-
-
Save farukuzun/8975b791c183dad1a301 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <TlHelp32.h> | |
| #include <Setupapi.h> | |
| #include <string.h> | |
| void vmx_check(); | |
| void process_name_check(); | |
| void class_name_check(); | |
| void cpuid_check(); | |
| void cpu_cores_check(); | |
| void registry_check(); | |
| void devices_check(); | |
| void drivers_check(); | |
| int main(int argc, char **argv) | |
| { | |
| process_name_check(); | |
| class_name_check(); | |
| vmx_check(); | |
| cpuid_check(); | |
| cpu_cores_check(); | |
| registry_check(); | |
| devices_check(); | |
| drivers_check(); | |
| return 0; | |
| } | |
| void process_name_check() | |
| { | |
| HANDLE psnap; | |
| PROCESSENTRY32 pe; | |
| int i=0; | |
| char *process_name[] = {"regshot.exe", "wireshark.exe", "vmtoolsd.exe", "vboxtray.exe", "vboxservice.exe", "filemon.exe", "procmon.exe", "vmacthlp.exe"}; | |
| pe.dwSize = sizeof(PROCESSENTRY32); | |
| psnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); | |
| if(!Process32First(psnap, &pe)) | |
| { | |
| printf("There was an error in retrieving the process information\n"); | |
| return; | |
| } | |
| while(Process32Next(psnap, &pe)) | |
| { | |
| i=0; | |
| while(i != 8) | |
| { | |
| if(lstrcmpi(process_name[i], pe.szExeFile) == 0) | |
| { | |
| printf("Found process: %s\n", pe.szExeFile); | |
| } | |
| i++; | |
| } | |
| } | |
| return; | |
| } | |
| void cpu_cores_check() | |
| { | |
| int i=0; | |
| __asm | |
| { | |
| pushad | |
| mov eax, dword ptr fs:[0x18]; | |
| mov eax, dword ptr ds:[eax+0x30] | |
| mov eax, dword ptr ds:[eax+0x64]; | |
| cmp eax, 0x1 | |
| jnz done | |
| xor eax, eax | |
| inc eax | |
| mov i, eax | |
| done: | |
| popad | |
| } | |
| if(i==1) | |
| { | |
| printf("Only 1 CPU core assigned to the VM\n"); | |
| } | |
| return; | |
| } | |
| void cpuid_check() | |
| { | |
| int i=0; | |
| __asm | |
| { | |
| pushad | |
| mov eax, 0x1 | |
| cpuid | |
| and ecx, 0x1 | |
| cmp ecx, 0x1 | |
| jnz done | |
| xor eax, eax | |
| inc eax | |
| mov i, eax | |
| done: | |
| popad | |
| } | |
| if(i == 1) | |
| { | |
| printf("Hypervisor found\n"); | |
| } | |
| return; | |
| } | |
| void class_name_check() | |
| { | |
| char *window_names[] = {"VMDisplayChangeControlClass", "VMwareDragDetWndClass", "vmtoolsdControlWndClass", "VMwareTrayIcon"}; | |
| int i=0; | |
| while(i < 5) | |
| { | |
| if(FindWindow(window_names[i], NULL) != NULL) | |
| { | |
| printf("Found window name: %s\n", window_names[i]); | |
| } | |
| i++; | |
| } | |
| return; | |
| } | |
| void registry_check() | |
| { | |
| HKEY hkey; | |
| char *buffer; | |
| int i=0,j=0; | |
| int size = 256; | |
| char *vm_names[] = {"vmware", "qemu", "xen"}; | |
| buffer = (char *) malloc(sizeof(char) * size); | |
| RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\ControlSet001\\Services\\Disk\\Enum", 0, KEY_READ, &hkey); | |
| RegQueryValueEx(hkey, "0", NULL, NULL, buffer, &size); | |
| while(*(buffer+i)) | |
| { | |
| *(buffer+i) = (char) tolower(*(buffer+i)); | |
| i++; | |
| } | |
| while(j < 3) | |
| { | |
| if(strstr(buffer, vm_names[j]) != NULL) | |
| { | |
| printf("Found string %s in Registry\n", vm_names[j]); | |
| } | |
| j++; | |
| } | |
| return; | |
| } | |
| void vmx_check() | |
| { | |
| int i=0; | |
| __asm | |
| { | |
| pushad | |
| mov eax, 0x564d5868 | |
| mov edx, 0x5658 | |
| mov ecx, 0xa | |
| in eax, dx | |
| cmp ebx, 0x564d5868 | |
| jnz done | |
| xor eax, eax | |
| inc eax | |
| mov i, eax | |
| done: | |
| popad | |
| } | |
| if(i == 1) | |
| { | |
| printf("Found VMX backdoor\n"); | |
| } | |
| return; | |
| } | |
| void devices_check() | |
| { | |
| HDEVINFO devinfo; | |
| DWORD size; | |
| char *buffer; | |
| char *vm_names[] = {"vmware", "qemu", "xen"}; | |
| int i=0,j=0,k=0; | |
| SP_DEVINFO_DATA DeviceInfoData; | |
| DeviceInfoData.cbSize = sizeof(SP_DEVINFO_DATA); | |
| devinfo = SetupDiGetClassDevs(0,0,0,6); | |
| while(SetupDiEnumDeviceInfo(devinfo, i, &DeviceInfoData) != 0) | |
| { | |
| j=k=0; | |
| SetupDiGetDeviceRegistryProperty(devinfo, &DeviceInfoData, 0, 0, 0, 0, &size); | |
| buffer = (char *) calloc(0x40, size); | |
| SetupDiGetDeviceRegistryProperty(devinfo, &DeviceInfoData, 0, 0, buffer, size, 0); | |
| while(*(buffer+j)) | |
| { | |
| *(buffer+j) = (char) tolower(*(buffer+j)); | |
| j++; | |
| } | |
| while(k < 3) | |
| { | |
| if(strstr(buffer, vm_names[k]) != NULL) | |
| { | |
| printf("Found Device Name: %s\n", buffer); | |
| } | |
| k++; | |
| } | |
| i++; | |
| } | |
| return; | |
| } | |
| void drivers_check() | |
| { | |
| char buffer[256]; | |
| char *basedir="c:\\windows\\system32\\drivers\\"; | |
| char *driver_names[]={"vmci.sys","vmhgfs.sys","vmmouse.sys","vmscsi.sys","vmusbmouse.sys","vmx_svga.sys","vmxnet.sys","VBoxMouse.sys"}; | |
| int i=0; | |
| while(i < 8) | |
| { | |
| memset(buffer,'\0',256); | |
| strcpy(buffer,basedir); | |
| strcat(buffer,driver_names[i]); | |
| if(GetFileAttributes(buffer) != INVALID_FILE_ATTRIBUTES) | |
| { | |
| printf("Found driver: %s\n",driver_names[i]); | |
| } | |
| i++; | |
| } | |
| return; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment