From 9b13ace64d5fcc8df0048f978cdab09df54110a7 Mon Sep 17 00:00:00 2001
From: Existential-Kernel
Date: Wed, 6 Dec 2023 00:46:42 +0000
Subject: [PATCH 1/5] added ctest thingy
---
 CMakeLists.txt | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index fa1ce75..4d36d72 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -60,6 +60,11 @@ if(CMAKE_BUILD_TYPE MATCHES "Debug")
 endif()
+# CTest stuff
+include(CTest)
+enable_testing()
+
+
 # add executable
 add_executable(${TARGET} "src/cli.cpp")
 set_property(TARGET ${TARGET} PROPERTY CXX_STANDARD 20)
From db42c9c6468f87b92d5064e2811ee9fe101e5167 Mon Sep 17 00:00:00 2001
From: Existential-Kernel
Date: Wed, 6 Dec 2023 18:13:07 +0000
Subject: [PATCH 2/5] vbox_window segfault test i fucking hate c++
---
 src/vmaware.hpp | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
index 7d4b8e5..e5217ee 100644
--- a/src/vmaware.hpp
+++ b/src/vmaware.hpp
@@ -519,6 +519,7 @@ struct VM {
 MEMORY = 1ULL << 35,
 VM_PROCESSES = 1ULL << 36,
 LINUX_USER_HOST = 1ULL << 37,
+ VBOX_WINDOW_CLASS = 1ULL << 38,
 // settings
 NO_MEMO = 1ULL << 63,
@@ -2626,6 +2627,36 @@ struct VM {
 }
+ /**
+ * @brief default vbox window class
+ * @category Windows
+ * @author Al-Khaser Project
+ */
+ [[nodiscard]] static bool vbox_window_class() try {
+ if (disabled(VBOX_WINDOW_CLASS)) {
+ return false;
+ }
+
+ #if (!MSVC)
+ return false;
+ #else
+ HWND hClass = FindWindow(_T("VBoxTrayToolWndClass"), NULL);
+ HWND hWindow = FindWindow(NULL, _T("VBoxTrayToolWnd"));
+
+ if (hClass || hWindow) {
+ return add(VBOX);
+ }
+
+ return false;
+ #endif
+ } catch (...) {
+ #ifdef __VMAWARE_DEBUG__
+ debug("VBOX_WINDOW_CLASS: catched error, returned false");
+ #endif
+ return false;
+ }
+
+
 // __LABEL (ignore this, it's just a label so I can easily teleport to this line on my IDE with CTRL+F)
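Review bot: The explicit `enable_testing()` right after `include(CTest)` makes the `BUILD_TESTING` option a no-op, because CTest.cmake already calls `enable_testing()` itself when `BUILD_TESTING` is ON; drop the explicit call (or drop `include(CTest)` if the dashboard targets it brings in are not wanted). Nothing in the series registers a test with `add_test()`, so `ctest` will report no tests to run until one is added. The two trailing blank `+` lines before `# add executable` look unintentional.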
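Review bot: `_T()` on the two `FindWindow` calls comes from `<tchar.h>`, which `<windows.h>` does not pull in, and nothing in this hunk shows it being included (the nameless `#include` added in PATCH 5/5 may be it, but its name is not visible in this rendering); `TEXT("VBoxTrayToolWndClass")` from `<winnt.h>` gives the same A/W selection without the extra header. The check only fires while VBoxTray, part of the Guest Additions, is running, so a VirtualBox guest without Guest Additions is a silent miss; the `@brief` should say so, e.g. `@brief VirtualBox Guest Additions tray window class/title (needs VBoxTray running)`. Style: `NULL` should be `nullptr` in a header built as C++20, and `hClass`/`hWindow` are each used once, so `if (FindWindow(TEXT("VBoxTrayToolWndClass"), nullptr) || FindWindow(nullptr, TEXT("VBoxTrayToolWnd")))` reads as well without the temporaries.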
@@ -2921,7 +2952,8 @@ const std::map VM::table = {
 { VM::HOSTNAME, { 25, VM::hostname_match }},
 { VM::MEMORY, { 35, VM::low_memory_space }},
 { VM::VM_PROCESSES, { 30, VM::vm_processes }},
- { VM::LINUX_USER_HOST, { 35, VM::linux_user_host }}
+ { VM::LINUX_USER_HOST, { 35, VM::linux_user_host }},
+ { VM::VBOX_WINDOW_CLASS, { 10, VM::vbox_window_class }}
 // { VM::, { , }}
 // ^ line template for personal use
From 85ce3bc1873fff26692eb0ed63fd01a4551c9649 Mon Sep 17 00:00:00 2001
From: Existential-Kernel
Date: Wed, 6 Dec 2023 19:22:37 +0000
Subject: [PATCH 3/5] gamarue segfault test
---
 src/vmaware.hpp | 69 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 68 insertions(+), 1 deletion(-)
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
index e5217ee..8d1aa52 100644
--- a/src/vmaware.hpp
+++ b/src/vmaware.hpp
@@ -520,6 +520,7 @@ struct VM {
 VM_PROCESSES = 1ULL << 36,
 LINUX_USER_HOST = 1ULL << 37,
 VBOX_WINDOW_CLASS = 1ULL << 38,
+ GAMARUE = 1ULL << 39,
 // settings
 NO_MEMO = 1ULL << 63,
@@ -2657,6 +2658,71 @@ struct VM {
 }
+ /**
+ * @brief Gamarue ransomware check
+ * @category Windows
+ */
+ [[nodiscard]] static bool gamarue() try {
+ if (disabled(GAMARUE)) {
+ return false;
+ }
+
+ #if (!MSVC)
+ return false;
+ #else
+ HKEY hOpen;
+ char *szBuff;
+ int iBuffSize;
+ HANDLE hMod;
+ LONG nRes;
+
+ szBuff = (char*)calloc(512, sizeof(char));
+
+ hMod = GetModuleHandle("SbieDll.dll"); // Sandboxie
+ if (hMod != 0) {
+ free(szBuff);
+ return add(SANDBOXIE);
+ }
+
+ hMod = GetModuleHandle("dbghelp.dll"); // Thread Expert
+ if (hMod != 0) {
+ free(szBuff);
+ return add(THREADEXPERT);
+ }
+
+ nRes = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion", 0L, KEY_QUERY_VALUE, &hOpen);
+ if (nRes == ERROR_SUCCESS) {
+ iBuffSize = sizeof(szBuff);
+ nRes = RegQueryValueEx(hOpen, "ProductId", NULL, NULL, (unsigned char*)szBuff, reinterpret_cast(&iBuffSize));
+ if (nRes == ERROR_SUCCESS) {
+ if (strcmp(szBuff, "55274-640-2673064-23950") == 0) { // joebox
+ free(szBuff);
+ return add(JOEBOX);
+ } else if (strcmp(szBuff, "76487-644-3177037-23510") == 0) {
+ free(szBuff);
+ return add(CWSANDBOX); // CW Sandbox
+ } else if (strcmp(szBuff, "76487-337-8429955-22614") == 0) { // anubis
+ free(szBuff);
+ return add(ANUBIS);
+ } else {
+ free(szBuff);
+ return false;
+ }
+ }
+ RegCloseKey(hOpen);
+ }
+ free(szBuff);
+ return false;
+ #endif
+ } catch (...) {
+ #ifdef __VMAWARE_DEBUG__
+ debug("GAMARUE: catched error, returned false");
+ #endif
+ return false;
+ }
+
+
+
 // __LABEL (ignore this, it's just a label so I can easily teleport to this line on my IDE with CTRL+F)
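Review bot: `iBuffSize = sizeof(szBuff);` passes the size of a `char*` (4 or 8 bytes), not the 512 bytes that were allocated, so `RegQueryValueEx` fails with `ERROR_MORE_DATA` for any real ProductId and none of the three `strcmp` branches can ever match; the variable is also an `int` reinterpreted as `LPDWORD` instead of simply being a `DWORD`. Every successful path inside the `if (nRes == ERROR_SUCCESS)` block returns before `RegCloseKey(hOpen)`, leaking the key handle, and `HANDLE hMod` should be `HMODULE`. The narrow literals go to the `GetModuleHandle`/`RegOpenKeyEx`/`RegQueryValueEx` macros, which resolve to the W variants when `UNICODE` is defined (the sibling `vbox_window_class()` uses `_T()` for that reason); calling the `A` variants explicitly removes the dependency, and a zero-filled stack array closed-before-branching removes all the `calloc`/`free` bookkeeping, as sketched below. The `@brief` should state what is actually checked — sandbox artefacts (Sandboxie, Thread Expert, JoeBox, CWSandbox, Anubis) via the technique attributed to the Gamarue family — rather than "ransomware check". `THREADEXPERT`/`CWSANDBOX` are only declared in PATCH 4/5, so this commit does not build on its own; `SANDBOXIE` is not visible anywhere in the series, so I assume it already exists.
```cpp
        // … unchanged: disabled() guard and the #if (!MSVC) branch …
        // Explicit "A" variants: the narrow literals compile regardless of UNICODE.
        if (GetModuleHandleA("SbieDll.dll") != nullptr) { // Sandboxie
            return add(SANDBOXIE);
        }
        if (GetModuleHandleA("dbghelp.dll") != nullptr) { // Thread Expert
            return add(THREADEXPERT);
        }

        HKEY hOpen = nullptr;
        if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion", 0, KEY_QUERY_VALUE, &hOpen) != ERROR_SUCCESS) {
            return false;
        }

        char buff[512] = {};               // zero-filled: value is NUL-terminated even if the REG_SZ data is not
        DWORD buffSize = sizeof(buff) - 1; // the real buffer size, not sizeof(char*)
        const LONG nRes = RegQueryValueExA(hOpen, "ProductId", nullptr, nullptr, reinterpret_cast<LPBYTE>(buff), &buffSize);
        RegCloseKey(hOpen);                // closed on every path, before any early return

        if (nRes != ERROR_SUCCESS) {
            return false;
        }
        if (strcmp(buff, "55274-640-2673064-23950") == 0) { return add(JOEBOX); }    // joebox
        if (strcmp(buff, "76487-644-3177037-23510") == 0) { return add(CWSANDBOX); } // CW Sandbox
        if (strcmp(buff, "76487-337-8429955-22614") == 0) { return add(ANUBIS); }    // anubis
        return false;
        // … unchanged: #endif and the catch (...) handler …
```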
@@ -2953,7 +3019,8 @@ const std::map VM::table = {
 { VM::MEMORY, { 35, VM::low_memory_space }},
 { VM::VM_PROCESSES, { 30, VM::vm_processes }},
 { VM::LINUX_USER_HOST, { 35, VM::linux_user_host }},
- { VM::VBOX_WINDOW_CLASS, { 10, VM::vbox_window_class }}
+ { VM::VBOX_WINDOW_CLASS, { 10, VM::vbox_window_class }},
+ { VM::GAMARUE, { 40, VM::gamarue }}
 // { VM::, { , }}
 // ^ line template for personal use
From cdbae89bddef94ca3d3598d1cccdd4b222e79e37 Mon Sep 17 00:00:00 2001
From: Existential-Kernel
Date: Wed, 6 Dec 2023 19:25:01 +0000
Subject: [PATCH 4/5] gamarue test
---
 src/vmaware.hpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
index 8d1aa52..3d6c343 100644
--- a/src/vmaware.hpp
+++ b/src/vmaware.hpp
@@ -213,6 +213,8 @@ struct VM {
 static constexpr const char* VPC = "Virtual PC";
 static constexpr const char* ANUBIS = "Anubis";
 static constexpr const char* JOEBOX = "JoeBox";
+ static constexpr const char* THREADEXPERT = "Thread Expert";
+ static constexpr const char* CWSANDBOX = "CW Sandbox";
 // VM scoreboard table specifically for VM::brand()
 #if (MSVC)
From 33536384a4fa1d48883b776f5341141b1818a677 Mon Sep 17 00:00:00 2001
From: Existential-Kernel
Date: Wed, 6 Dec 2023 19:41:11 +0000
Subject: [PATCH 5/5] final test before merge (god please make this garbage code work)
---
 src/vmaware.hpp | 54 ++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 51 insertions(+), 3 deletions(-)
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
index 3d6c343..3c6ca8a 100644
--- a/src/vmaware.hpp
+++ b/src/vmaware.hpp
@@ -95,6 +95,7 @@
 #include
 #include
 #include
+ #include
 #include
 #include
 #pragma comment(lib, "iphlpapi.lib")
@@ -523,6 +524,7 @@ struct VM {
 LINUX_USER_HOST = 1ULL << 37,
 VBOX_WINDOW_CLASS = 1ULL << 38,
 GAMARUE = 1ULL << 39,
+ WINDOWS_NUMBER = 1ULL << 40,
 // settings
 NO_MEMO = 1ULL << 63,
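Review bot: `THREADEXPERT` and `CWSANDBOX` are first declared in this hunk, but `gamarue()` in PATCH 3/5 already calls `add(THREADEXPERT)` and `add(CWSANDBOX)`, so the series does not build at that commit; squashing this hunk into PATCH 3/5 (or reordering the two) keeps every commit buildable for bisecting. The matching scoreboard entries `{ VM::THREADEXPERT, 0 }` / `{ VM::CWSANDBOX, 0 }` only arrive in PATCH 5/5, so if `add()` keys into that scoreboard the two brands are unknown to it until then — worth checking. `SANDBOXIE`, also used by `gamarue()`, is not touched by the series, so I assume it already exists.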
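Review bot: The added `#include` line shows no header name in this rendering (the angle brackets appear to have been stripped, as they were for `std::map` and `reinterpret_cast` elsewhere in the series), so a reviewer cannot tell which header it is or which code needs it; a trailing comment naming the consumer, e.g. `#include <header-name> // for _T() in vbox_window_class()` (header name is a placeholder), would make the dependency self-documenting. The line sits in the block that ends with `#pragma comment(lib, "iphlpapi.lib")`, which I take to be the MSVC-only include section — confirm the new header is guarded the same way as the `#if (!MSVC)` branches that use it.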
@@ -2722,6 +2724,49 @@ struct VM {
 #endif
 return false;
 }
+
+
+
+ /**
+ * @brief get top-level default window level
+ * @category Windows
+ */
+ [[nodiscard]] static bool windows_number() try {
+ return false; // TODO: fix this garbage code
+ /*
+ if (disabled(WINDOWS_NUMBER)) {
+ return false;
+ }
+
+ #if (!MSVC)
+ return false;
+ #else
+ // this definitely doesn't fucking work
+ auto enumProc = [](HWND, LPARAM lParam) -> bool
+ {
+ if (LPDWORD pCnt = reinterpret_cast(lParam))
+ *pCnt++;
+ return true;
+ };
+
+ DWORD winCnt = 0;
+
+ if (!EnumWindows(enumProc,LPARAM(&winCnt))) {
+ #ifdef __VMAWARE_DEBUG__
+ debug("WINDOWS_NUMBER: EnumWindows() failed");
+ #endif
+ return false;
+ }
+
+ return (winCnt < 10);
+ #endif
+ */
+ } catch (...) {
+ #ifdef __VMAWARE_DEBUG__
+ debug("WINDOWS_NUMBER: catched error, returned false");
+ #endif
+ return false;
+ }
@@ -2950,8 +2995,10 @@ struct VM {
 { VM::VAPPLE, 0 },
 { VM::VPC, 0 },
 { VM::ANUBIS, 0 },
- { VM::JOEBOX, 0 }
-};
+ { VM::JOEBOX, 0 },
+ { VM::THREADEXPERT, 0 },
+ { VM::CWSANDBOX, 0 }
+};
 VM::u64 VM::flags = 0;
@@ -3022,7 +3069,8 @@ const std::map VM::table = {
 { VM::VM_PROCESSES, { 30, VM::vm_processes }},
 { VM::LINUX_USER_HOST, { 35, VM::linux_user_host }},
 { VM::VBOX_WINDOW_CLASS, { 10, VM::vbox_window_class }},
- { VM::GAMARUE, { 40, VM::gamarue }}
+ { VM::GAMARUE, { 40, VM::gamarue }},
+ { VM::WINDOWS_NUMBER, { 20, VM::windows_number }}
 // { VM::, { , }}
 // ^ line template for personal use
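Review bot: `windows_number()` is registered in `VM::table` with a score of 20 (last hunk of this commit) while its body is `return false; // TODO: fix this garbage code` with the real logic commented out, so the entry can never contribute and the function-level `try` wraps a constant; keep it out of the table until it works, or leave the flag declared but unregistered. In the commented-out body, `*pCnt++` increments the pointer rather than the count and needs `++(*pCnt);`, and a lambda declared `-> bool` does not convert to the `WNDENUMPROC` that `EnumWindows` expects (`BOOL CALLBACK (HWND, LPARAM)`), so it should return `BOOL` — on x86 the calling convention may also have to be spelled out, which I cannot confirm from here. The `disabled(WINDOWS_NUMBER)` guard is inside the comment too, so even once revived the check would ignore the user's flags unless that line is moved back in front of the `return`. The `-};` / `+};` pair in the scoreboard hunk looks byte-identical, presumably a line-ending or trailing-whitespace change worth keeping out of the diff.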