G36KV
11.07.2010, 12:10
Entstanden aus dem Thread: http://free-hack.com/video-tutorials/59571-wireshark-modden.html
Credits: BlackBerry, Microsoft, istealer
Sprache: Mix aus C und C++, programmiert mit VS 2010
5 Anti-Wireshark Methoden
2 Anti-VM Methoden
werde wohl noch paar mehr adden, wenn ich Zeit hab... Wenn jemand noch welche hat einfach posten...
Includes und Prototypes weggekürzt so dass es in den Thread passt.
// Global: process ID of the most recent match found by the get_wireshark_*
// checks (also written by the ShowAllWindows callback). main() reads it for
// output after each check; each check resets it to 0 before searching.
DWORD pid;
// Method 1: window-class lookup.
// Searches for a top-level window of class "gdkWindowToplevel" (the window
// class GTK+ registers on Windows) and returns the owning process ID, or 0 when
// no such window exists. Any GTK-based application creates windows of this
// class, so a hit is not specific to Wireshark (false-positive prone).
// Side effect: stores the result in the global `pid`.
// The return value of GetWindowThreadProcessId is not checked.
DWORD get_wireshark_1(void)
{
    pid = 0;
    HWND const toplevel = FindWindow("gdkWindowToplevel", 0);
    if (toplevel == 0)
        return 0;
    GetWindowThreadProcessId(toplevel, &pid);
    return pid;
}
// Method 2: loaded-module scan.
// Enumerates all processes, opens each one, lists its modules and compares
// every module base name case-insensitively with "libwireshark.dll". Returns
// the first matching PID (also stored in the global `pid`) or 0.
//
// Review notes (defects, not fixed here):
//  - hProcess is never closed: every successful OpenProcess leaks a handle,
//    including on the `continue` after a failed EnumProcessModules and on the
//    early return.
//  - processes[100] and mods[100] are fixed-size buffers. EnumProcesses and
//    EnumProcessModules do not report an error when the buffer is too small,
//    so entries beyond the first 100 are silently never inspected; comparing
//    szneeded1/szneeded2 with the buffer size would reveal the truncation.
//  - PROCESS_VM_OPERATION and PROCESS_VM_WRITE are write rights that a
//    read-only enumeration does not use; least privilege would drop them.
//  - pname[50] truncates longer module names; harmless for this comparison.
DWORD get_wireshark_2(void)
{
    DWORD processes[100];
    DWORD szneeded1;           // bytes EnumProcesses wrote into processes[]
    DWORD szneeded2;           // bytes EnumProcessModules wrote into mods[]
    HANDLE hProcess;
    HMODULE mods[100];
    char pname[50];
    DWORD i;
    DWORD j;
    if (!EnumProcesses(processes, sizeof(processes), &szneeded1))
        return 0;
    // Number of PIDs actually returned (capped by the buffer size).
    for(i = 0; i < (szneeded1 / sizeof(DWORD) ); i++)
    {
        // Processes that cannot be opened (access denied, exited) are skipped.
        if (!(hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, 0, processes[i])))
            continue;
        // NOTE(review): hProcess leaks here and on every later path.
        if (!(EnumProcessModules(hProcess, mods, sizeof(mods), &szneeded2)))
            continue;
        for(j = 0; j < (szneeded2 / sizeof(HMODULE)); j++)
        {
            // nSize is in characters; sizeof - 1 leaves room for the terminator.
            if (GetModuleBaseName(hProcess, mods[j], pname, sizeof(pname) - 1))
            {
                if (!_stricmp(pname, "libwireshark.dll"))
                {
                    pid = processes[i];
                    return pid;
                }
            }
        }
    }
    return 0;
}
// Method 3: window-title scan.
// Resets the global `pid`, then has EnumWindows invoke ShowAllWindows (defined
// below) for every top-level window; the callback stores the owner PID of any
// window whose title matches. Returns that PID or 0.
//
// Notes:
//  - The callback always returns TRUE, so enumeration never stops early and
//    `pid` belongs to the *last* matching window, not the first.
//  - The (WNDENUMPROC) cast is unnecessary (ShowAllWindows already has that
//    signature) and would mask a signature mismatch if one were introduced.
DWORD get_wireshark_3(void)
{
    pid = 0;
    EnumWindows((WNDENUMPROC)ShowAllWindows, 0);
    return pid;
}
// Method 4: process-name scan via ToolHelp.
// Takes a process snapshot and compares each entry's executable name
// case-insensitively with "dumpcap.exe" and "wireshark.exe". Stores the first
// match in the global `pid` and returns it, or 0 when nothing matched.
//
// Review notes (defects, not fixed here):
//  - CreateToolhelp32Snapshot may return INVALID_HANDLE_VALUE; it is not
//    checked before use.
//  - The result of Process32First is ignored. If it fails, the do/while body
//    reads pe32.szExeFile uninitialized.
DWORD get_wireshark_4(void) {
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
    pid = 0;
    hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    pe32.dwSize = sizeof( PROCESSENTRY32 );   // required before Process32First
    Process32First( hProcessSnap, &pe32 );
    do {
        if (!_stricmp(pe32.szExeFile, "dumpcap.exe") || !_stricmp(pe32.szExeFile, "wireshark.exe"))
        {
            pid = pe32.th32ProcessID;
            break;   // first match wins
        }
    } while( Process32Next( hProcessSnap, &pe32 ) );
    CloseHandle( hProcessSnap );
    return pid;
}
// Method 5: install-directory check.
// Builds "<Program Files>\Wireshark" and prints a message when that path
// exists (any attribute value other than INVALID_FILE_ATTRIBUTES counts).
// Unlike methods 1-4 it prints its own result and does not set `pid`.
//
// Review notes:
//  - SHGetSpecialFolderPath's return value is not checked; on failure `pfad`
//    is uninitialized and strcat_s would operate on a non-terminated buffer.
//  - Only the default install location is tested. For a 32-bit process on
//    64-bit Windows the folder resolved here is presumably
//    "Program Files (x86)" — confirm.
void get_wireshark_5(void)
{
    char pfad[MAX_PATH];
    SHGetSpecialFolderPath(0,pfad, CSIDL_PROGRAM_FILES, FALSE);
    strcat_s(pfad, MAX_PATH, "\\Wireshark");
    if (GetFileAttributes(pfad) != INVALID_FILE_ATTRIBUTES)
    {
        printf("Wireshark found - Method 5\n");
    }
}
// EnumWindows callback used by get_wireshark_3.
// Reads the window title and, if it contains "ireshark" (covers both
// "Wireshark" and "wireshark"), "Analyzer" or "Capturing", stores the owning
// process ID in the global `pid`. Always returns TRUE so enumeration continues
// to the next window. lParam is unused.
//
// Review notes:
//  - GetWindowText's return value is not checked; the buffer is presumably
//    left empty/terminated on failure, but that is not verified here.
//  - `!= -1` works only because -1 converts to std::string::npos; spelling
//    std::string::npos would make the intent explicit.
//  - "Analyzer" and "Capturing" are generic words, so other applications'
//    windows can match as well.
BOOL CALLBACK ShowAllWindows(HWND hwnd,LPARAM lParam)
{
    char pcWinTitle[256];
    GetWindowText(hwnd, pcWinTitle, 255);   // 255 chars + terminator fit the buffer
    std::string s = pcWinTitle;
    if ((s.find("ireshark") != -1) || (s.find("Analyzer") != -1) || (s.find("Capturing") != -1))
    {
        GetWindowThreadProcessId(hwnd, &pid);   // overwritten on each later match
    }
    return true;
}
// VM check 1: RDTSC timing heuristic (MSVC x86 inline asm; 32-bit builds only).
// Reads the timestamp counter twice back-to-back and treats a difference
// greater than 0xFF (signed compare via `jg`) as "detected", presumably on the
// assumption that the instruction is intercepted or slowed under a hypervisor.
// Prints "VM Check 1: detected" or "VM Check 1: not detected".
//
// Review notes:
//  - A single unaveraged sample against a fixed threshold is fragile:
//    preemption, frequency scaling or a core migration between the two reads
//    can exceed 255 cycles on bare metal, so false results in both directions
//    are to be expected.
//  - The two-part output relies on jumping from inline asm to C labels and on
//    C_notDetected falling through into C_Detected.
void vm_detect1(void)
{
    printf("\nVM Check 1: ");
    __asm {
        RDTSC                 // EDX:EAX = first timestamp
        xor ecx, ecx
        add ecx, eax          // keep low 32 bits of the first read
        RDTSC                 // second timestamp
        sub eax, ecx          // EAX = delta (low 32 bits)
        cmp eax, 0xFF
        jg C_Detected
        jmp C_notDetected
    }
C_notDetected:
    printf("not ");
C_Detected:                   // fall-through from the line above is intended
    printf("detected\n");
}
// VMware-spezifisch
// VM check 2: VMware backdoor I/O port (MSVC x86 inline asm; 32-bit builds only).
// Executes `in eax, dx` with the VMware magic value 'VMXh' in EAX, command 10
// in ECX and port 'VX' in DX. Under VMware the hypervisor answers and EBX
// comes back as 'VMXh' -> "detected". On bare metal or another hypervisor a
// user-mode IN instruction faults (privileged instruction), which the SEH
// handler turns into "not detected".
//
// Review notes:
//  - EBX is preloaded with 1337 only so that it differs from 'VMXh' before the
//    compare; the value itself carries no meaning.
//  - EXCEPTION_EXECUTE_HANDLER catches every exception type, not only the
//    privileged-instruction one, so any fault inside the block reads as
//    "not detected".
//  - The "not " / "detected\n" output is assembled by label fall-through, as
//    in vm_detect1.
void vm_detect2(void)
{
    printf("\nVM Check 2: ");
    __try
    {
        __asm
        {
            mov eax, 'VMXh'       // magic
            mov ebx, 1337         // any value != 'VMXh'
            mov ecx, 10           // command
            mov edx, 'VX'         // port
            in eax, dx            // faults outside VMware
            cmp ebx, 'VMXh'
            je C_Detected
            jmp C_notDetected
        }
C_notDetected:
        printf("not ");
C_Detected:                       // fall-through from the line above is intended
        printf("detected\n");
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        printf("not detected\n");
    }
}
// Entry point: runs the four PID-returning Wireshark checks, printing the
// global `pid` for each one that hits, then the self-reporting method 5 and
// the two VM checks. Waits for a keypress so the console stays visible.
// argc/argv are unused.
int main(int argc, char *argv[])
{
    printf("Wireshark Detection Checker\n\n");

    // Each of these returns non-zero and sets `pid` on a hit.
    if (get_wireshark_1() != 0)
        printf("Wireshark found - Method 1\nPID: %u\n\n",pid);
    if (get_wireshark_2() != 0)
        printf("Wireshark found - Method 2\nPID: %u\n\n",pid);
    if (get_wireshark_3() != 0)
        printf("Wireshark found - Method 3\nPID: %u\n\n",pid);
    if (get_wireshark_4() != 0)
        printf("Wireshark found - Method 4\nPID: %u\n\n",pid);

    // These print their own result.
    get_wireshark_5();
    vm_detect1();
    vm_detect2();

    printf("\nCheck finished\n");
    getchar();   // keep the console window open until Enter is pressed
    return 0;
}
Credits: BlackBerry, Microsoft, istealer
Sprache: Mix aus C und C++, programmiert mit VS 2010
5 Anti-Wireshark Methoden
2 Anti-VM Methoden
werde wohl noch paar mehr adden, wenn ich Zeit hab... Wenn jemand noch welche hat einfach posten...
Includes und Prototypes weggekürzt so dass es in den Thread passt.
// Global: process ID of the most recent match found by the get_wireshark_*
// checks (also written by the ShowAllWindows callback). main() reads it for
// output after each check; each check resets it to 0 before searching.
DWORD pid;
// Method 1: window-class lookup.
// Searches for a top-level window of class "gdkWindowToplevel" (the window
// class GTK+ registers on Windows) and returns the owning process ID, or 0 when
// no such window exists. Any GTK-based application creates windows of this
// class, so a hit is not specific to Wireshark (false-positive prone).
// Side effect: stores the result in the global `pid`.
// The return value of GetWindowThreadProcessId is not checked.
DWORD get_wireshark_1(void)
{
    pid = 0;
    HWND const toplevel = FindWindow("gdkWindowToplevel", 0);
    if (toplevel == 0)
        return 0;
    GetWindowThreadProcessId(toplevel, &pid);
    return pid;
}
// Method 2: loaded-module scan.
// Enumerates all processes, opens each one, lists its modules and compares
// every module base name case-insensitively with "libwireshark.dll". Returns
// the first matching PID (also stored in the global `pid`) or 0.
//
// Review notes (defects, not fixed here):
//  - hProcess is never closed: every successful OpenProcess leaks a handle,
//    including on the `continue` after a failed EnumProcessModules and on the
//    early return.
//  - processes[100] and mods[100] are fixed-size buffers. EnumProcesses and
//    EnumProcessModules do not report an error when the buffer is too small,
//    so entries beyond the first 100 are silently never inspected; comparing
//    szneeded1/szneeded2 with the buffer size would reveal the truncation.
//  - PROCESS_VM_OPERATION and PROCESS_VM_WRITE are write rights that a
//    read-only enumeration does not use; least privilege would drop them.
//  - pname[50] truncates longer module names; harmless for this comparison.
DWORD get_wireshark_2(void)
{
    DWORD processes[100];
    DWORD szneeded1;           // bytes EnumProcesses wrote into processes[]
    DWORD szneeded2;           // bytes EnumProcessModules wrote into mods[]
    HANDLE hProcess;
    HMODULE mods[100];
    char pname[50];
    DWORD i;
    DWORD j;
    if (!EnumProcesses(processes, sizeof(processes), &szneeded1))
        return 0;
    // Number of PIDs actually returned (capped by the buffer size).
    for(i = 0; i < (szneeded1 / sizeof(DWORD) ); i++)
    {
        // Processes that cannot be opened (access denied, exited) are skipped.
        if (!(hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, 0, processes[i])))
            continue;
        // NOTE(review): hProcess leaks here and on every later path.
        if (!(EnumProcessModules(hProcess, mods, sizeof(mods), &szneeded2)))
            continue;
        for(j = 0; j < (szneeded2 / sizeof(HMODULE)); j++)
        {
            // nSize is in characters; sizeof - 1 leaves room for the terminator.
            if (GetModuleBaseName(hProcess, mods[j], pname, sizeof(pname) - 1))
            {
                if (!_stricmp(pname, "libwireshark.dll"))
                {
                    pid = processes[i];
                    return pid;
                }
            }
        }
    }
    return 0;
}
// Method 3: window-title scan.
// Resets the global `pid`, then has EnumWindows invoke ShowAllWindows (defined
// below) for every top-level window; the callback stores the owner PID of any
// window whose title matches. Returns that PID or 0.
//
// Notes:
//  - The callback always returns TRUE, so enumeration never stops early and
//    `pid` belongs to the *last* matching window, not the first.
//  - The (WNDENUMPROC) cast is unnecessary (ShowAllWindows already has that
//    signature) and would mask a signature mismatch if one were introduced.
DWORD get_wireshark_3(void)
{
    pid = 0;
    EnumWindows((WNDENUMPROC)ShowAllWindows, 0);
    return pid;
}
// Method 4: process-name scan via ToolHelp.
// Takes a process snapshot and compares each entry's executable name
// case-insensitively with "dumpcap.exe" and "wireshark.exe". Stores the first
// match in the global `pid` and returns it, or 0 when nothing matched.
//
// Review notes (defects, not fixed here):
//  - CreateToolhelp32Snapshot may return INVALID_HANDLE_VALUE; it is not
//    checked before use.
//  - The result of Process32First is ignored. If it fails, the do/while body
//    reads pe32.szExeFile uninitialized.
DWORD get_wireshark_4(void) {
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
    pid = 0;
    hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    pe32.dwSize = sizeof( PROCESSENTRY32 );   // required before Process32First
    Process32First( hProcessSnap, &pe32 );
    do {
        if (!_stricmp(pe32.szExeFile, "dumpcap.exe") || !_stricmp(pe32.szExeFile, "wireshark.exe"))
        {
            pid = pe32.th32ProcessID;
            break;   // first match wins
        }
    } while( Process32Next( hProcessSnap, &pe32 ) );
    CloseHandle( hProcessSnap );
    return pid;
}
// Method 5: install-directory check.
// Builds "<Program Files>\Wireshark" and prints a message when that path
// exists (any attribute value other than INVALID_FILE_ATTRIBUTES counts).
// Unlike methods 1-4 it prints its own result and does not set `pid`.
//
// Review notes:
//  - SHGetSpecialFolderPath's return value is not checked; on failure `pfad`
//    is uninitialized and strcat_s would operate on a non-terminated buffer.
//  - Only the default install location is tested. For a 32-bit process on
//    64-bit Windows the folder resolved here is presumably
//    "Program Files (x86)" — confirm.
void get_wireshark_5(void)
{
    char pfad[MAX_PATH];
    SHGetSpecialFolderPath(0,pfad, CSIDL_PROGRAM_FILES, FALSE);
    strcat_s(pfad, MAX_PATH, "\\Wireshark");
    if (GetFileAttributes(pfad) != INVALID_FILE_ATTRIBUTES)
    {
        printf("Wireshark found - Method 5\n");
    }
}
// EnumWindows callback used by get_wireshark_3.
// Reads the window title and, if it contains "ireshark" (covers both
// "Wireshark" and "wireshark"), "Analyzer" or "Capturing", stores the owning
// process ID in the global `pid`. Always returns TRUE so enumeration continues
// to the next window. lParam is unused.
//
// Review notes:
//  - GetWindowText's return value is not checked; the buffer is presumably
//    left empty/terminated on failure, but that is not verified here.
//  - `!= -1` works only because -1 converts to std::string::npos; spelling
//    std::string::npos would make the intent explicit.
//  - "Analyzer" and "Capturing" are generic words, so other applications'
//    windows can match as well.
BOOL CALLBACK ShowAllWindows(HWND hwnd,LPARAM lParam)
{
    char pcWinTitle[256];
    GetWindowText(hwnd, pcWinTitle, 255);   // 255 chars + terminator fit the buffer
    std::string s = pcWinTitle;
    if ((s.find("ireshark") != -1) || (s.find("Analyzer") != -1) || (s.find("Capturing") != -1))
    {
        GetWindowThreadProcessId(hwnd, &pid);   // overwritten on each later match
    }
    return true;
}
// VM check 1: RDTSC timing heuristic (MSVC x86 inline asm; 32-bit builds only).
// Reads the timestamp counter twice back-to-back and treats a difference
// greater than 0xFF (signed compare via `jg`) as "detected", presumably on the
// assumption that the instruction is intercepted or slowed under a hypervisor.
// Prints "VM Check 1: detected" or "VM Check 1: not detected".
//
// Review notes:
//  - A single unaveraged sample against a fixed threshold is fragile:
//    preemption, frequency scaling or a core migration between the two reads
//    can exceed 255 cycles on bare metal, so false results in both directions
//    are to be expected.
//  - The two-part output relies on jumping from inline asm to C labels and on
//    C_notDetected falling through into C_Detected.
void vm_detect1(void)
{
    printf("\nVM Check 1: ");
    __asm {
        RDTSC                 // EDX:EAX = first timestamp
        xor ecx, ecx
        add ecx, eax          // keep low 32 bits of the first read
        RDTSC                 // second timestamp
        sub eax, ecx          // EAX = delta (low 32 bits)
        cmp eax, 0xFF
        jg C_Detected
        jmp C_notDetected
    }
C_notDetected:
    printf("not ");
C_Detected:                   // fall-through from the line above is intended
    printf("detected\n");
}
// VMware-spezifisch
// VM check 2: VMware backdoor I/O port (MSVC x86 inline asm; 32-bit builds only).
// Executes `in eax, dx` with the VMware magic value 'VMXh' in EAX, command 10
// in ECX and port 'VX' in DX. Under VMware the hypervisor answers and EBX
// comes back as 'VMXh' -> "detected". On bare metal or another hypervisor a
// user-mode IN instruction faults (privileged instruction), which the SEH
// handler turns into "not detected".
//
// Review notes:
//  - EBX is preloaded with 1337 only so that it differs from 'VMXh' before the
//    compare; the value itself carries no meaning.
//  - EXCEPTION_EXECUTE_HANDLER catches every exception type, not only the
//    privileged-instruction one, so any fault inside the block reads as
//    "not detected".
//  - The "not " / "detected\n" output is assembled by label fall-through, as
//    in vm_detect1.
void vm_detect2(void)
{
    printf("\nVM Check 2: ");
    __try
    {
        __asm
        {
            mov eax, 'VMXh'       // magic
            mov ebx, 1337         // any value != 'VMXh'
            mov ecx, 10           // command
            mov edx, 'VX'         // port
            in eax, dx            // faults outside VMware
            cmp ebx, 'VMXh'
            je C_Detected
            jmp C_notDetected
        }
C_notDetected:
        printf("not ");
C_Detected:                       // fall-through from the line above is intended
        printf("detected\n");
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        printf("not detected\n");
    }
}
// Entry point: runs the four PID-returning Wireshark checks, printing the
// global `pid` for each one that hits, then the self-reporting method 5 and
// the two VM checks. Waits for a keypress so the console stays visible.
// argc/argv are unused.
int main(int argc, char *argv[])
{
    printf("Wireshark Detection Checker\n\n");

    // Each of these returns non-zero and sets `pid` on a hit.
    if (get_wireshark_1() != 0)
        printf("Wireshark found - Method 1\nPID: %u\n\n",pid);
    if (get_wireshark_2() != 0)
        printf("Wireshark found - Method 2\nPID: %u\n\n",pid);
    if (get_wireshark_3() != 0)
        printf("Wireshark found - Method 3\nPID: %u\n\n",pid);
    if (get_wireshark_4() != 0)
        printf("Wireshark found - Method 4\nPID: %u\n\n",pid);

    // These print their own result.
    get_wireshark_5();
    vm_detect1();
    vm_detect2();

    printf("\nCheck finished\n");
    getchar();   // keep the console window open until Enter is pressed
    return 0;
}