/Makefile.win
@ -1,7 +1,7 @@
 # Project: pafish
 # Compiler: Default GCC compiler
 # Compiler Type: MingW 3
-# Makefile created by wxDev-C++ IDE 7.4.2.569 on 06/12/12 13:24
+# Makefile created by wxDev-C++ IDE 7.4.2.569 on 10/02/13 19:56

 WXLIBNAME = wxmsw29u
 CPP       = g++.exe
--- a/pafish/Objects/MingW/pafish_private.h
+++ b/pafish/Objects/MingW/pafish_private.h
@ -7,10 +7,10 @@
 #define PAFISH_PRIVATE_H

 /* VERSION DEFINITIONS */
-#define VER_STRING	"0.2.2.1"
+#define VER_STRING	"0.2.3.1"
 #define VER_MAJOR	0
 #define VER_MINOR	2
-#define VER_RELEASE	2
+#define VER_RELEASE	3
 #define VER_BUILD	1
 #define COMPANY_NAME	""
 #define FILE_VERSION	""
--- a/pafish/Objects/MingW/pafish_private.rc
+++ b/pafish/Objects/MingW/pafish_private.rc
@ -8,8 +8,8 @@ A ICON MOVEABLE PURE LOADONCALL DISCARDABLE "pafish.ico"
 // This section contains the executable version information. Go to
 // Project > Project Options to edit these values.
 1 VERSIONINFO
-FILEVERSION 0,2,2,1
-PRODUCTVERSION 0,2,2,1
+FILEVERSION 0,2,3,1
+PRODUCTVERSION 0,2,3,1
 FILETYPE VFT_APP
 BEGIN
    BLOCK "StringFileInfo"
--- a/pafish/gensandbox.c
+++ b/pafish/gensandbox.c
@ -1,5 +1,6 @@

 #include <windows.h>
+#include <string.h>

 #include "gensandbox.h"

@ -17,3 +18,43 @@ int gensandbox_mouse_act() {
        return 1;
    }
 }
+
+int gensandbox_username() {
+    char username[200];
+    int i;
+    DWORD usersize = sizeof(username);
+    GetUserName(username, &usersize);
+    for (i = 0; i < strlen(username); i++) { /* Uppercase to case-insensitive */
+        username[i] = toupper(username[i]);
+    }
+    if (strstr(username, "SANDBOX") != NULL) {
+        return 0;
+    }
+    if (strstr(username, "VIRUS") != NULL) {
+        return 0;
+    }
+    if (strstr(username, "MALWARE") != NULL) {
+        return 0;
+    }
+    return 1;
+}
+
+int gensandbox_path() {
+    char path[500];
+    int i;
+    DWORD pathsize = sizeof(path);
+    GetModuleFileName(NULL, path, pathsize);
+    for (i = 0; i < strlen(path); i++) { /* Uppercase to case-insensitive */
+        path[i] = toupper(path[i]);
+    }
+    if (strstr(path, "\\SAMPLE") != NULL) {
+        return 0;
+    }
+    if (strstr(path, "\\VIRUS") != NULL) {
+        return 0;
+    }
+    if (strstr(path, "SANDBOX") != NULL) {
+        return 0;
+    }
+    return 1;
+}
--- a/pafish/gensandbox.h
+++ b/pafish/gensandbox.h
@ -4,4 +4,8 @@

 int gensandbox_mouse_act();

+int gensandbox_username();
+
+int gensandbox_path();
+
 #endif
--- a/pafish/main.c
+++ b/pafish/main.c
@ -82,6 +82,22 @@ int main(int argc, char *argv[])
    else {
        print_not_traced();
    }
+    printf("[*] Checking username ... ");
+    if (gensandbox_username() == 0) {
+        print_traced();
+        write_log("Sandbox traced by checking username");
+    }
+    else {
+        print_not_traced();
+    }
+    printf("[*] Checking file path ... ");
+    if (gensandbox_path() == 0) {
+        print_traced();
+        write_log("Sandbox traced by checking file path");
+    }
+    else {
+        print_not_traced();
+    }
    
    /* Sandboxie detection tricks */
    printf("\n[-] Sandboxie detection\n");
@ -166,6 +182,14 @@ int main(int argc, char *argv[])
    else {
        print_not_traced();
    }
+    printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... ");
+    if (vmware_sysfile2() == 0) {
+        write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
+        print_traced();
+    }
+    else {
+        print_not_traced();
+    }
    
    /* Qemu detection tricks */
    printf("\n[-] Qemu detection\n");
@ -177,6 +201,14 @@ int main(int argc, char *argv[])
    else {
        print_not_traced();
    }
+    printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
+    if (qemu_reg_key2() == 0) {
+        write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
+        print_traced();
+    }
+    else {
+        print_not_traced();
+    }
    
    printf("\n\n");
    printf("[-] Finished, feel free to RE me.");
--- a/pafish/pafish.dev
+++ b/pafish/pafish.dev
@ -23,7 +23,7 @@ BuildCmd=
 [VersionInfo]
 Major=0
 Minor=2
-Release=2
+Release=3
 Build=1
 LanguageID=1033
 CharsetID=1252
@ -254,5 +254,5 @@ Compile=1
 Link=1
 Priority=1000
 OverrideBuildCmd=0
-BuildCmd=	$(CC) -c qemu.c -o Objects/MingW/qemu.o $(CFLAGS)
+BuildCmd=$(CC) -c qemu.c -o Objects/MingW/qemu.o $(CFLAGS)

--- a/pafish/pafish.layout
+++ b/pafish/pafish.layout
@ -5,8 +5,8 @@ Order=0
 Open=1
 Top=1
 CursorCol=6
-CursorRow=176
-TopLine=166
+CursorRow=97
+TopLine=201
 LeftChar=1
 [Editor_6]
 CursorCol=1
@ -19,9 +19,9 @@ CursorRow=2
 TopLine=1
 LeftChar=1
 [Editor_8]
-CursorCol=18
-CursorRow=83
-TopLine=4
+CursorCol=2
+CursorRow=67
+TopLine=48
 LeftChar=1
 [Editor_2]
 CursorCol=25
@ -36,7 +36,7 @@ LeftChar=1
 [Editor_4]
 CursorCol=67
 CursorRow=17
-TopLine=1
+TopLine=15
 LeftChar=1
 [Editor_3]
 CursorCol=1
@ -49,14 +49,14 @@ CursorRow=11
 TopLine=1
 LeftChar=1
 [Editor_9]
-CursorCol=1
-CursorRow=2
+CursorCol=20
+CursorRow=9
 TopLine=1
 LeftChar=1
 [Editor_10]
-CursorCol=1
-CursorRow=20
-TopLine=1
+CursorCol=45
+CursorRow=46
+TopLine=40
 LeftChar=1
 [Editor_11]
 CursorCol=18
@ -69,22 +69,22 @@ CursorRow=8
 TopLine=1
 LeftChar=1
 [Editor_13]
-CursorCol=5
-CursorRow=13
-TopLine=1
+CursorCol=6
+CursorRow=68
+TopLine=53
 LeftChar=1
 [Editor_14]
-CursorCol=1
-CursorRow=2
+CursorCol=23
+CursorRow=11
 TopLine=1
 LeftChar=1
 [Editor_15]
-CursorCol=1
-CursorRow=8
+CursorCol=21
+CursorRow=7
 TopLine=1
 LeftChar=1
 [Editor_16]
-CursorCol=22
-CursorRow=7
-TopLine=17
+CursorCol=18
+CursorRow=34
+TopLine=36
 LeftChar=1
--- a/pafish/qemu.c
+++ b/pafish/qemu.c
@ -34,3 +34,34 @@ int qemu_reg_key1() {
        return 1;
    }
 }
+
+int qemu_reg_key2() {
+    HKEY regkey;
+    LONG retu;
+    char value[1024];
+    int i;
+    DWORD size;
+    
+    size = sizeof(value);
+    retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", 0, KEY_READ, &regkey);
+    if (retu == ERROR_SUCCESS) {
+        retu = RegQueryValueEx(regkey, "SystemBiosVersion", NULL, NULL, (BYTE*)value, &size);
+        if (retu == ERROR_SUCCESS) {
+            for (i = 0; i < strlen(value); i++) { /* Uppercase to case-insensitive */
+                value[i] = toupper(value[i]);
+            }
+            if (strstr(value, "QEMU") != NULL) {
+                return 0;
+            }
+            else {
+                return 1;
+            }
+        }
+        else {
+            return 1;
+        }
+    }
+    else {
+        return 1;
+    }
+}
--- a/pafish/qemu.h
+++ b/pafish/qemu.h
@ -4,4 +4,6 @@

 int qemu_reg_key1();

+int qemu_reg_key2();
+
 #endif
--- a/pafish/vmware.c
+++ b/pafish/vmware.c
@ -59,3 +59,14 @@ int vmware_sysfile1() {
        return 1;
    }
 }
+
+int vmware_sysfile2() {
+    DWORD ret;
+    ret = GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
+    if (ret != INVALID_FILE_ATTRIBUTES) {
+        return 0;
+    }
+    else {
+        return 1;
+    }
+}
--- a/pafish/vmware.h
+++ b/pafish/vmware.h
@ -8,4 +8,6 @@ int vmware_reg_key2();

 int vmware_sysfile1();

+int vmware_sysfile2();
+
 #endif