static void print_dominfo(struct domain *dominfo,
FILE *d)
{
print_value(d, "Name", dominfo->name);
print_value(d, "UUID", dominfo->uuid);
print_value(d, "Bootloader", dominfo->bootloader);
print_value(d, " args", dominfo->bootloader_args);
fprintf(d, "Actions: : P:%i R:%i C:%i\n",
dominfo->on_poweroff,
dominfo->on_reboot,
dominfo->on_crash);
print_os(dominfo, d);
}
int main(void)
{
/* enable functions */
BOOL ENABLE_TLS_CHECKS = TRUE;
BOOL ENABLE_DEBUG_CHECKS = TRUE;
BOOL ENABLE_INJECTION_CHECKS = TRUE;
BOOL ENABLE_GEN_SANDBOX_CHECKS = TRUE;
BOOL ENABLE_VBOX_CHECKS = TRUE;
BOOL ENABLE_VMWARE_CHECKS = TRUE;
BOOL ENABLE_VPC_CHECKS = TRUE;
BOOL ENABLE_QEMU_CHECKS = TRUE;
BOOL ENABLE_XEN_CHECKS = TRUE;
BOOL ENABLE_WINE_CHECKS = TRUE;
BOOL ENABLE_PARALLELS_CHECKS = TRUE;
BOOL ENABLE_CODE_INJECTIONS = FALSE;
BOOL ENABLE_TIMING_ATTACKS = TRUE;
BOOL ENABLE_DUMPING_CHECK = TRUE;
BOOL ENABLE_ANALYSIS_TOOLS_CHECK = TRUE;
/* Resize the console window for better visibility */
resize_console_window();
/* Display general informations */
_tprintf(_T("[al-khaser version 0.77]"));
if (IsWoW64())
_tprintf(_T("Process is running under WOW64\n\n"));
print_category(TEXT("Initialisation"));
API::Init();
print_os();
API::PrintAvailabilityReport();
if (ENABLE_DEBUG_CHECKS) PageExceptionInitialEnum();
/* TLS checks */
if (ENABLE_TLS_CHECKS) {
print_category(TEXT("TLS Callbacks"));
exec_check(&TLSCallbackProcess, TEXT("TLS process attach callback "));
exec_check(&TLSCallbackThread, TEXT("TLS thread attach callback "));
}
/* Debugger Detection */
if (ENABLE_DEBUG_CHECKS) {
print_category(TEXT("Debugger Detection"));
exec_check(&IsDebuggerPresentAPI, TEXT("Checking IsDebuggerPresent API "));
exec_check(&IsDebuggerPresentPEB, TEXT("Checking PEB.BeingDebugged "));
exec_check(&CheckRemoteDebuggerPresentAPI, TEXT("Checking CheckRemoteDebuggerPresent API "));
exec_check(&NtGlobalFlag, TEXT("Checking PEB.NtGlobalFlag "));
exec_check(&HeapFlags, TEXT("Checking ProcessHeap.Flags "));
exec_check(&HeapForceFlags, TEXT("Checking ProcessHeap.ForceFlags "));
exec_check(&NtQueryInformationProcess_ProcessDebugPort, TEXT("Checking NtQueryInformationProcess with ProcessDebugPort "));
exec_check(&NtQueryInformationProcess_ProcessDebugFlags, TEXT("Checking NtQueryInformationProcess with ProcessDebugFlags "));
exec_check(&NtQueryInformationProcess_ProcessDebugObject, TEXT("Checking NtQueryInformationProcess with ProcessDebugObject "));
exec_check(&WUDF_IsAnyDebuggerPresent, TEXT("Checking WudfIsAnyDebuggerPresent API "));
exec_check(&WUDF_IsKernelDebuggerPresent, TEXT("Checking WudfIsKernelDebuggerPresent API "));
exec_check(&WUDF_IsUserDebuggerPresent, TEXT("Checking WudfIsUserDebuggerPresent API "));
exec_check(&NtSetInformationThread_ThreadHideFromDebugger, TEXT("Checking NtSetInformationThread with ThreadHideFromDebugger "));
exec_check(&CloseHandle_InvalideHandle, TEXT("Checking CloseHandle with an invalide handle "));
exec_check(&UnhandledExcepFilterTest, TEXT("Checking UnhandledExcepFilterTest "));
exec_check(&OutputDebugStringAPI, TEXT("Checking OutputDebugString "));
exec_check(&HardwareBreakpoints, TEXT("Checking Hardware Breakpoints "));
exec_check(&SoftwareBreakpoints, TEXT("Checking Software Breakpoints "));
exec_check(&Interrupt_0x2d, TEXT("Checking Interupt 0x2d "));
exec_check(&Interrupt_3, TEXT("Checking Interupt 1 "));
exec_check(&MemoryBreakpoints_PageGuard, TEXT("Checking Memory Breakpoints PAGE GUARD "));
exec_check(&IsParentExplorerExe, TEXT("Checking If Parent Process is explorer.exe "));
exec_check(&CanOpenCsrss, TEXT("Checking SeDebugPrivilege "));
exec_check(&NtQueryObject_ObjectTypeInformation, TEXT("Checking NtQueryObject with ObjectTypeInformation "));
exec_check(&NtQueryObject_ObjectAllTypesInformation, TEXT("Checking NtQueryObject with ObjectAllTypesInformation "));
exec_check(&NtYieldExecutionAPI, TEXT("Checking NtYieldExecution "));
exec_check(&SetHandleInformatiom_ProtectedHandle, TEXT("Checking CloseHandle protected handle trick "));
exec_check(&NtQuerySystemInformation_SystemKernelDebuggerInformation, TEXT("Checking NtQuerySystemInformation with SystemKernelDebuggerInformation "));
exec_check(&SharedUserData_KernelDebugger, TEXT("Checking SharedUserData->KdDebuggerEnabled "));
exec_check(&ProcessJob, TEXT("Checking if process is in a job "));
exec_check(&VirtualAlloc_WriteWatch_BufferOnly, TEXT("Checking VirtualAlloc write watch (buffer only) "));
exec_check(&VirtualAlloc_WriteWatch_APICalls, TEXT("Checking VirtualAlloc write watch (API calls) "));
exec_check(&VirtualAlloc_WriteWatch_IsDebuggerPresent, TEXT("Checking VirtualAlloc write watch (IsDebuggerPresent) "));
exec_check(&VirtualAlloc_WriteWatch_CodeWrite, TEXT("Checking VirtualAlloc write watch (code write) "));
exec_check(&PageExceptionBreakpointCheck, TEXT("Checking for page exception breakpoints "));
exec_check(&ModuleBoundsHookCheck, TEXT("Checking for API hooks outside module bounds "));
}
if (ENABLE_INJECTION_CHECKS) {
print_category(TEXT("DLL Injection Detection"));
exec_check(&ScanForModules_EnumProcessModulesEx_32bit, TEXT("Enumerating modules with EnumProcessModulesEx [32-bit] "));
exec_check(&ScanForModules_EnumProcessModulesEx_64bit, TEXT("Enumerating modules with EnumProcessModulesEx [64-bit] "));
exec_check(&ScanForModules_EnumProcessModulesEx_All, TEXT("Enumerating modules with EnumProcessModulesEx [ALL] "));
exec_check(&ScanForModules_ToolHelp32, TEXT("Enumerating modules with ToolHelp32 "));
exec_check(&ScanForModules_LdrEnumerateLoadedModules, TEXT("Enumerating the process LDR via LdrEnumerateLoadedModules "));
exec_check(&ScanForModules_LDR_Direct, TEXT("Enumerating the process LDR directly "));
exec_check(&ScanForModules_MemoryWalk_GMI, TEXT("Walking process memory with GetModuleInformation "));
exec_check(&ScanForModules_MemoryWalk_Hidden, TEXT("Walking process memory for hidden modules "));
}
/* Generic sandbox detection */
if (ENABLE_GEN_SANDBOX_CHECKS) {
print_category(TEXT("Generic Sandboxe/VM Detection"));
loaded_dlls();
exec_check(&NumberOfProcessors, TEXT("Checking Number of processors in machine "));
exec_check(&idt_trick, TEXT("Checking Interupt Descriptor Table location "));
exec_check(&ldt_trick, TEXT("Checking Local Descriptor Table location "));
exec_check(&gdt_trick, TEXT("Checking Global Descriptor Table location "));
exec_check(&str_trick, TEXT("Checking Store Task Register "));
exec_check(&number_cores_wmi, TEXT("Checking Number of cores in machine using WMI "));
exec_check(&disk_size_wmi, TEXT("Checking hard disk size using WMI "));
exec_check(&dizk_size_deviceiocontrol, TEXT("Checking hard disk size using DeviceIoControl "));
exec_check(&setupdi_diskdrive, TEXT("Checking SetupDi_diskdrive "));
exec_check(&mouse_movement, TEXT("Checking mouse movement "));
exec_check(&memory_space, TEXT("Checking memory space using GlobalMemoryStatusEx "));
exec_check(&disk_size_getdiskfreespace, TEXT("Checking disk size using GetDiskFreeSpaceEx "));
exec_check(&cpuid_is_hypervisor, TEXT("Checking if CPU hypervisor field is set using cpuid(0x1)"));
exec_check(&cpuid_hypervisor_vendor, TEXT("Checking hypervisor vendor using cpuid(0x40000000)"));
exec_check(&accelerated_sleep, TEXT("Check if time has been accelerated "));
exec_check(&VMDriverServices, TEXT("VM Driver Services "));
exec_check(&serial_number_bios_wmi, TEXT("Checking SerialNumber from BIOS using WMI "));
exec_check(&model_computer_system_wmi, TEXT("Checking Model from ComputerSystem using WMI "));
exec_check(&manufacturer_computer_system_wmi, TEXT("Checking Manufacturer from ComputerSystem using WMI "));
exec_check(¤t_temperature_acpi_wmi, TEXT("Checking Current Temperature using WMI "));
exec_check(&process_id_processor_wmi, TEXT("Checking ProcessId using WMI "));
exec_check(&power_capabilities, TEXT("Checking power capabilities "));
exec_check(&cpu_fan_wmi, TEXT("Checking CPU fan using WMI "));
exec_check(&query_license_value, TEXT("Checking NtQueryLicenseValue with Kernel-VMDetection-Private "));
exec_check(&cachememory_wmi, TEXT("Checking Win32_CacheMemory with WMI "));
exec_check(&physicalmemory_wmi, TEXT("Checking Win32_PhysicalMemory with WMI "));
exec_check(&memorydevice_wmi, TEXT("Checking Win32_MemoryDevice with WMI "));
exec_check(&memoryarray_wmi, TEXT("Checking Win32_MemoryArray with WMI "));
exec_check(&voltageprobe_wmi, TEXT("Checking Win32_VoltageProbe with WMI "));
exec_check(&portconnector_wmi, TEXT("Checking Win32_PortConnector with WMI "));
exec_check(&smbiosmemory_wmi, TEXT("Checking Win32_SMBIOSMemory with WMI "));
exec_check(&perfctrs_thermalzoneinfo_wmi, TEXT("Checking ThermalZoneInfo performance counters with WMI "));
exec_check(&cim_memory_wmi, TEXT("Checking CIM_Memory with WMI "));
exec_check(&cim_sensor_wmi, TEXT("Checking CIM_Sensor with WMI "));
exec_check(&cim_numericsensor_wmi, TEXT("Checking CIM_NumericSensor with WMI "));
exec_check(&cim_temperaturesensor_wmi, TEXT("Checking CIM_TemperatureSensor with WMI "));
exec_check(&cim_voltagesensor_wmi, TEXT("Checking CIM_VoltageSensor with WMI "));
exec_check(&cim_physicalconnector_wmi, TEXT("Checking CIM_PhysicalConnector with WMI "));
exec_check(&cim_slot_wmi, TEXT("Checking CIM_Slot with WMI "));
}
/* VirtualBox Detection */
if (ENABLE_VBOX_CHECKS) {
print_category(TEXT("VirtualBox Detection"));
vbox_reg_key_value();
exec_check(&vbox_dir, TEXT("Checking VirtualBox Guest Additions directory "));
vbox_files();
vbox_reg_keys();
exec_check(&vbox_check_mac, TEXT("Checking Mac Address start with 08:00:27 "));
exec_check(&hybridanalysismacdetect, TEXT("Checking MAC address (Hybrid Analysis) "));
vbox_devices();
exec_check(&vbox_window_class, TEXT("Checking VBoxTrayToolWndClass / VBoxTrayToolWnd "));
exec_check(&vbox_network_share, TEXT("Checking VirtualBox Shared Folders network provider "));
vbox_processes();
exec_check(&vbox_pnpentity_pcideviceid_wmi, TEXT("Checking Win32_PnPDevice DeviceId from WMI for VBox PCI device "));
exec_check(&vbox_pnpentity_controllers_wmi, TEXT("Checking Win32_PnPDevice Name from WMI for VBox controller hardware "));
exec_check(&vbox_pnpentity_vboxname_wmi, TEXT("Checking Win32_PnPDevice Name from WMI for VBOX names "));
exec_check(&vbox_bus_wmi, TEXT("Checking Win32_Bus from WMI "));
exec_check(&vbox_baseboard_wmi, TEXT("Checking Win32_BaseBoard from WMI "));
exec_check(&vbox_mac_wmi, TEXT("Checking MAC address from WMI "));
exec_check(&vbox_eventlogfile_wmi, TEXT("Checking NTEventLog from WMI "));
exec_check(&vbox_firmware_SMBIOS, TEXT("Checking SMBIOS firmware "));
exec_check(&vbox_firmware_ACPI, TEXT("Checking ACPI tables "));
}
/* VMWare Detection */
if (ENABLE_VMWARE_CHECKS) {
print_category(TEXT("VMWare Detection"));
vmware_reg_key_value();
vmware_reg_keys();
vmware_files();
vmware_mac();
exec_check(&vmware_adapter_name, TEXT("Checking VMWare network adapter name "));
vmware_devices();
exec_check(&vmware_dir, TEXT("Checking VMWare directory "));
exec_check(&vmware_firmware_SMBIOS, TEXT("Checking SMBIOS firmware "));
exec_check(&vmware_firmware_ACPI, TEXT("Checking ACPI tables "));
}
/* Virtual PC Detection */
if (ENABLE_VPC_CHECKS) {
print_category(TEXT("Virtual PC Detection"));
virtual_pc_process();
virtual_pc_reg_keys();
}
/* QEMU Detection */
if (ENABLE_QEMU_CHECKS) {
print_category(TEXT("QEMU Detection"));
qemu_reg_key_value();
qemu_processes();
exec_check(&qemu_firmware_SMBIOS, TEXT("Checking SMBIOS firmware "));
exec_check(&qemu_firmware_ACPI, TEXT("Checking ACPI tables "));
}
/* Xen Detection */
if (ENABLE_XEN_CHECKS) {
print_category(TEXT("Xen Detection"));
xen_process();
exec_check(&xen_check_mac, TEXT("Checking Mac Address start with 08:16:3E "));
}
/* Wine Detection */
if (ENABLE_WINE_CHECKS) {
print_category(TEXT("Wine Detection"));
exec_check(&wine_exports, TEXT("Checking Wine via dll exports "));
wine_reg_keys();
}
/* Paralles Detection */
if (ENABLE_PARALLELS_CHECKS) {
print_category(TEXT("Paralles Detection"));
parallels_process();
exec_check(¶llels_check_mac, TEXT("Checking Mac Address start with 08:1C:42 "));
}
/* Code injections techniques */
if (ENABLE_CODE_INJECTIONS) {
CreateRemoteThread_Injection();
SetWindowsHooksEx_Injection();
NtCreateThreadEx_Injection();
RtlCreateUserThread_Injection();
QueueUserAPC_Injection();
GetSetThreadContext_Injection();
}
/* Timing Attacks */
if (ENABLE_TIMING_ATTACKS) {
print_category(TEXT("Timing-attacks"));
UINT delayInSeconds = 600U;
UINT delayInMillis = delayInSeconds * 1000U;
printf("\n[*] Delay value is set to %u minutes ...\n", delayInSeconds / 60);
exec_check(timing_NtDelayexecution, delayInMillis, TEXT("Performing a sleep using NtDelayExecution ..."));
exec_check(timing_sleep_loop, delayInMillis, TEXT("Performing a sleep() in a loop ..."));
exec_check(timing_SetTimer, delayInMillis, TEXT("Delaying execution using SetTimer ..."));
exec_check(timing_timeSetEvent, delayInMillis, TEXT("Delaying execution using timeSetEvent ..."));
exec_check(timing_WaitForSingleObject, delayInMillis, TEXT("Delaying execution using WaitForSingleObject ..."));
exec_check(timing_IcmpSendEcho, delayInMillis, TEXT("Delaying execution using IcmpSendEcho ..."));
exec_check(timing_CreateWaitableTimer, delayInMillis, TEXT("Delaying execution using CreateWaitableTimer ..."));
exec_check(timing_CreateTimerQueueTimer, delayInMillis, TEXT("Delaying execution using CreateTimerQueueTimer ..."));
exec_check(&rdtsc_diff_locky, TEXT("Checking RDTSC Locky trick "));
exec_check(&rdtsc_diff_vmexit, TEXT("Checking RDTSC which force a VM Exit (cpuid) "));
}
/* Malware analysis tools */
if (ENABLE_ANALYSIS_TOOLS_CHECK) {
print_category(TEXT("Analysis-tools"));
analysis_tools_process();
}
/* Anti Dumping */
if (ENABLE_DUMPING_CHECK) {
print_category(TEXT("Anti Dumping"));
ErasePEHeaderFromMemory();
SizeOfImage();
}
_tprintf(_T("\n\nAnalysis done, I hope you didn't get red flags :)"));
getchar();
return 0;
}
static int
sysinfo_cb (char *word[], char *word_eol[], void *userdata)
{
error_printed = 0;
int announce = 0;
int buffer;
char format[bsize];
if (!hexchat_pluginpref_get_str (ph, "format", format))
{
hexchat_printf (ph, "%s\tError reading config file!", name);
return HEXCHAT_EAT_ALL;
}
if (hexchat_list_int (ph, NULL, "type") >= 2)
{
announce = 1;
}
if (!g_ascii_strcasecmp ("HELP", word[2]))
{
hexchat_printf (ph, sysinfo_help);
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("LIST", word[2]))
{
list_settings ();
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("SET", word[2]))
{
if (!g_ascii_strcasecmp ("", word_eol[4]))
{
hexchat_printf (ph, "%s\tEnter a value!\n", name);
return HEXCHAT_EAT_ALL;
}
if (!g_ascii_strcasecmp ("format", word[3]))
{
hexchat_pluginpref_set_str (ph, "format", word_eol[4]);
hexchat_printf (ph, "%s\tformat is set to: %s\n", name, word_eol[4]);
}
else if (!g_ascii_strcasecmp ("percent", word[3]))
{
buffer = atoi (word[4]); /* don't use word_eol, numbers must not contain spaces */
if (buffer > 0 && buffer < INT_MAX)
{
hexchat_pluginpref_set_int (ph, "percent", buffer);
hexchat_printf (ph, "%s\tpercent is set to: %d\n", name, buffer);
}
else
{
hexchat_printf (ph, "%s\tInvalid input!\n", name);
}
}
else if (!g_ascii_strcasecmp ("pciids", word[3]))
{
hexchat_pluginpref_set_str (ph, "pciids", word_eol[4]);
hexchat_printf (ph, "%s\tpciids is set to: %s\n", name, word_eol[4]);
}
else
{
hexchat_printf (ph, "%s\tInvalid variable name! Use 'pciids', 'format' or 'percent'!\n", name);
return HEXCHAT_EAT_ALL;
}
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("RESET", word[2]))
{
reset_settings ();
hexchat_printf (ph, "%s\tSettings have been restored to defaults.\n", name);
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("OS", word[2]))
{
print_os (announce, format);
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("DISTRO", word[2]))
{
print_distro (announce, format);
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("CPU", word[2]))
{
print_cpu (announce, format);
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("RAM", word[2]))
{
print_ram (announce, format);
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("DISK", word[2]))
{
print_disk (announce, format);
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("VGA", word[2]))
{
print_vga (announce, format);
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("SOUND", word[2]))
{
print_sound (announce, format);
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("ETHERNET", word[2]))
{
print_ethernet (announce, format);
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("UPTIME", word[2]))
{
print_uptime (announce, format);
return HEXCHAT_EAT_ALL;
}
else if (!g_ascii_strcasecmp ("", word[2]))
{
print_summary (announce, format);
return HEXCHAT_EAT_ALL;
}
else
{
hexchat_printf (ph, sysinfo_help);
return HEXCHAT_EAT_ALL;
}
}
