From f3290f3097749c4a704cec4466df1d728a3e8c0d Mon Sep 17 00:00:00 2001
From: Existential-Kernel
Date: Fri, 1 Dec 2023 00:50:32 +0000
Subject: [PATCH] msvc gamarue test
---
 src/vmaware.hpp | 69 ++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 66 insertions(+), 3 deletions(-)
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
index b6179e3..3184d9c 100644
--- a/src/vmaware.hpp
+++ b/src/vmaware.hpp
@@ -213,6 +213,7 @@ struct VM {
 static constexpr const char* VPC = "Virtual PC";
 static constexpr const char* ANUBIS = "Anubis";
 static constexpr const char* JOEBOX = "JoeBox";
+ static constexpr const char* THREADEXPERT = "Thread Expert";
 // VM scoreboard table specifically for VM::brand()
 #if (MSVC)
@@ -519,6 +520,9 @@ struct VM {
 MEMORY = 1ULL << 35,
 VM_PROCESSES = 1ULL << 36,
 LINUX_USER_HOST = 1ULL << 37,
+ WINDOWS_NUMBER = 1ULL << 38,
+ VBOX_WINDOW_CLASS = 1ULL << 39,
+ GAMARUE = 1ULL << 40,
 // settings
 NO_MEMO = 1ULL << 63,
@@ -2053,7 +2057,7 @@ struct VM {
 L"C:\\windows\\System32\\Drivers\\VMToolsHook.dll",
 L"C:\\windows\\System32\\Drivers\\vmGuestLib.dll",
 L"C:\\windows\\System32\\Drivers\\vmhgfs.dll",
- L"C:\\windows\\System32\\Drivers\\vmhgfs.dll", // Note: there's a typo in the original code
+
 // VBox
 L"C:\\windows\\System32\\Drivers\\VBoxMouse.sys",
 L"C:\\windows\\System32\\Drivers\\VBoxGuest.sys",
@@ -2632,7 +2636,7 @@ struct VM {
 * @author Al-Khaser Project
 */
 [[nodiscard]] static bool vbox_window_class() try {
- if disabled(VBOX_WINDOW_CLASS) {
+ if (disabled(VBOX_WINDOW_CLASS)) {
 return false;
 }
@@ -2692,6 +2696,63 @@ struct VM {
 }
+ /**
+ * @brief Gamarue ransomware check
+ * @category Windows
+ */
+ [[nodiscard]] static bool gamarue_technique() try {
+ if (disabled(GAMARUE)) {
+ return false;
+ }
+
+ #if (!MSVC)
+ return false;
+ #else
+ HKEY hOpen;
+ char *szBuff;
+ int iBuffSize;
+ HANDLE hMod;
+ BOOL bResult = FALSE;
+ LONG nRes;
+
+ szBuff (char*)calloc(512, sizeof(char));
+
+ hMod = GetModuleHandle("SbieDll.dll"); // Sandboxie
+ if (hMod != 0) {
+ return add(SANDBOXIE);
+ }
+
+ hMod = GetModuleHandle("dbghelp.dll"); // Thread Expert
+ if (hMod != 0) {
+ return add(THREADEXPERT);
+ }
+
+ nRes = RegOpenKeyEz(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion", 0L, KEY_QUERY_VALUE, &hOpen);
+ if (nRes == ERROR_SUCCESS) {
+ iBuffSize = SizeOf(szBuff);
+ nRes = RegQueryValueEx(hOpen, "ProductId", NULL, NULL (unsigned char*)szBuff, &iBuffsize);
+ if (nRes == ERROR_SUCCESS) {
+ if (strcmp(szBuff, "55274-640-2673064-23950") == 0) { // joebox
+ return add(JOEBOX);
+ } else if (strcmp(szBuff, "76487-644-3177037-23510") == 0) {
+ return true; // CW Sandbox
+ } else if (strcmp(szBuff, "76487-337-8429955-22614") == 0) { // anubis
+ return add(ANUBIS);
+ } else {
+ return false;
+ }
+ }
+ RegCloseKey(hOpen);
+ }
+ return false;
+ #endif
+ } catch (...) {
+ #ifdef __VMAWARE_DEBUG__
+ debug("GAMARUE: catched error, returned false");
+ #endif
+ return false;
+ }
+ // __LABEL (ignore this, it's just a label so I can easily teleport to this line on my IDE with CTRL+F)
@@ -2988,7 +3049,9 @@ const std::map VM::table = {
 { VM::HOSTNAME, { 25, VM::hostname_match }},
 { VM::MEMORY, { 35, VM::low_memory_space }},
 { VM::VM_PROCESSES, { 30, VM::vm_processes }},
- { VM::LINUX_USER_HOST, { 35, VM::linux_user_host }}
+ { VM::LINUX_USER_HOST, { 35, VM::linux_user_host }},
+ { VM::VBOX_WINDOW_CLASS, { 15, VM::vbox_window_class }},
+ { VM::WINDOWS_NUMBER, { 20, VM::windows_number }}
 // { VM::, { , }}
 // ^ line template for personal use
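Review bot: The new gamarue_technique body will not compile on the MSVC path it targets: `szBuff (char*)calloc(512, sizeof(char));` is missing `=`, `RegOpenKeyEz` should be `RegOpenKeyExA`, `SizeOf(szBuff)` is not a function (and `sizeof` of a `char*` would yield the pointer size, not 512), `NULL (unsigned char*)szBuff` is missing a comma, and `&iBuffsize` does not match the declared `iBuffSize` (which `RegQueryValueEx` also needs as a `DWORD`, not `int`). Beyond the typos, the calloc'd buffer is never freed on any path and `RegCloseKey(hOpen)` is skipped by every `return` inside the `ERROR_SUCCESS` branch, so each call leaks 512 bytes plus a registry handle, and since `RegQueryValueEx` does not guarantee REG_SZ data is NUL-terminated the `strcmp` calls can read past the buffer. The narrow `GetModuleHandle("SbieDll.dll")` / `"ProductId"` literals will also fail to build if the translation unit defines `UNICODE` (the driver-path table earlier in this patch uses `L"..."` strings), so the explicit `A` variants are safer. Replacing the heap buffer with a stack array, closing the key before comparing and terminating the data fixes all three resource/bounds problems (below); note as well that the `CW Sandbox` branch returns `true` without an `add(...)` unlike its siblings, and the `GAMARUE` flag introduced in the enum hunk is not registered in the `VM::table` hunk as far as it is visible, so the technique would never be scored. The enclosing `struct VM` begins and ends outside this hunk.
```cpp
[[nodiscard]] static bool gamarue_technique() try {
    // … unchanged: disabled(GAMARUE) guard and #if (!MSVC) stub …
    if (GetModuleHandleA("SbieDll.dll") != nullptr) { // Sandboxie
        return add(SANDBOXIE);
    }
    if (GetModuleHandleA("dbghelp.dll") != nullptr) { // Thread Expert
        return add(THREADEXPERT);
    }

    HKEY hOpen = nullptr;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion", 0, KEY_QUERY_VALUE, &hOpen) != ERROR_SUCCESS) {
        return false;
    }
    char szBuff[512] = {};              // stack buffer: nothing to free on any return path
    DWORD cbBuff = sizeof(szBuff) - 1;  // leave one byte so the value can always be NUL-terminated
    const LONG nRes = RegQueryValueExA(hOpen, "ProductId", nullptr, nullptr, reinterpret_cast<LPBYTE>(szBuff), &cbBuff);
    RegCloseKey(hOpen);                 // closed before any comparison or early return
    if (nRes != ERROR_SUCCESS) {
        return false;
    }
    szBuff[cbBuff] = '\0';              // REG_SZ data is not guaranteed to be NUL-terminated
    // … unchanged: strcmp chain against the JoeBox / CW Sandbox / Anubis ProductIds …
```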