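/* Check for VMware guest driver files under the Windows directory.
 *
 * Builds "<windir>\<relative path>" for each blacklisted driver and asks
 * is_FileExists() whether it is there. One "[*] Checking file ..." line is
 * printed per candidate, followed by the detected / not-detected marker.
 *
 * NOTE(review): if this binary is built 32-bit and runs on 64-bit Windows,
 * WOW64 file-system redirection maps system32 (including drivers\) to
 * SysWOW64, so the real driver directory is not the one probed — TODO
 * confirm the build target or disable redirection around this check.
 */
VOID vmware_files()
{
    /* Blacklisted paths, relative to the Windows directory */
    TCHAR *szPaths[] = {
        _T("system32\\drivers\\vmmouse.sys"),
        _T("system32\\drivers\\vmhgfs.sys"),
    };
    WORD dwlength = sizeof(szPaths) / sizeof(szPaths[0]);
    TCHAR szWinDir[MAX_PATH] = _T("");
    TCHAR szPath[MAX_PATH] = _T("");

    /* GetWindowsDirectory returns 0 on failure and the required size when
     * the buffer is too small. Without this check szWinDir stays empty and
     * PathCombine would yield a path relative to the current directory,
     * turning the probe into a meaningless lookup. */
    UINT cchWinDir = GetWindowsDirectory(szWinDir, MAX_PATH);
    if (cchWinDir == 0 || cchWinDir >= MAX_PATH) {
        DWORD dwErr = GetLastError();
        _tprintf(TEXT("[-] GetWindowsDirectory failed (error %lu)\n"), dwErr);
        return;
    }

    /* Check one by one */
    for (int i = 0; i < dwlength; i++) {
        /* PathCombine returns NULL when the result would not fit in MAX_PATH */
        if (PathCombine(szPath, szWinDir, szPaths[i]) == NULL) {
            _tprintf(TEXT("[-] Path too long, skipping %s\n"), szPaths[i]);
            continue;
        }
        _tprintf(TEXT("[*] Checking file %s: "), szPath);
        if (is_FileExists(szPath))
            print_detected();
        else
            print_not_detected();
    }
}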
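/* Check for VirtualBox guest registry keys.
 *
 * Every key is probed under HKEY_LOCAL_MACHINE via Is_RegKeyExists() and
 * one "[*] Checking reg key ..." line is printed per entry, followed by
 * the detected / not-detected marker.
 *
 * The service keys are looked up under SYSTEM\ControlSet001, which is not
 * necessarily the control set the machine booted with; the live one is
 * aliased as SYSTEM\CurrentControlSet — TODO confirm ControlSet001 was
 * intended rather than the alias.
 */
VOID vbox_check_registry_keys()
{
    /* Blacklisted registry keys, relative to HKLM.
     * NOTE(review): HARDWARE\ACPI\RSDT\VBOX__ was listed twice, which only
     * produced a duplicate output line; the copy is dropped here. The second
     * entry was presumably meant to be a different ACPI table — TODO confirm. */
    TCHAR *szKeys[] = {
        _T("HARDWARE\\ACPI\\RSDT\\VBOX__"),
        _T("HARDWARE\\ACPI\\FADT\\VBOX__"),
        _T("SOFTWARE\\Oracle\\VirtualBox Guest Additions"),
        _T("SYSTEM\\ControlSet001\\Services\\VBoxGuest"),
        _T("SYSTEM\\ControlSet001\\Services\\VBoxMouse"),
        _T("SYSTEM\\ControlSet001\\Services\\VBoxService"),
        _T("SYSTEM\\ControlSet001\\Services\\VBoxSF"),
        _T("SYSTEM\\ControlSet001\\Services\\VBoxVideo"),
    };
    WORD dwlength = sizeof(szKeys) / sizeof(szKeys[0]);

    /* Check one by one */
    for (int i = 0; i < dwlength; i++) {
        _tprintf(TEXT("[*] Checking reg key %s: "), szKeys[i]);
        if (Is_RegKeyExists(HKEY_LOCAL_MACHINE, szKeys[i]))
            print_detected();
        else
            print_not_detected();
    }
}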
/* Run a single detection callback and print its verdict.
 *
 * callback - detection routine; expected to return TRUE when the
 *            environment looks like a VM / sandbox.
 * text_log - label printed after "[*] " and before the result marker.
 *
 * Only an exact TRUE counts as detected: any other non-zero return value
 * is reported as not detected, so callbacks must not signal detection
 * with arbitrary non-zero values.
 */
VOID exec_check(int (*callback)(), TCHAR *text_log)
{
    const int verdict = callback();

    _tprintf(TEXT("[*] %s"), text_log);
    if (verdict != TRUE) {
        print_not_detected();
        return;
    }
    print_detected();
}
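/* Check for Citrix Xen guest-tools processes.
 *
 * Each process name is looked up with GetProcessIdFromName(); a non-zero
 * PID means the process is running and is reported as detected.
 *
 * The log line now ends with ": " like the other process checks, so the
 * result marker no longer runs straight into the process name.
 */
VOID xen_process()
{
    /* Blacklisted process names */
    TCHAR *szProcesses[] = {
        _T("xenservice.exe"),
    };
    WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);

    /* Check one by one */
    for (int i = 0; i < iLength; i++) {
        _tprintf(TEXT("[*] Checking Citrix Xen process %s: "), szProcesses[i]);
        if (GetProcessIdFromName(szProcesses[i]))
            print_detected();
        else
            print_not_detected();
    }
}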
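/* Check for VMware Tools processes.
 *
 * Each process name is looked up with GetProcessIdFromName(); a non-zero
 * PID means the process is running and is reported as detected. The
 * comparison is by image name only, so a renamed vmtoolsd.exe is missed.
 *
 * The log line previously read "processe"; fixed to "process".
 */
VOID vmware_processes()
{
    /* Blacklisted process names */
    TCHAR *szProcesses[] = {
        _T("vmtoolsd.exe"),
    };
    WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);

    /* Check one by one */
    for (int i = 0; i < iLength; i++) {
        _tprintf(TEXT("[*] Checking vmware process %s: "), szProcesses[i]);
        if (GetProcessIdFromName(szProcesses[i]))
            print_detected();
        else
            print_not_detected();
    }
}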
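/* Check for VirtualBox guest-additions processes.
 *
 * Each process name is looked up with GetProcessIdFromName(); a non-zero
 * PID means the process is running and is reported as detected. The
 * comparison is by image name only, so renamed binaries are missed.
 *
 * The log line previously read "processe"; fixed to "process".
 */
VOID vbox_processes()
{
    /* Blacklisted process names */
    TCHAR *szProcesses[] = {
        _T("vboxservice.exe"),
        _T("vboxtray.exe"),
    };
    WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);

    /* Check one by one */
    for (int i = 0; i < iLength; i++) {
        _tprintf(TEXT("[*] Checking virtual box process %s: "), szProcesses[i]);
        if (GetProcessIdFromName(szProcesses[i]))
            print_detected();
        else
            print_not_detected();
    }
}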
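/* Check for VMware pseudo-devices by trying to open them.
 *
 * Each device name is opened with CreateFile(); a valid handle means the
 * device (and the VMware guest driver behind it) is present. The handle is
 * only an existence probe and is closed immediately — the previous code
 * leaked one handle per detected device.
 *
 * NOTE(review): any failed open is treated as "not present" without
 * looking at the error code. An ERROR_ACCESS_DENIED would also imply the
 * device exists but is reported as not detected here — TODO decide whether
 * GetLastError() should be consulted.
 */
VOID vmware_devices()
{
    /* Blacklisted device names */
    TCHAR *devices[] = {
        _T("\\\\.\\HGFS"),
        _T("\\\\.\\vmci"),
    };
    WORD iLength = sizeof(devices) / sizeof(devices[0]);

    /* Check one by one */
    for (int i = 0; i < iLength; i++) {
        HANDLE hFile = CreateFile(devices[i], GENERIC_READ, FILE_SHARE_READ, NULL,
                                  OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        _tprintf(TEXT("[*] Checking device %s: "), devices[i]);
        if (hFile != INVALID_HANDLE_VALUE) {
            /* Release the probe handle before reporting */
            CloseHandle(hFile);
            print_detected();
        } else {
            print_not_detected();
        }
    }
}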
/* Check for VMware Tools registry keys.
 *
 * Each key is probed under HKEY_LOCAL_MACHINE via Is_RegKeyExists() and
 * one "[*] Checking reg key ..." line is printed per entry, followed by
 * the detected / not-detected marker.
 */
VOID vmware_reg_keys()
{
    /* Blacklisted registry keys, relative to HKLM */
    TCHAR *szKeys[] = {
        _T("SOFTWARE\\VMware, Inc.\\VMware Tools"),
    };
    const WORD cKeys = sizeof(szKeys) / sizeof(szKeys[0]);

    for (int idx = 0; idx < cKeys; idx++) {
        TCHAR *key = szKeys[idx];
        _tprintf(TEXT("[*] Checking reg key %s: "), key);
        if (!Is_RegKeyExists(HKEY_LOCAL_MACHINE, key)) {
            print_not_detected();
            continue;
        }
        print_detected();
    }
}
/* Check SCSI device-map registry values for a VMware identifier.
 *
 * For each (key, value name, expected content) triple the value is looked
 * up under HKEY_LOCAL_MACHINE via Is_RegKeyValueExists(); a match is
 * reported as detected. Whether the helper requires an exact match or a
 * substring is not visible here — TODO confirm against its definition.
 *
 * Only SCSI ports 0-2 are covered; a guest whose disk is enumerated on a
 * higher port is not caught by this check.
 */
VOID vmware_reg_key_value()
{
    struct reg_value_probe {
        TCHAR *key;
        TCHAR *value_name;
        TCHAR *expected;
    };

    /* Blacklisted registry values, relative to HKLM */
    struct reg_value_probe probes[] = {
        { _T("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"),
          _T("Identifier"), _T("VMWARE") },
        { _T("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"),
          _T("Identifier"), _T("VMWARE") },
        { _T("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"),
          _T("Identifier"), _T("VMWARE") },
    };
    const WORD cProbes = sizeof(probes) / sizeof(probes[0]);

    for (int idx = 0; idx < cProbes; idx++) {
        const struct reg_value_probe *p = &probes[idx];
        _tprintf(_T("[*] Checking reg key %s:"), p->key);
        if (!Is_RegKeyValueExists(HKEY_LOCAL_MACHINE, p->key, p->value_name, p->expected)) {
            print_not_detected();
            continue;
        }
        print_detected();
    }
}
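/* Check for VirtualBox pseudo-devices and named pipes by opening them.
 *
 * Each name is opened with CreateFile(); a valid handle means the object
 * (and the guest-additions component behind it) is present. The handle is
 * only an existence probe and is closed immediately — the previous code
 * leaked one handle per detected device.
 *
 * NOTE(review): any failed open is treated as "not present" without
 * looking at the error code. An ERROR_ACCESS_DENIED would also imply the
 * object exists but is reported as not detected here — TODO decide whether
 * GetLastError() should be consulted.
 */
VOID vbox_devices()
{
    /* Blacklisted device / pipe names */
    TCHAR *devices[] = {
        _T("\\\\.\\VBoxMiniRdrDN"),
        _T("\\\\.\\VBoxGuest"),
        _T("\\\\.\\pipe\\VBoxMiniRdDN"),
        _T("\\\\.\\VBoxTrayIPC"),
        _T("\\\\.\\pipe\\VBoxTrayIPC"),
    };
    WORD iLength = sizeof(devices) / sizeof(devices[0]);

    /* Check one by one */
    for (int i = 0; i < iLength; i++) {
        HANDLE hFile = CreateFile(devices[i], GENERIC_READ, FILE_SHARE_READ, NULL,
                                  OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        _tprintf(TEXT("[*] Checking device %s: "), devices[i]);
        if (hFile != INVALID_HANDLE_VALUE) {
            /* Release the probe handle before reporting */
            CloseHandle(hFile);
            print_detected();
        } else {
            print_not_detected();
        }
    }
}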
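/* Check for VirtualBox guest-additions files under the Windows directory.
 *
 * Builds "<windir>\<relative path>" for each blacklisted file and asks
 * is_FileExists() whether it is there. One "[*] Checking file ..." line is
 * printed per candidate, followed by the detected / not-detected marker.
 *
 * NOTE(review): if this binary is built 32-bit and runs on 64-bit Windows,
 * WOW64 file-system redirection maps system32 (including drivers\) to
 * SysWOW64, so the real system directory is not the one probed — TODO
 * confirm the build target or disable redirection around this check.
 */
VOID vbox_check_files()
{
    /* Blacklisted paths, relative to the Windows directory */
    TCHAR *szPaths[] = {
        _T("system32\\drivers\\VBoxMouse.sys"),
        _T("system32\\drivers\\VBoxGuest.sys"),
        _T("system32\\drivers\\VBoxSF.sys"),
        _T("system32\\drivers\\VBoxVideo.sys"),
        _T("system32\\vboxdisp.dll"),
        _T("system32\\vboxhook.dll"),
        _T("system32\\vboxmrxnp.dll"),
        _T("system32\\vboxogl.dll"),
        _T("system32\\vboxoglarrayspu.dll"),
        _T("system32\\vboxoglcrutil.dll"),
        _T("system32\\vboxoglerrorspu.dll"),
        _T("system32\\vboxoglfeedbackspu.dll"),
        _T("system32\\vboxoglpackspu.dll"),
        _T("system32\\vboxoglpassthroughspu.dll"),
        _T("system32\\vboxservice.exe"),
        _T("system32\\vboxtray.exe"),
        _T("system32\\VBoxControl.exe"),
    };
    WORD dwlength = sizeof(szPaths) / sizeof(szPaths[0]);
    TCHAR szWinDir[MAX_PATH] = _T("");
    TCHAR szPath[MAX_PATH] = _T("");

    /* GetWindowsDirectory returns 0 on failure and the required size when
     * the buffer is too small. Without this check szWinDir stays empty and
     * PathCombine would yield a path relative to the current directory,
     * turning the probe into a meaningless lookup. */
    UINT cchWinDir = GetWindowsDirectory(szWinDir, MAX_PATH);
    if (cchWinDir == 0 || cchWinDir >= MAX_PATH) {
        DWORD dwErr = GetLastError();
        _tprintf(TEXT("[-] GetWindowsDirectory failed (error %lu)\n"), dwErr);
        return;
    }

    /* Check one by one */
    for (int i = 0; i < dwlength; i++) {
        /* PathCombine returns NULL when the result would not fit in MAX_PATH */
        if (PathCombine(szPath, szWinDir, szPaths[i]) == NULL) {
            _tprintf(TEXT("[-] Path too long, skipping %s\n"), szPaths[i]);
            continue;
        }
        _tprintf(TEXT("[*] Checking file %s: "), szPath);
        if (is_FileExists(szPath))
            print_detected();
        else
            print_not_detected();
    }
}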
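/* Check the NIC MAC addresses against VMware OUI prefixes.
 *
 * Each entry is a 3-byte OUI (the vendor half of a MAC address) stored as
 * raw bytes; check_mac_addr() presumably compares those 3 bytes against the
 * adapters' addresses — TODO confirm against its definition.
 *
 * The prefixes are printed as hex. The first byte of every prefix is 0x00,
 * so printing the entry with %s terminated the string immediately and the
 * log line showed no MAC at all.
 */
VOID vmware_mac()
{
    /* VMware-assigned OUIs */
    CHAR *szMac[] = {
        "\x00\x05\x69",
        "\x00\x0C\x29",
        "\x00\x1C\x14",
        "\x00\x50\x56",
    };
    WORD dwLength = sizeof(szMac) / sizeof(szMac[0]);

    /* Check one by one */
    for (int i = 0; i < dwLength; i++) {
        /* Cast to unsigned so bytes >= 0x80 are not sign-extended by %X */
        const unsigned char *oui = (const unsigned char *)szMac[i];
        printf("[*] Checking MAC %02X:%02X:%02X: ",
               (unsigned)oui[0], (unsigned)oui[1], (unsigned)oui[2]);
        if (check_mac_addr(szMac[i]))
            print_detected();
        else
            print_not_detected();
    }
}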