X-Git-Url: http://git.grml.org/?a=blobdiff_plain;f=compile%2Fvmware-detect.c;h=c99e36ff05e67911839177a562088a1b47ad8d3f;hb=34819b81d79e260d1fca486316806bc1b2e33896;hp=d242a388d52d59839c9a39a4022e1c4eb8102665;hpb=e720deae78f1eda5e6f62629606c194f16796762;p=grml-scripts.git

diff --git a/compile/vmware-detect.c b/compile/vmware-detect.c
index d242a38..c99e36f 100644
--- a/compile/vmware-detect.c
+++ b/compile/vmware-detect.c
@@ -1,13 +1,143 @@
-#include <stdio.h>
-int main() {
-  unsigned char idtr[6];
-  asm("sidt %0" : "=m" (idtr));
-  if(0xff==idtr[5])
-  {
-    return 0;
-  }
-  else
-  {
-    return 1;
-  }
+/* Filename:      vmware-detect.c
+*  Purpose:       Detect if running inside vmware
+*  Authors:       grml-team (grml.org), (c) Michael Gebetsroither <gebi@grml.org>
+*  Bug-Reports:   see http://grml.org/bugs/
+*  License:       This file is licensed under the GPL v2.
+*******************************************************************************/
+// return 0 if running inside vmware, 1 otherwise
+
+#include "string.h"
+#include "unistd.h"
+#include "stdio.h"
+#include "stdlib.h"
+#include "signal.h"
+
+#define WRITE(x) write(1, x, strlen(x))
+#define DWRITE(x) do{ \
+    if(debug) { \
+        WRITE(x); \
+    } \
+} while(0);
+#define FALSE 0
+#define TRUE !FALSE
+
+/* doc:
+ * vmware IO backdoor: http://chitchat.at.infoseek.co.jp/vmware/backdoor.html
+ * http://www.honeynet.org/papers/bots/botnet-code.html
+ * http://www.codegurus.be/codegurus/Programming/virtualpc&vmware_en.htm
+ */
+
+// from libowfat {{{
+static inline char tohex(char c) {
+  return c>=10?c-10+'a':c+'0';
 }
+
+unsigned int fmt_xlong(char *dest,unsigned long i) {
+  register unsigned long len,tmp;
+  /* first count the number of bytes needed */
+  for (len=1, tmp=i; tmp>15; ++len) tmp>>=4;
+  if (dest)
+    for (tmp=i, dest+=len; ; ) {
+      *--dest = tohex(tmp&15);
+      if (!(tmp>>=4)) break;
+    }
+  return len;
+}
+// }}}
+
+void printIdtr(const unsigned char* idtr, unsigned size)
+{
+    unsigned i;
+    for(i=0; i<size; ++i) {
+        char out[4] = {0};
+        fmt_xlong(out, idtr[i]);
+        if(strlen(out) == 1)
+            WRITE("0");
+        WRITE(out);
+    }
+    WRITE("\n");
+}
+
+// i386 and x86-64 {{{
+#if defined (__i386__) || defined (__x86_64__)
+int checkVmware(const int debug)
+{
+    unsigned char idtr[10] = {0};
+    asm("sidt %0" : "=m" (idtr));
+    if(debug)
+        printIdtr(idtr, sizeof(idtr));
+    // should normally be the case on amd64, but does not work
+    //return (0xff==idtr[9]) ? 1 : 0;
+    return (0xff==idtr[5]) ? 1 : 0;
+}
+int checkVmwareIO()
+{
+    unsigned int vmaj, vmin, magic, dout = 11;
+    __asm__ __volatile__(
+            "mov $0x564D5868, %%eax; /* magic number */"
+            "mov $0x3c6cf712, %%ebx; /* random number */"
+            "mov $0x0000000A, %%ecx; /* specifies command */"
+            "mov $0x5658, %%edx; /* VMware I/O port */"
+            "in %%dx, %%eax;"
+            "mov %%eax, %0;"
+            "mov %%ebx, %1;"
+            "mov %%ecx, %2;"
+            "mov %%edx, %3;"
+        : "=r"(vmaj), "=r"(magic), "=r"(vmin), "=r"(dout));
+#ifdef DEBUG
+    fprintf(stderr, "version: major=%x, minor=%x, magic=%x, dout=%x\n",
+            vmaj, vmin, magic, dout);
+#endif
+    return (0x564D5868 == magic) ? 1 : 0;
+}
+// }}}
+
+// others {{{
+#else
+// vmware runs only on the archs above
+int checkVmware(const int) { return 0; }
+int checkVmwareIO() { return 0; }
+#endif
+// }}}
+
+static int Killed = FALSE;
+
+// returns 0 if running inside vmware, 1 otherwise
+int main(int argc, char* argv[]) {
+    int debug = FALSE;
+    if(argc == 2 && !strcmp(argv[1], "--debug"))
+        debug = TRUE;
+
+    int a, b;
+    // known to be false positives
+    a = checkVmware(debug);
+    DWRITE("idt-check: ")
+    if(!a) {
+        DWRITE("false\n");
+        if(!debug)
+            return EXIT_FAILURE;
+    } else
+        DWRITE("true\n");
+
+    // never returns if not running under vmware
+    void dummy() { Killed=TRUE; DWRITE("false\n"); exit(1); }
+    signal(SIGSEGV, dummy);
+    DWRITE("ioport-check: ");
+    b = checkVmwareIO();
+    if(b) {
+        DWRITE("true\n");
+        return EXIT_SUCCESS;
+    } else {
+        if(!Killed) {
+            // check unusable or not implemented
+            DWRITE("false\n");
+            DWRITE("Check not implemented, yet!\n");
+            return a ? EXIT_SUCCESS : EXIT_FAILURE;
+        } else {
+            // never reached
+            WRITE("Error: IO check hasn't killed the program but no vmware found either!\n");
+            return EXIT_FAILURE;
+        }
+    }
+}
+// vim: foldmethod=marker