ايران ويج

کد: 
//-----------------------------------------------------------------------------

// Object: detect Vmware, VirtualBox, VirtualPc and Qemu by comparing 

//         virtual disk model description

//----------------------------------------------------------------------------

#include <windows.h>

#include <stdio.h>

#include "Drive.h"

// Code was originally written by Lynn McGuire

// http://www.winsim.com/diskid32/winio/diskid32.cpp

// Virtual Harddisk Model Desciptions have to be in uppercase

PCHAR pVirtualDriveModelNames[] = {"VBOX HARDDRIVE",

                                   "QEMU HARDDISK",

                                   "VMWARE VIRTUAL IDE HARD DRIVE",

                                   "VIRTUAL HD"};

//-----------------------------------------------------------------------------

// Name: GetFirstPhysicalDriveModelNames

// Object:  get model name of the first found physical drive

// Parameters :

//           in :

//          out :

//     return : model description on success or NULL

//                caller have to free mem on success!

//-----------------------------------------------------------------------------

PSTR GetFirstPhysicalDriveModelNames()

{

    HANDLE hDrive;

    DWORD dwBytesReturned = 0;

    DWORD dwCnt;

    BYTE bIDInCmd = 0;  

    SENDCMDINPARAMS  Scip;

    BYTE pIDOutCmd[sizeof(SENDCMDOUTPARAMS) + IDENTIFY_BUFFER_SIZE - 1];

    PIDSECTOR pIdSector;

    GETVERSIONOUTPARAMS VersionParams;

    PSTR pszModel = malloc(sizeof(pIdSector->sModelNumber));

    // Open first physical drive

    hDrive = CreateFileA("\\\\.\\PhysicalDrive0", 

                         GENERIC_READ | GENERIC_WRITE, 

                         FILE_SHARE_READ | FILE_SHARE_WRITE, 

                         NULL,

                         OPEN_EXISTING, 

                         0, 

                          NULL);

    if (hDrive == INVALID_HANDLE_VALUE)

    {

        printf ("Unable to open physical drive 0, error code: 0x%lX\n", GetLastError ());

        goto Error;

    }

    memset (&VersionParams, 0, sizeof(VersionParams));

    // Get the version and co, of previousliy opened physical drive driver

    if (!DeviceIoControl(hDrive, 

        DFP_GET_VERSION,

        NULL, 

        0,

        &VersionParams,

        sizeof(VersionParams),

        &dwBytesReturned, 

        NULL))

    {         

        printf ("DFP_GET_VERSION failed error code: 0x%lX\n", GetLastError ());

        goto Error;

    }

    // Is there bit map of IDE devices?

    if (VersionParams.bIDEDeviceMap > 0)

    {

        // Get ID sector and decide if its a ATAPI or ATA disk

        bIDInCmd = (VersionParams.bIDEDeviceMap & 0x10) ? IDE_ATAPI_IDENTIFY : IDE_ATA_IDENTIFY;

        memset (&Scip, 0, sizeof(Scip));

        memset (pIDOutCmd, 0, sizeof(pIDOutCmd));

        // Set up data structures for IDENTIFY command

        Scip.cBufferSize = IDENTIFY_BUFFER_SIZE;

        Scip.irDriveRegs.bFeaturesReg = 0;

        Scip.irDriveRegs.bSectorCountReg = 1;

        Scip.irDriveRegs.bSectorNumberReg = 1;

        Scip.irDriveRegs.bCylLowReg = 0;

        Scip.irDriveRegs.bCylHighReg = 0;

        // Compute the drive number

        Scip.irDriveRegs.bDriveHeadReg = 0xA0 | (1 << 4);

        // The command can either be IDE identify or ATAPI identify

        Scip.irDriveRegs.bCommandReg = bIDInCmd;

        Scip.bDriveNumber = 0;

        Scip.cBufferSize = IDENTIFY_BUFFER_SIZE;

        // Get drive data

        if(!DeviceIoControl(hDrive, 

                            DFP_RECEIVE_DRIVE_DATA,

                            (LPVOID) &Scip,

                            sizeof(SENDCMDINPARAMS) - 1,

                            (LPVOID) pIDOutCmd,

                            sizeof(SENDCMDOUTPARAMS) + IDENTIFY_BUFFER_SIZE - 1,

                            &dwBytesReturned, 

                            NULL))

        {

            printf ("DFP_RECEIVE_DRIVE_DATA failed error code: 0x%lX\n", GetLastError ());

            goto Error;

        }

        // Point to IDSECTOR

        pIdSector = (PIDSECTOR)((PSENDCMDOUTPARAMS)pIDOutCmd)->bBuffer;

        // Exchange every two bytes of sModelNumber 

        for(dwCnt = 0; dwCnt < sizeof(pIdSector->sModelNumber); dwCnt+=2)

        {

            pszModel[dwCnt+1] = pIdSector->sModelNumber[dwCnt];

            pszModel[dwCnt] = pIdSector->sModelNumber[dwCnt+1];

        }

        // Add ending

        pszModel[dwCnt] = '\0';

        return CharUpperA(pszModel);

    }

Error:

    free(pszModel);

    if(hDrive)

        CloseHandle(hDrive);

    return NULL;

}

//-----------------------------------------------------------------------------

// Name: PrintSandboxed

// Object:  print a message through CreateFile which will be analysed by the 

//            sandbox and will appear in the report file

// Parameters :

//     in      : PSTR pszMsg : print message

//       out      :

//     return :

//-----------------------------------------------------------------------------

void PrintSandboxed(PSTR pszMsg)

{

    HANDLE hFile;

    hFile = CreateFileA(pszMsg, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);

    if(hFile != INVALID_HANDLE_VALUE)

        CloseHandle(hFile);

}

int main()

{

    DWORD dwCnt;

    PSTR pszModel = GetFirstPhysicalDriveModelNames();

    printf(pszModel);

    // Compare each model name

    for(dwCnt = 0; dwCnt < sizeof(pVirtualDriveModelNames)/sizeof(PSTR); ++dwCnt)

    {

        if(strstr(pszModel,pVirtualDriveModelNames[dwCnt]))

        {

            PrintSandboxed("Found virtual machine or emulator");

            goto CleanUp;

        }

    }

    PrintSandboxed("We are running on a real system");

CleanUp:

    // GetFirstPhysicalDriveModelNames

    free(pszModel);

    return 0;

}
lord_viper
