From e15a37eb964d5c5dea53417e92ffd188b8b94a03 Mon Sep 17 00:00:00 2001
From: Thorsten Sick
Date: Thu, 20 Feb 2014 11:48:16 +0100
Subject: [PATCH] Looking for VirtualBox processes

---
 pafish/main.c |  7 +++++++
 pafish/vbox.c | 35 +++++++++++++++++++++++++++++++++++
 pafish/vbox.h |  2 ++
 3 files changed, 44 insertions(+)

diff --git a/pafish/main.c b/pafish/main.c
index 7ed3727..19dda79 100644
--- a/pafish/main.c
+++ b/pafish/main.c
@@ -253,6 +253,13 @@ int main(int argc, char *argv[])
 	else {
 		print_not_traced();
 	}
+
+	printf("[*] Looking for VBox processes ");
+	if (vbox_processes() == 0) {
+	}
+	else {
+		print_not_traced();
+	}
 
 	/* VMware detection tricks */
 	printf("\n[-] VMware detection\n");
diff --git a/pafish/vbox.c b/pafish/vbox.c
index f2e23ff..e84199e 100644
--- a/pafish/vbox.c
+++ b/pafish/vbox.c
@@ -5,6 +5,7 @@
 #include
 #include
 #include
+#include
 #include "vbox.h"
 
 typedef char * string;
@@ -444,4 +445,38 @@ int vbox_network_share() {
 	return res;
 }
 
+/**
+* Checking for virtual box processes
+**/
+int vbox_processes() {
+	int res=1;
+	HANDLE hpSnap;
+	PROCESSENTRY32 pentry;
+	hpSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
+	if (hpSnap != INVALID_HANDLE_VALUE){
+		pentry.dwSize = sizeof (PROCESSENTRY32);
+	}
+
+	if( !Process32First( hpSnap, &pentry ) ){
+		CloseHandle(hpSnap);
+		return 0;
+	}
+
+	do {
+		if (lstrcmpi(pentry.szExeFile, "vboxservice.exe") == 0){
+			write_log("vboxservice.exe process detected");
+			res = 0;
+		}
+		if (lstrcmpi(pentry.szExeFile, "vboxtray.exe") == 0){
+			write_log("vboxtray.exe process detected");
+			res = 0;
+		}
+	} while( Process32Next( hpSnap, &pentry ) );
+
+	if (res == 0){
+		print_traced();
+		write_trace("hi_virtualbox");
+	}
+	return res;
+}
diff --git a/pafish/vbox.h b/pafish/vbox.h
index 7a56d7e..ebfa32d 100644
--- a/pafish/vbox.h
+++ b/pafish/vbox.h
@@ -28,4 +28,6 @@ int vbox_traywindow();
 
 int vbox_network_share();
 
+int vbox_processes();
+
 #endif
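Review bot: The `if (vbox_processes() == 0) { }` branch added in main.c is empty, so the detected case is handled only by side effects inside vbox_processes() while the caller's structure suggests it handles both outcomes; inverting the test reads cleaner and matches what the code actually does: `if (vbox_processes() != 0) {` / `	print_not_traced();` / `}`. If the empty branch is deliberate to mirror the surrounding checks (they appear to use the same shape, but their detected branches are outside this hunk), a one-line comment such as `/* detected case is printed and traced inside vbox_processes() */` would make that intent explicit. Note that on the failure paths inside vbox_processes() a return of 0 reaches this caller as "detected" without print_traced() having run, so this branch silently prints nothing in that case. main() starts and ends outside the hunk.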
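Review bot: In vbox_processes() the INVALID_HANDLE_VALUE check only guards the `pentry.dwSize` assignment; when CreateToolhelp32Snapshot() fails the code still calls Process32First() with the invalid handle and an uninitialized PROCESSENTRY32, and then CloseHandle() on INVALID_HANDLE_VALUE. The snapshot handle is also never closed on the normal path after the do/while loop, leaking one handle per call. Both failure returns use 0, which the caller in main.c treats as "detected" although print_traced()/write_trace() never ran; I would return 1 there so a failed enumeration reports "not traced" like the rest of the function's negative result, and hedge that in a comment if the module's convention for errors differs elsewhere in vbox.c (not visible in this hunk). The rewrite below returns early on snapshot failure and closes the handle once enumeration is done.
```c
int vbox_processes() {
	int res = 1;
	PROCESSENTRY32 pentry;
	HANDLE hpSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
	/* snapshot failed: nothing to enumerate, report "not traced" rather than
	 * passing INVALID_HANDLE_VALUE and an uninitialized entry to Process32First */
	if (hpSnap == INVALID_HANDLE_VALUE){
		return 1;
	}
	pentry.dwSize = sizeof (PROCESSENTRY32);
	if( !Process32First( hpSnap, &pentry ) ){
		CloseHandle(hpSnap);
		return 1;
	}
	/* … unchanged: do/while loop comparing pentry.szExeFile against the two names … */
	CloseHandle(hpSnap);   /* release the snapshot on the normal path too */
	/* … unchanged: print_traced()/write_trace() on res == 0 and return res … */
```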