Added new generic WMI VM checks

Now checking Win32_CacheMemory, Win32_PhysicalMemory, Win32_MemoryDevice, Win32_MemoryArray, Win32_VoltageProbe, Win32_PortConnector, Win32_SMBIOSMemory, ThermalZoneInfo performance counters, CIM_Memory, CIM_Sensor, CIM_NumericSensor, CIM_TemperatureSensor, CIM_VoltageSensor, CIM_PhysicalConnector, and CIM_Slot.
0xF0F1FA · Apr 13, 2019 · fe0684b · fe0684b
1 parent 9c209b6
commit fe0684b
Show file tree

Hide file tree

Showing 3 changed files with 279 additions and 0 deletions.
diff --git a/al-khaser/Al-khaser.cpp b/al-khaser/Al-khaser.cpp
@@ -127,6 +127,21 @@ int main(void)
 		exec_check(&power_capabilities, TEXT("Checking power capabilities "));
 		exec_check(&cpu_fan_wmi, TEXT("Checking CPU fan using WMI "));
 		exec_check(&query_license_value, TEXT("Checking NtQueryLicenseValue with Kernel-VMDetection-Private "));
+		exec_check(&cachememory_wmi, TEXT("Checking Win32_CacheMemory with WMI "));
+		exec_check(&physicalmemory_wmi, TEXT("Checking Win32_PhysicalMemory with WMI "));
+		exec_check(&memorydevice_wmi, TEXT("Checking Win32_MemoryDevice with WMI "));
+		exec_check(&memoryarray_wmi, TEXT("Checking Win32_MemoryArray with WMI "));
+		exec_check(&voltageprobe_wmi, TEXT("Checking Win32_VoltageProbe with WMI "));
+		exec_check(&portconnector_wmi, TEXT("Checking Win32_PortConnector with WMI "));
+		exec_check(&smbiosmemory_wmi, TEXT("Checking Win32_SMBIOSMemory with WMI "));
+		exec_check(&perfctrs_thermalzoneinfo_wmi, TEXT("Checking ThermalZoneInfo performance counters with WMI "));
+		exec_check(&cim_memory_wmi, TEXT("Checking CIM_Memory with WMI "));
+		exec_check(&cim_sensor_wmi, TEXT("Checking CIM_Sensor with WMI "));
+		exec_check(&cim_numericsensor_wmi, TEXT("Checking CIM_NumericSensor with WMI "));
+		exec_check(&cim_temperaturesensor_wmi, TEXT("Checking CIM_TemperatureSensor with WMI "));
+		exec_check(&cim_voltagesensor_wmi, TEXT("Checking CIM_VoltageSensor with WMI "));
+		exec_check(&cim_physicalconnector_wmi, TEXT("Checking CIM_PhysicalConnector with WMI "));
+		exec_check(&cim_slot_wmi, TEXT("Checking CIM_Slot with WMI "));
 	}
 
 	/* VirtualBox Detection */

diff --git a/al-khaser/AntiVM/Generic.cpp b/al-khaser/AntiVM/Generic.cpp
@@ -1117,3 +1117,251 @@ BOOL query_license_value()
 
 	return FALSE;
 }
+
+int wmi_query_count(const _TCHAR* query)
+{
+	IWbemServices *pSvc = NULL;
+	IWbemLocator *pLoc = NULL;
+	IEnumWbemClassObject* pEnumerator = NULL;
+	BOOL bStatus = FALSE;
+	HRESULT hRes;
+
+	int count = 0;
+
+	// Init WMI
+	bStatus = InitWMI(&pSvc, &pLoc, _T("ROOT\\CIMV2"));
+	if (bStatus)
+	{
+		// If success, execute the desired query
+		bStatus = ExecWMIQuery(&pSvc, &pLoc, &pEnumerator, query);
+		if (bStatus)
+		{
+			// Get the data from the query
+			IWbemClassObject *pclsObj = NULL;
+			ULONG uReturn = 0;
+
+			// Iterate over our enumator
+			while (pEnumerator)
+			{
+				hRes = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);
+				if (0 == uReturn)
+					break;
+
+				count++;
+
+				pclsObj->Release();
+			}
+
+			// Cleanup
+			pEnumerator->Release();
+			pSvc->Release();
+			pLoc->Release();
+			CoUninitialize();
+		}
+		else
+		{
+			pSvc->Release();
+			pLoc->Release();
+			CoUninitialize();
+		}
+	}
+	else return -1;
+
+	return count;
+}
+
+/*
+Check Win32_CacheMemory for entries
+*/
+BOOL cachememory_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM Win32_CacheMemory"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check Win32_PhysicalMemory for entries
+*/
+BOOL physicalmemory_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM Win32_PhysicalMemory"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check Win32_MemoryDevice for entries
+*/
+BOOL memorydevice_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM Win32_MemoryDevice"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check Win32_MemoryArray for entries
+*/
+BOOL memoryarray_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM Win32_MemoryArray"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check Win32_VoltageProbe for entries
+*/
+BOOL voltageprobe_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM Win32_VoltageProbe"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check Win32_PortConnector for entries
+*/
+BOOL portconnector_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM Win32_PortConnector"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check Win32_SMBIOSMemory for entries
+*/
+BOOL smbiosmemory_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM Win32_SMBIOSMemory"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check Win32_PerfFormattedData_Counters_ThermalZoneInformation for entries
+*/
+BOOL perfctrs_thermalzoneinfo_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM Win32_PerfFormattedData_Counters_ThermalZoneInformation"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check CIM_Memory for entries
+*/
+BOOL cim_memory_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM CIM_Memory"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check CIM_NumericSensor for entries
+*/
+BOOL cim_numericsensor_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM CIM_NumericSensor"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check CIM_PhysicalConnector for entries
+*/
+BOOL cim_physicalconnector_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM CIM_PhysicalConnector"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check CIM_Sensor for entries
+*/
+BOOL cim_sensor_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM CIM_Sensor"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check CIM_Slot for entries
+*/
+BOOL cim_slot_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM CIM_Slot"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check CIM_TemperatureSensor for entries
+*/
+BOOL cim_temperaturesensor_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM CIM_TemperatureSensor"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/*
+Check CIM_VoltageSensor for entries
+*/
+BOOL cim_voltagesensor_wmi()
+{
+	int count = wmi_query_count(_T("SELECT * FROM CIM_VoltageSensor"));
+	if (count == 0)
+	{
+		return TRUE;
+	}
+	return FALSE;
+}
+
diff --git a/al-khaser/AntiVM/Generic.h b/al-khaser/AntiVM/Generic.h
@@ -25,3 +25,19 @@ BOOL power_capabilities();
 BOOL hybridanalysismacdetect();
 BOOL cpu_fan_wmi();
 BOOL query_license_value();
+BOOL cachememory_wmi();
+BOOL physicalmemory_wmi();
+BOOL memorydevice_wmi();
+BOOL memoryarray_wmi();
+BOOL voltageprobe_wmi();
+BOOL portconnector_wmi();
+BOOL smbiosmemory_wmi();
+BOOL perfctrs_thermalzoneinfo_wmi();
+BOOL cim_memory_wmi();
+BOOL cim_numericsensor_wmi();
+BOOL cim_physicalconnector_wmi();
+BOOL cim_sensor_wmi();
+BOOL cim_slot_wmi();
+BOOL cim_temperaturesensor_wmi();
+BOOL cim_voltagesensor_wmi();
+