Add cpu.c, fix rdtsc detection, add cpuid info, add cpuid hv bit detection

pafish/Makefile.linux

@@ -4,7 +4,7 @@ LINK      = i686-w64-mingw32-gcc
 WINDRES   = i686-w64-mingw32-windres
 OBJ       = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \
             Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \
-            Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/pafish_private.res
+            Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/pafish_private.res
 LINKOBJ   = $(OBJ)
 LIBS      = -lwsock32 -liphlpapi -lsetupapi -lmpr -s
 INCS      =
@@ -54,5 +54,8 @@ Objects/MingW/qemu.o: $(GLOBALDEPS) qemu.c
 Objects/MingW/hooks.o: $(GLOBALDEPS) hooks.c
 	$(CC) -c hooks.c -o Objects/MingW/hooks.o $(CFLAGS)
 
+Objects/MingW/cpu.o: $(GLOBALDEPS) cpu.c
+	$(CC) -c cpu.c -o Objects/MingW/cpu.o $(CFLAGS)
+
 Objects/MingW/pafish_private.res: Objects/MingW/pafish_private.rc
 	$(WINDRES) Objects/MingW/pafish_private.rc --input-format=rc -o Objects/MingW/pafish_private.res -O coff

pafish/Makefile.win

@@ -4,7 +4,7 @@ LINK      = gcc.exe
 WINDRES   = windres.exe
 OBJ       = Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o \
             Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o \
-            Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/pafish_private.res
+            Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/pafish_private.res
 LINKOBJ   = $(OBJ)
 LIBS      = -L"C:/MinGW32/lib" -lwsock32 -liphlpapi -lsetupapi -lmpr -s
 INCS      = -I"C:/MinGW32/include"
@@ -54,5 +54,8 @@ Objects/MingW/qemu.o: $(GLOBALDEPS) qemu.c
 Objects/MingW/hooks.o: $(GLOBALDEPS) hooks.c
 	$(CC) -c hooks.c -o Objects/MingW/hooks.o $(CFLAGS)
 
+Objects/MingW/cpu.o: $(GLOBALDEPS) cpu.c
+	$(CC) -c cpu.c -o Objects/MingW/cpu.o $(CFLAGS)
+
 Objects/MingW/pafish_private.res: Objects/MingW/pafish_private.rc
 	$(WINDRES) Objects/MingW/pafish_private.rc --input-format=rc -o Objects/MingW/pafish_private.res -O coff

pafish/cpu.c

@@ -0,0 +1,59 @@
+
+#include <windows.h>
+#include <stdio.h>
+
+#include "types.h"
+#include "cpu.h"
+
+static inline int rdtsc_diff() {
+	unsigned long long ret, ret2;
+	unsigned eax, edx;
+
+	__asm__ volatile("rdtsc" : "=a" (eax), "=d" (edx));
+	ret  = ((unsigned long long)eax) | (((unsigned long long)edx) << 32);
+	__asm__ volatile("rdtsc" : "=a" (eax), "=d" (edx));
+	ret2  = ((unsigned long long)eax) | (((unsigned long long)edx) << 32);
+
+	return ret2 - ret;
+}
+
+static inline void cpuid_vendor_00(char * vendor) {
+	int eax, ebx, ecx, edx;
+
+	__asm__ volatile("cpuid" \
+			: "=b"(ebx), \
+			  "=c"(ecx), \
+			  "=d"(edx) \
+			: "a"(0x00));
+	sprintf(vendor  , "%c%c%c%c", ebx, (ebx >> 8), (ebx >> 16), (ebx >> 24));
+	sprintf(vendor+4, "%c%c%c%c", edx, (edx >> 8), (edx >> 16), (edx >> 24));
+	sprintf(vendor+8, "%c%c%c%c", ecx, (ecx >> 8), (ecx >> 16), (ecx >> 24));
+	vendor[12] = 0x00;
+}
+
+static inline int cpuid_hv_bit() {
+	int ecx;
+	__asm__ volatile("cpuid" \
+			: "=c"(ecx) \
+			: "a"(0x01));
+	return (ecx >> 31) & 0x1;
+}
+
+int cpu_rdtsc() {
+	int i, avg = 0, diff;
+	for (i = 0; i < 10; i++) {
+		diff = rdtsc_diff();
+		avg = avg + diff;
+		Sleep(500);
+	}
+	return (avg / 10) > 750 ? TRUE : FALSE;
+}
+
+int cpu_hv() {
+	return cpuid_hv_bit() ? TRUE : FALSE;
+}
+
+void cpu_write_vendor(char * vendor) {
+	cpuid_vendor_00(vendor);
+}
+

pafish/cpu.h

@@ -0,0 +1,11 @@
+
+#ifndef CPU_H
+#define CPU_H
+
+int cpu_rdtsc();
+
+int cpu_hv();
+
+void cpu_write_vendor(char *);
+
+#endif

pafish/main.c

@@ -15,6 +15,7 @@
 #include "wine.h"
 #include "vmware.h"
 #include "qemu.h"
+#include "cpu.h"
 
 /*
 	Pafish (Paranoid fish)
@@ -35,6 +36,7 @@
 int main(int argc, char *argv[])
 {
 	char icon[] = "Blue fish icon thanks to http://www.fasticon.com/", winverstr[32], aux[1024];
+	char cpu_vendor[13];
 	OSVERSIONINFO winver;
 	unsigned short original_colors = 0;
 
@@ -48,11 +50,15 @@ int main(int argc, char *argv[])
 	snprintf(winverstr, sizeof(winverstr)-sizeof(winverstr[0]), "%d.%d build %d",
 	winver.dwMajorVersion, winver.dwMinorVersion, winver.dwBuildNumber);
 
+	/* Get CPU vendor */
+	cpu_write_vendor(cpu_vendor);
+
 	printf("[*] Windows version: %s\n", winverstr);
+	printf("[*] CPU vendor: %s\n", cpu_vendor);
 	snprintf(aux, sizeof(aux)-sizeof(aux[0]), "Windows version: %s", winverstr);
 	write_log(aux);
-
-	printf("[*] Running checks ...\n");
+	snprintf(aux, sizeof(aux)-sizeof(aux[0]), "CPU vendor: %s", cpu_vendor);
+	write_log(aux);
 
 	/* Debuggers detection tricks */
 	printf("\n[-] Debuggers detection\n");
@@ -75,6 +81,24 @@ int main(int argc, char *argv[])
 		else print_not_traced();
 	}
 
+	/* CPU information based detection tricks */
+	printf("\n[-] CPU information detection\n");
+	printf("[*] Checking the difference between CPU timestamp counters (rdtsc) ... ");
+	if (cpu_rdtsc() == TRUE) {
+		print_traced();
+		write_log("CPU VM traced by checking the difference between CPU timestamp counters (rdtsc)");
+		write_trace("hi_CPU_VM_rdtsc");
+	}
+	else print_not_traced();
+
+	printf("[*] Checking hypervisor bit in cpuid feature bits ... ");
+	if (cpu_hv() == TRUE) {
+		print_traced();
+		write_log("CPU VM traced by checking hypervisor bit in cpuid feature bits");
+		write_trace("hi_CPU_VM_hypervisor_bit");
+	}
+	else print_not_traced();
+
 	/* Generic sandbox detection tricks */
 	printf("\n[-] Generic sandbox detection\n");
 	printf("[*] Using mouse activity ... ");
@@ -133,14 +157,6 @@ int main(int argc, char *argv[])
 	}
 	else print_not_traced();
 
-	printf("[*] Checking the difference between CPU timestamp counters (rdtsc) ... ");
-	if (gensandbox_rdtsc() == TRUE) {
-		print_traced();
-		write_log("Sandbox traced by checking the difference between CPU timestamp counters (rdtsc)");
-		write_trace("hi_sandbox_rdtsc");
-	}
-	else print_not_traced();
-
 	/* Hooks detection tricks */
 	printf("\n[-] Hooks detection\n");
 	printf("[*] Checking function DeleteFileW method 1 ... ");