Merge pull request #65 from LordNoteworthy/Noteworthy

Noteworthy

README.md

@@ -1,4 +1,4 @@
-##Al-Khaser v0.61
+##Al-Khaser v0.64
 
 ![Logo](https://www.mindmeister.com/files/avatars/0035/8332/original/avatar.jpg)
 
@@ -81,9 +81,10 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 - CreateTimerQueueTimer (todo)
 - Big crypto loops (todo)
 
-### Human Interaction [Anti-Sandbox]
+### Human Interaction / Generic [Anti-Sandbox]
 - Mouse movement
 - Total Physical memory (GlobalMemoryStatusEx)
+- Disk size using DeviceIoControl (IOCTL_DISK_GET_LENGTH_INFO)
 - Mouse (Single click / Double click) (todo)
 - DialogBox (todo)
 - Scrolling (todo)
@@ -106,7 +107,7 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 	- HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 (Identifier) (VMWARE)
 
 - **Registry Keys artifacts**
-	- "HARDWARE\\ACPI\\RSDT\\VBOX__"
+	- "HARDWARE\\ACPI\\DSDT\\VBOX__"
 	- "HARDWARE\\ACPI\\FADT\\VBOX__"
 	- "HARDWARE\\ACPI\\RSDT\\VBOX__"
 	- "SOFTWARE\\Oracle\\VirtualBox Guest Additions"

al-khaser/Al-khaser.cpp

@@ -7,7 +7,7 @@ int main(void)
 	resize_console_window();
 
 	/* Display general informations */
-	_tprintf(_T("[al-khaser version 0.61]"));
+	_tprintf(_T("[al-khaser version 0.64]"));
 	print_os();
 
 	if (IsWoW64())
@@ -50,6 +50,7 @@ int main(void)
 	exec_check(&str_trick, TEXT("Checking Global Descriptor Table location: "));
 	exec_check(&number_cores_wmi, TEXT("Checking Number of cores in machine using WMI: "));
 	exec_check(&disk_size_wmi, TEXT("Checking hard disk size using WMI: "));
+	exec_check(&dizk_size_deviceiocontrol, TEXT("Checking hard disk size using DeviceIoControl: "));
 	exec_check(&setupdi_diskdrive, TEXT("Checking SetupDi_diskdrive: "));
 	exec_check(&mouse_movement, TEXT("Checking mouse movement: "));
 	exec_check(&memory_space, TEXT("Checking memory space using GlobalMemoryStatusEx: "));

al-khaser/Anti VM/Generic.cpp

@@ -253,6 +253,54 @@ BOOL disk_size_wmi()
 }
 
 
+/*
+DeviceIoControl works with disks directly rather than partitions (GetDiskFreeSpaceEx)
+We can send IOCTL_DISK_GET_LENGTH_INFO code to get the raw byte size of the physical disk
+*/
+BOOL dizk_size_deviceiocontrol()
+{
+	HANDLE hDevice = INVALID_HANDLE_VALUE;
+	BOOL bResult = FALSE;
+	GET_LENGTH_INFORMATION size = { 0 };
+	DWORD lpBytesReturned = 0;
+	LONGLONG minHardDiskSize = (80LL * (1024LL * (1024LL * (1024LL))));
+
+	// This technique required admin priviliege starting from Vira Windows Vista
+	if (!IsElevated() && IsWindowsVistaOrGreater())
+		return FALSE;
+
+	hDevice = CreateFile(_T("\\\\.\\PhysicalDrive0"),
+		GENERIC_READ,                // no access to the drive
+		FILE_SHARE_READ, 			// share mode
+		NULL,						// default security attributes
+		OPEN_EXISTING,				// disposition
+		0,							// file attributes
+		NULL);						// do not copy file attributes
+
+	if (hDevice == INVALID_HANDLE_VALUE) {
+		CloseHandle(hDevice);
+		return FALSE;
+	}
+
+	bResult = DeviceIoControl(
+		hDevice,					// device to be queried
+		IOCTL_DISK_GET_LENGTH_INFO, // operation to perform
+		NULL, 0,					// no input buffer
+		&size, sizeof(GET_LENGTH_INFORMATION),
+		&lpBytesReturned,			// bytes returned
+		(LPOVERLAPPED) NULL);   // synchronous I/O
+
+	if (bResult != NULL) {
+		if (size.Length.QuadPart < minHardDiskSize) // 80GB
+			bResult = TRUE;
+		else
+			bResult = FALSE;
+	}
+
+	CloseHandle(hDevice);
+	return bResult;
+}
+
 
 BOOL setupdi_diskdrive()
 {

al-khaser/Anti VM/Generic.h

@@ -2,10 +2,12 @@
 #include <tchar.h>
 #include <Winternl.h>
 #include <devguid.h>    // Device guids
+#include <winioctl.h>	// IOCTL
 #include <SetupAPI.h>
 #pragma comment(lib, "setupapi.lib")
 
 #include "../Shared/Utils.h"
+#include "../Shared/VersionHelpers.h"
 
 VOID loaded_dlls();
 BOOL NumberOfProcessors();
@@ -17,4 +19,5 @@ BOOL number_cores_wmi();
 BOOL disk_size_wmi();
 BOOL setupdi_diskdrive();
 BOOL mouse_movement();
-BOOL memory_space();
+BOOL memory_space();
+BOOL dizk_size_deviceiocontrol();

al-khaser/Anti VM/VirtualBox.cpp

@@ -34,7 +34,7 @@ VOID vbox_reg_keys()
 {
 	/* Array of strings of blacklisted registry keys */
 	TCHAR* szKeys[] = {
-		_T("HARDWARE\\ACPI\\RSDT\\VBOX__"),
+		_T("HARDWARE\\ACPI\\DSDT\\VBOX__"),
 		_T("HARDWARE\\ACPI\\FADT\\VBOX__"),
 		_T("HARDWARE\\ACPI\\RSDT\\VBOX__"),
 		_T("SOFTWARE\\Oracle\\VirtualBox Guest Additions"),

al-khaser/Shared/Utils.cpp

@@ -755,4 +755,25 @@ UCHAR* get_str_base()
 
 	// printf("STR base: 0x%02x%02x%02x%02x\n", mem[0], mem[1], mem[2], mem[3]);
 	return mem;
+}
+
+/*
+Check if a process is running with admin rights
+*/
+BOOL IsElevated() 
+{
+	BOOL fRet = FALSE;
+	HANDLE hToken = NULL;
+
+	if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
+		TOKEN_ELEVATION Elevation;
+		DWORD cbSize = sizeof(TOKEN_ELEVATION);
+		if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &cbSize)) {
+			fRet = Elevation.TokenIsElevated;
+		}
+	}
+	if (hToken) {
+		CloseHandle(hToken);
+	}
+	return fRet;
 }

al-khaser/Shared/Utils.h

@@ -35,6 +35,7 @@ ULONG get_idt_base();
 ULONG get_ldt_base();
 ULONG get_gdt_base();
 UCHAR* get_str_base();
+BOOL IsElevated();
 
 #define	MALLOC(x)	HeapAlloc(GetProcessHeap(), 0, x)
 #define FREE(x)		HeapFree(GetProcessHeap(), 0, x)