Merge pull request ayoubfaouzi#205 from LordNoteworthy/Noteworthy

fix wrong path names in vmware_files() and vbox_files() to adapt to w…
0xF0F1FA · Mar 22, 2020 · db9b49c · db9b49c
2 parents 0648108 + cbb02d5
commit db9b49c
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 26 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 
 #### 0.80
 
+- Fixed path names in vmware_files() and vbox_files() due to wow64 fs redirection.
 - Fixed string comparaison in check_adapter_name().
 - Anti anti-debug trick: trap flag.
 - Add check for well known names used by malware sandboxes.

diff --git a/al-khaser/AntiVM/VMWare.cpp b/al-khaser/AntiVM/VMWare.cpp
@@ -63,15 +63,19 @@ VOID vmware_files()
 {
 	/* Array of strings of blacklisted paths */
 	const TCHAR* szPaths[] = {
-		_T("system32\\drivers\\vmmouse.sys"),
-		_T("system32\\drivers\\vmhgfs.sys"),
-		_T("system32\\drivers\\vm3dmp.sys"),
-		_T("system32\\drivers\\vmci.sys"),
-		_T("system32\\drivers\\vmhgfs.sys"),
-		_T("system32\\drivers\\vmmemctl.sys"),
-		_T("system32\\drivers\\vmmouse.sys"),
-		_T("system32\\drivers\\vmrawdsk.sys"),
-		_T("system32\\drivers\\vmusbmouse.sys"),
+		_T("SysNative\\drivers\\vmnet.sys"),
+		_T("SysNative\\drivers\\vmmouse.sys"),
+		_T("SysNative\\drivers\\vmusb.sys"),
+		_T("SysNative\\drivers\\vm3dmp.sys"),
+		_T("SysNative\\drivers\\vmci.sys"),
+		_T("SysNative\\drivers\\vmhgfs.sys"),
+		_T("SysNative\\drivers\\vmmemctl.sys"),
+		_T("SysNative\\drivers\\vmx86.sys"),
+		_T("SysNative\\drivers\\vmrawdsk.sys"),
+		_T("SysNative\\drivers\\vmusbmouse.sys"),
+		_T("SysNative\\drivers\\vmkdb.sys"),
+		_T("SysNative\\drivers\\vmnetuserif.sys"),
+		_T("SysNative\\drivers\\vmnetadapter.sys"),
 	};
 
 	/* Getting Windows Directory */

diff --git a/al-khaser/AntiVM/VirtualBox.cpp b/al-khaser/AntiVM/VirtualBox.cpp
@@ -69,23 +69,23 @@ VOID vbox_files()
 {
 	/* Array of strings of blacklisted paths */
 	const TCHAR* szPaths[] = {
-		_T("system32\\drivers\\VBoxMouse.sys"),
-		_T("system32\\drivers\\VBoxGuest.sys"),
-		_T("system32\\drivers\\VBoxSF.sys"),
-		_T("system32\\drivers\\VBoxVideo.sys"),
-		_T("system32\\vboxdisp.dll"),
-		_T("system32\\vboxhook.dll"),
-		_T("system32\\vboxmrxnp.dll"),
-		_T("system32\\vboxogl.dll"),
-		_T("system32\\vboxoglarrayspu.dll"),
-		_T("system32\\vboxoglcrutil.dll"),
-		_T("system32\\vboxoglerrorspu.dll"),
-		_T("system32\\vboxoglfeedbackspu.dll"),
-		_T("system32\\vboxoglpackspu.dll"),
-		_T("system32\\vboxoglpassthroughspu.dll"),
-		_T("system32\\vboxservice.exe"),
-		_T("system32\\vboxtray.exe"),
-		_T("system32\\VBoxControl.exe"),
+		_T("SysNative\\drivers\\VBoxMouse.sys"),
+		_T("SysNative\\drivers\\VBoxGuest.sys"),
+		_T("SysNative\\drivers\\VBoxSF.sys"),
+		_T("SysNative\\drivers\\VBoxVideo.sys"),
+		_T("SysNative\\vboxdisp.dll"),
+		_T("SysNative\\vboxhook.dll"),
+		_T("SysNative\\vboxmrxnp.dll"),
+		_T("SysNative\\vboxogl.dll"),
+		_T("SysNative\\vboxoglarrayspu.dll"),
+		_T("SysNative\\vboxoglcrutil.dll"),
+		_T("SysNative\\vboxoglerrorspu.dll"),
+		_T("SysNative\\vboxoglfeedbackspu.dll"),
+		_T("SysNative\\vboxoglpackspu.dll"),
+		_T("SysNative\\vboxoglpassthroughspu.dll"),
+		_T("SysNative\\vboxservice.exe"),
+		_T("SysNative\\vboxtray.exe"),
+		_T("SysNative\\VBoxControl.exe"),
 	};
 
 	/* Getting Windows Directory */