Code:
// PID of the most recently detected Wireshark process (0 = none). Shared
// output channel for get_wireshark_1..4 and the ShowAllWindows callback;
// main() prints it after each method reports success.
DWORD pid;
// Method 1: look for a top-level window of class "gdkWindowToplevel" and
// report its owning process. Sets the global `pid`; returns it, or 0 when no
// such window exists (pid was zeroed first, so a failed owner lookup also
// yields 0).
// NOTE(review): "gdkWindowToplevel" is presumably the generic GDK/GTK
// top-level window class, so any GTK application on the desktop would match,
// not only Wireshark — verify before relying on this method.
DWORD get_wireshark_1(void)
{
    pid = 0;
    const HWND toplevel = FindWindow("gdkWindowToplevel", 0);
    if (toplevel == 0)
        return 0;
    GetWindowThreadProcessId(toplevel, &pid);
    return pid;
}
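// Buffer sizes for EnumProcesses / EnumProcessModules. Both calls truncate
// silently (EnumProcesses gives no "buffer too small" signal at all), and a
// modern desktop easily exceeds the original 100 entries, so size generously.
static const DWORD kMaxProcesses = 1024;
static const DWORD kMaxModules = 1024;

// Returns true if any module loaded in hProcess has the base name
// module_name (case-insensitive). hProcess must carry
// PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
static bool process_loads_module(HANDLE hProcess, const char *module_name)
{
    HMODULE mods[kMaxModules];
    DWORD bytes_needed = 0;
    // Fails with access denied on protected processes and, from a 32-bit
    // caller, on 64-bit targets — both are simply skipped.
    if (!EnumProcessModules(hProcess, mods, sizeof(mods), &bytes_needed))
        return false;
    // bytes_needed is the size REQUIRED, which may exceed the buffer. The
    // original divided it straight into a loop bound and could read past
    // mods[]; clamp to what was actually filled.
    DWORD count = bytes_needed / sizeof(HMODULE);
    if (count > kMaxModules)
        count = kMaxModules;
    for (DWORD j = 0; j < count; j++)
    {
        char base_name[MAX_PATH];
        if (!GetModuleBaseName(hProcess, mods[j], base_name, sizeof(base_name) - 1))
            continue;
        if (!_stricmp(base_name, module_name))
            return true;
    }
    return false;
}

// Method 2: scan every process we can open for a loaded libwireshark.dll.
// Sets the global `pid` to the first match and returns it, or 0 if none was
// found (or process enumeration itself failed).
DWORD get_wireshark_2(void)
{
    DWORD processes[kMaxProcesses];
    DWORD bytes_returned = 0;
    pid = 0;
    if (!EnumProcesses(processes, sizeof(processes), &bytes_returned))
        return 0;
    DWORD count = bytes_returned / sizeof(DWORD);
    if (count > kMaxProcesses)
        count = kMaxProcesses;
    for (DWORD i = 0; i < count; i++)
    {
        // Least privilege: module enumeration needs only query + read. The
        // original also asked for VM_OPERATION | VM_WRITE, which it never
        // used and which only makes OpenProcess fail on more targets.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, processes[i]);
        if (!hProcess)
            continue;
        const bool found = process_loads_module(hProcess, "libwireshark.dll");
        CloseHandle(hProcess);   // the original leaked every handle it opened
        if (found)
        {
            pid = processes[i];
            return pid;
        }
    }
    return 0;
}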
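// ShowAllWindows is defined further down but used here; no earlier prototype
// is visible in this file, so declare it before first use.
BOOL CALLBACK ShowAllWindows(HWND hwnd, LPARAM lParam);

// Method 3: enumerate all top-level windows and let ShowAllWindows store the
// owner PID of any window whose title looks like Wireshark in the global
// `pid`. Returns that PID, or 0 if no title matched.
DWORD get_wireshark_3(void)
{
    pid = 0;
    // No cast: ShowAllWindows already has the WNDENUMPROC signature, and the
    // original C-style cast would only have hidden a mismatch.
    EnumWindows(ShowAllWindows, 0);
    return pid;
}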
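// Method 4: walk a Toolhelp process snapshot and match the executable file
// name (case-insensitive) against dumpcap.exe / wireshark.exe. Sets the
// global `pid` to the first match and returns it, or 0 when nothing matched
// or the snapshot could not be taken. A renamed binary is not detected.
DWORD get_wireshark_4(void) {
    PROCESSENTRY32 pe32;
    pid = 0;
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // The original handed an invalid handle straight to Process32First.
    if (hProcessSnap == INVALID_HANDLE_VALUE)
        return 0;
    pe32.dwSize = sizeof(PROCESSENTRY32);   // required before Process32First
    // Only iterate if the first entry was actually filled in; the original
    // ran its do/while unconditionally and compared an uninitialised
    // szExeFile when Process32First failed.
    if (Process32First(hProcessSnap, &pe32))
    {
        do {
            if (!_stricmp(pe32.szExeFile, "dumpcap.exe") || !_stricmp(pe32.szExeFile, "wireshark.exe"))
            {
                pid = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hProcessSnap, &pe32));
    }
    CloseHandle(hProcessSnap);
    return pid;
}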
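// Method 5: check whether %ProgramFiles%\Wireshark exists on disk and print a
// message if it does. No return value and `pid` is untouched. Only the
// default install location is checked, so a portable or custom-path install
// is missed; in a 32-bit build on 64-bit Windows CSIDL_PROGRAM_FILES
// presumably resolves to "Program Files (x86)" — verify.
void get_wireshark_5(void)
{
    char pfad[MAX_PATH] = "";
    // Stop if the folder lookup fails: the original appended to an
    // uninitialised buffer, and strcat_s on an unterminated destination trips
    // the CRT invalid-parameter handler.
    if (!SHGetSpecialFolderPath(0, pfad, CSIDL_PROGRAM_FILES, FALSE))
        return;
    if (strcat_s(pfad, MAX_PATH, "\\Wireshark") != 0)
        return;
    // Existence only: any file or directory of that name counts.
    if (GetFileAttributes(pfad) != INVALID_FILE_ATTRIBUTES)
    {
        printf("Wireshark found - Method 5\n");
    }
}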
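// EnumWindows callback for method 3. If the window title contains "ireshark"
// (matches "Wireshark"/"wireshark"), "Analyzer" or "Capturing" (all
// case-sensitive), the owning process ID is written to the global `pid`.
// Always returns TRUE so enumeration continues: when several windows match,
// the last one enumerated wins. lParam is unused.
// NOTE(review): "Analyzer" and "Capturing" match any window title containing
// those words (e.g. a browser tab), so expect false positives.
BOOL CALLBACK ShowAllWindows(HWND hwnd, LPARAM lParam)
{
    (void)lParam;
    char title[256];
    // Build the string from the returned length rather than trusting the
    // buffer: on a window without text GetWindowText returns 0 and the
    // original constructed a std::string from whatever was in the buffer.
    // nMaxCount includes the terminator, so the full buffer size is correct.
    const int len = GetWindowText(hwnd, title, sizeof(title));
    if (len > 0)
    {
        const std::string s(title, static_cast<size_t>(len));
        if (s.find("ireshark") != std::string::npos ||
            s.find("Analyzer") != std::string::npos ||
            s.find("Capturing") != std::string::npos)
        {
            GetWindowThreadProcessId(hwnd, &pid);
        }
    }
    return TRUE;
}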
// VM check 1: timing heuristic. Reads the TSC twice back to back and treats a
// delta greater than 0xFF as "running under a hypervisor" (the assumption
// being that RDTSC is intercepted or slowed by a VM). Prints "detected" or
// "not detected"; no return value.
// MSVC `__asm` syntax: builds only for a 32-bit x86 MSVC target.
// NOTE(review): a single unaveraged sample is noisy — a context switch,
// interrupt or frequency change between the two reads also crosses 0xFF,
// and a hypervisor with RDTSC pass-through may not. Treat as a weak signal.
void vm_detect1(void)
{
    printf("\nVM Check 1: ");
    __asm {
        RDTSC                 // eax = low 32 bits of the TSC (edx = high bits)
        xor ecx, ecx
        add ecx, eax          // ecx = first reading (equivalent to mov ecx, eax)
        RDTSC
        sub eax, ecx          // eax = delta between the two reads
        cmp eax, 0xFF
        jg C_Detected         // signed compare: delta > 255 -> "detected"
        jmp C_notDetected
    }
C_notDetected:
    printf("not ");           // falls through into C_Detected on purpose
C_Detected:
    printf("detected\n");
}
// VMware-specific: probes the VMware backdoor I/O port
// VM check 2: VMware "backdoor" probe. Loads the magic 'VMXh' into eax, a
// command number into ecx and the backdoor port 'VX' (0x5658) into edx, then
// executes IN. The check expects a VMware hypervisor to service the call and
// echo the magic into ebx. On real hardware IN is a privileged instruction in
// user mode, the resulting exception lands in the __except handler, and
// "not detected" is printed. No return value.
// MSVC `__asm` syntax plus SEH: builds only for a 32-bit x86 MSVC target.
// NOTE(review): any non-VMware hypervisor also faults on the IN (and a VMware
// guest with the backdoor restricted presumably does too), so "not detected"
// here means "not VMware", not "not virtualized".
void vm_detect2(void)
{
    printf("\nVM Check 2: ");
    __try
    {
        __asm
        {
            mov eax, 'VMXh'     // backdoor magic
            mov ebx, 1337       // anything but the magic, so a stale ebx cannot fake a hit
            mov ecx, 10         // backdoor command number (10 = get version per the protocol — verify)
            mov edx, 'VX'       // backdoor I/O port 0x5658
            in eax, dx          // faults on bare metal; caught by __except below
            cmp ebx, 'VMXh'     // magic echoed back -> VMware
            je C_Detected
            jmp C_notDetected
        }
C_notDetected:
        printf("not ");         // falls through into C_Detected on purpose
C_Detected:
        printf("detected\n");
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        printf("not detected\n");
    }
}
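// Entry point: runs the four PID-reporting Wireshark detectors in order,
// printing the method number and the PID (from the shared global `pid`) for
// each that succeeds, then the path check, then the two VM checks. Waits for
// a keypress before exiting so the output stays visible when launched from
// Explorer. Command-line arguments are ignored.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    // Methods 1-4 share a signature and report through `pid`; method 5 prints
    // on its own and is called separately below.
    struct Detector
    {
        DWORD (*run)(void);
        int method;
    };
    const Detector detectors[] = {
        { get_wireshark_1, 1 },
        { get_wireshark_2, 2 },
        { get_wireshark_3, 3 },
        { get_wireshark_4, 4 },
    };

    printf("Wireshark Detection Checker\n\n");
    for (const Detector &d : detectors)
    {
        if (d.run())
        {
            // DWORD is unsigned long: %lu is the matching conversion. The
            // original's %u only worked because both types are 32-bit on
            // Windows.
            printf("Wireshark found - Method %d\nPID: %lu\n\n", d.method, pid);
        }
    }
    get_wireshark_5();
    vm_detect1();
    vm_detect2();
    printf("\nCheck finished\n");
    getchar();   // keep the console open until the user presses a key
    return 0;
}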