#include <windows.h>
#include <TlHelp32.h>
#include <Setupapi.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
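/*
 * Each check below looks for one artifact that a hypervisor or an analysis
 * host commonly leaves behind (guest-integration processes and windows, a
 * hypervisor CPU flag, disk and device names, guest driver files, CPU count)
 * and prints a line on stdout when it finds it. None of them returns a value.
 * The empty "()" parameter lists of the original were unprototyped
 * declarations; "(void)" makes the zero-argument contract explicit.
 */
void vmx_check(void);
void process_name_check(void);
void class_name_check(void);
void cpuid_check(void);
void cpu_cores_check(void);
void registry_check(void);
void devices_check(void);
void drivers_check(void);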
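/*
 * Entry point: runs every artifact check in a fixed order. Results are only
 * printed; the exit status is always 0. argc/argv are accepted for a
 * conventional signature but not used, hence the explicit casts to silence
 * unused-parameter warnings.
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;
    process_name_check();
    class_name_check();
    vmx_check();
    cpuid_check();
    cpu_cores_check();
    registry_check();
    devices_check();
    drivers_check();
    return 0;
}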
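/*
 * Takes a Toolhelp snapshot of the running processes and prints every image
 * name that matches (case-insensitively) a short table of analysis tools and
 * hypervisor guest services. Prints an error line and returns if the snapshot
 * or the first enumeration call fails.
 *
 * Fixes over the original: the snapshot handle is checked against
 * INVALID_HANDLE_VALUE, it is closed on every path (it was leaked before), the
 * table length is derived from the array instead of a hard-coded 8, and the
 * first snapshot entry is no longer skipped.
 *
 * NOTE(review): string handling assumes a non-UNICODE build (szExeFile is a
 * char array), as the original did.
 */
void process_name_check(void)
{
    static const char *const process_name[] = {
        "regshot.exe", "wireshark.exe", "vmtoolsd.exe", "vboxtray.exe",
        "vboxservice.exe", "filemon.exe", "procmon.exe", "vmacthlp.exe"
    };
    const size_t name_count = sizeof process_name / sizeof process_name[0];
    PROCESSENTRY32 pe;
    HANDLE psnap;
    size_t i;

    psnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (psnap == INVALID_HANDLE_VALUE)
    {
        printf("There was an error in retrieving the process information\n");
        return;
    }

    /* dwSize must be set before the first call or Process32First fails. */
    pe.dwSize = sizeof pe;
    if (!Process32First(psnap, &pe))
    {
        printf("There was an error in retrieving the process information\n");
        CloseHandle(psnap);
        return;
    }

    /* do/while so the entry returned by Process32First is compared as well. */
    do
    {
        for (i = 0; i < name_count; i++)
        {
            if (lstrcmpi(process_name[i], pe.szExeFile) == 0)
            {
                printf("Found process: %s\n", pe.szExeFile);
            }
        }
    } while (Process32Next(psnap, &pe));

    CloseHandle(psnap);
}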
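/*
 * Prints a line when the system reports exactly one logical processor, a
 * configuration far more common in sandbox VMs than on physical hosts.
 *
 * The original read the count with x86 inline assembly through undocumented
 * offsets (fs:[0x18] -> TEB, +0x30 -> PEB, +0x64 -> NumberOfProcessors on
 * 32-bit Windows), which only builds with the MSVC x86 compiler and breaks if
 * those layouts change. GetSystemInfo() exposes the same number through a
 * documented API and works on every Windows target.
 */
void cpu_cores_check(void)
{
    SYSTEM_INFO si;

    GetSystemInfo(&si);
    if (si.dwNumberOfProcessors == 1)
    {
        printf("Only 1 CPU core assigned to the VM\n");
    }
}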
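/*
 * Queries CPUID leaf 1 and prints a line when the "hypervisor present" flag
 * is set. Intel and AMD reserve ECX bit 31 of leaf 1 for virtual machine
 * monitors to advertise themselves; it is clear on physical CPUs.
 *
 * Bug fixed: the original masked ECX with 0x1, i.e. bit 0 (SSE3 support),
 * which is set on practically every CPU made in the last fifteen years, so
 * the check reported "Hypervisor found" on bare metal as well. The mask is
 * now 0x80000000. The asm is MSVC x86 inline syntax, as in the original.
 */
void cpuid_check(void)
{
    int hypervisor_present = 0;
    __asm
    {
        pushad
        mov eax, 0x1
        cpuid
        test ecx, 0x80000000   /* leaf 1, ECX bit 31: hypervisor present */
        jz done
        xor eax, eax
        inc eax
        mov hypervisor_present, eax
    done:
        popad
    }
    if (hypervisor_present == 1)
    {
        printf("Hypervisor found\n");
    }
}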
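/*
 * Prints a line for every top-level window whose class name matches one of
 * the VMware guest-tools window classes in the table.
 *
 * Bug fixed: the original looped while i < 5 over a four-element table, so the
 * last iteration read window_names[4] past the end of the array (undefined
 * behaviour, and FindWindow was handed whatever pointer happened to be there).
 * The bound is now derived from the array itself.
 */
void class_name_check(void)
{
    static const char *const window_names[] = {
        "VMDisplayChangeControlClass", "VMwareDragDetWndClass",
        "vmtoolsdControlWndClass", "VMwareTrayIcon"
    };
    const size_t name_count = sizeof window_names / sizeof window_names[0];
    size_t i;

    for (i = 0; i < name_count; i++)
    {
        if (FindWindow(window_names[i], NULL) != NULL)
        {
            printf("Found window name: %s\n", window_names[i]);
        }
    }
}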
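/*
 * Reads value "0" of HKLM\SYSTEM\ControlSet001\Services\Disk\Enum (the first
 * enumerated disk's identifier string), lower-cases it and prints a line for
 * each hypervisor vendor substring found in it. Silently returns when the key
 * or value cannot be read, as the original effectively did.
 *
 * Fixes over the original: RegOpenKeyEx/RegQueryValueEx return codes are
 * checked (the old code scanned an uninitialised 256-byte buffer on failure,
 * and failed outright for values longer than 256 bytes); the size argument is
 * a DWORD as the API requires; the buffer is sized from the registry and gets
 * one extra zeroed byte because REG_SZ data is not guaranteed to be
 * NUL-terminated; the key handle is closed and the buffer freed on every path.
 */
void registry_check(void)
{
    static const char *const vm_names[] = {"vmware", "qemu", "xen"};
    const size_t name_count = sizeof vm_names / sizeof vm_names[0];
    HKEY hkey;
    DWORD size = 0;
    char *buffer = NULL;
    size_t i, j;
    LONG rc;

    rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
                      0, KEY_READ, &hkey);
    if (rc != ERROR_SUCCESS)
    {
        return;
    }

    /* First call with a NULL buffer only reports the required size. */
    rc = RegQueryValueEx(hkey, "0", NULL, NULL, NULL, &size);
    if (rc != ERROR_SUCCESS)
    {
        goto out_close;
    }
    buffer = calloc((size_t)size + 1, 1);
    if (buffer == NULL)
    {
        goto out_close;
    }
    rc = RegQueryValueEx(hkey, "0", NULL, NULL, (LPBYTE)buffer, &size);
    if (rc != ERROR_SUCCESS)
    {
        goto out_free;
    }

    /* Cast to unsigned char: tolower() on a negative char is undefined. */
    for (i = 0; buffer[i] != '\0'; i++)
    {
        buffer[i] = (char)tolower((unsigned char)buffer[i]);
    }
    for (j = 0; j < name_count; j++)
    {
        if (strstr(buffer, vm_names[j]) != NULL)
        {
            printf("Found string %s in Registry\n", vm_names[j]);
        }
    }

out_free:
    free(buffer);
out_close:
    RegCloseKey(hkey);
}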
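/*
 * Probes the VMware guest "backdoor" I/O port: with the magic 0x564d5868
 * ("VMXh") in EAX, port 0x5658 ("VX") in DX and command 0xa (get version) in
 * ECX, an IN instruction under VMware returns the magic in EBX. Prints a line
 * when the magic comes back.
 *
 * Bug fixed: on physical hardware (and on most other hypervisors) IN is a
 * privileged instruction in user mode and raises an exception. The original
 * had no handler, so the whole program crashed instead of reporting nothing.
 * The probe is now wrapped in MSVC structured exception handling; the asm
 * itself is unchanged MSVC x86 inline syntax.
 */
void vmx_check(void)
{
    int found = 0;
    __try
    {
        __asm
        {
            pushad
            mov eax, 0x564d5868
            mov edx, 0x5658
            mov ecx, 0xa
            in eax, dx
            cmp ebx, 0x564d5868
            jnz done
            xor eax, eax
            inc eax
            mov found, eax
        done:
            popad
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* Privileged-instruction fault: no VMware backdoor here. */
        found = 0;
    }
    if (found == 1)
    {
        printf("Found VMX backdoor\n");
    }
}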
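/*
 * Enumerates every present device (all setup classes), fetches each one's
 * description string, lower-cases it and prints the description once per
 * hypervisor vendor substring it contains.
 *
 * Fixes over the original: the flag value 6 and property 0 are spelled with
 * their SetupAPI names (DIGCF_PRESENT | DIGCF_ALLCLASSES, SPDRP_DEVICEDESC);
 * the device-info handle is checked and released with
 * SetupDiDestroyDeviceInfoList; the size query is checked, so a device without
 * a description no longer feeds an uninitialised size into the allocator;
 * calloc(0x40, size) (64 times the needed space) becomes calloc(size + 1, 1);
 * and the per-device buffer is freed instead of leaked on every iteration.
 */
void devices_check(void)
{
    static const char *const vm_names[] = {"vmware", "qemu", "xen"};
    const size_t name_count = sizeof vm_names / sizeof vm_names[0];
    HDEVINFO devinfo;
    SP_DEVINFO_DATA DeviceInfoData;
    DWORD index;
    DWORD size;
    char *buffer;
    size_t j, k;

    devinfo = SetupDiGetClassDevs(NULL, NULL, NULL, DIGCF_PRESENT | DIGCF_ALLCLASSES);
    if (devinfo == INVALID_HANDLE_VALUE)
    {
        return;
    }
    DeviceInfoData.cbSize = sizeof DeviceInfoData;

    for (index = 0; SetupDiEnumDeviceInfo(devinfo, index, &DeviceInfoData); index++)
    {
        /* Sizing call: fails with ERROR_INSUFFICIENT_BUFFER and fills size.
           Any other failure means the device has no description; skip it. */
        size = 0;
        if (!SetupDiGetDeviceRegistryProperty(devinfo, &DeviceInfoData, SPDRP_DEVICEDESC,
                                              NULL, NULL, 0, &size)
            && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
        {
            continue;
        }
        /* One extra zeroed byte guarantees a terminator for strstr(). */
        buffer = calloc((size_t)size + 1, 1);
        if (buffer == NULL)
        {
            break;
        }
        if (SetupDiGetDeviceRegistryProperty(devinfo, &DeviceInfoData, SPDRP_DEVICEDESC,
                                             NULL, (PBYTE)buffer, size, NULL))
        {
            for (j = 0; buffer[j] != '\0'; j++)
            {
                buffer[j] = (char)tolower((unsigned char)buffer[j]);
            }
            for (k = 0; k < name_count; k++)
            {
                if (strstr(buffer, vm_names[k]) != NULL)
                {
                    printf("Found Device Name: %s\n", buffer);
                }
            }
        }
        free(buffer);
    }

    SetupDiDestroyDeviceInfoList(devinfo);
}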
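/*
 * Builds the full path of each known hypervisor guest driver under the
 * hard-coded system drivers directory and prints a line for each file that
 * exists (GetFileAttributes succeeds).
 *
 * Fixes over the original: the table length comes from the array instead of a
 * literal 8, and the strcpy/strcat pair is preceded by an explicit length
 * check so the 256-byte buffer can never be overrun if an entry is lengthened.
 *
 * NOTE(review): the directory is hard-coded to c:\windows; on installations
 * with a different %SystemRoot% these files would not be found.
 */
void drivers_check(void)
{
    static const char *const basedir = "c:\\windows\\system32\\drivers\\";
    static const char *const driver_names[] = {
        "vmci.sys", "vmhgfs.sys", "vmmouse.sys", "vmscsi.sys",
        "vmusbmouse.sys", "vmx_svga.sys", "vmxnet.sys", "VBoxMouse.sys"
    };
    const size_t name_count = sizeof driver_names / sizeof driver_names[0];
    const size_t base_len = strlen(basedir);
    char buffer[256];
    size_t i;

    for (i = 0; i < name_count; i++)
    {
        /* Reserve one byte for the terminator before concatenating. */
        if (base_len + strlen(driver_names[i]) >= sizeof buffer)
        {
            continue;
        }
        strcpy(buffer, basedir);
        strcat(buffer, driver_names[i]);
        if (GetFileAttributes(buffer) != INVALID_FILE_ATTRIBUTES)
        {
            printf("Found driver: %s\n", driver_names[i]);
        }
    }
}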