-
Notifications
You must be signed in to change notification settings - Fork 204
/
Copy pathevade_vm.rs
344 lines (274 loc) · 12.6 KB
/
evade_vm.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
/*
Anti-Virtualization / Full-System Emulation
For More Malware POC: https://github.com/Whitecat18/Rust-for-Malware-Development.git
Resources Used: https://github.com/LordNoteworthy/al-khaser
By @5mukx
*/
/*
Note:
[Dev Machine] -> Installed VM's Softwares and some development tools for malware testing.
I have comment out some code due to testing purpose. If you execute this code on development machines[Dev Machine] , ofcouse its gonna result out
{Machine Running in Vitrualmachine}. So to avoid testing, i have commented out some codes with // sus // tag.
If you are executing this on normal machines such as schools and office computers, means you can uncomment codes that was tagged with -> // sus //
[+] This is an All in one resource gathered together and coded..
If you want to exec even more fast 1.1 to 0.2 secs.
Reduce the content of the program or artifacts and keep up the main one for
*/
use std::process::Command;
use std::fs;
use raw_cpuid::CpuId;
macro_rules! okey {
($msg:expr) => {
println!("\n----[+]\\ {} //[+]----\n",format!($msg));
}
}
macro_rules! error {
($msg:expr) => {
println!("\n----[-]\\ {} //[-]----\n\n", format!($msg));
}
}
fn main(){
let vm_detect = check_vm();
if vm_detect{
error!("VM Detected. Malware Running in sandbox"); // bruh... ;(
}else{
okey!("Malware Runnung on main Machine"); // Yayy .. ;)
}
}
fn check_vm() -> bool{
//##=> Registry key value artifacts
let registry_keys_value_artifacts = vec![
// (r#"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"#, "",""), // Example test case to see if this reg key attri wokrs ! Dont uncomment this !
(r#"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"#, "Identifier", "VMWARE"),
(r#"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"#, "", ""),
(r#"HKLM\HARDWARE\Description\System\SystemBiosVersion"#, "", "VMWARE"),
(r#"HKLM\HARDWARE\Description\System\SystemBiosVersion"#, "", "VBOX"),
(r#"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"#, "", ""),
(r#"HKLM\HARDWARE\ACPI\DSDT\VBOX__"#, "", ""),
(r#"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"#, "Identifier", "VBOX"),
(r#"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"#, "Identifier", "QEMU"),
(r#"HKLM\HARDWARE\Description\System\SystemBiosVersion"#, "", "VBOX"),
(r#"HKLM\HARDWARE\Description\System\SystemBiosVersion"#, "", "QEMU"),
(r#"HKLM\HARDWARE\Description\System\VideoBiosVersion"#, "", "VIRTUALBOX"),
(r#"HKLM\HARDWARE\Description\System\SystemBiosDate"#, "", "06/23/99"),
(r#"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"#, "Identifier", "VMWARE"),
(r#"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0"#, "Identifier", "VMWARE"),
(r#"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0"#, "Identifier", "VMWARE"),
(r#"HKLM\SYSTEM\ControlSet001\Control\SystemInformation"#, "SystemManufacturer", "VMWARE"),
(r#"HKLM\SYSTEM\ControlSet001\Control\SystemInformation"#, "SystemProductName", "VMWARE"),
];
let registry_keys_value_artifacts_value = registry_keys_value_artifacts.iter().any(|&(key, value_name, expected_value)| {
let key_exists = registry_key_exists(key);
let value_matches = registry_value_matches(key, value_name, expected_value);
key_exists && value_matches
});
//##==> Registry Keys artifacts
let registry_keys_artifacts = vec![
r#"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__"#,
r#"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__"#,
r#"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__"#,
r#"HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions"#,
r#"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest"#,
r#"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse"#,
r#"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxService"#,
r#"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxSF"#,
r#"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo"#,
r#"HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools"#,
r#"HKEY_LOCAL_MACHINE\SOFTWARE\Wine"#,
r#"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters"#,
// // Main machines contains this reg key. So uncomment this !
// If you are exec it on developer machine means ofcourse the reg contains in it ..
// r#"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\Enum"#, // sus //
// r#"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE"#, // sus //
// r#"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI"#, // sus //
];
let registry_keys_artifacts_value = registry_keys_artifacts.iter().any(|&key| registry_key_exists(key));
//##==> Checking File System artifacts !
let file_system_artifacts = vec![
r#"C:\Windows\system32\drivers\VBoxMouse.sys"#,
r#"C:\Windows\system32\drivers\VBoxGuest.sys"#,
r#"C:\Windows\system32\drivers\VBoxSF.sys"#,
r#"C:\Windows\system32\drivers\VBoxVideo.sys"#,
r#"C:\Windows\system32\vboxdisp.dll"#,
r#"C:\Windows\system32\vboxhook.dll"#,
r#"C:\Windows\system32\vboxmrxnp.dll"#,
r#"C:\Windows\system32\vboxogl.dll"#,
r#"C:\Windows\system32\vboxoglarrayspu.dll"#,
r#"C:\Windows\system32\vboxoglcrutil.dll"#,
r#"C:\Windows\system32\vboxoglerrorspu.dll"#,
r#"C:\Windows\system32\vboxoglfeedbackspu.dll"#,
r#"C:\Windows\system32\vboxoglpackspu.dll"#,
r#"C:\Windows\system32\vboxoglpassthroughspu.dll"#,
r#"C:\Windows\system32\vboxservice.exe"#,
r#"C:\Windows\system32\vboxtray.exe"#,
r#"C:\Windows\system32\VBoxControl.exe"#,
r#"C:\Windows\system32\drivers\vmmouse.sys"#,
r#"C:\Windows\system32\drivers\vmhgfs.sys"#,
r#"C:\Windows\system32\drivers\vm3dmp.sys"#,
r#"C:\Windows\system32\drivers\vmhgfs.sys"#,
r#"C:\Windows\system32\drivers\vmmemctl.sys"#,
r#"C:\Windows\system32\drivers\vmmouse.sys"#,
r#"C:\Windows\system32\drivers\vmrawdsk.sys"#,
r#"C:\Windows\system32\drivers\vmusbmouse.sys"#,
// wtf is this -> VMCI.sys is the driver for the VMware Virtual Machine Communication Interface (VMCI).
// It's responsible for communication between the host operating system and a virtual machine,
// or between two or more virtual machines on the same host
// So if you are testing with your development machine (vmware installed). This file artifact will contains in the main machine so i commented out it !
// IF you did not installed vm's on you dev machine, then you can uncomment this !
// r#"C:\Windows\system32\drivers\vmci.sys"#, // sus //
];
let file_system_artifacts_value = file_system_artifacts.iter().any(|&path| file_artifacts(path));
//##=> Check running process !
// Fastest Approach ever 0.3 secs
let all_processes = get_running_processes();
let target_processes = vec![
"vboxservice.exe",
"vboxtray.exe",
"vmtoolsd.exe",
"vmwaretray.exe",
"vmwareuser.exe",
"VGAuthService.exe",
"vmacthlp.exe",
"vmsrvc.exe",
"vmusrvc.exe",
"prl_cc.exe",
"prl_tools.exe",
"xenservice.exe",
"qemu-ga.exe",
];
let target_process_value = target_processes.iter()
.any(|target_process| process_exists(&all_processes, target_process));
//##==> Check Mac Address...!
// let mac_address = get_mac_address();
let mac_address = match get_mac_address(){
Some(mac) => mac,
None => return false,
};
let vm_mac_addresses = vec![
vec![0x08, 0x00, 0x27], // VBOX
vec![0x00, 0x05, 0x69], // VMWARE
vec![0x00, 0x0C, 0x29], // VMWARE
vec![0x00, 0x1C, 0x14], // VMWARE
vec![0x00, 0x50, 0x56], // VMWARE
vec![0x00, 0x1C, 0x42], // Parallels
vec![0x00, 0x16, 0x3E], // Xen
vec![0x0A, 0x00, 0x27], // Hybrid Analysis
];
let mac_address_value = match find_matching_pattern(&mac_address, &vm_mac_addresses) {
Some(_) => true,
None => false,
};
//##==> Check CPU Instructions
let cpuid = CpuId::new();
let vm_presence = cpuid.get_feature_info().map_or(false, |info| {
info.has_hypervisor()
});
let vm_vendor = cpuid.get_vendor_info().map_or(false, |info| {
info.as_str().contains("KVMKVMKVM") || // KVM
info.as_str().contains("Microsoft Hv") || // Microsoft Hyper-V or Windows Virtual PC
info.as_str().contains("VMwareVMware") || // VMware
info.as_str().contains("XenVMMXenVMM") || // Xen
info.as_str().contains("prl hyperv") || // Parallels
info.as_str().contains("VBoxVBoxVBox") // VirtualBox
});
let cpu_vendor_value = vm_presence || vm_vendor;
//##=> WMI Quaries !! Soon ...!
registry_keys_value_artifacts_value ||
registry_keys_artifacts_value ||
file_system_artifacts_value ||
target_process_value ||
mac_address_value ||
cpu_vendor_value
}
fn registry_key_exists(key: &str) -> bool {
let output = Command::new("reg")
.args(&["query", &key])
.output()
.expect("Failed to execute reg query cmd");
output.status.success()
}
// Program to check registry keys with artifacts ..!
fn registry_value_matches(key: &str, value_name: &str, expected_value: &str) -> bool {
let output = Command::new("reg")
.args(&["query", &key, "/v", value_name])
.output()
.expect("Failed to execute reg query cmd");
if output.status.success() {
let stdout = String::from_utf8_lossy(&output.stdout);
stdout.contains(expected_value)
} else {
false
}
}
// Progran to check if file exists !
fn file_artifacts(path: &str)-> bool{
fs::metadata(path).is_ok()
}
// Programs to check for current running process !
fn get_running_processes() -> Vec<String>{
let output = Command::new("wmic")
.args(&["process","get","name"])
.output()
.expect("Failed to execute wmic cmd");
let output_str = String::from_utf8_lossy(&output.stdout);
let processes: Vec<String> = output_str
.lines()
.skip(1)
.map(|line| line.trim().to_lowercase())
.collect();
processes
}
fn process_exists(processes: &[String], target: &str) -> bool {
processes.iter().any(|process| process.contains(target))
}
// Function to find mac addresses
fn get_mac_address() -> Option<Vec<u8>> {
let output = Command::new("ipconfig")
.args(&["/all"])
.output()
.expect("Failed to Exec ipconfing");
let output_str = String::from_utf8_lossy(&output.stdout);
for line in output_str.lines() {
if line.contains("Physical Address") {
let parts: Vec<&str> = line.split_whitespace().collect();
if parts.len() >= 3 {
let mac_address_str = parts[2].replace("-", ":");
let mac_bytes: Vec<u8> = mac_address_str.split(":")
.map(|s| u8::from_str_radix(s, 16).unwrap_or_default())
.collect();
return Some(mac_bytes);
}
}
}
None
}
fn find_matching_pattern<'a>(mac_address: &'a Vec<u8>, patterns: &'a Vec<Vec<u8>>) -> Option<&'a Vec<u8>> {
for pattern in patterns {
if mac_address.starts_with(pattern) {
return Some(pattern);
}
}
None
}
// Programs to find thr presence of Specific CPU Instructions !
// There is an create that will take care of it !!
// fn check_cpu_instruction(eax_value: u32) -> bool {
// let eax_value_str = format!("{:#x}", eax_value);
// let output = Command::new("cpuid")
// .args(&["-l", &eax_value_str])
// .output()
// .expect("Failed to execute cpuid cmd");
// let output_str = String::from_utf8_lossy(&output.stdout);
// output_str.contains(&eax_value_str)
// }
// fn detect_vendor_string(vendor_string: &str) -> bool {
// let output = Command::new("cpuid")
// .args(&["-s", "0"])
// .output()
// .expect("Failed to execute cpuid cmd");
// let output_str = String::from_utf8_lossy(&output.stdout);
// output_str.contains(vendor_string)
// }
// Program to use WMI Quaries to retrieve sys info !
// System Firmware tables
// Get Syetem frimwares => soon !