
Commit b6abb49

author
hippwn
committed
Add checkFileSystem() for windows
1 parent 1737917 commit b6abb49


1 file changed

+71
-0
lines changed


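--- a/vmdetect/windows.go
+++ b/vmdetect/windows.go
@@ -156,6 +156,73 @@ func checkRegistry() (bool, string) {
 return false, "none"
 }
 
+func checkFileSystem() bool {
+// check for known path on the filesystem, either files or directories
+generalPath := []string{
+`c:\take_screenshot.ps1`,
+`c:\loaddll.exe`,
+`c:\symbols\aagmmc.pdb`,
+}
+
+
+prlPath := []string{
+`c:\windows\system32\drivers\prleth.sys`,
+`c:\windows\system32\drivers\prlfs.sys`,
+`c:\windows\system32\drivers\prlmouse.sys`,
+`c:\windows\system32\drivers\prlvideo.sys`,
+`c:\windows\system32\drivers\prltime.sys`,
+`c:\windows\system32\drivers\prl_pv32.sys`,
+`c:\windows\system32\drivers\prl_paravirt_32.sys`,
+}
+
+vboxPath := []string{
+`c:\windows\system32\drivers\VBoxMouse.sys`,
+`c:\windows\system32\drivers\VBoxGuest.sys`,
+`c:\windows\system32\drivers\VBoxSF.sys`,
+`c:\windows\system32\drivers\VBoxVideo.sys`,
+`c:\windows\system32\vboxdisp.dll`,
+`c:\windows\system32\vboxhook.dll`,
+`c:\windows\system32\vboxmrxnp.dll`,
+`c:\windows\system32\vboxogl.dll`,
+`c:\windows\system32\vboxoglarrayspu.dll`,
+`c:\windows\system32\vboxoglcrutil.dll`,
+`c:\windows\system32\vboxoglerrorspu.dll`,
+`c:\windows\system32\vboxoglfeedbackspu.dll`,
+`c:\windows\system32\vboxoglpackspu.dll`,
+`c:\windows\system32\vboxoglpassthroughspu.dll`,
+`c:\windows\system32\vboxservice.exe`,
+`c:\windows\system32\vboxtray.exe`,
+`c:\windows\system32\VBoxControl.exe`,
+}
+
+vmwarePath := []string{
+`c:\windows\system32\drivers\vmmouse.sys`,
+`c:\windows\system32\drivers\vmnet.sys`,
+`c:\windows\system32\drivers\vmxnet.sys`,
+`c:\windows\system32\drivers\vmhgfs.sys`,
+`c:\windows\system32\drivers\vmx86.sys`,
+`c:\windows\system32\drivers\hgfs.sys`
+}
+
+virtualpcPath := []string{
+`c:\windows\system32\drivers\vmsrvc.sys`,
+`c:\windows\system32\drivers\vpc-s3.sys`
+}
+
+allPath := [][]string{virtualpcPath, prlPath, vmwarePath, vboxPath, generalPath}
+
+for _, paths := range allPath {
+for _, path := range paths {
+if DoesFileExist(path) {
+return true, path
+}
+}
+}
+
+return false, "none"
+
+}
+
 /*
 Public function returning true if a VM is detected.
 If so, a non-empty string is also returned to tell how it was detected.
@@ -169,5 +236,9 @@ func IsRunningInVirtualMachine() (bool, string) {
 return vmDetected, fmt.Sprintf("Registry key (%v)", registryKey)
 }
 
+if vmDetected, path := checkFileSystem(); vmDetected {
+return vmDetected, fmt.Sprintf("Path (%v)", path)
+}
+
 return false, "nothing"
 }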
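Review bot: `checkFileSystem` is declared as `func checkFileSystem() bool`, but both of its returns yield two values (`return true, path` and `return false, "none"`) and the new caller in `IsRunningInVirtualMachine` destructures two results, so the file cannot compile as committed; the signature should read `func checkFileSystem() (bool, string)`, matching `checkRegistry`. The last elements of `vmwarePath` and `virtualpcPath` (the `hgfs.sys` and `vpc-s3.sys` entries) are also missing the trailing comma that Go requires before the closing brace of a multi-line composite literal. The function would benefit from a doc comment stating what the second return value is and that a hit is only a heuristic, e.g. `// checkFileSystem reports whether any known hypervisor artifact path exists and returns the first match; a file's presence alone does not prove the process is running inside a VM.` `IsRunningInVirtualMachine` begins and continues outside the second hunk, so its earlier checks are not reviewed here.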
