diff --git a/pafish/common.c b/pafish/common.c
index 526b5f6..20ea1a0 100644
--- a/pafish/common.c
+++ b/pafish/common.c
@@ -68,3 +68,29 @@ void write_trace(char product[]) {
 trace = fopen(product, "a");
 fclose(trace);
 }
+
+void print_check_group(char * text) {
+ printf("\n[-] %s\n", text);
+}
+
+void exec_check(char * text, int (*callback)(), char * text_log, char * text_trace) {
+ int check_result;
+ int (*callback_writeslog)(int) = callback;
+
+ /* Handle functions that write logs */
+ if (text_log)
+ check_result = callback();
+ else
+ check_result = callback_writeslog(TRUE);
+
+ printf("[*] %s ... ", text);
+ if (check_result == TRUE) {
+ /* Some checks write their own logs */
+ if (text_log)
+ write_log(text_log);
+ print_traced();
+ write_trace(text_trace);
+ }
+ else print_not_traced();
+}
+
diff --git a/pafish/common.h b/pafish/common.h
index a04e364..2050685 100644
--- a/pafish/common.h
+++ b/pafish/common.h
@@ -18,4 +18,8 @@ void write_log(char msg[]);
 void write_trace(char product[]);
+void print_check_group(char * text);
+
+void exec_check(char * text, int (*callback)(), char * text_log, char * text_trace);
+
 #endif
diff --git a/pafish/cpu.c b/pafish/cpu.c
index 048f03a..dea1614 100644
--- a/pafish/cpu.c
+++ b/pafish/cpu.c
@@ -118,16 +118,18 @@ void cpu_write_brand(char * brand) {
 }
 }
-int cpu_known_vm_vendors(char * vendor) {
+int cpu_known_vm_vendors() {
 const int count = 4;
 int i;
+ char cpu_vendor[13];
 string strs[count];
 strs[0] = "KVMKVMKVMKVM";
 strs[1] = "Microsoft Hv";
 strs[2] = "VMwareVMware";
 strs[3] = "XenVMMXenVMM";
+ cpu_write_vendor(cpu_vendor);
 for (i = 0; i < count; i++) {
- if (!memcmp(vendor, strs[i], 12)) return TRUE;
+ if (!memcmp(cpu_vendor, strs[i], 12)) return TRUE;
 }
 return FALSE;
 }
diff --git a/pafish/cpu.h b/pafish/cpu.h
index f58bfc9..5e36983 100644
--- a/pafish/cpu.h
+++ b/pafish/cpu.h
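Review bot: `exec_check` derives the callback's arity from whether `text_log` is NULL — `callback()` when a log message is supplied, `callback_writeslog(TRUE)` on the else branch — so a zero-argument check registered with a NULL log string, or an `(int)` check registered with a message, is invoked through the wrong prototype, which is undefined behaviour that the compiler cannot diagnose because `int (*callback)()` is unprototyped (and under C23, where `()` means `(void)`, the assignment to `callback_writeslog` becomes an incompatible-pointer conversion). I would split the two conventions into two fully prototyped entry points, `void exec_check(const char *text, int (*callback)(void), const char *text_log, const char *text_trace);` and `void exec_check_selflog(const char *text, int (*callback)(int), const char *text_trace);`, and mirror the prototypes and the `const char *` qualifiers in the common.h hunk, since none of the four `char *` parameters is written. Until then the else branch needs a comment such as `/* text_log == NULL: the check takes an int argument and writes its own log entry */` so the coupling is visible at the one place it is decided.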
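Review bot: The new definition `int cpu_known_vm_vendors()` in cpu.c (and the matching declaration in the cpu.h hunk) leaves the parameter list unspecified; now that the function is only reached through `exec_check`'s unprototyped `int (*callback)()` pointer, writing it as `int cpu_known_vm_vendors(void)` is what lets the compiler reject an accidental call with an argument. The local `char cpu_vendor[13]` is sized on the assumption that `cpu_write_vendor` writes at most the twelve vendor bytes plus a terminator, which agrees with the `memcmp(..., 12)` below but is not visible in this hunk; a comment on the declaration, `/* 12-byte cpuid vendor id plus NUL, filled by cpu_write_vendor() */`, would pin that down. If `string` is a `char *` typedef, a `static const char *const` table with `sizeof strs / sizeof strs[0]` would also remove the `const int`-sized VLA that the context lines keep.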
@@ -11,6 +11,6 @@ int cpu_hv();
 void cpu_write_vendor(char *);
 void cpu_write_brand(char *);
-int cpu_known_vm_vendors(char *);
+int cpu_known_vm_vendors();
 #endif
diff --git a/pafish/main.c b/pafish/main.c
index cbd8d08..92a82db 100644
--- a/pafish/main.c
+++ b/pafish/main.c
@@ -20,27 +20,27 @@
 #include "bochs.h"
 /*
- Pafish (Paranoid fish)
+ Pafish (Paranoid fish)
- All code from this project, including
- functions, procedures and the main program
- is licensed under GNU/GPL version 3.
+ All code from this project, including
+ functions, procedures and the main program
+ is licensed under GNU/GPL version 3.
- So, if you are going to use functions or
- procedures from this project to develop
- your malware, you have to release the
- source code as well :)
+ So, if you are going to use functions or
+ procedures from this project to develop
+ your malware, you have to release the
+ source code as well :)
- - Alberto Ortega
+ - Alberto Ortega
- Blue fish icon thanks to http://www.fasticon.com/
+ Blue fish icon thanks to http://www.fasticon.com/
-*/
+ */
 int main(void)
 {
 char winverstr[32], aux[1024];
- char cpu_vendor[13];
+ char cpu_vendor[13], cpu_brand[49];
 OSVERSIONINFO winver;
 unsigned short original_colors = 0;
@@ -52,426 +52,106 @@ int main(void) winver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx(&winver); snprintf(winverstr, sizeof(winverstr)-sizeof(winverstr[0]), "%lu.%lu build %lu", - winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber); + winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber); /* Get CPU vendor */ cpu_write_vendor(cpu_vendor); + cpu_write_brand(cpu_brand); printf("[*] Windows version: %s\n", winverstr); - printf("[*] CPU vendor: %s\n", cpu_vendor); + printf("[*] CPU: %s %s \n", cpu_vendor, cpu_brand); snprintf(aux, sizeof(aux)-sizeof(aux[0]), "Windows version: %s", winverstr); write_log(aux); - snprintf(aux, sizeof(aux)-sizeof(aux[0]), "CPU vendor: %s", cpu_vendor); + snprintf(aux, sizeof(aux)-sizeof(aux[0]), "CPU: %s %s", cpu_vendor, cpu_brand); write_log(aux); /* Debuggers detection tricks */ - printf("\n[-] Debuggers detection\n"); - printf("[*] Using IsDebuggerPresent() ... "); - if (debug_isdebuggerpresent() == TRUE) { - write_log("Debugger traced using IsDebuggerPresent()"); - print_traced(); - write_trace("hi_debugger_isdebuggerpresent"); - } - else print_not_traced(); - + print_check_group("Debuggers detection"); + exec_check("Using IsDebuggerPresent()", &debug_isdebuggerpresent, "Debugger traced using IsDebuggerPresent()", "hi_debugger_isdebuggerpresent"); /* This is only working on MS Windows systems prior to Vista */ if (winver.dwMajorVersion < 6) { - printf("[*] Using OutputDebugString() ... 
"); - if (debug_outputdebugstring() == TRUE) { - write_log("Debugger traced using OutputDebugString()"); - print_traced(); - write_trace("hi_debugger_outputdebugstring"); - } - else print_not_traced(); + exec_check("Using OutputDebugString()", &debug_outputdebugstring, "Debugger traced using OutputDebugString()", "hi_debugger_outputdebugstring"); } /* CPU information based detection tricks */ - printf("\n[-] CPU information based detections\n"); - printf("[*] Checking the difference between CPU timestamp counters (rdtsc) ... "); - if (cpu_rdtsc() == TRUE) { - print_traced(); - write_log("CPU VM traced by checking the difference between CPU timestamp counters (rdtsc)"); - write_trace("hi_CPU_VM_rdtsc"); - } - else print_not_traced(); - - printf("[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... "); - if (cpu_rdtsc_force_vmexit() == TRUE) { - print_traced(); - write_log("CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit"); - write_trace("hi_CPU_VM_rdtsc_force_vm_exit"); - } - else print_not_traced(); - - printf("[*] Checking hypervisor bit in cpuid feature bits ... "); - if (cpu_hv() == TRUE) { - print_traced(); - write_log("CPU VM traced by checking hypervisor bit in cpuid feature bits"); - write_trace("hi_CPU_VM_hypervisor_bit"); - } - else print_not_traced(); - - printf("[*] Checking cpuid vendor for known VM vendors ... 
"); - if (cpu_known_vm_vendors(cpu_vendor) == TRUE) { - print_traced(); - write_log("CPU VM traced by checking cpuid vendor for known VM vendors"); - write_trace("hi_CPU_VM_vendor_name"); - } - else print_not_traced(); + print_check_group("CPU information based detections"); + exec_check("Checking the difference between CPU timestamp counters (rdtsc)", &cpu_rdtsc, "CPU VM traced by checking the difference between CPU timestamp counters (rdtsc)", "hi_CPU_VM_rdtsc"); + exec_check("Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit", &cpu_rdtsc_force_vmexit, "CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit", "hi_CPU_VM_rdtsc_force_vm_exit"); + exec_check("Checking hypervisor bit in cpuid feature bits", &cpu_hv, "CPU VM traced by checking hypervisor bit in cpuid feature bits", "hi_CPU_VM_hypervisor_bit"); + exec_check("Checking cpuid vendor for known VM vendors", &cpu_known_vm_vendors, "CPU VM traced by checking cpuid vendor for known VM vendors", "hi_CPU_VM_vendor_name"); /* Generic sandbox detection tricks */ - printf("\n[-] Generic sandbox detection\n"); - printf("[*] Using mouse activity ... "); - if (gensandbox_mouse_act() == TRUE) { - print_traced(); - write_log("Sandbox traced using mouse activity"); - write_trace("hi_sandbox_mouse_act"); - } - else print_not_traced(); - - printf("[*] Checking username ... "); - if (gensandbox_username() == TRUE) { - print_traced(); - write_log("Sandbox traced by checking username"); - write_trace("hi_sandbox_username"); - } - else print_not_traced(); - - printf("[*] Checking file path ... "); - if (gensandbox_path() == TRUE) { - print_traced(); - write_log("Sandbox traced by checking file path"); - write_trace("hi_sandbox_path"); - } - else print_not_traced(); - - printf("[*] Checking common sample names in drives root ... 
"); - if (gensandbox_common_names() == TRUE) { - print_traced(); - write_log("Sandbox traced by checking common sample names in drives root"); - write_trace("hi_sandbox_common_names"); - } - else print_not_traced(); - - printf("[*] Checking if disk size <= 60GB via DeviceIoControl() ... "); - if (gensandbox_drive_size() == TRUE) { - print_traced(); - write_log("Sandbox traced by checking disk size <= 60GB via DeviceIoControl()"); - write_trace("hi_sandbox_drive_size"); - } - else print_not_traced(); - - printf("[*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... "); - if (gensandbox_drive_size2() == TRUE) { - print_traced(); - write_log("Sandbox traced by checking disk size <= 60GB via GetDiskFreeSpaceExA()"); - write_trace("hi_sandbox_drive_size2"); - } - else print_not_traced(); - - printf("[*] Checking if Sleep() is patched using GetTickCount() ... "); - if (gensandbox_sleep_patched() == TRUE) { - print_traced(); - write_log("Sandbox traced by checking if Sleep() was patched using GetTickCount()"); - write_trace("hi_sandbox_sleep_gettickcount"); - } - else print_not_traced(); - - printf("[*] Checking if NumberOfProcessors is < 2 via raw access ... "); - if (gensandbox_one_cpu() == TRUE) { - print_traced(); - write_log("Sandbox traced by checking if NumberOfProcessors is less than 2 via raw access"); - write_trace("hi_sandbox_NumberOfProcessors_less_2_raw"); - } - else print_not_traced(); - - printf("[*] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... "); - if (gensandbox_one_cpu_GetSystemInfo() == TRUE) { - print_traced(); - write_log("Sandbox traced by checking if NumberOfProcessors is less than 2 via GetSystemInfo()"); - write_trace("hi_sandbox_NumberOfProcessors_less_2_GetSystemInfo"); - } - else print_not_traced(); - - printf("[*] Checking if pysical memory is < 1Gb ... 
"); - if (gensandbox_less_than_onegb() == TRUE) { - print_traced(); - write_log("Sandbox traced by checking if pysical memory is less than 1Gb"); - write_trace("hi_sandbox_pysicalmemory_less_1Gb"); - } - else print_not_traced(); + print_check_group("Generic sandbox detection"); + exec_check("Using mouse activity", &gensandbox_mouse_act, "Sandbox traced using mouse activity", "hi_sandbox_mouse_act"); + exec_check("Checking username", &gensandbox_username, "Sandbox traced by checking username", "hi_sandbox_username"); + exec_check("Checking file path", &gensandbox_path, "Sandbox traced by checking file path", "hi_sandbox_path"); + exec_check("Checking common sample names in drives root", &gensandbox_common_names, "Sandbox traced by checking common sample names in drives root", "hi_sandbox_common_names"); + exec_check("Checking if disk size <= 60GB via DeviceIoControl()", &gensandbox_drive_size, "Sandbox traced by checking disk size <= 60GB via DeviceIoControl()", "hi_sandbox_drive_size"); + exec_check("Checking if disk size <= 60GB via GetDiskFreeSpaceExA()", &gensandbox_drive_size2, "Sandbox traced by checking disk size <= 60GB via GetDiskFreeSpaceExA()", "hi_sandbox_drive_size2"); + exec_check("Checking if Sleep() is patched using GetTickCount()", &gensandbox_sleep_patched, "Sandbox traced by checking if Sleep() was patched using GetTickCount()", "hi_sandbox_sleep_gettickcount"); + exec_check("Checking if NumberOfProcessors is < 2 via raw access", &gensandbox_one_cpu, "Sandbox traced by checking if NumberOfProcessors is less than 2 via raw access", "hi_sandbox_NumberOfProcessors_less_2_raw"); + exec_check("Checking if NumberOfProcessors is < 2 via GetSystemInfo()", &gensandbox_one_cpu_GetSystemInfo, "Sandbox traced by checking if NumberOfProcessors is less than 2 via GetSystemInfo()", "hi_sandbox_NumberOfProcessors_less_2_GetSystemInfo"); + exec_check("Checking if pysical memory is < 1Gb", &gensandbox_less_than_onegb, "Sandbox traced by checking if pysical memory 
is less than 1Gb", "hi_sandbox_pysicalmemory_less_1Gb"); /* Hooks detection tricks */ - printf("\n[-] Hooks detection\n"); - printf("[*] Checking function DeleteFileW method 1 ... "); - if (check_hook_DeleteFileW_m1() == TRUE) { - print_traced(); - write_log("Hooks traced using DeleteFileW method 1"); - write_trace("hi_hooks_deletefile_m1"); - } - else print_not_traced(); + print_check_group("Hooks detection"); + exec_check("Checking function DeleteFileW method 1", &check_hook_DeleteFileW_m1, "Hooks traced using DeleteFileW method 1", "hi_hooks_deletefile_m1"); /* Sandboxie detection tricks */ - printf("\n[-] Sandboxie detection\n"); - printf("[*] Using GetModuleHandle(sbiedll.dll) ... "); - if (sboxie_detect_sbiedll() == TRUE) { - write_log("Sandboxie traced using GetModuleHandle(sbiedll.dll)"); - print_traced(); - write_trace("hi_sandboxie"); - } - else print_not_traced(); + print_check_group("Sandboxie detection"); + exec_check("Using GetModuleHandle(sbiedll.dll)", &sboxie_detect_sbiedll, "Sandboxie traced using GetModuleHandle(sbiedll.dll)", "hi_sandboxie"); /* Wine detection tricks */ - printf("\n[-] Wine detection\n"); - printf("[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... "); - if (wine_detect_get_unix_file_name() == TRUE) { - write_log("Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll"); - print_traced(); - write_trace("hi_wine"); - } - else print_not_traced(); - - printf("[*] Reg key (HKCU\\SOFTWARE\\Wine) ... 
"); - if (wine_reg_key1() == TRUE) { - write_log("Wine traced using Reg key HKCU\\SOFTWARE\\Wine"); - print_traced(); - write_trace("hi_wine"); - } - else print_not_traced(); + print_check_group("Wine detection"); + exec_check("Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll", &wine_detect_get_unix_file_name, "Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll", "hi_wine"); + exec_check("Reg key (HKCU\\SOFTWARE\\Wine)", &wine_reg_key1, "Wine traced using Reg key HKCU\\SOFTWARE\\Wine", "hi_wine"); /* VirtualBox detection tricks */ - printf("\n[-] VirtualBox detection\n"); - printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); - if (vbox_reg_key1() == TRUE) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\""); - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... "); - if (vbox_reg_key2() == TRUE) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\""); - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions) ... "); - if (vbox_reg_key3() == TRUE) { - write_log("VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"); - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\") ... "); - if (vbox_reg_key4() == TRUE) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\""); - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ ... 
"); - if (vbox_reg_key5() == TRUE) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"); - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__ ... "); - if (vbox_reg_key7() == TRUE) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__"); - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__ ... "); - if (vbox_reg_key8() == TRUE) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__"); - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox* ... "); - if (vbox_reg_key9(TRUE) == TRUE) { - /* Log written inside function */ - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Reg key (HKLM\\HARDWARE\\DESCRIPTION\\System \"SystemBiosDate\" ... "); - if (vbox_reg_key10() == TRUE) { - write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DESCRIPTION\\System \"SystemBiosDate\""); - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Driver files in C:\\WINDOWS\\system32\\drivers\\VBox* ... "); - if (vbox_sysfile1(TRUE) == TRUE) { - /* Log written inside function */ - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Additional system files ... "); - if (vbox_sysfile2(TRUE) == TRUE) { - /* Log written inside function */ - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Looking for a MAC address starting with 08:00:27 ... 
"); - if (vbox_mac() == TRUE) { - write_log("VirtualBox traced using MAC address starting with 08:00:27"); - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Looking for pseudo devices ... "); - if (vbox_devices(TRUE) == TRUE) { - /* Log written inside function */ - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Looking for VBoxTray windows ... "); - if (vbox_traywindow() == TRUE) { - write_log("VirtualBox traced using VBoxTray windows"); - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Looking for VBox network share ... "); - if (vbox_network_share() == TRUE) { - write_log("VirtualBox traced using its network share"); - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... "); - if (vbox_processes(TRUE) == TRUE) { - /* Log written inside function */ - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); - - printf("[*] Looking for VBox devices using WMI ... 
"); - if (vbox_wmi_devices() == TRUE) { - write_log("VirtualBox device identifiers traced using WMI"); - print_traced(); - write_trace("hi_virtualbox"); - } - else print_not_traced(); + print_check_group("VirtualBox detection"); + exec_check("Scsi port->bus->target id->logical unit id-> 0 identifier", &vbox_reg_key1, "VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"", "hi_virtualbox"); + exec_check("Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\")", &vbox_reg_key2, "VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"", "hi_virtualbox"); + exec_check("Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions)", &vbox_reg_key3, "VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", "hi_virtualbox"); + exec_check("Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\")", &vbox_reg_key4, "VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\"", "hi_virtualbox"); + exec_check("Reg key (HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__)", &vbox_reg_key5, "VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__", "hi_virtualbox"); + exec_check("Reg key (HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__)", &vbox_reg_key7, "VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__", "hi_virtualbox"); + exec_check("Reg key (HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__)", &vbox_reg_key8, "VirtualBox traced using Reg key HKLM\\HARDWARE\\ACPI\\RSDT\\VBOX__", "hi_virtualbox"); + exec_check("Reg key (HKLM\\SYSTEM\\ControlSet001\\Services\\VBox*)", &vbox_reg_key9, NULL, "hi_virtualbox"); + exec_check("Reg key (HKLM\\HARDWARE\\DESCRIPTION\\System \"SystemBiosDate\")", &vbox_reg_key10, "VirtualBox traced using Reg key HKLM\\HARDWARE\\DESCRIPTION\\System \"SystemBiosDate\"", "hi_virtualbox"); + exec_check("Driver files in C:\\WINDOWS\\system32\\drivers\\VBox*", &vbox_sysfile1, NULL, 
"hi_virtualbox"); + exec_check("Additional system files", &vbox_sysfile2, NULL, "hi_virtualbox"); + exec_check("Looking for a MAC address starting with 08:00:27", &vbox_mac, "VirtualBox traced using MAC address starting with 08:00:27", "hi_virtualbox"); + exec_check("Looking for pseudo devices", &vbox_devices, NULL, "hi_virtualbox"); + exec_check("Looking for VBoxTray windows", &vbox_traywindow, "VirtualBox traced using VBoxTray windows", "hi_virtualbox"); + exec_check("Looking for VBox network share", &vbox_network_share, "VirtualBox traced using its network share", "hi_virtualbox"); + exec_check("Looking for VBox processes (vboxservice.exe, vboxtray.exe)", &vbox_processes, NULL, "hi_virtualbox"); + exec_check("Looking for VBox devices using WMI", &vbox_wmi_devices, "VirtualBox device identifiers traced using WMI", "hi_virtualbox"); /* VMware detection tricks */ - printf("\n[-] VMware detection\n"); - printf("[*] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... "); - if (vmware_reg_key1() == TRUE) { - write_log("VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0,1,2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\""); - print_traced(); - write_trace("hi_vmware"); - } - else print_not_traced(); - - printf("[*] Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools) ... "); - if (vmware_reg_key2() == TRUE) { - write_log("VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"); - print_traced(); - write_trace("hi_vmware"); - } - else print_not_traced(); - - printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys ... "); - if (vmware_sysfile1() == TRUE) { - write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys"); - print_traced(); - write_trace("hi_vmware"); - } - else print_not_traced(); - - printf("[*] Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys ... 
"); - if (vmware_sysfile2() == TRUE) { - write_log("VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys"); - print_traced(); - write_trace("hi_vmware"); - } - else print_not_traced(); - - printf("[*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... "); - if (vmware_mac() == TRUE) { - write_log("VMware traced using MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56"); - print_traced(); - write_trace("hi_vmware"); - } - else print_not_traced(); - - printf("[*] Looking for pseudo devices ... "); - if (vmware_devices(TRUE) == TRUE) { - /* Log written inside function */ - print_traced(); - write_trace("hi_vmware"); - } - else print_not_traced(); - - printf("[*] Looking for VMware serial number ... "); - if (vmware_wmi_serial() == TRUE) { - write_log("VMware serial number traced using WMI"); - print_traced(); - write_trace("hi_vmware"); - } - else print_not_traced(); + print_check_group("VMware detection"); + exec_check("Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier", &vmware_reg_key1, "VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0,1,2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"", "hi_vmware"); + exec_check("Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools)", &vmware_reg_key2, "VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools", "hi_vmware"); + exec_check("Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys", &vmware_sysfile1, "VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys", "hi_vmware"); + exec_check("Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys", &vmware_sysfile2, "VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys", "hi_vmware"); + exec_check("Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56", &vmware_mac, "VMware traced using MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56", "hi_vmware"); + exec_check("Looking for 
pseudo devices", &vmware_devices, NULL, "hi_vmware"); + exec_check("Looking for VMware serial number", &vmware_wmi_serial, "VMware serial number traced using WMI", "hi_vmware"); /* Qemu detection tricks */ - printf("\n[-] Qemu detection\n"); - printf("[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... "); - if (qemu_reg_key1() == TRUE) { - write_log("Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\""); - print_traced(); - write_trace("hi_qemu"); - } - else print_not_traced(); - - printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... "); - if (qemu_reg_key2() == TRUE) { - write_log("Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\""); - print_traced(); - write_trace("hi_qemu"); - } - else print_not_traced(); + print_check_group("Qemu detection"); + exec_check("Scsi port->bus->target id->logical unit id-> 0 identifier", &qemu_reg_key1, "Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"", "hi_qemu"); + exec_check("Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\")", &qemu_reg_key2, "Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"", "hi_qemu"); + exec_check("cpuid CPU brand string 'QEMU Virtual CPU'", &qemu_cpu_name, "Qemu traced using CPU brand string 'QEMU Virtual CPU'", "hi_qemu"); /* Bochs detection tricks */ - printf("\n[-] Bochs detection\n"); - printf("[*] Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\") ... 
"); - if (bochs_reg_key1() == TRUE) { - write_log("Bochs traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\""); - print_traced(); - write_trace("hi_bochs"); - } - else print_not_traced(); + print_check_group("Bochs detection"); + exec_check("Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\")", &bochs_reg_key1, "Bochs traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"", "hi_bochs"); + exec_check("cpuid AMD wrong value for processor name", &bochs_cpu_amd1, "Bochs traced using CPU AMD wrong value for processor name", "hi_bochs"); + exec_check("cpuid AMD wrong value for Easter egg", &bochs_cpu_amd2, "Bochs traced using CPU AMD wrong value for Easter egg", "hi_bochs"); + exec_check("cpuid Intel wrong value for processor name", &bochs_cpu_intel1, "Bochs traced using CPU Intel wrong value for processor name", "hi_bochs"); /* Cuckoo detection tricks */ - printf("\n[-] Cuckoo detection\n"); - printf("[*] Looking in the TLS for the hooks information structure ... "); - if (cuckoo_check_tls() == TRUE) { - write_log("Cuckoo hooks information structure traced in the TLS"); - print_traced(); - write_trace("hi_cuckoo"); - } - else print_not_traced(); + print_check_group("Cuckoo detection"); + exec_check("Looking in the TLS for the hooks information structure", &cuckoo_check_tls, "Cuckoo hooks information structure traced in the TLS", "hi_cuckoo"); printf("\n\n"); printf("[-] Feel free to RE me, check log file for more information.");
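Review bot: Six of the new `exec_check` calls pass `NULL` as the log text — `vbox_reg_key9`, `vbox_sysfile1`, `vbox_sysfile2`, `vbox_devices`, `vbox_processes` and `vmware_devices` — and that NULL is what makes `exec_check` invoke them with a `TRUE` argument, matching the removed `...(TRUE)` calls; nothing at the call site says so, and a check moved between the two groups would compile silently and then run with a missing or garbage argument. A comment at the first such line, `/* NULL log text: check takes an int and writes its own log, see exec_check() */`, would make the pairing visible where a maintainer adds the next check. The hunk also registers four detections that are not part of the refactoring — `qemu_cpu_name`, `bochs_cpu_amd1`, `bochs_cpu_amd2`, `bochs_cpu_intel1` — whose declarations are not in this diff, so I cannot confirm they follow the zero-argument convention they are registered under; they would be easier to review as a separate commit. The new `printf("[*] CPU: %s %s \n", cpu_vendor, cpu_brand);` carries a stray space before the newline.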