/*
 * Run one detection check and report its outcome on the console.
 *
 * text        label printed after "[*] " and before the "... " result marker
 * callback    check routine; invoked with no arguments when text_log is
 *             given, otherwise invoked with TRUE so the check can write
 *             its own log entry
 * text_log    log line handed to write_log() on a positive result, or NULL
 *             when the check logs for itself
 * text_trace  tag handed to write_trace() on a positive result
 *
 * NOTE(review): callback is called through two differently-typed pointers
 * (no argument vs. one int); the callee must really accept the argument
 * count used for it, or the call is undefined behaviour. Also note that
 * this helper treats a return of TRUE as "detected", while the checks
 * driven from main() signal detection with 0 -- confirm which convention
 * a callback follows before routing it through here.
 */
void exec_check(char * text, int (*callback)(), char * text_log, char * text_trace) {
    int (*logging_callback)(int) = callback;
    int detected;

    if (text_log) {
        detected = callback();
    } else {
        /* No log text supplied: the check writes its own log entry. */
        detected = logging_callback(TRUE);
    }

    printf("[*] %s ... ", text);
    if (detected != TRUE) {
        print_not_traced();
        return;
    }
    /* Only log here for checks that do not log for themselves. */
    if (text_log) {
        write_log(text_log);
    }
    print_traced();
    write_trace(text_trace);
}
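/*
 * Run one detection check and report it on the console, the log and the trace.
 *
 * label      text shown after "[*] " on the console line
 * check      detection routine; a return value of 0 means "detected"
 * log_msg    line written via write_log() on detection
 * trace_tag  tag handed to write_trace() on detection
 *
 * log_msg and trace_tag are declared char * because they are passed straight
 * through to write_log()/write_trace(), whose declarations are not visible in
 * this translation unit. On detection the log line is always written before
 * the console marker, so every check now reports in the same order.
 */
static void run_check(const char *label, int (*check)(void), char *log_msg, char *trace_tag) {
    printf("[*] %s ... ", label);
    if (check() == 0) {
        write_log(log_msg);
        print_traced();
        write_trace(trace_tag);
    } else {
        print_not_traced();
    }
}

/*
 * Entry point: print the Windows version, then run every debugger, sandbox,
 * Wine and hypervisor detection check in turn, reporting each result on the
 * console, in the log and in the trace. Waits for a key press before
 * returning so the console window stays readable.
 *
 * argc/argv are unused. Returns 0.
 */
int main(int argc, char *argv[]) {
    /* Attribution for the embedded icon; kept on purpose even though unused. */
    char icon[] = "Blue fish icon thanks to http://www.fasticon.com/";
    char winverstr[64], aux[1024];
    /* Zero-initialised so the fields are defined even if GetVersionEx() fails. */
    OSVERSIONINFO winver = { .dwOSVersionInfoSize = sizeof winver };

    (void)argc;
    (void)argv;
    (void)icon;

    write_log("Start");
    init_cmd_colors();
    print_header();

    /*
     * NOTE(review): GetVersionEx() is deprecated and, from Windows 8.1 on,
     * reports a manifest-dependent version; the dwMajorVersion < 6 gate below
     * may therefore not reflect the real OS on newer systems.
     */
    GetVersionEx(&winver);
    /* DWORD fields are unsigned long; %d would be a format mismatch. */
    snprintf(winverstr, sizeof(winverstr), "%lu.%lu build %lu",
             (unsigned long)winver.dwMajorVersion,
             (unsigned long)winver.dwMinorVersion,
             (unsigned long)winver.dwBuildNumber);
    printf("[*] Windows version: %s\n", winverstr);
    snprintf(aux, sizeof(aux), "Windows version: %s", winverstr);
    write_log(aux);

    printf("[*] Running checks ...\n");

    /* Debuggers detection tricks */
    printf("\n[-] Debuggers detection\n");
    run_check("Using IsDebuggerPresent()", debug_isdebuggerpresent,
              "Debugger traced using IsDebuggerPresent()", "hi_debugger");
    /* This is only working on MS Windows systems prior to Vista */
    if (winver.dwMajorVersion < 6) {
        run_check("Using OutputDebugString()", debug_outputdebugstring,
                  "Debugger traced using OutputDebugString()", "hi_debugger");
    }

    /* Generic sandbox detection tricks */
    printf("\n[-] Generic sandbox detection\n");
    run_check("Using mouse activity", gensandbox_mouse_act,
              "Sandbox traced using mouse activity", "hi_sandbox");
    run_check("Checking username", gensandbox_username,
              "Sandbox traced by checking username", "hi_sandbox");
    run_check("Checking file path", gensandbox_path,
              "Sandbox traced by checking file path", "hi_sandbox");

    /* Sandboxie detection tricks */
    printf("\n[-] Sandboxie detection\n");
    run_check("Using sbiedll.dll", sboxie_detect_sbiedll,
              "Sandboxie traced using sbiedll.dll", "hi_sandboxie");

    /* Wine detection tricks */
    printf("\n[-] Wine detection\n");
    run_check("Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll",
              wine_detect_get_unix_file_name,
              "Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll",
              "hi_wine");

    /* VirtualBox detection tricks */
    printf("\n[-] VirtualBox detection\n");
    run_check("Scsi port->bus->target id->logical unit id-> 0 identifier", vbox_reg_key1,
              "VirtualBox traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"",
              "hi_virtualbox");
    run_check("Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\")", vbox_reg_key2,
              "VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"",
              "hi_virtualbox");
    run_check("Reg key (HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions)", vbox_reg_key3,
              "VirtualBox traced using Reg key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
              "hi_virtualbox");
    run_check("Reg key (HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\")", vbox_reg_key4,
              "VirtualBox traced using Reg key HKLM\\HARDWARE\\Description\\System \"VideoBiosVersion\"",
              "hi_virtualbox");
    run_check("Looking for C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys", vbox_sysfile1,
              "VirtualBox traced using file C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys",
              "hi_virtualbox");

    /* VMware detection tricks */
    printf("\n[-] VMware detection\n");
    run_check("Scsi port->bus->target id->logical unit id-> 0 identifier", vmware_reg_key1,
              "VMWare traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"",
              "hi_vmware");
    run_check("Reg key (HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools)", vmware_reg_key2,
              "VMware traced using Reg key HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools",
              "hi_vmware");
    run_check("Looking for C:\\WINDOWS\\system32\\drivers\\vmmouse.sys", vmware_sysfile1,
              "VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmmouse.sys",
              "hi_vmware");
    run_check("Looking for C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys", vmware_sysfile2,
              "VMware traced using file C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys",
              "hi_vmware");

    /* Qemu detection tricks */
    printf("\n[-] Qemu detection\n");
    run_check("Scsi port->bus->target id->logical unit id-> 0 identifier", qemu_reg_key1,
              "Qemu traced using Reg key HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 \"Identifier\"",
              "hi_qemu");
    run_check("Reg key (HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\")", qemu_reg_key2,
              "Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System \"SystemBiosVersion\"",
              "hi_qemu");
    run_check("Reg key (HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 \"ProcessorNameString\")", qemu_reg_key3,
              "Qemu traced using Reg key HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 \"ProcessorNameString\"",
              "hi_qemu");
    run_check("Reg key (HKLM\\HARDWARE\\Description\\System\\BIOS \"SystemProductName\")", qemu_reg_key4,
              "Qemu traced using Reg key HKLM\\HARDWARE\\Description\\System\\BIOS \"SystemProductName\"",
              "hi_qemu");

    printf("\n\n");
    printf("[-] Finished, feel free to RE me.");
    write_log("End");
    /*
     * The Microsoft CRT defines fflush() on an input stream as discarding
     * buffered input; ISO C leaves it undefined, so this only makes sense on
     * Windows, where this program runs.
     */
    fflush(stdin);
    getchar();
    return 0;
}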