Refactor main.c, link new Qemu and Bochs detections in main

Alberto Ortega 2015-08-29 13:55:42 +02:00
parent ea6617f45b
commit b0b72c4e5e
5 changed files with 114 additions and 402 deletions


@ -68,3 +68,29 @@ void write_trace(char product[]) {
trace = fopen(product, "a");
fclose(trace);
}
void print_check_group(char * text) {
printf("\n[-] %s\n", text);
}
void exec_check(char * text, int (*callback)(), char * text_log, char * text_trace) {
int check_result;
int (*callback_writeslog)(int) = callback;
/* Handle functions that write logs */
if (text_log)
check_result = callback();
else
check_result = callback_writeslog(TRUE);
printf("[*] %s ... ", text);
if (check_result == TRUE) {
/* Some checks write their own logs */
if (text_log)
write_log(text_log);
print_traced();
write_trace(text_trace);
}
else print_not_traced();
}
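Review bot: `exec_check` runs the callback before it prints the `[*] %s ... ` banner (the `printf` after the if/else), whereas the per-check code it replaces printed the banner first; a check that hangs or takes the process down now leaves no line on screen saying which check was running, which is exactly when that line is most useful. Moving `printf("[*] %s ... ", text); fflush(stdout);` above `if (text_log)` restores the old behaviour. Separately, the calling convention is selected by `text_log == NULL`: a NULL log text means the function is invoked as `int (*)(int)` with `TRUE` (the `callback_writeslog` alias), otherwise as `int (*)()`, and calling a function through a pointer of a different type is undefined behaviour in C, so the coupling should be stated on the function, e.g. `/* text_log == NULL: callback takes an int "write log" flag and logs by itself; the real signature must match */`. The `write_trace` context above also passes the `fopen` result straight to `fclose` without a NULL check, which is pre-existing but now on the path of every check.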


@ -18,4 +18,8 @@ void write_log(char msg[]);
void write_trace(char product[]);
void print_check_group(char * text);
void exec_check(char * text, int (*callback)(), char * text_log, char * text_trace);
#endif


@ -118,16 +118,18 @@ void cpu_write_brand(char * brand) {
}
}
int cpu_known_vm_vendors(char * vendor) {
int cpu_known_vm_vendors() {
const int count = 4;
int i;
char cpu_vendor[13];
string strs[count];
strs[0] = "KVMKVMKVMKVM";
strs[1] = "Microsoft Hv";
strs[2] = "VMwareVMware";
strs[3] = "XenVMMXenVMM";
cpu_write_vendor(cpu_vendor);
for (i = 0; i < count; i++) {
if (!memcmp(vendor, strs[i], 12)) return TRUE;
if (!memcmp(cpu_vendor, strs[i], 12)) return TRUE;
}
return FALSE;
}
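Review bot: The new definition `int cpu_known_vm_vendors()` (and its prototype in the cpu.h hunk below) uses an empty parameter list, which in C declares an unprototyped function rather than one taking no arguments; `int cpu_known_vm_vendors(void)` in both places lets the compiler check the new call in main.c and the function-pointer use in `exec_check` against it. The added `char cpu_vendor[13]` is filled by `cpu_write_vendor`, whose write bound is not visible here — presumably 12 vendor bytes plus a terminator, which is worth stating on the buffer, e.g. `/* 12-byte cpuid vendor string plus NUL, as written by cpu_write_vendor() */`. Only 12 bytes are compared, so the terminator is not load-bearing for `memcmp`, but the buffer size has to stay in step with the writer.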


@ -11,6 +11,6 @@ int cpu_hv();
void cpu_write_vendor(char *);
void cpu_write_brand(char *);
int cpu_known_vm_vendors(char *);
int cpu_known_vm_vendors();
#endif


@ -20,27 +20,27 @@
#include "bochs.h"
/*
Pafish (Paranoid fish)
Pafish (Paranoid fish)
All code from this project, including
functions, procedures and the main program
is licensed under GNU/GPL version 3.
All code from this project, including
functions, procedures and the main program
is licensed under GNU/GPL version 3.
So, if you are going to use functions or
procedures from this project to develop
your malware, you have to release the
source code as well :)
So, if you are going to use functions or
procedures from this project to develop
your malware, you have to release the
source code as well :)
- Alberto Ortega
- Alberto Ortega
Blue fish icon thanks to http://www.fasticon.com/
Blue fish icon thanks to http://www.fasticon.com/
*/
*/
int main(void)
{
char winverstr[32], aux[1024];
char cpu_vendor[13];
char cpu_vendor[13], cpu_brand[49];
OSVERSIONINFO winver;
unsigned short original_colors = 0;
@ -52,426 +52,106 @@ int main(void)
winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&winver);
snprintf(winverstr, sizeof(winverstr)-sizeof(winverstr[0]), "%lu.%lu build %lu",
winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
/* Get CPU vendor */
cpu_write_vendor(cpu_vendor);
cpu_write_brand(cpu_brand);
printf("[*] Windows version: %s\n", winverstr);
printf("[*] CPU vendor: %s\n", cpu_vendor);
printf("[*] CPU: %s %s \n", cpu_vendor, cpu_brand);
snprintf(aux, sizeof(aux)-sizeof(aux[0]), "Windows version: %s", winverstr);
write_log(aux);
snprintf(aux, sizeof(aux)-sizeof(aux[0]), "CPU vendor: %s", cpu_vendor);
snprintf(aux, sizeof(aux)-sizeof(aux[0]), "CPU: %s %s", cpu_vendor, cpu_brand);
write_log(aux);
/* Debuggers detection tricks */
printf("\n[-] Debuggers detection\n");
printf("[*] Using IsDebuggerPresent() ... ");
if (debug_isdebuggerpresent() == TRUE) {
write_log("Debugger traced using IsDebuggerPresent()");
print_traced();
write_trace("hi_debugger_isdebuggerpresent");
}
else print_not_traced();
print_check_group("Debuggers detection");
exec_check("Using IsDebuggerPresent()", &debug_isdebuggerpresent, "Debugger traced using IsDebuggerPresent()", "hi_debugger_isdebuggerpresent");
/* This is only working on MS Windows systems prior to Vista */
if (winver.dwMajorVersion < 6) {
printf("[*] Using OutputDebugString() ... ");
if (debug_outputdebugstring() == TRUE) {
write_log("Debugger traced using OutputDebugString()");
print_traced();
write_trace("hi_debugger_outputdebugstring");
}
else print_not_traced();
exec_check("Using OutputDebugString()", &debug_outputdebugstring, "Debugger traced using OutputDebugString()", "hi_debugger_outputdebugstring");
}
/* CPU information based detection tricks */
printf("\n[-] CPU information based detections\n");
printf("[*] Checking the difference between CPU timestamp counters (rdtsc) ... ");
if (cpu_rdtsc() == TRUE) {
print_traced();
write_log("CPU VM traced by checking the difference between CPU timestamp counters (rdtsc)");
write_trace("hi_CPU_VM_rdtsc");
}
else print_not_traced();
printf("[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... ");
if (cpu_rdtsc_force_vmexit() == TRUE) {
print_traced();
write_log("CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit");
write_trace("hi_CPU_VM_rdtsc_force_vm_exit");
}
else print_not_traced();
printf("[*] Checking hypervisor bit in cpuid feature bits ... ");
if (cpu_hv() == TRUE) {
print_traced();
write_log("CPU VM traced by checking hypervisor bit in cpuid feature bits");
write_trace("hi_CPU_VM_hypervisor_bit");
}
else print_not_traced();
printf("[*] Checking cpuid vendor for known VM vendors ... ");
if (cpu_known_vm_vendors(cpu_vendor) == TRUE) {
print_traced();
write_log("CPU VM traced by checking cpuid vendor for known VM vendors");
write_trace("hi_CPU_VM_vendor_name");
}
else print_not_traced();
print_check_group("CPU information based detections");
exec_check("Checking the difference between CPU timestamp counters (rdtsc)", &cpu_rdtsc, "CPU VM traced by checking the difference between CPU timestamp counters (rdtsc)", "hi_CPU_VM_rdtsc");
exec_check("Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit", &cpu_rdtsc_force_vmexit, "CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit", "hi_CPU_VM_rdtsc_force_vm_exit");
exec_check("Checking hypervisor bit in cpuid feature bits", &cpu_hv, "CPU VM traced by checking hypervisor bit in cpuid feature bits", "hi_CPU_VM_hypervisor_bit");
exec_check("Checking cpuid vendor for known VM vendors", &cpu_known_vm_vendors, "CPU VM traced by checking cpuid vendor for known VM vendors", "hi_CPU_VM_vendor_name");
/* Generic sandbox detection tricks */
printf("\n[-] Generic sandbox detection\n");
printf("[*] Using mouse activity ... ");
if (gensandbox_mouse_act() == TRUE) {
print_traced();
write_log("Sandbox traced using mouse activity");
write_trace("hi_sandbox_mouse_act");
}
else print_not_traced();
printf("[*] Checking username ... ");
if (gensandbox_username() == TRUE) {
print_traced();
write_log("Sandbox traced by checking username");
write_trace("hi_sandbox_username");
}
else print_not_traced();
printf("[*] Checking file path ... ");
if (gensandbox_path() == TRUE) {
print_traced();
write_log("Sandbox traced by checking file path");
write_trace("hi_sandbox_path");
}
else print_not_traced();
printf("[*] Checking common sample names in drives root ... ");
if (gensandbox_common_names() == TRUE) {
print_traced();
write_log("Sandbox traced by checking common sample names in drives root");
write_trace("hi_sandbox_common_names");
}
else print_not_traced();
printf("[*] Checking if disk size <= 60GB via DeviceIoControl() ... ");
if (gensandbox_drive_size() == TRUE) {
print_traced();
write_log("Sandbox traced by checking disk size <= 60GB via DeviceIoControl()");
write_trace("hi_sandbox_drive_size");
}
else print_not_traced();
printf("[*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... ");
if (gensandbox_drive_size2() == TRUE) {
print_traced();
write_log("Sandbox traced by checking disk size <= 60GB via GetDiskFreeSpaceExA()");
write_trace("hi_sandbox_drive_size2");
}
else print_not_traced();
printf("[*] Checking if Sleep() is patched using GetTickCount() ... ");
if (gensandbox_sleep_patched() == TRUE) {
print_traced();
write_log("Sandbox traced by checking if Sleep() was patched using GetTickCount()");
write_trace("hi_sandbox_sleep_gettickcount");
}
else print_not_traced();
printf("[*] Checking if NumberOfProcessors is < 2 via raw access ... ");
if (gensandbox_one_cpu() == TRUE) {
print_traced();
write_log("Sandbox traced by checking if NumberOfProcessors is less than 2 via raw access");
write_trace("hi_sandbox_NumberOfProcessors_less_2_raw");
}
else print_not_traced();
printf("[*] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... ");
if (gensandbox_one_cpu_GetSystemInfo() == TRUE) {
print_traced();
write_log("Sandbox traced by checking if NumberOfProcessors is less than 2 via GetSystemInfo()");
write_trace("hi_sandbox_NumberOfProcessors_less_2_GetSystemInfo");
}
else print_not_traced();
printf("[*] Checking if pysical memory is < 1Gb ... ");
if (gensandbox_less_than_onegb() == TRUE) {
print_traced();
write_log("Sandbox traced by checking if pysical memory is less than 1Gb");
write_trace("hi_sandbox_pysicalmemory_less_1Gb");
}
else print_not_traced();
print_check_group("Generic sandbox detection");
exec_check("Using mouse activity", &gensandbox_mouse_act, "Sandbox traced using mouse activity", "hi_sandbox_mouse_act");
exec_check("Checking username", &gensandbox_username, "Sandbox traced by checking username", "hi_sandbox_username");
exec_check("Checking file path", &gensandbox_path, "Sandbox traced by checking file path", "hi_sandbox_path");
exec_check("Checking common sample names in drives root", &gensandbox_common_names, "Sandbox traced by checking common sample names in drives root", "hi_sandbox_common_names");
exec_check("Checking if disk size <= 60GB via DeviceIoControl()", &gensandbox_drive_size, "Sandbox traced by checking disk size <= 60GB via DeviceIoControl()", "hi_sandbox_drive_size");
exec_check("Checking if disk size <= 60GB via GetDiskFreeSpaceExA()", &gensandbox_drive_size2, "Sandbox traced by checking disk size <= 60GB via GetDiskFreeSpaceExA()", "hi_sandbox_drive_size2");
exec_check("Checking if Sleep() is patched using GetTickCount()", &gensandbox_sleep_patched, "Sandbox traced by checking if Sleep() was patched using GetTickCount()", "hi_sandbox_sleep_gettickcount");
exec_check("Checking if NumberOfProcessors is < 2 via raw access", &gensandbox_one_cpu, "Sandbox traced by checking if NumberOfProcessors is less than 2 via raw access", "hi_sandbox_NumberOfProcessors_less_2_raw");
exec_check("Checking if NumberOfProcessors is < 2 via GetSystemInfo()", &gensandbox_one_cpu_GetSystemInfo, "Sandbox traced by checking if NumberOfProcessors is less than 2 via GetSystemInfo()", "hi_sandbox_NumberOfProcessors_less_2_GetSystemInfo");
exec_check("Checking if pysical memory is < 1Gb", &gensandbox_less_than_onegb, "Sandbox traced by checking if pysical memory is less than 1Gb", "hi_sandbox_pysicalmemory_less_1Gb");
/* Hooks detection tricks */
printf("\n[-] Hooks detection\n");
printf("[*] Checking function DeleteFileW method 1 ... ");
if (check_hook_DeleteFileW_m1() == TRUE) {
print_traced();
write_log("Hooks traced using DeleteFileW method 1");
write_trace("hi_hooks_deletefile_m1");
}
else print_not_traced();
print_check_group("Hooks detection");
exec_check("Checking function DeleteFileW method 1", &check_hook_DeleteFileW_m1, "Hooks traced using DeleteFileW method 1", "hi_hooks_deletefile_m1");
/* Sandboxie detection tricks */
printf("\n[-] Sandboxie detection\n");
printf("[*] Using GetModuleHandle(sbiedll.dll) ... ");
if (sboxie_detect_sbiedll() == TRUE) {
write_log("Sandboxie traced using GetModuleHandle(sbiedll.dll)");
print_traced();
write_trace("hi_sandboxie");
}
else print_not_traced();
print_check_group("Sandboxie detection");
exec_check("Using GetModuleHandle(sbiedll.dll)", &sboxie_detect_sbiedll, "Sandboxie traced using GetModuleHandle(sbiedll.dll)", "hi_sandboxie");
/* Wine detection tricks */
printf("\n[-] Wine detection\n");
printf("[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... ");
if (wine_detect_get_unix_file_name() == TRUE) {
write_log("Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll");
print_traced();
write_trace("hi_wine");
}
else print_not_traced();
printf("[*] Reg key (HKCU\\SOFTWARE\\Wine) ... ");
if (wine_reg_key1() == TRUE) {
write_log("Wine traced using Reg key HKCU\\SOFTWARE\\Wine");
print_traced();
write_trace("hi_wine");
}
else print_not_traced();
print_check_group("Wine detection");
exec_check("Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll", &wine_detect_get_unix_file_name, "Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll", "hi_wine");
exec_check("Reg key (HKCU\\SOFTWARE\\Wine)", &wine_reg_key1, "Wine traced using Reg key HKCU\\SOFTWARE\\Wine", "hi_wine");
/* VirtualBox detection tricks */
printf("\n[-] VirtualBox detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (vbox_reg_key1() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (vbox_reg_key2() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions) ... ");
if (vbox_reg_key3() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions");
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\") ... ");
if (vbox_reg_key4() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\"");
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ ... ");
if (vbox_reg_key5() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__");
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__ ... ");
if (vbox_reg_key7() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__");
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__ ... ");
if (vbox_reg_key8() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__");
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox* ... ");
if (vbox_reg_key9(TRUE) == TRUE) {
/* Log written inside function */
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\DESCRIPTION\\System \"SystemBiosDate\" ... ");
if (vbox_reg_key10() == TRUE) {
write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DESCRIPTION\\System \"SystemBiosDate\"");
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Driver files in C:\\WINDOWS\\system32\\drivers\\VBox* ... ");
if (vbox_sysfile1(TRUE) == TRUE) {
/* Log written inside function */
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Additional system files ... ");
if (vbox_sysfile2(TRUE) == TRUE) {
/* Log written inside function */
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Looking for a MAC address starting with 08:00:27 ... ");
if (vbox_mac() == TRUE) {
write_log("VirtualBox traced using MAC address starting with 08:00:27");
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Looking for pseudo devices ... ");
if (vbox_devices(TRUE) == TRUE) {
/* Log written inside function */
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Looking for VBoxTray windows ... ");
if (vbox_traywindow() == TRUE) {
write_log("VirtualBox traced using VBoxTray windows");
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Looking for VBox network share ... ");
if (vbox_network_share() == TRUE) {
write_log("VirtualBox traced using its network share");
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... ");
if (vbox_processes(TRUE) == TRUE) {
/* Log written inside function */
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
printf("[*] Looking for VBox devices using WMI ... ");
if (vbox_wmi_devices() == TRUE) {
write_log("VirtualBox device identifiers traced using WMI");
print_traced();
write_trace("hi_virtualbox");
}
else print_not_traced();
print_check_group("VirtualBox detection");
exec_check("Scsi port->bus->target id->logical unit id-> 0 identifier", &vbox_reg_key1, "VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"", "hi_virtualbox");
exec_check("Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\")", &vbox_reg_key2, "VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"", "hi_virtualbox");
exec_check("Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions)", &vbox_reg_key3, "VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", "hi_virtualbox");
exec_check("Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\")", &vbox_reg_key4, "VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\"", "hi_virtualbox");
exec_check("Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__)", &vbox_reg_key5, "VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__", "hi_virtualbox");
exec_check("Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__)", &vbox_reg_key7, "VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__", "hi_virtualbox");
exec_check("Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__)", &vbox_reg_key8, "VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__", "hi_virtualbox");
exec_check("Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox*)", &vbox_reg_key9, NULL, "hi_virtualbox");
exec_check("Reg key (HKLM\\HARDWARE\\DESCRIPTION\\System \"SystemBiosDate\")", &vbox_reg_key10, "VirtualBox traced using Reg key HKLM\\HARDWARE\\DESCRIPTION\\System \"SystemBiosDate\"", "hi_virtualbox");
exec_check("Driver files in C:\\WINDOWS\\system32\\drivers\\VBox*", &vbox_sysfile1, NULL, "hi_virtualbox");
exec_check("Additional system files", &vbox_sysfile2, NULL, "hi_virtualbox");
exec_check("Looking for a MAC address starting with 08:00:27", &vbox_mac, "VirtualBox traced using MAC address starting with 08:00:27", "hi_virtualbox");
exec_check("Looking for pseudo devices", &vbox_devices, NULL, "hi_virtualbox");
exec_check("Looking for VBoxTray windows", &vbox_traywindow, "VirtualBox traced using VBoxTray windows", "hi_virtualbox");
exec_check("Looking for VBox network share", &vbox_network_share, "VirtualBox traced using its network share", "hi_virtualbox");
exec_check("Looking for VBox processes (vboxservice.exe, vboxtray.exe)", &vbox_processes, NULL, "hi_virtualbox");
exec_check("Looking for VBox devices using WMI", &vbox_wmi_devices, "VirtualBox device identifiers traced using WMI", "hi_virtualbox");
/* VMware detection tricks */
printf("\n[-] VMware detection\n");
printf("[*] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... ");
if (vmware_reg_key1() == TRUE) {
write_log("VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0,1,2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced();
write_trace("hi_vmware");
}
else print_not_traced();
printf("[*] Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools) ... ");
if (vmware_reg_key2() == TRUE) {
write_log("VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools");
print_traced();
write_trace("hi_vmware");
}
else print_not_traced();
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys ... ");
if (vmware_sysfile1() == TRUE) {
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys");
print_traced();
write_trace("hi_vmware");
}
else print_not_traced();
printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... ");
if (vmware_sysfile2() == TRUE) {
write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
print_traced();
write_trace("hi_vmware");
}
else print_not_traced();
printf("[*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... ");
if (vmware_mac() == TRUE) {
write_log("VMware traced using MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56");
print_traced();
write_trace("hi_vmware");
}
else print_not_traced();
printf("[*] Looking for pseudo devices ... ");
if (vmware_devices(TRUE) == TRUE) {
/* Log written inside function */
print_traced();
write_trace("hi_vmware");
}
else print_not_traced();
printf("[*] Looking for VMware serial number ... ");
if (vmware_wmi_serial() == TRUE) {
write_log("VMware serial number traced using WMI");
print_traced();
write_trace("hi_vmware");
}
else print_not_traced();
print_check_group("VMware detection");
exec_check("Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier", &vmware_reg_key1, "VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0,1,2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"", "hi_vmware");
exec_check("Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools)", &vmware_reg_key2, "VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools", "hi_vmware");
exec_check("Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys", &vmware_sysfile1, "VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys", "hi_vmware");
exec_check("Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys", &vmware_sysfile2, "VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys", "hi_vmware");
exec_check("Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56", &vmware_mac, "VMware traced using MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56", "hi_vmware");
exec_check("Looking for pseudo devices", &vmware_devices, NULL, "hi_vmware");
exec_check("Looking for VMware serial number", &vmware_wmi_serial, "VMware serial number traced using WMI", "hi_vmware");
/* Qemu detection tricks */
printf("\n[-] Qemu detection\n");
printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... ");
if (qemu_reg_key1() == TRUE) {
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"");
print_traced();
write_trace("hi_qemu");
}
else print_not_traced();
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (qemu_reg_key2() == TRUE) {
write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced();
write_trace("hi_qemu");
}
else print_not_traced();
print_check_group("Qemu detection");
exec_check("Scsi port->bus->target id->logical unit id-> 0 identifier", &qemu_reg_key1, "Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"", "hi_qemu");
exec_check("Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\")", &qemu_reg_key2, "Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"", "hi_qemu");
exec_check("cpuid CPU brand string 'QEMU Virtual CPU'", &qemu_cpu_name, "Qemu traced using CPU brand string 'QEMU Virtual CPU'", "hi_qemu");
/* Bochs detection tricks */
printf("\n[-] Bochs detection\n");
printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... ");
if (bochs_reg_key1() == TRUE) {
write_log("Bochs traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"");
print_traced();
write_trace("hi_bochs");
}
else print_not_traced();
print_check_group("Bochs detection");
exec_check("Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\")", &bochs_reg_key1, "Bochs traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"", "hi_bochs");
exec_check("cpuid AMD wrong value for processor name", &bochs_cpu_amd1, "Bochs traced using CPU AMD wrong value for processor name", "hi_bochs");
exec_check("cpuid AMD wrong value for Easter egg", &bochs_cpu_amd2, "Bochs traced using CPU AMD wrong value for Easter egg", "hi_bochs");
exec_check("cpuid Intel wrong value for processor name", &bochs_cpu_intel1, "Bochs traced using CPU Intel wrong value for processor name", "hi_bochs");
/* Cuckoo detection tricks */
printf("\n[-] Cuckoo detection\n");
printf("[*] Looking in the TLS for the hooks information structure ... ");
if (cuckoo_check_tls() == TRUE) {
write_log("Cuckoo hooks information structure traced in the TLS");
print_traced();
write_trace("hi_cuckoo");
}
else print_not_traced();
print_check_group("Cuckoo detection");
exec_check("Looking in the TLS for the hooks information structure", &cuckoo_check_tls, "Cuckoo hooks information structure traced in the TLS", "hi_cuckoo");
printf("\n\n");
printf("[-] Feel free to RE me, check log file for more information.");