reverted rev 82
diff --git
a/compile/vmware-detect.c
b/compile/vmware-detect.c
index
8ee1a7c
..
7662a5a
100644
(file)
--- a/
compile/vmware-detect.c
+++ b/
compile/vmware-detect.c
@@
-2,6
+2,7
@@
#include "unistd.h"
#include "stdio.h"
#include "stdlib.h"
#include "unistd.h"
#include "stdio.h"
#include "stdlib.h"
+#include "signal.h"
#define WRITE(x) write(1, x, strlen(x))
#define DWRITE(x) do{ \
#define WRITE(x) write(1, x, strlen(x))
#define DWRITE(x) do{ \
@@
-12,6
+13,12
@@
#define FALSE 0
#define TRUE !FALSE
#define FALSE 0
#define TRUE !FALSE
+/* doc:
+ * vmware IO backdoor: http://chitchat.at.infoseek.co.jp/vmware/backdoor.html
+ * http://www.honeynet.org/papers/bots/botnet-code.html
+ * http://www.codegurus.be/codegurus/Programming/virtualpc&vmware_en.htm
+ */
+
// from libowfat {{{
static inline char tohex(char c) {
return c>=10?c-10+'a':c+'0';
// from libowfat {{{
static inline char tohex(char c) {
return c>=10?c-10+'a':c+'0';
@@
-33,7
+40,7
@@
unsigned int fmt_xlong(char *dest,unsigned long i) {
void printIdtr(const unsigned char* idtr, unsigned size)
{
unsigned i;
void printIdtr(const unsigned char* idtr, unsigned size)
{
unsigned i;
- for(i=0; i<
=
size; ++i) {
+ for(i=0; i<size; ++i) {
char out[4] = {0};
fmt_xlong(out, idtr[i]);
WRITE(out);
char out[4] = {0};
fmt_xlong(out, idtr[i]);
WRITE(out);
@@
-41,6
+48,7
@@
void printIdtr(const unsigned char* idtr, unsigned size)
WRITE("\n");
}
WRITE("\n");
}
+// i386 {{{
#if defined (__i386__)
int checkVmware(const int debug)
{
#if defined (__i386__)
int checkVmware(const int debug)
{
@@
-52,7
+60,7
@@
int checkVmware(const int debug)
}
int checkVmwareIO()
{
}
int checkVmwareIO()
{
- unsigned int vmaj, vmin, magic, dout;
+ unsigned int vmaj, vmin, magic, dout
= 11
;
__asm__ __volatile__(
"mov $0x564D5868, %%eax; /* magic number */"
"mov $0x3c6cf712, %%ebx; /* random number */"
__asm__ __volatile__(
"mov $0x564D5868, %%eax; /* magic number */"
"mov $0x3c6cf712, %%ebx; /* random number */"
@@
-64,8
+72,15
@@
int checkVmwareIO()
"mov %%ecx, %2;"
"mov %%edx, %3;"
: "=r"(vmaj), "=r"(magic), "=r"(vmin), "=r"(dout));
"mov %%ecx, %2;"
"mov %%edx, %3;"
: "=r"(vmaj), "=r"(magic), "=r"(vmin), "=r"(dout));
+#ifdef DEBUG
+ fprintf(stderr, "version: major=%x, minor=%x, magic=%x, dout=%x\n",
+ vmaj, vmin, magic, dout);
+#endif
return (0x564D5868 == magic) ? 1 : 0;
}
return (0x564D5868 == magic) ? 1 : 0;
}
+// }}}
+
+// x86-64 {{{
#elif defined (__x86_64__)
// only guessed, possible need to check against 0xffff?
int checkVmware(const int debug)
#elif defined (__x86_64__)
// only guessed, possible need to check against 0xffff?
int checkVmware(const int debug)
@@
-77,11
+92,15
@@
int checkVmware(const int debug)
return (0xff==idtr[9]) ? 1 : 0;
}
int checkVmwareIO() { return 0; }
return (0xff==idtr[9]) ? 1 : 0;
}
int checkVmwareIO() { return 0; }
+// }}}
+
+// others {{{
#else
// vmware runs only on the archs above
int checkVmware(const int) { return 0; }
int checkVmwareIO() { return 0; }
#endif
#else
// vmware runs only on the archs above
int checkVmware(const int) { return 0; }
int checkVmwareIO() { return 0; }
#endif
+// }}}
// returns 0 if running inside vmware, 1 otherwise
int main(int argc, char* argv[]) {
// returns 0 if running inside vmware, 1 otherwise
int main(int argc, char* argv[]) {
@@
-95,9
+114,10
@@
int main(int argc, char* argv[]) {
DWRITE("idt-check: ")
if(!a) {
DWRITE("false\n");
DWRITE("idt-check: ")
if(!a) {
DWRITE("false\n");
- return 1;
- }
- DWRITE("true\n");
+ if(!debug)
+ return EXIT_FAILURE;
+ } else
+ DWRITE("true\n");
// never returns if not running under vmware
void dummy() { DWRITE("false\n"); exit(1); }
// never returns if not running under vmware
void dummy() { DWRITE("false\n"); exit(1); }
@@
-106,9
+126,10
@@
int main(int argc, char* argv[]) {
b = checkVmwareIO();
if(b) {
DWRITE("true\n");
b = checkVmwareIO();
if(b) {
DWRITE("true\n");
- return
0
;
+ return
EXIT_SUCCESS
;
}
// never reached
}
// never reached
- return 1;
+ WRITE("Error: IO check hasn't killed the program but no vmware found either!\n");
+ return EXIT_FAILURE;
}
// vim: foldmethod=marker
}
// vim: foldmethod=marker
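Review bot: The `dout = 11` initialiser added in the checkVmwareIO hunk is dead code, because every operand of that inline asm is a write-only `"=r"` output, and the operand list it sits in has a real problem the commit leaves alone: the asm loads `%eax` and `%ebx` and ends with `mov %%ecx, %2; mov %%edx, %3`, yet it declares no clobbers, so the compiler may allocate any of the four `"=r"` outputs to `%eax`/`%ebx`/`%ecx`/`%edx` themselves, e.g. `%2` to `%edx`, after which `mov %%edx, %3` reads a register the previous move already overwrote and the `0x564D5868 == magic` compare returns the wrong answer without any warning. Binding the outputs to the registers the backdoor reply lives in removes both the trailing moves and the hazard: `: "=a"(vmaj), "=b"(magic), "=c"(vmin), "=d"(dout)`, with the `mov %%e?x, %N` lines deleted; on i386 PIC builds `%ebx` may be reserved by the compiler, in which case it has to be saved and restored inside the asm instead of using `"=b"`. The `in` instruction and the moves that presumably fill `%0` and `%1` are outside the hunk, so confirm that `%0` receives `%eax` and `%1` `%ebx` before switching the constraints.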