Add new VirtualBox detection based on SystemBiosDate

2015-03-20 14:54:30 +01:00 · 2015-03-20 14:54:30 +01:00 · cde905703a
parent 0e71cbd1b7
commit cde905703a
3 changed files with 30 additions and 0 deletions
--- a/pafish/main.c
+++ b/pafish/main.c
@ -263,6 +263,14 @@ int main(int argc, char *argv[])
 	}
 	else print_not_traced();

+	printf("[*] Reg key (HKLM\\HARDWARE\\DESCRIPTION\\System \"SystemBiosDate\" ... ");
+	if (vbox_reg_key10() == TRUE) {
+		write_log("VirtualBox traced using Reg key HKLM\\HARDWARE\\DESCRIPTION\\System \"SystemBiosDate\"");
+		print_traced();
+		write_trace("hi_virtualbox");
+	}
+	else print_not_traced();
+
 	printf("[*] Driver files in C:\\WINDOWS\\system32\\drivers\\VBox* ... ");
 	if (vbox_sysfile1(TRUE) == TRUE) {
 		/* Log written inside function */
--- a/pafish/vbox.c
+++ b/pafish/vbox.c
@ -165,6 +165,27 @@ int vbox_reg_key9(int writelogs) {
 	return res;
 }

+/**
+* HARDWARE\\DESCRIPTION\\System SystemBiosDate == 06/23/99
+**/
+int vbox_reg_key10() {
+	HKEY regkey;
+	LONG retu;
+	char value[1024];
+	DWORD size;
+
+	size = sizeof(value);
+	retu = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System", 0, KEY_READ, &regkey);
+	if (retu == ERROR_SUCCESS) {
+		retu = RegQueryValueEx(regkey, "SystemBiosDate", NULL, NULL, (BYTE*)value, &size);
+		if (retu == ERROR_SUCCESS) {
+			if (!strcmp(value, "06/23/99"))
+				return TRUE;
+		}
+	}
+	return FALSE;
+}
+
 /**
 * VirtualBox driver files in \\WINDOWS\\system32\\drivers\\
 **/
--- a/pafish/vbox.h
+++ b/pafish/vbox.h
@ -10,6 +10,7 @@ int vbox_reg_key5();
 int vbox_reg_key7();
 int vbox_reg_key8();
 int vbox_reg_key9(int writelogs);
+int vbox_reg_key10();

 int vbox_sysfile1(int writelogs);
 int vbox_sysfile2(int writelogs);