re #33 Add VMware MAC detection, minor refactor
This commit is contained in:
parent
6cae2f7fa8
commit
ea2888161b
@ -401,6 +401,14 @@ int main(void)
|
||||
}
|
||||
else print_not_traced();
|
||||
|
||||
printf("[*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... ");
|
||||
if (vmware_mac() == TRUE) {
|
||||
write_log("VMware traced using MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56");
|
||||
print_traced();
|
||||
write_trace("hi_vmware");
|
||||
}
|
||||
else print_not_traced();
|
||||
|
||||
printf("[*] Looking for pseudo devices ... ");
|
||||
if (vmware_devices(TRUE) == TRUE) {
|
||||
/* Log written inside function */
|
||||
|
@ -1,8 +1,13 @@
|
||||
|
||||
#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <windows.h>
|
||||
#include <ctype.h>
|
||||
#include <winsock2.h>
|
||||
#include <iphlpapi.h>
|
||||
#include <tlhelp32.h>
|
||||
|
||||
#include "utils.h"
|
||||
#include "types.h"
|
||||
@ -122,3 +127,34 @@ inline int pafish_exists_file(char * filename) {
|
||||
return (res != INVALID_FILE_ATTRIBUTES) ? TRUE : FALSE;
|
||||
}
|
||||
|
||||
int pafish_check_mac_vendor(char * mac_vendor) {
|
||||
WSADATA WSD;
|
||||
int res = FALSE;
|
||||
|
||||
if(!WSAStartup(MAKEWORD(2,2),&WSD)){
|
||||
unsigned long alist_size = 0;
|
||||
int ret = GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,0,&alist_size);
|
||||
if(ret==ERROR_BUFFER_OVERFLOW) {
|
||||
IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size);
|
||||
if(palist) {
|
||||
GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,palist,&alist_size);
|
||||
IP_ADAPTER_ADDRESSES* ppalist=palist;
|
||||
char mac[6]={0};
|
||||
while (ppalist){
|
||||
if (ppalist->PhysicalAddressLength==0x6){
|
||||
memcpy(mac,ppalist->PhysicalAddress,0x6);
|
||||
if (!memcmp(mac_vendor, mac, 3)) { /* First 3 bytes are the same */
|
||||
res = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
ppalist = ppalist->Next;
|
||||
}
|
||||
LocalFree(palist);
|
||||
}
|
||||
}
|
||||
WSACleanup();
|
||||
}
|
||||
return res;
|
||||
}
|
||||
|
||||
|
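Review bot: The second enumeration call, `GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,palist,&alist_size);`, discards its return value, so if the adapter set grew between the sizing call and this one (another ERROR_BUFFER_OVERFLOW) or the call fails for any other reason, the loop walks a buffer that only LMEM_ZEROINIT keeps safe to read; guard the traversal with `if (GetAdaptersAddresses(AF_UNSPEC, GAA_FLAG_INCLUDE_PREFIX, 0, palist, &alist_size) == NO_ERROR) { ... }`. The parameter contract also needs stating, since mac_vendor is a 3-byte OUI prefix compared with memcmp and not a NUL-terminated string (the VMware prefixes added in vmware.c begin with \x00): a header comment such as `/* mac_vendor: 3-byte OUI prefix, not a C string; returns TRUE if any 6-byte adapter MAC starts with it */` on this definition and on the prototype in the utils.h hunk below would stop a future strlen/strcmp-based rewrite, and the prototype can take `const char *` since the bytes are only read. The local `mac[6]` copy is unnecessary because memcmp can read `ppalist->PhysicalAddress` directly, and memcpy/memcmp need <string.h>, which the include hunk above does not add explicitly (it may arrive transitively through <windows.h>).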
@ -14,4 +14,6 @@ inline int pafish_exists_regkey_value_str(HKEY, char *, char *, char *);
|
||||
|
||||
inline int pafish_exists_file(char * filename);
|
||||
|
||||
int pafish_check_mac_vendor(char * mac_vendor);
|
||||
|
||||
#endif
|
||||
|
@ -1,11 +1,9 @@
|
||||
|
||||
#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */
|
||||
|
||||
#include <winsock2.h>
|
||||
#include <windows.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
#include <iphlpapi.h>
|
||||
#include <tlhelp32.h>
|
||||
|
||||
#include "vbox.h"
|
||||
@ -153,34 +151,8 @@ int vbox_sysfile2(int writelogs) {
|
||||
* NIC MAC check
|
||||
**/
|
||||
int vbox_mac() {
|
||||
WSADATA WSD;
|
||||
int res = FALSE;
|
||||
|
||||
if(!WSAStartup(MAKEWORD(2,2),&WSD)){
|
||||
unsigned long alist_size = 0;
|
||||
int ret = GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,0,&alist_size);
|
||||
if(ret==ERROR_BUFFER_OVERFLOW) {
|
||||
IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size);
|
||||
if(palist) {
|
||||
GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,palist,&alist_size);
|
||||
IP_ADAPTER_ADDRESSES* ppalist=palist;
|
||||
char mac[6]={0};
|
||||
while (ppalist){
|
||||
if (ppalist->PhysicalAddressLength==0x6){
|
||||
memcpy(mac,ppalist->PhysicalAddress,0x6);
|
||||
if(mac[0]==0x08 && mac[1]==0x00 && mac[2]==0x27) { // VirtualBox mac starts with 08:00:27
|
||||
res = TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
ppalist = ppalist->Next;
|
||||
}
|
||||
LocalFree(palist);
|
||||
}
|
||||
}
|
||||
WSACleanup();
|
||||
}
|
||||
return res;
|
||||
/* VirtualBox mac starts with 08:00:27 */
|
||||
return pafish_check_mac_vendor("\x08\x00\x27");
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -30,6 +30,31 @@ int vmware_sysfile2() {
|
||||
return pafish_exists_file("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
|
||||
}
|
||||
|
||||
int vmware_mac() {
|
||||
/*
|
||||
VMware is any of
|
||||
00:05:69
|
||||
00:0C:29
|
||||
00:1C:14
|
||||
00:50:56
|
||||
*/
|
||||
if (pafish_check_mac_vendor("\x00\x05\x69")) {
|
||||
return TRUE;
|
||||
}
|
||||
else if (pafish_check_mac_vendor("\x00\x0C\x29")) {
|
||||
return TRUE;
|
||||
}
|
||||
else if (pafish_check_mac_vendor("\x00\x1C\x14")) {
|
||||
return TRUE;
|
||||
}
|
||||
else if (pafish_check_mac_vendor("\x00\x50\x56")) {
|
||||
return TRUE;
|
||||
}
|
||||
else {
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
int vmware_devices(int writelogs) {
|
||||
HANDLE h;
|
||||
const int count = 2;
|
||||
|
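Review bot: The else-if/return chain starting at `if (pafish_check_mac_vendor("\x00\x05\x69")) {` repeats the same call four times, and each call re-runs WSAStartup, two GetAdaptersAddresses calls and a LocalAlloc, so the adapter list is enumerated four times per check. A table of the four OUIs walked in a loop keeps one line per prefix, makes the next VMware OUI a one-line addition, and lets the block comment listing the prefixes become the table's initializer; the `(char *)` cast in the version below goes away once the utils.h prototype takes `const char *`. Folding the four enumerations into one would need pafish_check_mac_vendor to accept a list of prefixes and is reasonable to leave for a later commit.
```c
int vmware_mac() {
    /* VMware OUIs: 00:05:69, 00:0C:29, 00:1C:14, 00:50:56 (3-byte prefixes, not C strings) */
    static const char *const vmware_ouis[] = {
        "\x00\x05\x69", "\x00\x0C\x29", "\x00\x1C\x14", "\x00\x50\x56"
    };
    size_t i;
    for (i = 0; i < sizeof vmware_ouis / sizeof vmware_ouis[0]; i++) {
        if (pafish_check_mac_vendor((char *)vmware_ouis[i])) {
            return TRUE;
        }
    }
    return FALSE;
}
```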
@ -10,6 +10,8 @@ int vmware_sysfile1();
|
||||
|
||||
int vmware_sysfile2();
|
||||
|
||||
int vmware_mac();
|
||||
|
||||
int vmware_devices();
|
||||
|
||||
#endif
|
||||
|