waliedassar

Detect VirtualBox (TYPE 0x7E TRICK)

Oct 7th, 2012
  1. //http://waleedassar.blogspot.com (@waleedassar)
  2. //The following code parses the SMBiosData blob retrieved from the Windows registry and searches for any structure of type TYPE_INACTIVE (126, 0x7E). The author treats the presence of such a structure as a sign of running under VirtualBox.
  3. #include "stdafx.h"
  4. #include "windows.h"
  5. #include "stdio.h"
  6.  
  /*
   * SMBIOS structure type codes. Each structure in the table starts with a
   * header whose first byte is one of these values (decimal value in comments).
   */
  #define TYPE_BIOS                        0x00  /*   0: BIOS brand and version        */
  #define TYPE_SYSTEM                      0x01  /*   1: system manufacturer and model */
  #define TYPE_BASEBOARD                   0x02  /*   2 */
  #define TYPE_SYSTEM_ENCLOSURE            0x03  /*   3 */
  #define TYPE_PROCESSOR                   0x04  /*   4 */
  #define TYPE_CACHE_INFO                  0x07  /*   7 */
  #define TYPE_SYSTEM_SLOTS                0x09  /*   9 */
  #define TYPE_OEM_STRINGS                 0x0B  /*  11 */
  #define TYPE_PHYSICAL_MEM_ARRAY          0x10  /*  16 */
  #define TYPE_MEMORY_DEVICE               0x11  /*  17 */
  #define TYPE_MEMORY_ARRAY_MAPPED_ADDRESS 0x13  /*  19 */
  #define TYPE_SYSTEM_BOOT_INFORMATION     0x20  /*  32 */
  #define TYPE_INACTIVE                    0x7E  /* 126: the type this sample searches for */
  #define TYPE_END_OF_STRUCTURE            0x7F  /* 127: end-of-table marker */
  21.  
  /*
   * Prefix that precedes the raw SMBIOS table inside the registry value
   * SMBiosData. It is only needed when the data comes from the registry;
   * SMBiosData retrieved via WMI is parsed without it.
   *
   * NOTE(review): a1..a4 are never read by this file; they presumably hold
   * the calling-method / version bytes of the Windows raw SMBIOS header.
   * Confirm before relying on them.
   */
  struct BIOS_DATA_HEAD
  {
      unsigned char a1, a2, a3, a4;  // four leading bytes, unused here
      unsigned long length;          // main() reads this as the byte length of the table that follows
  };
  32.  
  /*
   * Four-byte header found at the start of every SMBIOS structure.
   * main() overlays it on the table to read the type, the size of the
   * formatted area and the handle.
   */
  struct HeadER
  {
      unsigned char  Type;            // structure type: 0 = BIOS, 1 = system, and so on
      unsigned char  section_length;  // main() uses this as the offset from the header to the string area
      unsigned short handles;         // printed by main() as the structure's handle
  };
  39.  
  // Upper-cases the ASCII letters 'a'..'z' in the first len bytes of str, in place.
  // Every other byte is left untouched; no NUL terminator is required or written.
  void AllToUpper(char* str,unsigned long len)
  {
      char* const end=str+len;
      for(char* cur=str;cur!=end;++cur)
      {
          const char ch=*cur;
          if(ch<'a' || ch>'z') continue;   // not a lower-case ASCII letter
          *cur=(char)(ch-('a'-'A'));       // 'a'-'A' is 32 in ASCII
      }
  }
  50.  
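  // Prints a separator line followed by a readable name for an SMBIOS
  // structure type. Types without a name in the table below are printed as
  // their hexadecimal value.
  void PrintType(unsigned char type)
  {
      const char* name=0;
      switch(type)
      {
          case TYPE_BIOS:                        name="BIOS"; break;
          case TYPE_SYSTEM:                      name="SYSTEM INFO"; break;
          case TYPE_BASEBOARD:                   name="BASEBOARD"; break;
          // Fix: this case used to print "BIOS", a copy-paste of the first entry.
          case TYPE_SYSTEM_ENCLOSURE:            name="SYSTEM ENCLOSURE"; break;
          case TYPE_PROCESSOR:                   name="PROCESSOR"; break;
          case TYPE_CACHE_INFO:                  name="CACHE INFO"; break;
          case TYPE_SYSTEM_SLOTS:                name="SYSTEM SLOTS"; break;
          case TYPE_OEM_STRINGS:                 name="OEM STRINGS"; break;
          case TYPE_PHYSICAL_MEM_ARRAY:          name="PHYSICAL MEMORY ARRAY"; break;
          case TYPE_MEMORY_DEVICE:               name="MEMORY DEVICE"; break;
          case TYPE_MEMORY_ARRAY_MAPPED_ADDRESS: name="MEMORY ARRAY MAPPED ADDRESS"; break;
          case TYPE_SYSTEM_BOOT_INFORMATION:     name="SYSTEM BOOT INFORMATION"; break;
          case TYPE_END_OF_STRUCTURE:            name="END OF STRUCTURE"; break;
          default: break;
      }

      printf("----------------------------------------\r\n");
      if(name) printf("Type: %s\r\n",name);
      else printf("Type: %X\r\n",type);
  }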
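  // Prints and returns the index-th string of an SMBIOS string-set.
  //
  // pString points at the first string of the set: NUL-terminated strings
  // stored back to back, with an empty string marking the end of the set.
  // index is 1-based (1 is the first string).
  //
  // Returns a pointer to the selected string, or 0 after printing an error
  // when the string does not exist.
  //
  // The function has no length parameter, so the caller must make sure the
  // set is terminated inside the buffer before calling; the table contents
  // come from firmware and are not trustworthy by themselves.
  char* PrintString(char* pString,unsigned long index)
  {
      // Index 0 used to wrap around to the largest unsigned value and walk the
      // whole set; an empty set used to be printed as if string 1 existed.
      if(pString==0 || index==0 || *pString==0)
      {
          printf("String is: Error retrieving string\r\n");
          return 0;
      }

      for(unsigned long n=1;n<index;n++)
      {
          pString+=strlen(pString)+1;   // step over this string and its NUL
          if(*pString==0)               // reached the end-of-set marker first
          {
              printf("String is: Error retrieving string\r\n");
              return 0;
          }
      }

      printf("String is: %s\r\n",pString);
      return pString;
  }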
  87.  
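  // Searches data[0 .. data_length) for the NUL-terminated byte string string2.
  //
  // Returns a pointer to the first match inside data, or 0 when there is no
  // match, when either pointer is null, or when string2 is longer than the
  // data being searched.
  unsigned char* ScanDataForString(unsigned char* data,unsigned long data_length,unsigned char* string2)
  {
      if(data==0 || string2==0) return 0;

      unsigned long string_length=strlen((char*)string2);

      // Without this guard data_length-string_length wraps around (both are
      // unsigned) and the loop reads far past the end of data.
      if(string_length>data_length) return 0;

      unsigned long last_start=data_length-string_length;
      for(unsigned long i=0;i<=last_start;i++)
      {
          if(strncmp((char*)(&data[i]),(char*)string2,string_length)==0) return &data[i];
      }
      return 0;
  }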
  97.  
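  // Reads the raw SMBIOS table from
  // HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\data (value SMBiosData),
  // walks its structures, prints each header, and shows a message box for
  // every structure of type TYPE_INACTIVE (0x7E).
  //
  // For analysts: a registry read of this value followed by a scan for type
  // 0x7E is an environment-fingerprinting check. Type 126 is the generic
  // SMBIOS "Inactive" type, so finding one is a heuristic, not proof of a
  // particular hypervisor.
  //
  // Changes from the original listing:
  //  - the key is opened with KEY_QUERY_VALUE instead of KEY_ALL_ACCESS; only
  //    a read is performed, and the broader request typically fails without
  //    elevation;
  //  - the pointer returned by LocalAlloc is kept and freed unchanged (the
  //    original advanced it by 8 and then passed it to LocalFree);
  //  - every length taken from the table is checked against the number of
  //    bytes actually read, and the end-of-strings search is bounded;
  //  - string indexes are read as unsigned bytes (plain char sign-extended
  //    values of 0x80 and above);
  //  - "%lX" is used for the unsigned long length.
  //
  // Always returns 0.
  int main(int argc, char* argv[])
  {
      HKEY hk=0;
      int ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\mssmbios\\data",0,KEY_QUERY_VALUE,&hk);
      if(ret!=ERROR_SUCCESS) return 0;

      unsigned long value_type=0;
      unsigned long length=0;
      char* base=0;   // start of the allocation; never advanced so it can be freed

      // First call: size query only.
      ret=RegQueryValueEx(hk,"SMBiosData",0,&value_type,0,&length);
      if(ret==ERROR_SUCCESS && length>sizeof(BIOS_DATA_HEAD))
      {
          base=(char*)LocalAlloc(LMEM_ZEROINIT,length);
      }
      if(base)
      {
          // Second call: fetch the data; length is updated to the bytes stored.
          ret=RegQueryValueEx(hk,"SMBiosData",0,&value_type,(unsigned char*)base,&length);
      }

      if(base && ret==ERROR_SUCCESS && length>sizeof(BIOS_DATA_HEAD))
      {
          //----Only when parsing SMBiosData retrieved from the registry: skip the prefix----
          unsigned long new_length=((BIOS_DATA_HEAD*)base)->length;
          unsigned char* tbl=(unsigned char*)base+sizeof(BIOS_DATA_HEAD);
          const unsigned long available=length-(unsigned long)sizeof(BIOS_DATA_HEAD);
          printf("Length is: %lX\r\n",new_length);

          // The declared length comes from the data itself; never trust it
          // beyond what was actually read.
          if(new_length>available) new_length=available;

          unsigned long i=0;
          while(i<new_length)
          {
              if(new_length-i<sizeof(HeadER))
              {
                  printf("Truncated structure header\r\n");
                  break;
              }

              // Header fields are read byte by byte: structures are not
              // guaranteed to be aligned, and the handle is little-endian.
              unsigned char type=tbl[i];
              PrintType(type);
              unsigned char section_size=tbl[i+1];
              printf("Section length is: %X\r\n",section_size);
              unsigned short handles=(unsigned short)(tbl[i+2]|(tbl[i+3]<<8));
              printf("Handle is: %X\r\n",handles);

              if(type==TYPE_END_OF_STRUCTURE) break; //End-Of-Table

              if(section_size<sizeof(HeadER) || section_size>new_length-i)
              {
                  printf("Malformed structure length\r\n");
                  break;
              }

              //---Get End of Structure: the string-set ends with two zero bytes---
              const unsigned long strings=i+section_size;
              unsigned long end=strings;
              while(end+1<new_length && (tbl[end]!=0 || tbl[end+1]!=0)) end++;
              if(end+1>=new_length)
              {
                  printf("Unterminated string-set\r\n");
                  break;
              }

              if(type==TYPE_INACTIVE) //0x7E
              {
                  // Bytes 4 and 5 of the structure are string indexes (the
                  // original labels them Brand and Version); they only exist
                  // when the formatted area is at least 6 bytes long.
                  if(section_size>=6)
                  {
                      PrintString((char*)tbl+strings,tbl[i+4]);   //print Brand
                      PrintString((char*)tbl+strings,tbl[i+5]);   //print Version
                  }
                  MessageBox(0,"VirtualBox detected","waliedassar",0);
              }

              i=end+2;   // first byte after the double-zero terminator
          }
      }

      if(base) LocalFree(base);
      RegCloseKey(hk);
      return 0;
  }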