waliedassar

Detect VirtualBox (Bios Brand & Bios Version Trick)

Oct 5th, 2012
//http://waleedassar.blogspot.com (@waleedassar)
//Reads the "SMBiosData" registry value to extract the BIOS Brand and BIOS Version strings.
//If the BIOS Brand string is "innotek GmbH" or the BIOS Version string is "VirtualBox", it is a sign that we are running in VirtualBox.
//The same information can also be extracted through WMI.
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
#include <string.h>
  /*
   * Upper-cases the ASCII letters 'a'..'z' in the first len bytes of str,
   * in place. Every other byte (including embedded NULs) is left untouched,
   * so the routine can be run over a binary blob as well as a C string.
   */
  void AllToUpper(char* str,unsigned long len)
  {
      char* cur=str;
      unsigned long remaining=len;

      while(remaining!=0)
      {
          char ch=*cur;
          if(!(ch<'a' || ch>'z'))
          {
              /* 'a' - 'A' == 32 in ASCII */
              *cur=(char)(ch-('a'-'A'));
          }
          cur++;
          remaining--;
      }
  }
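  /*
   * Finds the first occurrence of the NUL-terminated string2 inside the
   * binary buffer data[0 .. data_length-1].
   *
   * Returns a pointer into data at the start of the match, or 0 when there
   * is no match, when either pointer is null, or when string2 is longer
   * than the buffer. An empty string2 matches at data[0].
   *
   * The returned pointer is only guaranteed to address strlen(string2)
   * valid bytes; nothing here promises a NUL terminator after the match,
   * so a caller that prints the result with "%s" must make sure the buffer
   * itself is terminated.
   */
  unsigned char* ScanDataForString(unsigned char* data,unsigned long data_length,unsigned char* string2)
  {
      unsigned long string_length;
      unsigned long last_start;
      unsigned long i;

      if(!data || !string2) return 0;

      string_length=(unsigned long)strlen((char*)string2);

      /* Both lengths are unsigned: without this check the subtraction below
         wraps around and the loop walks far past the end of the buffer. */
      if(string_length>data_length) return 0;

      last_start=data_length-string_length;
      for(i=0;i<=last_start;i++)
      {
          /* memcmp, not strncmp: data is a binary blob with embedded NULs. */
          if(memcmp(&data[i],string2,string_length)==0) return &data[i];
      }
      return 0;
  }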
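  /*
   * Reads the raw "SMBiosData" value from
   * HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\data, upper-cases it and
   * searches it for vendor strings associated with VirtualBox. Prints
   * "VirtualBox detected" plus the matched strings when at least one is
   * found; prints nothing otherwise. Always returns 0.
   *
   * Notes for readers:
   *  - The key is opened with KEY_QUERY_VALUE. The value is only read, and
   *    asking for KEY_ALL_ACCESS on an HKLM key fails for non-elevated
   *    users, which made the check silently report nothing.
   *  - The buffer is allocated one byte larger than the value and is
   *    zero-initialised, so every match handed to printf("%s") is followed
   *    by a NUL inside the allocation even if the blob does not end in one.
   *  - The search is a plain substring match over the whole blob, not a
   *    parse of the SMBIOS structures. Generic markers such as
   *    "VIRTUAL MACHINE" or "SUN MICROSYSTEMS" may also be present on
   *    systems that are not VirtualBox guests; treat a hit as a hint.
   *  - From a monitoring point of view, a read of this value by an ordinary
   *    application is a recognisable sign of virtual-machine environment
   *    checking.
   */
  int main(int argc, char* argv[])
  {
      static const char* const signatures[]=
      {
          "INNOTEK GMBH",
          "VIRTUALBOX",
          "SUN MICROSYSTEMS",
          "VIRTUAL MACHINE",
          "VBOXVER"
      };
      enum { SIGNATURE_COUNT=sizeof(signatures)/sizeof(signatures[0]) };

      HKEY hk=0;
      unsigned long type=0;
      unsigned long length=0;
      char* p=0;
      unsigned char* hits[SIGNATURE_COUNT];
      int found=0;
      unsigned int i;
      long ret;

      (void)argc;
      (void)argv;

      /* The A-suffixed calls are named explicitly because the key and value
         names are narrow string literals. */
      ret=RegOpenKeyExA(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\mssmbios\\data",0,KEY_QUERY_VALUE,&hk);
      if(ret!=ERROR_SUCCESS) return 0;

      /* First call: ask only for the size of the value. */
      ret=RegQueryValueExA(hk,"SMBiosData",0,&type,0,&length);
      if(ret!=ERROR_SUCCESS || length==0) goto done;

      /* +1 zeroed byte so the blob is always NUL-terminated for printf. */
      p=(char*)LocalAlloc(LMEM_ZEROINIT,(SIZE_T)length+1);
      if(!p) goto done;

      /* Second call: fetch the data. length still excludes the extra byte,
         so the terminator can never be overwritten. */
      ret=RegQueryValueExA(hk,"SMBiosData",0,&type,(unsigned char*)p,&length);
      if(ret!=ERROR_SUCCESS) goto done;

      AllToUpper(p,length);

      for(i=0;i<SIGNATURE_COUNT;i++)
      {
          hits[i]=ScanDataForString((unsigned char*)p,length,(unsigned char*)signatures[i]);
          if(hits[i]) found=1;
      }

      if(found)
      {
          printf("VirtualBox detected\r\n");
          printf("Some Strings found:\r\n");
          for(i=0;i<SIGNATURE_COUNT;i++)
          {
              if(hits[i]) printf("%s\r\n",hits[i]);
          }
      }

  done:
      if(p) LocalFree(p);
      RegCloseKey(hk);
      return 0;
  }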