Looking Glass, VirtualDisplayDriver & PCI VID scan VM detection methods (#287)

* Add Looking-Glass & VDD processes check

Signed-off-by: dmfrpro <[email protected]>

* Add PCI Vendor ID registry scan

Signed-off-by: dmfrpro <[email protected]>

---------

Signed-off-by: dmfrpro <[email protected]>

Author: dmfrpro

README.md

@@ -242,6 +242,8 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
   - prl_tools.exe(Parallels)
   - xenservice.exe(Citrix Xen)
   - qemu-ga.exe (QEMU)
+  - looking-glass-host.exe (GENERIC)
+  - VDDSysTray.exe (GENERIC)
 - **WMI**
   - SELECT * FROM Win32_Bios (SerialNumber) (GENERIC)
   - SELECT * FROM Win32_PnPEntity (DeviceId) (VBOX)

al-khaser/Al-khaser.cpp

@@ -170,6 +170,7 @@ int main(int argc, char* argv[])
 		known_usernames();
 		known_hostnames();
 		other_known_sandbox_environment_checks();
+		looking_glass_vdd_processes();
 		exec_check(&NumberOfProcessors, TEXT("Checking Number of processors in machine "));
 		exec_check(&idt_trick, TEXT("Checking Interupt Descriptor Table location "));
 		exec_check(&ldt_trick, TEXT("Checking Local Descriptor Table location "));
@@ -267,6 +268,7 @@ int main(int argc, char* argv[])
 	if (ENABLE_QEMU_CHECKS) {
 		print_category(TEXT("QEMU Detection"));
 		qemu_reg_key_value();
+		qemu_reg_keys();
 		qemu_processes();
 		qemu_dir();
 		exec_check(&qemu_firmware_SMBIOS, TEXT("Checking SMBIOS firmware  "));
@@ -277,13 +279,14 @@ int main(int argc, char* argv[])
 	/* Xen Detection */
 	if (ENABLE_XEN_CHECKS) {
 		print_category(TEXT("Xen Detection"));
+		xen_reg_keys();
 		xen_process();
 		exec_check(&xen_check_mac, TEXT("Checking Mac Address start with 08:16:3E "));
 	}
 
 	/* KVM Detection */
 	if (ENABLE_KVM_CHECKS) {
-		print_category(TEXT("Xen Detection"));
+		print_category(TEXT("KVM Detection"));
 		kvm_files();
 		kvm_reg_keys();
 		exec_check(&kvm_dir, TEXT("Checking KVM virio directory "));
@@ -296,9 +299,10 @@ int main(int argc, char* argv[])
 		wine_reg_keys();
 	}
 
-	/* Paralles Detection */
+	/* Parallels Detection */
 	if (ENABLE_PARALLELS_CHECKS) {
-		print_category(TEXT("Paralles Detection"));
+		print_category(TEXT("Parallels Detection"));
+		parallels_reg_keys();
 		parallels_process();
 		exec_check(&parallels_check_mac, TEXT("Checking Mac Address start with 00:1C:42 "));
 	}

al-khaser/AntiVM/Generic.cpp

@@ -2174,4 +2174,35 @@ BOOL hosting_check()
 	if (sock != INVALID_SOCKET) closesocket(sock);
 	WSACleanup();
 	return retVal;
-}
+}
+
+/*
+Check for looking-glass-host & VDD processes list.exe
+https://looking-glass.io (Used in Hypervisor Phantom)
+https://github.com/Scrut1ny/Hypervisor-Phantom
+
+Looking-glass requires at least one of them:
+1. Physical monitor (undetectable)
+2. HDMI emulator stub (undetectable?)
+3. VirtualDisplayDriver (https://github.com/VirtualDrivers/Virtual-Display-Driver)
+*/
+VOID looking_glass_vdd_processes()
+{
+	const TCHAR *szProcesses[] = {
+		_T("looking-glass-host.exe"), 	// Looking-Glass.io
+		_T("VDDSysTray.exe"),			// VirtualDisplayDriver, used in conjunction
+	};
+
+	WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);
+
+	for (int i = 0; i < iLength; i++)
+	{
+		TCHAR msg[256] = _T("");
+		_stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking processes %s "), szProcesses[i]);
+
+		if (GetProcessIdFromName(szProcesses[i]))
+			print_results(TRUE, msg);
+		else
+			print_results(FALSE, msg);
+	}
+}

al-khaser/AntiVM/Generic.h

@@ -51,4 +51,5 @@ BOOL registry_services_disk_enum();
 BOOL registry_disk_enum();
 BOOL number_SMBIOS_tables();
 BOOL firmware_ACPI_WAET();
-BOOL hosting_check();
+BOOL hosting_check();
+VOID looking_glass_vdd_processes();

al-khaser/AntiVM/KVM.cpp

@@ -15,6 +15,7 @@ VOID kvm_reg_keys()
 		_T("SYSTEM\\ControlSet001\\Services\\BALLOON"),
 		_T("SYSTEM\\ControlSet001\\Services\\BalloonService"),
 		_T("SYSTEM\\ControlSet001\\Services\\netkvm"),
+		_T("SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_1AF4*"),
 	};
 
 	WORD dwlength = sizeof(szKeys) / sizeof(szKeys[0]);

al-khaser/AntiVM/Parallels.cpp

@@ -2,6 +2,31 @@
 
 #include "Parallels.h"
 
+/*
+Check against Parallels registry keys
+*/
+VOID parallels_reg_keys()
+{
+	/* Array of strings of blacklisted registry keys */
+	const TCHAR* szKeys[] = {
+		_T("SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_1AB8*"),
+	};
+
+	WORD dwlength = sizeof(szKeys) / sizeof(szKeys[0]);
+
+	/* Check one by one */
+	for (int i = 0; i < dwlength; i++)
+	{
+		TCHAR msg[256] = _T("");
+		_stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking reg key %s "), szKeys[i]);
+
+		if (Is_RegKeyExists(HKEY_LOCAL_MACHINE, szKeys[i]))
+			print_results(TRUE, msg);
+		else
+			print_results(FALSE, msg);
+	}
+}
+
 /*
 Check for process list
 */

al-khaser/AntiVM/Parallels.h

@@ -1,4 +1,5 @@
 #pragma once
 
+VOID parallels_reg_keys();
 VOID parallels_process();
 BOOL parallels_check_mac();

al-khaser/AntiVM/Qemu.cpp

@@ -28,6 +28,30 @@ VOID qemu_reg_key_value()
 }
 
 
+/*
+Check against QEMU registry keys
+*/
+VOID qemu_reg_keys()
+{
+	/* Array of strings of blacklisted registry keys */
+	const TCHAR* szKeys[] = {
+		_T("SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_1B36*"),
+	};
+
+	WORD dwlength = sizeof(szKeys) / sizeof(szKeys[0]);
+
+	/* Check one by one */
+	for (int i = 0; i < dwlength; i++)
+	{
+		TCHAR msg[256] = _T("");
+		_stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking reg key %s "), szKeys[i]);
+
+		if (Is_RegKeyExists(HKEY_LOCAL_MACHINE, szKeys[i]))
+			print_results(TRUE, msg);
+		else
+			print_results(FALSE, msg);
+	}
+}
 
 /*
 Check for process list

al-khaser/AntiVM/Qemu.h

@@ -1,6 +1,7 @@
 #pragma once
 
 VOID qemu_reg_key_value();
+VOID qemu_reg_keys();
 VOID qemu_processes();
 VOID qemu_dir();
 BOOL qemu_firmware_ACPI();

al-khaser/AntiVM/VMWare.cpp

@@ -39,6 +39,7 @@ VOID vmware_reg_keys()
 	/* Array of strings of blacklisted registry keys */
 	const TCHAR* szKeys[] = {
 		_T("SOFTWARE\\VMware, Inc.\\VMware Tools"),
+		_T("SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_15AD*"),
 	};
 
 	WORD dwlength = sizeof(szKeys) / sizeof(szKeys[0]);