re a0rtega#33 Add VMware MAC detection, minor refactor

kaze0mx · May 30, 2015 · ea28881 · ea28881
1 parent 6cae2f7
commit ea28881
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 30 deletions.
diff --git a/pafish/main.c b/pafish/main.c
@@ -401,6 +401,14 @@ int main(void)
 	}
 	else print_not_traced();
 
+	printf("[*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... ");
+	if (vmware_mac() == TRUE) {
+		write_log("VMware traced using MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56");
+		print_traced();
+		write_trace("hi_vmware");
+	}
+	else print_not_traced();
+
 	printf("[*] Looking for pseudo devices ... ");
 	if (vmware_devices(TRUE) == TRUE) {
 		/* Log written inside function */

diff --git a/pafish/utils.c b/pafish/utils.c
@@ -1,8 +1,13 @@
 
+#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <windows.h>
 #include <ctype.h>
+#include <winsock2.h>
+#include <iphlpapi.h>
+#include <tlhelp32.h>
 
 #include "utils.h"
 #include "types.h"
@@ -122,3 +127,34 @@ inline int pafish_exists_file(char * filename) {
 	return (res != INVALID_FILE_ATTRIBUTES) ? TRUE : FALSE;
 }
 
+int pafish_check_mac_vendor(char * mac_vendor) {
+	WSADATA WSD;
+	int res = FALSE;
+
+	if(!WSAStartup(MAKEWORD(2,2),&WSD)){
+		unsigned long alist_size = 0;
+		int ret = GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,0,&alist_size);
+		if(ret==ERROR_BUFFER_OVERFLOW) {
+			IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size);
+			if(palist) {
+				GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,palist,&alist_size);
+				IP_ADAPTER_ADDRESSES* ppalist=palist;
+				char mac[6]={0};
+				while (ppalist){
+					if (ppalist->PhysicalAddressLength==0x6){
+						memcpy(mac,ppalist->PhysicalAddress,0x6);
+						if (!memcmp(mac_vendor, mac, 3)) { /* First 3 bytes are the same */
+							res = TRUE;
+							break;
+						}
+					}
+					ppalist = ppalist->Next;
+				}
+				LocalFree(palist);
+			}
+		}
+		WSACleanup();
+	}
+	return res;
+}
+
diff --git a/pafish/utils.h b/pafish/utils.h
@@ -14,4 +14,6 @@ inline int pafish_exists_regkey_value_str(HKEY, char *, char *, char *);
 
 inline int pafish_exists_file(char * filename);
 
+int pafish_check_mac_vendor(char * mac_vendor);
+
 #endif
diff --git a/pafish/vbox.c b/pafish/vbox.c
@@ -1,11 +1,9 @@
 
 #define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */
 
-#include <winsock2.h>
 #include <windows.h>
 #include <string.h>
 #include <stdio.h>
-#include <iphlpapi.h>
 #include <tlhelp32.h>
 
 #include "vbox.h"
@@ -153,34 +151,8 @@ int vbox_sysfile2(int writelogs) {
 * NIC MAC check
 **/
 int vbox_mac() {
-	WSADATA WSD;
-	int res = FALSE;
-
-	if(!WSAStartup(MAKEWORD(2,2),&WSD)){
-		unsigned long alist_size = 0;
-		int ret = GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,0,&alist_size);
-		if(ret==ERROR_BUFFER_OVERFLOW) {
-			IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size);
-			if(palist) {
-				GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,palist,&alist_size);
-				IP_ADAPTER_ADDRESSES* ppalist=palist;
-				char mac[6]={0};
-				while (ppalist){
-					if (ppalist->PhysicalAddressLength==0x6){
-						memcpy(mac,ppalist->PhysicalAddress,0x6);
-						if(mac[0]==0x08 && mac[1]==0x00 && mac[2]==0x27) { // VirtualBox mac starts with 08:00:27
-							res = TRUE;
-							break;
-						}
-					}
-					ppalist = ppalist->Next;
-				}
-				LocalFree(palist);
-			}
-		}
-		WSACleanup();
-	}
-	return res;
+	/* VirtualBox mac starts with 08:00:27 */
+	return pafish_check_mac_vendor("\x08\x00\x27");
 }
 
 /**

diff --git a/pafish/vmware.c b/pafish/vmware.c
@@ -30,6 +30,31 @@ int vmware_sysfile2() {
 	return pafish_exists_file("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys");
 }
 
+int vmware_mac() {
+	/*
+		VMware is any of
+		00:05:69
+		00:0C:29
+		00:1C:14
+		00:50:56
+	*/
+	if (pafish_check_mac_vendor("\x00\x05\x69")) {
+		return TRUE;
+	}
+	else if (pafish_check_mac_vendor("\x00\x0C\x29")) {
+		return TRUE;
+	}
+	else if (pafish_check_mac_vendor("\x00\x1C\x14")) {
+		return TRUE;
+	}
+	else if (pafish_check_mac_vendor("\x00\x50\x56")) {
+		return TRUE;
+	}
+	else {
+		return FALSE;
+	}
+}
+
 int vmware_devices(int writelogs) {
 	HANDLE h;
 	const int count = 2;

diff --git a/pafish/vmware.h b/pafish/vmware.h
@@ -10,6 +10,8 @@ int vmware_sysfile1();
 
 int vmware_sysfile2();
 
+int vmware_mac();
+
 int vmware_devices();
 
 #endif
Original file line number	Diff line number	Diff line change
Expand Up		@@ -14,4 +14,6 @@ inline int pafish_exists_regkey_value_str(HKEY, char , char , char *);

		inline int pafish_exists_file(char * filename);

		int pafish_check_mac_vendor(char * mac_vendor);

		#endif