mirrors/pafish
1
0
Fork 0
mirror of https://github.com/a0rtega/pafish synced 2024-11-28 17:03:16 +03:00
Code Issues Packages Projects Releases Wiki Activity

re #33 Add VMware MAC detection, minor refactor

Browse Source
This commit is contained in:
Alberto Ortega 2015-05-30 20:50:22 +02:00
parent 6cae2f7fa8
commit ea2888161b
6 changed files with 75 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pafish/main.c
View File

@ -401,6 +401,14 @@ int main(void)
} }
else print_not_traced(); else print_not_traced();
printf("[*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... ");
if (vmware_mac() == TRUE) {
write_log("VMware traced using MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56");
print_traced();
write_trace("hi_vmware");
}
else print_not_traced();
printf("[*] Looking for pseudo devices ... "); printf("[*] Looking for pseudo devices ... ");
if (vmware_devices(TRUE) == TRUE) { if (vmware_devices(TRUE) == TRUE) {
/* Log written inside function */ /* Log written inside function */

36
pafish/utils.c
View File

@ -1,8 +1,13 @@
#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <windows.h> #include <windows.h>
#include <ctype.h> #include <ctype.h>
#include <winsock2.h>
#include <iphlpapi.h>
#include <tlhelp32.h>
#include "utils.h" #include "utils.h"
#include "types.h" #include "types.h"
@ -122,3 +127,34 @@ inline int pafish_exists_file(char * filename) {
return (res != INVALID_FILE_ATTRIBUTES) ? TRUE : FALSE; return (res != INVALID_FILE_ATTRIBUTES) ? TRUE : FALSE;
} }
int pafish_check_mac_vendor(char * mac_vendor) {
WSADATA WSD;
int res = FALSE;
if(!WSAStartup(MAKEWORD(2,2),&WSD)){
unsigned long alist_size = 0;
int ret = GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,0,&alist_size);
if(ret==ERROR_BUFFER_OVERFLOW) {
IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size);
if(palist) {
GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,palist,&alist_size);
IP_ADAPTER_ADDRESSES* ppalist=palist;
char mac[6]={0};
while (ppalist){
if (ppalist->PhysicalAddressLength==0x6){
memcpy(mac,ppalist->PhysicalAddress,0x6);
if (!memcmp(mac_vendor, mac, 3)) { /* First 3 bytes are the same */
res = TRUE;
break;
}
}
ppalist = ppalist->Next;
}
LocalFree(palist);
}
}
WSACleanup();
}
return res;
}

2
pafish/utils.h
View File

@ -14,4 +14,6 @@ inline int pafish_exists_regkey_value_str(HKEY, char *, char *, char *);
inline int pafish_exists_file(char * filename); inline int pafish_exists_file(char * filename);
int pafish_check_mac_vendor(char * mac_vendor);
#endif #endif

32
pafish/vbox.c
View File

@ -1,11 +1,9 @@
#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */ #define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */
#include <winsock2.h>
#include <windows.h> #include <windows.h>
#include <string.h> #include <string.h>
#include <stdio.h> #include <stdio.h>
#include <iphlpapi.h>
#include <tlhelp32.h> #include <tlhelp32.h>
#include "vbox.h" #include "vbox.h"
@ -153,34 +151,8 @@ int vbox_sysfile2(int writelogs) {
* NIC MAC check * NIC MAC check
**/ **/
int vbox_mac() { int vbox_mac() {
WSADATA WSD; /* VirtualBox mac starts with 08:00:27 */
int res = FALSE; return pafish_check_mac_vendor("\x08\x00\x27");
if(!WSAStartup(MAKEWORD(2,2),&WSD)){
unsigned long alist_size = 0;
int ret = GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,0,&alist_size);
if(ret==ERROR_BUFFER_OVERFLOW) {
IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size);
if(palist) {
GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,palist,&alist_size);
IP_ADAPTER_ADDRESSES* ppalist=palist;
char mac[6]={0};
while (ppalist){
if (ppalist->PhysicalAddressLength==0x6){
memcpy(mac,ppalist->PhysicalAddress,0x6);
if(mac[0]==0x08 && mac[1]==0x00 && mac[2]==0x27) { // VirtualBox mac starts with 08:00:27
res = TRUE;
break;
}
}
ppalist = ppalist->Next;
}
LocalFree(palist);
}
}
WSACleanup();
}
return res;
} }
/** /**

25
pafish/vmware.c
View File

@ -30,6 +30,31 @@ int vmware_sysfile2() {
return pafish_exists_file("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys"); return pafish_exists_file("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
} }
int vmware_mac() {
/*
VMware is any of
00:05:69
00:0C:29
00:1C:14
00:50:56
*/
if (pafish_check_mac_vendor("\x00\x05\x69")) {
return TRUE;
}
else if (pafish_check_mac_vendor("\x00\x0C\x29")) {
return TRUE;
}
else if (pafish_check_mac_vendor("\x00\x1C\x14")) {
return TRUE;
}
else if (pafish_check_mac_vendor("\x00\x50\x56")) {
return TRUE;
}
else {
return FALSE;
}
}
int vmware_devices(int writelogs) { int vmware_devices(int writelogs) {
HANDLE h; HANDLE h;
const int count = 2; const int count = 2;

2
pafish/vmware.h
View File

@ -10,6 +10,8 @@ int vmware_sysfile1();
int vmware_sysfile2(); int vmware_sysfile2();
int vmware_mac();
int vmware_devices(); int vmware_devices();
#endif #endif