- Anti-analysis (VM/sandbox detection) trick: DeviceIoControl(IOCTL_STORAGE_QUERY_PROPERTY) on PhysicalDrive0; the returned drive product string is checked for the substrings qemu, virtual, vmware, xen, vbox, ...
- FROM SAMPLE: 9f7149a0965adc1103a67db4980d6e81a3cce1c37ba6e334610a0ea6b34cd860
/*
 * sub_401000 -- VM/sandbox detection routine recovered from the sample whose
 * SHA-256 is given on this page (IDA pseudocode; not compilable as-is, the
 * leading "- " on each line is a paste artefact).
 *
 * Opens \\.\PhysicalDrive0, sends IOCTL_STORAGE_QUERY_PROPERTY (0x2D1400)
 * with an all-zero 12-byte query, copies one string out of the response,
 * lower-cases it and searches it for "qemu", "virtual", "vmware", "xen"
 * and "vbox".
 *
 * Returns 1 as soon as one of the five substrings is found (the caller
 * treats this as "running under a hypervisor"); returns 0 when the device
 * cannot be opened, the IOCTL fails, or nothing matches.
 *
 * Analyst notes:
 *  - The 12-byte zeroed query matches the layout of STORAGE_PROPERTY_QUERY
 *    with PropertyId = StorageDeviceProperty and QueryType =
 *    PropertyStandardQuery (both 0), so the response would be a
 *    STORAGE_DEVICE_DESCRIPTOR. v12 lies 16 bytes into the output buffer,
 *    which is that structure's ProductIdOffset field -- confirm against the
 *    disassembly, since the decompiler split the buffer into OutBuffer/v12.
 *  - Detection angle: an unprivileged user-mode process opening
 *    PhysicalDrive0 and issuing this IOCTL shortly before a conditional
 *    branch is a recognisable sandbox-evasion indicator; the string table
 *    below lists the vendor artefacts it is looking for.
 */
- char sub_401000()
- {
- DWORD v0; // eax -- length of the lower-cased copy
- unsigned int j; // [esp+0h] [ebp-24Ch] -- index into the five substrings
- int i; // [esp+4h] [ebp-248h] -- index into OutBuffer, starts at v12
- int v4; // [esp+Ch] [ebp-240h] -- write index into Str
- DWORD BytesReturned; // [esp+14h] [ebp-238h]
- int Dst; // [esp+18h] [ebp-234h] -- 12-byte input buffer for the IOCTL (see memset below)
- int v7; // [esp+24h] [ebp-228h]
- HANDLE hDevice; // [esp+28h] [ebp-224h]
- __int16 Str[130]; // [esp+2Ch] [ebp-220h] -- wide copy of the queried string
- int v10; // [esp+130h] [ebp-11Ch]
- __int16 OutBuffer[8]; // [esp+134h] [ebp-118h] -- first 16 bytes of the 0x100-byte IOCTL output
- int v12; // [esp+144h] [ebp-108h] -- dword at OutBuffer+16, used as the start offset of the string
- wchar_t *SubStr; // [esp+234h] [ebp-18h] -- first of five adjacent string pointers, indexed as (&SubStr)[j]
- const wchar_t *v14; // [esp+238h] [ebp-14h]
- const wchar_t *v15; // [esp+23Ch] [ebp-10h]
- const wchar_t *v16; // [esp+240h] [ebp-Ch]
- const wchar_t *v17; // [esp+244h] [ebp-8h]
- int v18; // [esp+248h] [ebp-4h] -- zero slot after the last pointer
- SubStr = L"qemu"; // the five hypervisor markers; stored in consecutive stack slots
- v14 = L"virtual";
- v15 = L"vmware";
- v16 = L"xen";
- v17 = L"vbox";
- v18 = 0; // terminates the pointer run (the loop below is bounded by 5 regardless)
- v7 = 0;
- v10 = 0;
- hDevice = CreateFileW(L"\\\\.\\PhysicalDrive0", 0, 3u, 0, 3u, 0, 0); // desired access 0, share read|write (3), OPEN_EXISTING (3); property queries need no read/write access to the disk, so this works from a low-privilege process -- verify on the target OS
- if ( hDevice != (HANDLE)-1 ) // INVALID_HANDLE_VALUE
- {
- BytesReturned = 0;
- memset(&Dst, 0, 0xCu); // zero the 12-byte query: PropertyId 0 / QueryType 0 (see header note)
- Dst = 0;
- memset(OutBuffer, 0, 0x100u); // 0x100 bytes spans OutBuffer and v12 (stack 0x134..0x234); decompiler split one buffer in two
- memset(Str, 0, 0x100u);
- //IOCTL_STORAGE_QUERY_PROPERTY = 0x2D1400
- if ( DeviceIoControl(hDevice, 0x2D1400u, &Dst, 0xCu, OutBuffer, 0x100u, &BytesReturned, 0) )
- {
- v4 = 0;
- for ( i = v12; OutBuffer[i]; ++i ) // copy from the offset read out of the response until NUL; no bound on i, trusts v12 from the driver
- Str[v4++] = OutBuffer[i]; // NOTE(review): the __int16 typing of OutBuffer is probably a decompiler artefact -- the descriptor's string fields are ANSI bytes; confirm in the disassembly whether this widens byte to wchar
- v0 = wcslen((const wchar_t *)Str);
- CharLowerBuffW((LPWSTR)Str, v0); // case-insensitive match: lower-case in place
- for ( j = 0; j < 5; ++j )
- {
- if ( *(&SubStr)[j] && dowcsstr((wchar_t *)Str, (&SubStr)[j]) ) // skip empty entries; dowcsstr is presumably a wcsstr-like helper elsewhere in the sample
- return 1; // match -> "VM detected"; hDevice is not closed on this path (handle leak in the sample)
- }
- }
- CloseHandle(hDevice); // only reached on the no-match / IOCTL-failure paths
- }
- return 0; // open failed, IOCTL failed, or no marker found
- }