Fix and enable Anti-VM routines

h4ckl4bm3 · Jun 17, 2017 · 7a37936 · 7a37936
1 parent ea5662c
commit 7a37936
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 20 deletions.
diff --git a/al-khaser/Al-khaser.cpp b/al-khaser/Al-khaser.cpp
@@ -59,7 +59,7 @@ int main(void)
 	exec_check(&cpuid_hypervisor_vendor, TEXT("Checking hypervisor vendor using cpuid(0x40000000)"));
 	exec_check(&accelerated_sleep, TEXT("Check if time has been accelerated: "));
 
-	///* VirtualBox Detection */
+	/* VirtualBox Detection */
 	print_category(TEXT("VirtualBox Detection"));
 	vbox_reg_key_value();
 	exec_check(&vbox_dir, TEXT("Checking dir oracle\\virtualbox guest additions\\: "));
@@ -84,10 +84,27 @@ int main(void)
 	vmware_devices();
 	exec_check(&vmware_dir, TEXT("Checking VMWare directory: "));
 
+	/* Virtual PC Detection */
+	print_category(TEXT("Virtual PC Detection"));
+	virtual_pc_process();
+
+	/* QEMU Detection */
+	print_category(TEXT("QEMU Detection"));
+	qemu_reg_key_value();
+
+	/* Xen Detection */
+	print_category(TEXT("Xen Detection"));
+	xen_process();
+
 	/* Wine Detection */
+	print_category(TEXT("Wine Detection"));
 	exec_check(&wine_exports, TEXT("Checking Wine via dll exports: "));
 	wine_reg_keys();
 
+	/* Paralles Detection */
+	print_category(TEXT("Paralles Detection"));
+	parallels_process();
+
 	/* Code injections techniques */
 	//CreateRemoteThread_Injection();
 	//SetWindowsHooksEx_Injection();

diff --git a/al-khaser/Anti VM/Parallels.cpp b/al-khaser/Anti VM/Parallels.cpp
@@ -14,10 +14,11 @@ VOID parallels_process()
 	WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);
 	for (int i = 0; i < iLength; i++)
 	{
-		_tprintf(TEXT("[*] Checking Parallels process: %s"), szProcesses[i]);
+		TCHAR msg[256] = _T("");
+		_stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking Parallels processes: %s"), szProcesses[i]);
 		if (GetProcessIdFromName(szProcesses[i]))
-			print_detected();
+			print_results(TRUE, msg);
 		else
-			print_not_detected();
+			print_results(FALSE, msg);
 	}
 }
diff --git a/al-khaser/Anti VM/Qemu.cpp b/al-khaser/Anti VM/Qemu.cpp
@@ -16,10 +16,11 @@ VOID qemu_reg_key_value()
 
 	for (int i = 0; i < dwLength; i++)
 	{
-		_tprintf(_T("[*] Checking reg key %s:"), szEntries[i][0]);
+		TCHAR msg[256] = _T("");
+		_stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking reg key %s: "), szEntries[i][0]);
 		if (Is_RegKeyValueExists(HKEY_LOCAL_MACHINE, szEntries[i][0], szEntries[i][1], szEntries[i][2]))
-			print_detected();
+			print_results(TRUE, msg);
 		else
-			print_not_detected();
+			print_results(FALSE, msg);
 	}
 }
diff --git a/al-khaser/Anti VM/VirtualPC.cpp b/al-khaser/Anti VM/VirtualPC.cpp
@@ -14,10 +14,11 @@ VOID virtual_pc_process()
 	WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);
 	for (int i = 0; i < iLength; i++)
 	{
-		_tprintf(TEXT("[*] Checking VirtualPC process: %s"), szProcesses[i]);
+		TCHAR msg[256] = _T("");
+		_stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking Virtual PC processes %s: "), szProcesses[i]);
 		if (GetProcessIdFromName(szProcesses[i]))
-			print_detected();
+			print_results(TRUE, msg);
 		else
-			print_not_detected();
+			print_results(FALSE, msg);
 	}
-}
+}
diff --git a/al-khaser/Anti VM/Wine.cpp b/al-khaser/Anti VM/Wine.cpp
@@ -22,8 +22,6 @@ BOOL wine_exports()
 		return TRUE;
 }
 
-
-
 /*
 Check against Wine registry keys
 */

diff --git a/al-khaser/Anti VM/Xen.cpp b/al-khaser/Anti VM/Xen.cpp
@@ -13,10 +13,11 @@ VOID xen_process()
 	WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);
 	for (int i = 0; i < iLength; i++)
 	{
-		_tprintf(TEXT("[*] Checking Citrix Xen process: %s"), szProcesses[i]);
+		TCHAR msg[256] = _T("");
+		_stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking Citrix Xen process: "), szProcesses[i]);
 		if (GetProcessIdFromName(szProcesses[i]))
-			print_detected();
+			print_results(TRUE, msg);
 		else
-			print_not_detected();
+			print_results(FALSE, msg);
 	}
 }
diff --git a/al-khaser/Shared/Common.cpp b/al-khaser/Shared/Common.cpp
@@ -2,10 +2,10 @@
 #include "Utils.h"
 #include "log.h"
 
-VOID print_detected() 
+VOID print_detected()
 {
 	/* Get handle to standard output */
-	HANDLE nStdHandle = GetStdHandle(STD_OUTPUT_HANDLE);  
+	HANDLE nStdHandle = GetStdHandle(STD_OUTPUT_HANDLE);
 	CONSOLE_SCREEN_BUFFER_INFO ConsoleScreenBufferInfo;
 	SecureZeroMemory(&ConsoleScreenBufferInfo, sizeof(CONSOLE_SCREEN_BUFFER_INFO));
 
@@ -18,10 +18,10 @@ VOID print_detected()
 	SetConsoleTextAttribute(nStdHandle, OriginalColors);
 }
 
-VOID print_not_detected() 
+VOID print_not_detected()
 {
 	/* Get handle to standard output */
-	HANDLE nStdHandle = GetStdHandle(STD_OUTPUT_HANDLE);  
+	HANDLE nStdHandle = GetStdHandle(STD_OUTPUT_HANDLE);
 	CONSOLE_SCREEN_BUFFER_INFO ConsoleScreenBufferInfo;
 	SecureZeroMemory(&ConsoleScreenBufferInfo, sizeof(CONSOLE_SCREEN_BUFFER_INFO));
 

diff --git a/al-khaser/Shared/Main.h b/al-khaser/Shared/Main.h
@@ -36,6 +36,10 @@
 #include "..\Anti VM\VMware.h"
 #include "..\Anti VM\Wine.h"
 #include "..\Anti VM\Generic.h"
+#include "..\Anti VM\VirtualPC.h"
+#include "..\Anti VM\QEMU.h"
+#include "..\Anti VM\Xen.h"
+#include "..\Anti VM\Parallels.h"
 
 /* Code Injections Headers */
 #include "..\Code Injections\CreateRemoteThread.h"
-Original file line number
+Diff line change
@@ Expand Up / @@ -22,8 +22,6 @@ BOOL wine_exports() @@
     		return TRUE;
     }
     /*
     Check against Wine registry keys
     */
@@ Expand Down @@