Win32 Process Enumeration

process_enum.cpp

// non-reentrant
CHAR *_ToLowerCase(char *p)
{
	static char _s_lower_str[4000];
	int i;
	
	memset(_s_lower_str, 0, sizeof(_s_lower_str));
	for(i = 0; i < strlen(p); i++)
		_s_lower_str[i] = tolower((int) p[i]);
		
	return ((char*) _s_lower_str);
}

static VOID VmCheck()
{
	DWORD nProcessIDs[1024];
	DWORD nProcesses;
	DWORD cb;
	DWORD i;
	HANDLE hProcess;
	CHAR szPath[MAX_PATH + 32];
	BOOLEAN found = FALSE;

	/* Check running process for known Virtual Machine tools */
	if(EnumProcesses(nProcessIDs, sizeof(nProcessIDs), &cb)) {
		nProcesses = cb / sizeof(nProcessIDs[0]);
		for(i = 0; i < nProcesses; i++) {
			hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, nProcessIDs[i]);
			if(!hProcess)
				continue;

			ZeroMemory(szPath, sizeof(szPath));
			if(!GetModuleFileNameEx(hProcess, NULL, szPath, sizeof(szPath)))
				continue;

			if( (strstr(_ToLowerCase(szPath), "VBoxService") != NULL) ||
				(strstr(_ToLowerCase(szPath), "VBoxTray") != NULL)	||
				(strstr(_ToLowerCase(szPath), "VMware") != NULL)		||
				(strstr(_ToLowerCase(szPath), "VirtualPC") != NULL)	||
				(strstr(_ToLowerCase(szPath), "wireshark") != NULL) ) {

				found = TRUE;
				break;
			}

			CloseHandle(hProcess);
		}
	}

	if(found)
		ExitProcess(1);

	/* TODO: VMware sidt check */
}