
Anti-Wireshark und Anti-VM Methoden



G36KV
11.07.2010, 12:10
Entstanden aus dem Thread: http://free-hack.com/video-tutorials/59571-wireshark-modden.html

Credits: BlackBerry, Microsoft, istealer
Sprache: Mix aus C und C++, programmiert mit VS 2010

5 Anti-Wireshark Methoden
2 Anti-VM Methoden

werde wohl noch paar mehr adden, wenn ich Zeit hab... Wenn jemand noch welche hat einfach posten...

Includes und Prototypes weggekürzt so dass es in den Thread passt.


/* Shared result slot for the detection methods: each get_wireshark_N() that
 * finds something writes the owning process ID here (0 = nothing found) and
 * main() prints it right after the call. It is overwritten by the next method
 * and is not protected against concurrent use. */
DWORD pid;

/* Method 1: look for a top-level window of class "gdkWindowToplevel".
 *
 * That class name is what GTK assigns to every GTK top-level window, so this
 * fires for ANY running GTK application, not only the GTK build of Wireshark;
 * treat a hit as a hint and confirm it against the process name (see methods
 * 2 and 4). A Wireshark build that does not use GTK would not be seen here.
 *
 * Returns the PID owning the first such window (also stored in the global
 * `pid`), or 0 if no such window exists. */
DWORD get_wireshark_1(void)
{
    pid = 0;

    HWND toplevel = FindWindow("gdkWindowToplevel", NULL);
    if (toplevel == NULL)
        return 0;

    /* Resolve the window to its owning process; the PID lands in the global. */
    GetWindowThreadProcessId(toplevel, &pid);
    return pid;
}

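/* Method 2: scan every process for a loaded module named libwireshark.dll.
 *
 * Returns the PID of the first process that has the module loaded (also
 * stored in the global `pid`), or 0 if none was found or EnumProcesses failed.
 *
 * Fixes over the original: the process handle was never closed (one handle
 * leaked per inspected process), the OpenProcess access mask requested
 * VM_OPERATION|VM_WRITE which module enumeration does not need (it only gets
 * the open refused more often and looks like injection to AV/EDR), and the
 * module count was not capped at the buffer size — EnumProcessModules reports
 * the *required* size, which may exceed what was passed in.
 *
 * Limits: processes that refuse PROCESS_QUERY_INFORMATION|PROCESS_VM_READ are
 * silently skipped; a 32-bit build of this program cannot enumerate modules of
 * 64-bit processes (EnumProcessModules fails for them); the process list is
 * best-effort — if EnumProcesses filled the buffer completely there may have
 * been more processes than we saw. */
DWORD get_wireshark_2(void)
{
    DWORD processes[1024];
    DWORD bytesReturned = 0;
    DWORD i;

    pid = 0;

    if (!EnumProcesses(processes, sizeof(processes), &bytesReturned))
        return 0;

    for (i = 0; i < bytesReturned / sizeof(DWORD); i++)
    {
        HMODULE mods[1024];
        DWORD modBytes = 0;
        DWORD modCount;
        DWORD j;

        /* Least privilege: EnumProcessModules/GetModuleBaseName only need
         * QUERY_INFORMATION + VM_READ. */
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processes[i]);
        if (hProcess == NULL)
            continue;

        if (EnumProcessModules(hProcess, mods, sizeof(mods), &modBytes))
        {
            /* modBytes is the size needed, not the size filled — clamp it. */
            modCount = modBytes / sizeof(HMODULE);
            if (modCount > sizeof(mods) / sizeof(mods[0]))
                modCount = sizeof(mods) / sizeof(mods[0]);

            for (j = 0; j < modCount; j++)
            {
                char modName[MAX_PATH];

                if (GetModuleBaseName(hProcess, mods[j], modName, sizeof(modName)) &&
                    _stricmp(modName, "libwireshark.dll") == 0)
                {
                    pid = processes[i];
                    break;
                }
            }
        }

        CloseHandle(hProcess);   /* always, including the "no modules" path */

        if (pid != 0)
            return pid;
    }

    return 0;
}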

/* Method 3: walk all top-level windows and let ShowAllWindows() match their
 * titles. The callback writes the owning PID into the global `pid`.
 *
 * Returns that PID, or 0 when no window title matched. */
DWORD get_wireshark_3(void)
{
    /* Clear the shared slot first so a stale value from an earlier method
     * cannot be mistaken for a hit. */
    pid = 0;
    EnumWindows(ShowAllWindows, 0);
    return pid;
}

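/* Method 4: look for a process whose image name is dumpcap.exe (Wireshark's
 * capture helper) or wireshark.exe in a Toolhelp process snapshot.
 *
 * Returns the PID of the first match (also stored in the global `pid`), or 0
 * if nothing matched or the snapshot could not be taken.
 *
 * Fixes over the original: CreateToolhelp32Snapshot and Process32First were
 * not checked, so a failed snapshot walked an invalid handle and compared an
 * uninitialized PROCESSENTRY32. Caveat: a renamed executable defeats this
 * check entirely — it only tests the image name. */
DWORD get_wireshark_4(void)
{
    HANDLE hSnap;
    PROCESSENTRY32 pe;

    pid = 0;

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;

    pe.dwSize = sizeof(pe);
    if (Process32First(hSnap, &pe))
    {
        do
        {
            if (_stricmp(pe.szExeFile, "dumpcap.exe") == 0 ||
                _stricmp(pe.szExeFile, "wireshark.exe") == 0)
            {
                pid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap, &pe));
    }

    CloseHandle(hSnap);
    return pid;
}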

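/* Method 5: check whether "<Program Files>\Wireshark" exists and prints
 * "Wireshark found - Method 5" if it does. Prints nothing otherwise.
 *
 * Fixes over the original: SHGetSpecialFolderPath's return value was ignored,
 * so on failure strcat_s ran on an uninitialized buffer; the attribute check
 * now also requires a directory so a stray file named "Wireshark" does not
 * count.
 *
 * Caveats: this only proves an installation in the default location, not a
 * running capture; a custom install path is missed, and from a 32-bit process
 * on 64-bit Windows CSIDL_PROGRAM_FILES resolves to the (x86) folder, so a
 * 64-bit Wireshark install would not be found. */
void get_wireshark_5(void)
{
    char pfad[MAX_PATH];
    DWORD attrs;

    if (!SHGetSpecialFolderPath(NULL, pfad, CSIDL_PROGRAM_FILES, FALSE))
        return;

    if (strcat_s(pfad, MAX_PATH, "\\Wireshark") != 0)
        return;

    attrs = GetFileAttributes(pfad);
    if (attrs != INVALID_FILE_ATTRIBUTES && (attrs & FILE_ATTRIBUTE_DIRECTORY) != 0)
    {
        printf("Wireshark found - Method 5\n");
    }
}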

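/* EnumWindows callback for method 3: reads the window title and, if it
 * contains "ireshark" (matches both "Wireshark" and "wireshark"), "Analyzer"
 * or "Capturing", stores the owning PID in the global `pid` and stops the
 * enumeration.
 *
 * Fixes over the original: the title buffer is zeroed so an untitled window
 * (GetWindowText returns 0) cannot yield stale stack data; the find() results
 * are compared against std::string::npos instead of -1; the PID is only taken
 * when GetWindowThreadProcessId succeeded; the enumeration ends at the first
 * hit instead of letting later windows overwrite it.
 *
 * Caveat: "Analyzer" and "Capturing" are generic words — any window title
 * containing them (a browser tab, another tool) is reported as a hit. */
BOOL CALLBACK ShowAllWindows(HWND hwnd, LPARAM lParam)
{
    char title[256] = { 0 };
    (void)lParam;

    if (GetWindowText(hwnd, title, sizeof(title)) == 0)
        return TRUE;   /* no title: nothing to match, keep going */

    const std::string s(title);
    if (s.find("ireshark") != std::string::npos ||
        s.find("Analyzer") != std::string::npos ||
        s.find("Capturing") != std::string::npos)
    {
        DWORD owner = 0;
        if (GetWindowThreadProcessId(hwnd, &owner) != 0 && owner != 0)
        {
            pid = owner;
            return FALSE;   /* first hit wins; stop enumerating */
        }
    }

    return TRUE;
}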

/* VM check 1: RDTSC timing heuristic. Prints "VM Check 1: detected" or
 * "VM Check 1: not detected"; no parameters, no return value.
 *
 * Reads the time-stamp counter twice back to back and compares the delta of
 * the low 32 bits against 0xFF. The assumption is that a hypervisor which
 * traps RDTSC makes the pair noticeably slower than bare metal. The compare
 * is signed (jg), so a wrapped/negative delta reads as "not detected".
 *
 * Known weaknesses, both raised later in this thread: in the reporter's tests
 * the delta does not get anywhere near 255 even inside a VM, and with
 * hardware-assisted virtualization RDTSC is normally not trapped at all, so
 * the check does not fire. A single unserialized sample (no CPUID before
 * RDTSC) against an arbitrary threshold is noise, not evidence.
 *
 * Control flow: the asm jumps straight to the C labels. C_notDetected prints
 * "not " and deliberately falls through into C_Detected, which prints
 * "detected\n". MSVC inline asm is x86-only (not available in x64 builds). */
void vm_detect1(void)
{
    printf("\nVM Check 1: ");
    __asm {
        RDTSC                  ; EDX:EAX = first timestamp
        xor ecx, ecx
        add ecx, eax           ; ECX = low dword of the first read
        RDTSC                  ; EDX:EAX = second timestamp
        sub eax, ecx           ; EAX = low-dword delta
        cmp eax, 0xFF
        jg C_Detected          ; delta > 255 (signed) -> "detected"
        jmp C_notDetected
    }
C_notDetected:
    printf("not ");
C_Detected:
    printf("detected\n");
}

// VMware-specific
/* VM check 2: VMware "backdoor" I/O port. Prints "VM Check 2: detected" or
 * "VM Check 2: not detected"; no parameters, no return value.
 *
 * Sets EAX to the magic 'VMXh', EBX to an arbitrary sentinel (1337) that must
 * NOT equal the magic, ECX to command 10 and EDX to port 'VX' (0x5658), then
 * executes IN EAX,DX. Under VMware the hypervisor intercepts the access and
 * writes the magic into EBX, so EBX == 'VMXh' afterwards means "detected".
 * On bare metal (or any other hypervisor) an IN from user mode is a
 * privileged instruction and faults; the SEH handler below catches that and
 * prints "not detected".
 *
 * Scope: VMware only — VirtualBox, Hyper-V, KVM, etc. are never reported.
 * The backdoor can reportedly be disabled per guest by the VMware admin, in
 * which case this also reports "not detected". Same fall-through label trick
 * as vm_detect1 ("not " then "detected\n"); x86-only inline asm. */
void vm_detect2(void)
{
    printf("\nVM Check 2: ");
    __try
    {

        __asm
        {
            mov eax, 'VMXh'    ; backdoor magic
            mov ebx, 1337      ; sentinel, overwritten by VMware on success
            mov ecx, 10        ; backdoor command number
            mov edx, 'VX'      ; backdoor port 0x5658
            in eax, dx         ; faults outside VMware (privileged in ring 3)
            cmp ebx, 'VMXh'
            je C_Detected
            jmp C_notDetected
        }
C_notDetected:
        printf("not ");
C_Detected:
        printf("detected\n");
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        /* The IN instruction faulted: no VMware backdoor present. */
        printf("not detected\n");
    }
}


/* Entry point: runs every detection method in order and prints the verdicts.
 *
 * Methods 1-4 return a PID (and leave it in the global `pid`); each result is
 * printed before the next method overwrites the global. Method 5 and the two
 * VM checks print their own output. All checks are local to this host and
 * trivially bypassed (renamed binaries, capturing on another machine or at a
 * SPAN port), so they are heuristics, not proof of absence. Always exits 0. */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    printf("Wireshark Detection Checker\n\n");

    if (get_wireshark_1() != 0)
        printf("Wireshark found - Method 1\nPID: %u\n\n", pid);

    if (get_wireshark_2() != 0)
        printf("Wireshark found - Method 2\nPID: %u\n\n", pid);

    if (get_wireshark_3() != 0)
        printf("Wireshark found - Method 3\nPID: %u\n\n", pid);

    if (get_wireshark_4() != 0)
        printf("Wireshark found - Method 4\nPID: %u\n\n", pid);

    /* Prints its own "found" line when it hits. */
    get_wireshark_5();

    vm_detect1();
    vm_detect2();

    printf("\nCheck finished\n");

    /* Keep the console window open until a key is pressed. */
    getchar();
    return 0;
}

G36KV
24.07.2010, 11:23
Hab hier noch ne böse Methode:


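/* Method 6: look through the loaded kernel drivers for the packet-capture
 * driver. Prints "Sniffer found - Method 6" on a hit, nothing on a miss, and
 * an error line if the driver list could not be retrieved or did not fit.
 *
 * npf.sys is WinPcap's packet filter driver; npcap.sys is its successor from
 * Npcap, which the original did not look for. A loaded driver only proves
 * that a capture stack is installed and running — any WinPcap/Npcap-based
 * tool installs it — not that Wireshark is capturing right now.
 *
 * Fixes over the original: cbNeeded is initialized so a failed call cannot
 * print a stale size; the error line used %d for an unsigned quotient; the
 * loop stops at the first match so the line is printed once. */
void get_wireshark_6(void)
{
    LPVOID drivers[1024];
    DWORD cbNeeded = 0;
    DWORD cDrivers;
    DWORD i;

    /* cbNeeded == sizeof(drivers) is treated as "possibly truncated", as before. */
    if (!EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) || cbNeeded >= sizeof(drivers))
    {
        printf("EnumDeviceDrivers failed; array size needed is %u\n",
               (unsigned int)(cbNeeded / sizeof(LPVOID)));
        return;
    }

    cDrivers = cbNeeded / sizeof(drivers[0]);
    for (i = 0; i < cDrivers; i++)
    {
        char szDriver[1024];

        if (!GetDeviceDriverBaseName(drivers[i], szDriver, sizeof(szDriver) / sizeof(szDriver[0])))
            continue;

        if (_stricmp("npf.sys", szDriver) == 0 || _stricmp("npcap.sys", szDriver) == 0)
        {
            printf("Sniffer found - Method 6\n\n");
            break;
        }
    }
}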

Mofo
18.10.2010, 21:04
Könnte jemand evtl. vm_detect1 testen und den Wert von eax posten..
Selbst virtualisiert wächst das bei mir nicht annähernd über 255

Saedelaere
18.10.2010, 21:09
Wird unter Verwendung von CPU Virtualisierung auch nicht mehr funktionieren.