Детект виртуалок

[Quake3]

Функции из журнала "хакер", мб кому пригодится.

VirtualMachineDetect.h

//------------------------------------------------------------------------
//Функции для определения факта запуска приложения под виртуальной машиной
//   определяются VirtualBox, VMware, VirtualPC и Parallels Workstation
//------------------------------------------------------------------------
#include <windows.h>
#include <Tlhelp32.h>
#include <iphlpapi.h>

#pragma comment(lib, "IPHLPAPI.lib")

//обнаружение VMware с помощью backdoor-порта
bool VMwareDetect();

//обнаружение VirtualPC с помощью "неправильных" команд процессора
bool VirtualPCDetect();

//обнаружение VMware имени окна "VMSwitchUserControlClass"
bool VMwareWindowDetect();

//обнаружение VirtualBox имени окна "VBoxTrayToolWndClass"
bool VirtualBoxWindowDetect();

//обнаружение VMware по версии BIOS в реестре
bool VMwareBIOSDetect();

//обнаружение VirtualBox по версии BIOS видеоадаптера в реестре
bool VirtualBoxBIOSDetect();

//обнаружение Parallels Workstatin по наличию ключа PRLSACPI в реестре
bool ParallelsRegDetect();

//обнаружение VirtualBox по имени процесса "VBoxTray.exe"
bool VirtualBoxProcessDetect();

//обнаружение VirtualPC по имени процесса "vmusrvc.exe"
bool VirtualPCProcessDetect();

//обнаружение VMware по имени процесса "vmtoolsd.exe"
bool VMwareProcessDetect();

//обнаружение VirtualBox по имени объекта "Device\VBoxMiniRdrDN" и "Device\VBoxGuest"
bool VirtualBoxDevObjDetect();

//обнаружение VirtualPC по имени объекта "Device\\VMDRV"
bool VirtualPCDevObjDetect();

//обнаружение VirtualBox по идентификатору процессора
bool VirtualBoxCPUIDDetect();

//обнаружение VMware по идентификатору процессора
bool VMwareCPUIDDetect();

//обнаружение Parallels Workstatin по идентификатору процессора
bool ParallelsCPUIDDetect();

//обнаружение VirtualPC по MAC-адресу
bool VirtualPCMACDetect();

//обнаружение VirtualBox по MAC-адресу
bool VirtualBoxMACDetect();

//обнаружение VMware по MAC-адресу
bool VMwareMACDetect();

//обнаружение Parallels Workstatin по MAC-адресу
bool ParallelsMACDetect();

//обнаружение виртуальной машины по идентификатору жесткого диска
//для VirtualPC IDDisk - "DiskVirtual"
//для VirtualBox IDDisk - "DiskVBOX_HARDDISK"
//для VMware IDDisk - "Prod_VMware_Virtual"
bool VirtualMachineIDDiskDetect(char* IDDisk);

//обнаружение Parallels Workstatin по видеоадаптеру
bool ParallelsVideoCardDetect();

//обнаружение VirtualBox по видеоадаптеру
bool VirtualBoxVideoCardDetect();

//обнаружение VirtualPC по видеоадаптеру
bool VirtualPCVideoCardDetect();

VirtualMachineDetect.cpp

#include "VirtualMachineDetect.h"

//----------------------------------------------------------------------
bool VMwareDetect()
{
__try
	{
	__asm
  {
  mov eax, 0x564d5868
  mov ecx, 0x0A
  mov edx, 0x5658
  in eax, dx 
  }
	return true;
	}
__except(EXCEPTION_EXECUTE_HANDLER) 
	{
	return false;
	}
}
//----------------------------------------------------------------------
bool VirtualPCDetect()
{
__try
	{
	__asm
  {
  xor ebx, ebx
  mov eax, 1
  __emit(0x0F)
  __emit(0x3F)
  __emit(0x07)
  __emit(0x0B)  
  }
	return true;
	}
__except(EXCEPTION_EXECUTE_HANDLER) 
	{
  return false;
	}
}
//----------------------------------------------------------------------
bool VMwareWindowDetect()
{
HWND VMwareWindow = NULL;
VMwareWindow = FindWindowA("VMSwitchUserControlClass",NULL);
if(VMwareWindow != NULL)
	{
	return true;
	}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxWindowDetect()
{
HWND VBoxWindow = NULL;
VBoxWindow = FindWindowA("VBoxTrayToolWndClass",NULL);
if(VBoxWindow != NULL)
	{
	return true;
	}
return false;
}
//----------------------------------------------------------------------
bool VMwareBIOSDetect()
{
HKEY rKey;
wchar_t RegKey[256];
wchar_t RegVMware[] = {L"VMware Virtual Platform"};
DWORD RegPath = sizeof(RegKey);

RegOpenKeyEx(HKEY_LOCAL_MACHINE,
    L"HARDWARE\\DESCRIPTION\\System\\BIOS",
    0,
    KEY_QUERY_VALUE,
    &rKey);

RegQueryValueEx(rKey,
    L"SystemProductName",
    NULL,
    NULL,
    (BYTE*)RegKey,
    &RegPath);

RegCloseKey(rKey);

if (memcmp(RegKey, RegVMware, 48) == 0)
	{	
	return true;
	}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxBIOSDetect()
{
HKEY rKey;
wchar_t RegKey[256];
wchar_t RegVBox[] = {L"Oracle VM VirtualBox"};
DWORD RegPath = sizeof(RegKey);

RegOpenKeyEx(HKEY_LOCAL_MACHINE,
    L"HARDWARE\\DESCRIPTION\\System",
    0,
    KEY_QUERY_VALUE,
    &rKey);

RegQueryValueEx(rKey,
    L"VideoBiosVersion",
    NULL,
    NULL,
    (BYTE*)RegKey,
    &RegPath);

RegCloseKey(rKey);

if (memcmp(RegKey, RegVBox, 40) == 0)
	{
	return true;
	}
return false;
}
//----------------------------------------------------------------------
bool ParallelsRegDetect()
{
HKEY rKey;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
    L"HARDWARE\\ACPI\\DSDT\\PRLS__\\PRLSACPI",
    0,
    KEY_QUERY_VALUE,
    &rKey) == ERROR_SUCCESS)
	{
	RegCloseKey(rKey);
	return true;
	}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxProcessDetect()
{
wchar_t VBoxProcessName[] = {L"VBoxTray.exe"};
PROCESSENTRY32 pe;
HANDLE hSnapShot;
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
ZeroMemory (&pe, sizeof(PROCESSENTRY32W));
pe.dwSize = sizeof(PROCESSENTRY32W); 
Process32First(hSnapShot, &pe);
do
{
if (memcmp(pe.szExeFile, VBoxProcessName, 24) == 0)
	{
  CloseHandle(hSnapShot);
  return true;
	}	
}
while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);
return false;
}
//----------------------------------------------------------------------
bool VirtualPCProcessDetect()
{
wchar_t VirtualPCProcessName[] = {L"vmusrvc.exe"};
PROCESSENTRY32 pe;
HANDLE hSnapShot;
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
ZeroMemory (&pe, sizeof(PROCESSENTRY32W));
pe.dwSize = sizeof(PROCESSENTRY32W); 
Process32First(hSnapShot, &pe);
do
{
if (memcmp(pe.szExeFile, VirtualPCProcessName, 22) == 0)
	{
  CloseHandle(hSnapShot);
  return true;
	}	
}
while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);
return false;
}
//----------------------------------------------------------------------
bool VMwareProcessDetect()
{
wchar_t VMwareProcessName[] = {L"vmtoolsd.exe"};
PROCESSENTRY32 pe;
HANDLE hSnapShot;
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
ZeroMemory (&pe, sizeof(PROCESSENTRY32W));
pe.dwSize = sizeof(PROCESSENTRY32W); 
Process32First(hSnapShot, &pe);
do
{
if (memcmp(pe.szExeFile, VMwareProcessName, 24) == 0)
	{
  CloseHandle(hSnapShot);
  return true;
	}	
}
while (Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxDevObjDetect()
{
if ((CreateFile(L"\\\\.\\VBoxMiniRdrDN",0,0,0,OPEN_EXISTING,0,0) !=
	INVALID_HANDLE_VALUE)||
	(CreateFile(L"\\\\.\\VBoxGuest",0,0,0,OPEN_EXISTING,0,0) !=
	INVALID_HANDLE_VALUE))
	{
	return true;
	}
else
	{
	return false;
	}
}
//----------------------------------------------------------------------
bool VirtualPCDevObjDetect()
{
if (CreateFile(L"\\\\.\\VMDRV",0,0,0,OPEN_EXISTING,0,0) !=
	INVALID_HANDLE_VALUE)
	{
	return true;
	}
else
	{
	return false;
	}
}
//----------------------------------------------------------------------
bool VirtualBoxCPUIDDetect()
{
DWORD ID_1, ID_2, ID_3;
_asm
	{
	mov eax, 0x1
	cpuid
	mov eax, 0x40000000
	cpuid
	mov ID_1, ebx
	mov ID_2, ecx
	mov ID_3, edx
	}
if ((ID_1 == 0x00000340)&&(ID_2 == 0x00000340))
	{
	return true;
	}
else
	{
	return false;
	}
}
//----------------------------------------------------------------------
bool VMwareCPUIDDetect()
{
DWORD ID_1, ID_2, ID_3;
_asm
	{
	mov eax, 0x1
	cpuid
	mov eax, 0x40000000
	cpuid
	mov ID_1, ebx
	mov ID_2, ecx
	mov ID_3, edx
	}
if ((ID_1 == 0x61774d56)&&(ID_2 == 0x4d566572)&&(ID_3 == 0x65726177))
	{
	return true;
	}
else
	{
	return false;
	}
}
//----------------------------------------------------------------------
bool ParallelsCPUIDDetect()
{
DWORD ID_1, ID_2, ID_3;
_asm
	{
	mov eax, 0x1
	cpuid
	mov eax, 0x40000000
	cpuid
	mov ID_1, ebx
	mov ID_2, ecx
	mov ID_3, edx
	}
if ((ID_1 == 0x70726c20)&&(ID_2 == 0x68797065)&&(ID_3 == 0x72762020))
	{
	return true;
	}
else
	{
	return false;
	}
}
//----------------------------------------------------------------------
bool VirtualPCMACDetect()
{
PIP_ADAPTER_INFO AdapterInfo = NULL;
DWORD OutBufLen;
GetAdaptersInfo(AdapterInfo, &OutBufLen);
AdapterInfo = (PIP_ADAPTER_INFO) new(char[OutBufLen]);
GetAdaptersInfo(AdapterInfo, &OutBufLen);
if (((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x03) &&
	((BYTE)AdapterInfo->Address[2] == 0xff) ||
	((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x12) &&
	((BYTE)AdapterInfo->Address[2] == 0x5a) ||
	((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x1d) &&
	((BYTE)AdapterInfo->Address[2] == 0xd8) ||
	((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x15) &&
	((BYTE)AdapterInfo->Address[2] == 0x5d) ||
	((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x22) &&
	((BYTE)AdapterInfo->Address[2] == 0x48) ||
	((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x0d) &&
	((BYTE)AdapterInfo->Address[2] == 0x3a) ||
	((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x17) &&
	((BYTE)AdapterInfo->Address[2] == 0xfa) ||
	((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x25) &&
	((BYTE)AdapterInfo->Address[2] == 0xae) ||
	((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x50) &&
	((BYTE)AdapterInfo->Address[2] == 0xf2) ||
	((BYTE)AdapterInfo->Address[0] == 0x28) &&
	((BYTE)AdapterInfo->Address[1] == 0x18) &&
	((BYTE)AdapterInfo->Address[2] == 0x78) ||
	((BYTE)AdapterInfo->Address[0] == 0x60) &&
	((BYTE)AdapterInfo->Address[1] == 0x45) &&
	((BYTE)AdapterInfo->Address[2] == 0xbd) ||
	((BYTE)AdapterInfo->Address[0] == 0x7c) &&
	((BYTE)AdapterInfo->Address[1] == 0x1e) &&
	((BYTE)AdapterInfo->Address[2] == 0x52) ||
	((BYTE)AdapterInfo->Address[0] == 0x7c) &&
	((BYTE)AdapterInfo->Address[1] == 0xed) &&
	((BYTE)AdapterInfo->Address[2] == 0x8d) ||
	((BYTE)AdapterInfo->Address[0] == 0xdc) &&
	((BYTE)AdapterInfo->Address[1] == 0xb4) &&
	((BYTE)AdapterInfo->Address[2] == 0xc4))
	{
	delete(AdapterInfo);
	return true;
	}
else
	{
	delete(AdapterInfo);
	return false;
	}  
}
//----------------------------------------------------------------------
bool VirtualBoxMACDetect()
{
PIP_ADAPTER_INFO AdapterInfo = NULL;
DWORD OutBufLen;
GetAdaptersInfo(AdapterInfo, &OutBufLen);
AdapterInfo = (PIP_ADAPTER_INFO) new(char[OutBufLen]);
GetAdaptersInfo(AdapterInfo, &OutBufLen);
if (((BYTE)AdapterInfo->Address[0] == 0x08) &&
	((BYTE)AdapterInfo->Address[1] == 0x00) &&
	((BYTE)AdapterInfo->Address[2] == 0x27) ||
	((BYTE)AdapterInfo->Address[0] == 0x08) &&
	((BYTE)AdapterInfo->Address[1] == 0x00) &&
	((BYTE)AdapterInfo->Address[2] == 0x20))
	{
	delete(AdapterInfo);
	return true;
	}
else
	{
	delete(AdapterInfo);
	return false;
	}  
}
//----------------------------------------------------------------------

bool VMwareMACDetect()
{
PIP_ADAPTER_INFO AdapterInfo = NULL;
DWORD OutBufLen;
GetAdaptersInfo(AdapterInfo, &OutBufLen);
AdapterInfo = (PIP_ADAPTER_INFO) new(char[OutBufLen]);
GetAdaptersInfo(AdapterInfo, &OutBufLen);
if (((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x05) &&
	((BYTE)AdapterInfo->Address[2] == 0x69) ||
	((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x0c) &&
	((BYTE)AdapterInfo->Address[2] == 0x29) ||
	((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x1c) &&
	((BYTE)AdapterInfo->Address[2] == 0x14) ||
	((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x50) &&
	((BYTE)AdapterInfo->Address[2] == 0x56))
	{
	delete(AdapterInfo);
	return true;
	}
else
	{
	delete(AdapterInfo);
	return false;
	}  
}
//----------------------------------------------------------------------
bool ParallelsMACDetect()
{
PIP_ADAPTER_INFO AdapterInfo = NULL;
DWORD OutBufLen;
GetAdaptersInfo(AdapterInfo, &OutBufLen);
AdapterInfo = (PIP_ADAPTER_INFO) new(char[OutBufLen]);
GetAdaptersInfo(AdapterInfo, &OutBufLen);
if (((BYTE)AdapterInfo->Address[0] == 0x00) &&
	((BYTE)AdapterInfo->Address[1] == 0x1c) &&
	((BYTE)AdapterInfo->Address[2] == 0x42))
	{
	delete(AdapterInfo);
	return true;
	}
else
	{
	delete(AdapterInfo);
	return false;
	}  
}
//----------------------------------------------------------------------
bool VirtualMachineIDDiskDetect(char* IDDisk)
{
HKEY rKey;
char RegKey[4096];
DWORD RegPath = sizeof(RegKey);
DWORD Type = REG_SZ;

RegOpenKeyExA(HKEY_LOCAL_MACHINE,
    "SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum",
    0,
    KEY_QUERY_VALUE,
    &rKey);

RegQueryValueExA(rKey,
    "0",
    NULL,
    &Type,
    (LPBYTE)RegKey,
    &RegPath);

RegCloseKey(rKey);

if (strstr(RegKey, IDDisk) != 0)
	{
	return true;
	}
return false;
}
//----------------------------------------------------------------------
bool ParallelsVideoCardDetect()
{
HKEY rKey;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
    L"SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_1AB8&DEV_4005&SUBSYS_04001AB8&REV_00",
    0,
    KEY_QUERY_VALUE,
    &rKey) == ERROR_SUCCESS)
	{
	RegCloseKey(rKey);
	return true;
	}
return false;
}
//----------------------------------------------------------------------
bool VirtualBoxVideoCardDetect()
{
HKEY rKey;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
    L"SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00",
    0,
    KEY_QUERY_VALUE,
    &rKey) == ERROR_SUCCESS)
	{
	RegCloseKey(rKey);
	return true;
	}
return false;
}
//----------------------------------------------------------------------
bool VirtualPCVideoCardDetect()
{
HKEY rKey;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
    L"SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00",
    0,
    KEY_QUERY_VALUE,
    &rKey) == ERROR_SUCCESS)
	{
	RegCloseKey(rKey);
	return true;
	}
return false;
}
//----------------------------------------------------------------------

Они же на пастебин
http://pastebin.com/ifRxHXC0
http://pastebin.com/j50TPtjn

 

[ximera]

О норм, надо что-то накатать на основании этого.

 

[valentin_p]

источник:

http://www.anti-reversing.com/category/the-a-r-f-project/

 

[DeScWD]

спасибо, полезная статья

 

[n3utrino]

На github есть замечательный проект по теме - pafish

Pafish is a demo tool that performs some anti(debugger/VM/sandbox) tricks. Most of them are often used by malware to avoid debugging and dynamic analysis.

 

[klink]

bool IsSandboxed() 
{
	HANDLE hPhysicalDriveIOCTL = 0;
	int j = 0,k = 0;
	char szModel[128],szBuffer[128];
	char *szDrives[] = {
  "qemu",
  "virtual",
  "vmware",
  NULL
	};
	
	hPhysicalDriveIOCTL = CreateFile ("\\\\.\\PhysicalDrive0", 0,FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,OPEN_EXISTING, 0, NULL);
	if (hPhysicalDriveIOCTL != INVALID_HANDLE_VALUE)
	{
  STORAGE_PROPERTY_QUERY query;
  DWORD cbBytesReturned = 0;
  memset ((void *) & query, 0, sizeof (query));
  query.PropertyId = StorageDeviceProperty;
  memset (szBuffer, 0, sizeof (szBuffer));
  memset (szModel, 0, sizeof (szModel));
  if (DeviceIoControl(hPhysicalDriveIOCTL, IOCTL_STORAGE_QUERY_PROPERTY,& query,sizeof (query),& szBuffer,sizeof (szBuffer),& cbBytesReturned, NULL)){ 
  	STORAGE_DEVICE_DESCRIPTOR *descrip = (STORAGE_DEVICE_DESCRIPTOR*)&szBuffer;
  	int pos = descrip->ProductIdOffset;
  	int m = 0;
  	for(int g = pos;szBuffer[g] != '\0';g++){
    szModel[m++] = szBuffer[g];
  	}
  	CharLowerBuff(szModel,strlen(szModel));
  	for (int i = 0; i < (sizeof(szDrives)/sizeof(LPSTR)) - 1; i++ ) {
    if (szDrives[i][0] != 0) {
    	if(strstr(szModel,szDrives[i]))
      return TRUE;
    }
  	}
  }
  CloseHandle (hPhysicalDriveIOCTL);
	}
	return FALSE;
}

if(IsSandboxed() || GetModuleHandle("SbieDll.dll") || GetModuleHandle("SbieDllX.dll")) 
{
	ExitProcess(0);
}