Skip to content

Commit

Permalink
Merge pull request #7 from NotRequiem/main
Browse files Browse the repository at this point in the history 
Fixed some MSVC errors
  • Loading branch information
@kernelwernel
kernelwernel authored Nov 20, 2023
2 parents 4a94339 + 4f4a1ff commit 6cba84d
Showing 1 changed file with 74 additions and 53 deletions.
127 changes: 74 additions & 53 deletions src/vmaware.hpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
* A C++ VM detection library
*
* - Made by: @kernelwernel (https://github.com/kernelwernel)
* - Contributed by @Requirem (https://github.com/NotRequiem)
* - Repository: https://github.com/kernelwernel/VMAware
* - Docs: https://github.com/kernelwernel/VMAware/docs/documentation.md
* - Full credits: https://github.com/kernelwernel/VMAware#credits
Expand Down Expand Up @@ -168,12 +169,8 @@ struct VM {

// check if file exists
#if (MSVC)
[[nodiscard]] static bool exists(LPCSTR path) {
GetFileAttributes(path);
return (!(
(INVALID_FILE_ATTRIBUTES == GetFileAttributes(path)) &&
(GetLastError() == ERROR_FILE_NOT_FOUND)
));
[[nodiscard]] static bool exists(LPCWSTR path) {
return (GetFileAttributesW(path) != INVALID_FILE_ATTRIBUTES) || (GetLastError() != ERROR_FILE_NOT_FOUND);
}
#else
[[nodiscard]] static bool exists(const char* path) {
Expand Down Expand Up @@ -1596,10 +1593,17 @@ struct VM {
LONG ret;
BOOL isWow64 = FALSE;

if (IsWow64Process(GetCurrentProcess(), &isWow64) && isWow64) {
ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE, regkey_s, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
} else {
ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE, regkey_s, 0, KEY_READ, &regkey);
if (IsWow64Process(GetCurrentProcess(), &isWow64) && isWow64) {
wchar_t wRegKey[MAX_PATH];
MultiByteToWideChar(CP_ACP, 0, regkey_s, -1, wRegKey, MAX_PATH);

ret = RegOpenKeyExW(HKEY_LOCAL_MACHINE, wRegKey, 0, KEY_READ | KEY_WOW64_64KEY, &regkey);
}
else {
wchar_t wRegKey[MAX_PATH];
MultiByteToWideChar(CP_ACP, 0, regkey_s, -1, wRegKey, MAX_PATH);

ret = RegOpenKeyExW(HKEY_LOCAL_MACHINE, wRegKey, 0, KEY_READ, &regkey);
}

if (ret == ERROR_SUCCESS) {
Expand Down Expand Up @@ -1720,7 +1724,7 @@ struct VM {
TCHAR user[UNLEN+1];
DWORD user_len = UNLEN+1;
GetUserName((TCHAR*)user, &user_len);
std::string u = user;
std::string u(user, user + user_len);

#ifdef __VMAWARE_DEBUG__
debug("USER: ", "output = ", u);
Expand Down Expand Up @@ -1757,16 +1761,18 @@ struct VM {
return false;
}

return (exists("C:\\analysis"));
// Use wide string literal
return exists(L"C:\\analysis");
#endif
} catch (...) {
} catch (...) {
#ifdef __VMAWARE_DEBUG__
debug("SUNBELT: catched error, returned false");
#endif
return false;
}



/**
* @brief Check for VM-specific DLLs
* @category Windows
Expand Down Expand Up @@ -1876,12 +1882,13 @@ struct VM {
}

HKEY hKey;
bool result = (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools", 0, KEY_QUERY_VALUE, &hKey) == ERROR_SUCCESS);

// Use wide string literal
bool result = (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\VMware, Inc.\\VMware Tools", 0, KEY_QUERY_VALUE, &hKey) == ERROR_SUCCESS);

#ifdef __VMAWARE_DEBUG__
debug("VMWARE_REG: result = ", result);
#endif

if (result == true) {
return add(VMWARE);
}
Expand All @@ -1896,6 +1903,7 @@ struct VM {
}



/**
* @brief Check if the mouse coordinates have changed after 5 seconds
* @note Some VMs are automatic without a human due to mass malware scanning being a thing
Expand Down Expand Up @@ -1962,7 +1970,7 @@ struct VM {
}

HMODULE k32;
k32 = GetModuleHandle("kernel32.dll");
k32 = GetModuleHandle(TEXT("kernel32.dll"));

if (k32 != NULL) {
return (GetProcAddress(k32, "wine_get_unix_file_name") != NULL);
Expand Down Expand Up @@ -2034,43 +2042,42 @@ struct VM {
u8 vbox = 0;
u8 vmware = 0;

constexpr std::array<const char*, 26> files = {
constexpr std::array<const wchar_t*, 26> files = {
// VMware
"C:\\windows\\System32\\Drivers\\Vmmouse.sys",
"C:\\windows\\System32\\Drivers\\vm3dgl.dll",
"C:\\windows\\System32\\Drivers\\vmdum.dll",
"C:\\windows\\System32\\Drivers\\VmGuestLibJava.dll",
"C:\\windows\\System32\\Drivers\\vm3dver.dll",
"C:\\windows\\System32\\Drivers\\vmtray.dll",
"C:\\windows\\System32\\Drivers\\VMToolsHook.dll",
"C:\\windows\\System32\\Drivers\\vmGuestLib.dll",
"C:\\windows\\System32\\Drivers\\vmhgfs.dll",
"C:\\windows\\System32\\Driversvmhgfs.dll",

L"C:\\windows\\System32\\Drivers\\Vmmouse.sys",
L"C:\\windows\\System32\\Drivers\\vm3dgl.dll",
L"C:\\windows\\System32\\Drivers\\vmdum.dll",
L"C:\\windows\\System32\\Drivers\\VmGuestLibJava.dll",
L"C:\\windows\\System32\\Drivers\\vm3dver.dll",
L"C:\\windows\\System32\\Drivers\\vmtray.dll",
L"C:\\windows\\System32\\Drivers\\VMToolsHook.dll",
L"C:\\windows\\System32\\Drivers\\vmGuestLib.dll",
L"C:\\windows\\System32\\Drivers\\vmhgfs.dll",
L"C:\\windows\\System32\\Drivers\\vmhgfs.dll", // Note: there's a typo in the original code
// VBox
"C:\\windows\\System32\\Drivers\\VBoxMouse.sys",
"C:\\windows\\System32\\Drivers\\VBoxGuest.sys",
"C:\\windows\\System32\\Drivers\\VBoxSF.sys",
"C:\\windows\\System32\\Drivers\\VBoxVideo.sys",
"C:\\windows\\System32\\vboxoglpackspu.dll",
"C:\\windows\\System32\\vboxoglpassthroughspu.dll",
"C:\\windows\\System32\\vboxservice.exe",
"C:\\windows\\System32\\vboxoglcrutil.dll",
"C:\\windows\\System32\\vboxdisp.dll",
"C:\\windows\\System32\\vboxhook.dll",
"C:\\windows\\System32\\vboxmrxnp.dll",
"C:\\windows\\System32\\vboxogl.dll",
"C:\\windows\\System32\\vboxtray.exe",
"C:\\windows\\System32\\VBoxControl.exe",
"C:\\windows\\System32\\vboxoglerrorspu.dll",
"C:\\windows\\System32\\vboxoglfeedbackspu.dll",
L"C:\\windows\\System32\\Drivers\\VBoxMouse.sys",
L"C:\\windows\\System32\\Drivers\\VBoxGuest.sys",
L"C:\\windows\\System32\\Drivers\\VBoxSF.sys",
L"C:\\windows\\System32\\Drivers\\VBoxVideo.sys",
L"C:\\windows\\System32\\vboxoglpackspu.dll",
L"C:\\windows\\System32\\vboxoglpassthroughspu.dll",
L"C:\\windows\\System32\\vboxservice.exe",
L"C:\\windows\\System32\\vboxoglcrutil.dll",
L"C:\\windows\\System32\\vboxdisp.dll",
L"C:\\windows\\System32\\vboxhook.dll",
L"C:\\windows\\System32\\vboxmrxnp.dll",
L"C:\\windows\\System32\\vboxogl.dll",
L"C:\\windows\\System32\\vboxtray.exe",
L"C:\\windows\\System32\\VBoxControl.exe",
L"C:\\windows\\System32\\vboxoglerrorspu.dll",
L"C:\\windows\\System32\\vboxoglfeedbackspu.dll",
};

for (const auto file : files) {
if (exists(file)) {
const auto regex = std::regex(file, std::regex::icase);
const auto regex = std::wregex(file, std::regex::icase);

if (std::regex_search("vbox", regex)) {
if (std::regex_search(L"vbox", regex)) {
#ifdef __VMAWARE_DEBUG__
debug("VM_FILES: found vbox file = ", file);
#endif
Expand All @@ -2084,6 +2091,7 @@ struct VM {
}
}


#ifdef __VMAWARE_DEBUG__
debug("VM_FILES: vmware score: ", vmware);
debug("VM_FILES: vbox score: ", vbox);
Expand Down Expand Up @@ -2275,7 +2283,19 @@ struct VM {
NTSTATUS(WINAPI *RtlGetVersion)(LPOSVERSIONINFOEXW);
OSVERSIONINFOEXW osInfo;

*(FARPROC*)&RtlGetVersion = GetProcAddress(GetModuleHandleA("ntdll"), "RtlGetVersion");
HMODULE ntdllModule = GetModuleHandleA("ntdll");

if (ntdllModule == nullptr) {
return false;
}

*(FARPROC*)&RtlGetVersion = GetProcAddress(ntdllModule, "RtlGetVersion");

if (NULL == RtlGetVersion) {
return false;
}

// Note: At this point, RtlGetVersion may be uninitialized if the previous block failed

if (NULL != RtlGetVersion) {
osInfo.dwOSVersionInfoSize = sizeof(osInfo);
Expand Down Expand Up @@ -2512,13 +2532,14 @@ struct VM {

if (Process32First(hSnapshot, &pe)) {
do {
if (pe.szExeFile == proc) {
// Use strcmp for narrow string comparison
if (strcmp(pe.szExeFile, proc) == 0) {
present = true;
break;
}
} while (Process32Next(hSnapshot, &pe));
}

CloseHandle(hSnapshot);

return present;
Expand Down Expand Up @@ -2554,7 +2575,7 @@ struct VM {
check_proc("vmwareuser.exe") ||
check_proc("vmware.exe") ||
check_proc("vmount2.exe")
) {
) {
return ret(VMWARE);
}

Expand All @@ -2564,9 +2585,9 @@ struct VM {

return false;
#endif
} catch (...) {
} catch (...) {
#ifdef __VMAWARE_DEBUG__
debug("VM_PROCESSES: catched error, returned false");
debug("VM_PROCESSES: caught error, returned false");
#endif
return false;
}
Expand Down

0 comments on commit 6cba84d

Please sign in to comment.