2009年1月11日日曜日

Detect Vmware, VirtualPc, VirtualBox, Qemu, Anubis, Theat Ex

//-----------------------------------------------------------------------------
// Object: detect Vmware, VirtualBox, VirtualPc, Qemu, Anubis and Threat Expert by comparing virtual disk model description
//----------------------------------------------------------------------------

#include
#include
#include "Drive.h"

// Code was originally written by Lynn McGuire
// http://www.winsim.com/diskid32/winio/diskid32.cpp

// Virtual Harddisk Model Desciptions have to be in uppercase
PCHAR pVirtualDriveModelNames[] = {"VBOX HARDDRIVE",
"QEMU HARDDISK",
"VMWARE VIRTUAL IDE HARD DRIVE",
"VIRTUAL HD"};

//-----------------------------------------------------------------------------
// Name: GetFirstPhysicalDriveModelNames
// Object: get model name of the first found physical drive
// Parameters :
// in :
// out :
// return : model description on success or NULL
// caller have to free mem on success!
//-----------------------------------------------------------------------------
PSTR GetFirstPhysicalDriveModelNames()
{
HANDLE hDrive;
DWORD dwBytesReturned = 0;
DWORD dwCnt;
BYTE bIDInCmd = 0;
SENDCMDINPARAMS Scip;
BYTE pIDOutCmd[sizeof(SENDCMDOUTPARAMS) + IDENTIFY_BUFFER_SIZE - 1];
PIDSECTOR pIdSector;
GETVERSIONOUTPARAMS VersionParams;
PSTR pszModel = malloc(sizeof(pIdSector->sModelNumber));

// Open first physical drive
hDrive = CreateFileA("\\\\.\\PhysicalDrive0",
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL);

if (hDrive == INVALID_HANDLE_VALUE)
{
printf ("Unable to open physical drive 0, error code: 0x%lX\n", GetLastError ());
goto Error;
}

memset (&VersionParams, 0, sizeof(VersionParams));

// Get the version and co, of previousliy opened physical drive driver
if (!DeviceIoControl(hDrive,
DFP_GET_VERSION,
NULL,
0,
&VersionParams,
sizeof(VersionParams),
&dwBytesReturned,
NULL))
{
printf ("DFP_GET_VERSION failed error code: 0x%lX\n", GetLastError ());
goto Error;
}

// Is there bit map of IDE devices?
if (VersionParams.bIDEDeviceMap > 0)
{
// Get ID sector and decide if its a ATAPI or ATA disk
bIDInCmd = (VersionParams.bIDEDeviceMap & 0x10) ? IDE_ATAPI_IDENTIFY : IDE_ATA_IDENTIFY;

memset (&Scip, 0, sizeof(Scip));
memset (pIDOutCmd, 0, sizeof(pIDOutCmd));

// Set up data structures for IDENTIFY command
Scip.cBufferSize = IDENTIFY_BUFFER_SIZE;
Scip.irDriveRegs.bFeaturesReg = 0;
Scip.irDriveRegs.bSectorCountReg = 1;
Scip.irDriveRegs.bSectorNumberReg = 1;
Scip.irDriveRegs.bCylLowReg = 0;
Scip.irDriveRegs.bCylHighReg = 0;

// Compute the drive number
Scip.irDriveRegs.bDriveHeadReg = 0xA0 | (1 << 4);

// The command can either be IDE identify or ATAPI identify
Scip.irDriveRegs.bCommandReg = bIDInCmd;
Scip.bDriveNumber = 0;
Scip.cBufferSize = IDENTIFY_BUFFER_SIZE;

// Get drive data
if(!DeviceIoControl(hDrive,
DFP_RECEIVE_DRIVE_DATA,
(LPVOID) &Scip,
sizeof(SENDCMDINPARAMS) - 1,
(LPVOID) pIDOutCmd,
sizeof(SENDCMDOUTPARAMS) + IDENTIFY_BUFFER_SIZE - 1,
&dwBytesReturned,
NULL))
{
printf ("DFP_RECEIVE_DRIVE_DATA failed error code: 0x%lX\n", GetLastError ());
goto Error;
}

// Point to IDSECTOR
pIdSector = (PIDSECTOR)((PSENDCMDOUTPARAMS)pIDOutCmd)->bBuffer;

// Exchange every two bytes of sModelNumber
for(dwCnt = 0; dwCnt < sizeof(pIdSector->sModelNumber); dwCnt+=2)
{
pszModel[dwCnt+1] = pIdSector->sModelNumber[dwCnt];
pszModel[dwCnt] = pIdSector->sModelNumber[dwCnt+1];
}

// Add ending
pszModel[dwCnt] = '\0';

return CharUpperA(pszModel);
}

Error:
free(pszModel);
if(hDrive)
CloseHandle(hDrive);
return NULL;
}

//-----------------------------------------------------------------------------
// Name: PrintSandboxed
// Object: print a message through CreateFile which will be analysed by the
// sandbox and will appear in the report file
// Parameters :
// in : PSTR pszMsg : print message
// out :
// return :
//-----------------------------------------------------------------------------
void PrintSandboxed(PSTR pszMsg)
{
HANDLE hFile;
hFile = CreateFileA(pszMsg, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);

if(hFile != INVALID_HANDLE_VALUE)
CloseHandle(hFile);
}

int main()
{
DWORD dwCnt;
PSTR pszModel = GetFirstPhysicalDriveModelNames();

printf(pszModel);

// Compare each model name
for(dwCnt = 0; dwCnt < sizeof(pVirtualDriveModelNames)/sizeof(PSTR); ++dwCnt)
{
if(strstr(pszModel,pVirtualDriveModelNames[dwCnt]))
{
PrintSandboxed("Found virtual machine or emulator");
goto CleanUp;
}
}

PrintSandboxed("We are running on a real system");

CleanUp:

// GetFirstPhysicalDriveModelNames
free(pszModel);

return 0;
}

0 件のコメント:

コメントを投稿