add disk size space using IoDeviceControl

README.md

@@ -1,4 +1,4 @@
-##Al-Khaser v0.63
+##Al-Khaser v0.64
 
 ![Logo](https://www.mindmeister.com/files/avatars/0035/8332/original/avatar.jpg)
 
@@ -81,9 +81,10 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 - CreateTimerQueueTimer (todo)
 - Big crypto loops (todo)
 
-### Human Interaction [Anti-Sandbox]
+### Human Interaction / Generic [Anti-Sandbox]
 - Mouse movement
 - Total Physical memory (GlobalMemoryStatusEx)
+- Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
 - Mouse (Single click / Double click) (todo)
 - DialogBox (todo)
 - Scrolling (todo)

al-khaser/Al-khaser.cpp

@@ -7,7 +7,7 @@ int main(void)
 	resize_console_window();
 
 	/* Display general informations */
-	_tprintf(_T("[al-khaser version 0.63]"));
+	_tprintf(_T("[al-khaser version 0.64]"));
 	print_os();
 
 	if (IsWoW64())
@@ -50,6 +50,7 @@ int main(void)
 	exec_check(&str_trick, TEXT("Checking Global Descriptor Table location: "));
 	exec_check(&number_cores_wmi, TEXT("Checking Number of cores in machine using WMI: "));
 	exec_check(&disk_size_wmi, TEXT("Checking hard disk size using WMI: "));
+	exec_check(&dizk_size_deviceiocontrol, TEXT("Checking hard disk size using DeviceIoControl: "));
 	exec_check(&setupdi_diskdrive, TEXT("Checking SetupDi_diskdrive: "));
 	exec_check(&mouse_movement, TEXT("Checking mouse movement: "));
 	exec_check(&memory_space, TEXT("Checking memory space using GlobalMemoryStatusEx: "));

al-khaser/Anti VM/Generic.cpp

@@ -253,6 +253,50 @@ BOOL disk_size_wmi()
 }
 
 
+/*
+DeviceIoControl works with disks directly rather than partitions (GetDiskFreeSpaceEx)
+We can send IOCTL_DISK_GET_LENGTH_INFO code to get the raw byte size of the physical disk
+*/
+BOOL dizk_size_deviceiocontrol()
+{
+	HANDLE hDevice = INVALID_HANDLE_VALUE;
+	BOOL bResult = FALSE;
+	GET_LENGTH_INFORMATION size = { 0 };
+	DWORD lpBytesReturned = 0;
+	LONGLONG minHardDiskSize = (80LL * (1024LL * (1024LL * (1024LL))));
+
+	hDevice = CreateFile(_T("\\\\.\\PhysicalDrive0"),
+		GENERIC_READ,                // no access to the drive
+		FILE_SHARE_READ, 			// share mode
+		NULL,						// default security attributes
+		OPEN_EXISTING,				// disposition
+		0,							// file attributes
+		NULL);						// do not copy file attributes
+
+	if (hDevice == INVALID_HANDLE_VALUE) {
+		CloseHandle(hDevice);
+		return FALSE;
+	}
+
+	bResult = DeviceIoControl(
+		hDevice,					// device to be queried
+		IOCTL_DISK_GET_LENGTH_INFO, // operation to perform
+		NULL, 0,					// no input buffer
+		&size, sizeof(GET_LENGTH_INFORMATION),
+		&lpBytesReturned,			// bytes returned
+		(LPOVERLAPPED) NULL);   // synchronous I/O
+
+	if (bResult != NULL) {
+		if (size.Length.QuadPart < minHardDiskSize) // 80GB
+			bResult = TRUE;
+		else
+			bResult = FALSE;
+	}
+
+	CloseHandle(hDevice);
+	return bResult;
+}
+
 
 BOOL setupdi_diskdrive()
 {

al-khaser/Anti VM/Generic.h

@@ -2,6 +2,7 @@
 #include <tchar.h>
 #include <Winternl.h>
 #include <devguid.h>    // Device guids
+#include <winioctl.h>	// IOCTL
 #include <SetupAPI.h>
 #pragma comment(lib, "setupapi.lib")
 
@@ -17,4 +18,5 @@ BOOL number_cores_wmi();
 BOOL disk_size_wmi();
 BOOL setupdi_diskdrive();
 BOOL mouse_movement();
-BOOL memory_space();
+BOOL memory_space();
+BOOL dizk_size_deviceiocontrol();