From 1f7c4a6309872b80b8876ca4a7d63b245f0693c0 Mon Sep 17 00:00:00 2001 From: CyberGreg05 <62875146+CyberGreg05@users.noreply.github.com> Date: Sat, 17 Feb 2024 02:00:33 +0300 Subject: [PATCH] Checking the virtual machine through the number of SMBIOS tables (#267) * checking the virtual machine through the number of SMBIOS tables * Update README.md --- README.md | 1 + al-khaser/Al-khaser.cpp | 1 + al-khaser/AntiVM/Generic.cpp | 85 ++++++++++++++++++++++++++++++++++++ al-khaser/AntiVM/Generic.h | 1 + 4 files changed, 88 insertions(+) diff --git a/README.md b/README.md index d1bacb1..02ce4bc 100644 --- a/README.md +++ b/README.md @@ -215,6 +215,7 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in - SMBIOS string checks (VirtualBox) - SMBIOS string checks (VMWare) - SMBIOS string checks (Qemu) + - SMBIOS number of tables (Qemu, VirtualBox) - ACPI string checks (VirtualBox) - ACPI string checks (VMWare) - ACPI string checks (Qemu) diff --git a/al-khaser/Al-khaser.cpp b/al-khaser/Al-khaser.cpp index e05c92d..dbacb71 100644 --- a/al-khaser/Al-khaser.cpp +++ b/al-khaser/Al-khaser.cpp @@ -213,6 +213,7 @@ int main(int argc, char* argv[]) exec_check(&pirated_windows, TEXT("Checking if Windows is Genuine ")); exec_check(®istry_services_disk_enum, TEXT("Checking Services\\Disk\\Enum entries for VM strings ")); exec_check(®istry_disk_enum, TEXT("Checking Enum\\IDE and Enum\\SCSI entries for VM strings ")); + exec_check(&number_SMBIOS_tables, TEXT("Checking SMBIOS tables ")); } /* VirtualBox Detection */ diff --git a/al-khaser/AntiVM/Generic.cpp b/al-khaser/AntiVM/Generic.cpp index c90fb0b..03c7702 100755 --- a/al-khaser/AntiVM/Generic.cpp +++ b/al-khaser/AntiVM/Generic.cpp @@ -1927,3 +1927,88 @@ BOOL registry_disk_enum() } return bFound; } + +BOOL handle_one_table(BYTE* currentPosition, UINT& bias, BYTE* smBiosTableBoundary) +{ + struct SmbiosTableHeader + { + BYTE type; // Table type + BYTE length; // Length of the table + WORD handle; // Handle of the table + }; + + SmbiosTableHeader* tableHeader = reinterpret_cast(currentPosition); + SmbiosTableHeader* tableBoundary = reinterpret_cast(smBiosTableBoundary); + + const BYTE lastEntry = 127; + if (tableHeader->type == lastEntry) { + // End of tables reached + return TRUE; + } + + currentPosition += tableHeader->length * sizeof(BYTE); + UINT i = 0; + // Find the end of the table + while (!(currentPosition[i] == 0 && currentPosition[i + 1] == 0) + && (currentPosition[i + 1] < smBiosTableBoundary[0])) + { + i++; + } + //pair of terminal zeros + i += 2; + bias = i + tableHeader->length; + + return FALSE; +} + +BOOL check_tables_number(const PBYTE smbios) +{ + struct RawSMBIOSData + { + BYTE method; // Access method(obsolete) + BYTE mjVer; // Major part of the SMB version(major) + BYTE mnVer; // Minor part of the SMB version(minor) + BYTE dmiRev; // DMI version(obsolete) + DWORD length; // Data table size + BYTE tableData[]; // Table data + }; + + RawSMBIOSData* smBiosData = reinterpret_cast(smbios); + BYTE* smBiosTableBoundary = smBiosData->tableData + smBiosData->length; + BYTE* currentPosition = smBiosData->tableData; + UINT tableNumber = 0; + + while (currentPosition < smBiosTableBoundary) { + UINT biasNewTable = 0; + tableNumber++; + if (handle_one_table(currentPosition, biasNewTable, smBiosTableBoundary)) + { + break; + } + currentPosition += biasNewTable * sizeof(BYTE); + } + + const UINT tableMinReal = 40; + if (tableNumber <= tableMinReal) + { + return TRUE; + } + return FALSE; +} + +/* +Check for SMBIOS tables number +*/ +BOOL number_SMBIOS_tables() +{ + BOOL result = FALSE; + + DWORD smbiosSize = 0; + PBYTE smbios = get_system_firmware(static_cast('RSMB'), 0x0000, &smbiosSize); + if (smbios != NULL) + { + result = check_tables_number(smbios); + free(smbios); + } + return result; +} \ No newline at end of file diff --git a/al-khaser/AntiVM/Generic.h b/al-khaser/AntiVM/Generic.h index 8b47ac6..3d9c4d9 100755 --- a/al-khaser/AntiVM/Generic.h +++ b/al-khaser/AntiVM/Generic.h @@ -49,3 +49,4 @@ BOOL cim_voltagesensor_wmi(); BOOL pirated_windows(); BOOL registry_services_disk_enum(); BOOL registry_disk_enum(); +BOOL number_SMBIOS_tables(); \ No newline at end of file