Los desarrolladores de malware saben que sus artefactos va a ser irremediablemente analizados por
threat hunters, forenses y demás "azulones" que intentarán destriparlos para obtener el detalle de su funcionamiento y obtener los IoCs correspondientes para contenerlos. También saben que la mayoría serán analizados en sandboxes con máquinas virtuales que pueden proporcionar un entorno aislado para que el malware se active, para que sus acciones puedan ser controladas e interceptadas.
Por ello los programas maliciosos de esta era detectan que se están ejecutando en una máquina virtual y actúan en consecuencia:
se abstienen de inyectar código dentro de las aplicaciones,
mantienen cifrado o encodeado el código malicioso,
no conectan con los servidores de C&C, etc. y buena parte de sus esfuerzos se centran en utilizar técnicas más avanzadas para la detección. Por ejemplo, las últimas versiones del ransomware Locky añadían un nuevo "truco" anti-VM bastante curioso: realizaba dos llamadas a la API de Windows, GetProcessHeap () y CloseHandle () y dependiendo del tiempo de respuesta determinaba si estaba o no en una VM.
Pero veamos las técnicas más genéricas utilizadas por el malware de hoy en día para detectar el entorno virtualizado:
TÉCNICAS PARA DETECTAR ENTORNOS VIRTUALIZADOSARTEFACTOS DE UN ENTORNO VIRTUALIZADO- Comprobación del registro: cada vez que generamos una nueva máquina virtual en el sistema operativo invitado hay muchas entradas en el registro relacionadas con el producto de virtualización utilizado y, como no podía ser de otra manera, el malware consulta la presencia de estas entradas. Por ejemplo en VMWare:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDescVMware SCSI ControllerHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderNameVMware, Inc.- Verificación de memoria: la ubicación de varias estructuras de memoria, especialmente la IDT (Interrupt Descriptor Table), varía en la máquina virtual en comparación con una máquina física.
El malware verifica el uso de varias estructuras de memoria como:
. Almacenar tabla de descriptor de interrupciones (SIDT): en una máquina virtual, normalmente se encuentra en
0xffXXXXXX, mientras que, en una máquina física, se ubica algo más bajo que la típica alrededor de
0x80ffffff.
. Otras estructuras que a menudo son controladas por malware son:
Store Local Descriptor Table (SLDT)
Store Global Descriptor Table (SGDT)
Store Task Register (STR)
- Verificación de procesos y archivos/directorios: por ejemplo, en todas las máquinas virtuales creadas con VMWare hay varios procesos que se siguen ejecutando en segundo plano, como VMwareService.exe, VMwareTray.exe, etc. Además, a veces VMware también instala algunas herramientas en la máquina virtual creada. También hay algunos drivers del sistema específicos para software de virtualización, que se pueden ubicar en la ruta: %windir%\system32\drivers\ con algunos nombres como: vmci.sys, vmhgfs.sys, vmmouse.sys, vmscsi.sys, vmusbmouse.sys, vmx_svga.sys, vmxnet.sys, VBoxMouse.sys. El software malicioso vigila todos los procesos y archivos para detectar el entorno VM.
- Comprobación del canal de comunicación: normalmente el malware comprueba también cualquier comunicación con el host. Para ello ejecuta la instrucción IN. La instrucción IN es una instrucción privilegiada y solo se puede ejecutar desde el Ring 0, pero si se ejecuta desde el Ring 3, se generará una excepción. Sin embargo, cuando esta instrucción se desencadena desde el malware dentro de la máquina virtual, no hay tal excepción y la VM genera una conexión con el hos. Si el número mágico ‘VMxh’ se devuelve al registro EBX, el malware tendrá la certeza que actualmente se está ejecutando en una VM.
- Comprobación de MAC: el malware también comprueba la dirección MAC de la máquina subyacente. Por ejemplo, la dirección MAC que comienza con
00-05-69, 00-0c-29, 00-1c-14 o
00-50-56 pertenece a VMware. También se revisa el número de serie de la BIOS. Por lo general, las máquinas virtuales creadas con VMWare tienen una cadena 'VMware' adjunta a su número de serie de BIOS.
- Otras comprobaciones de hardware: hay varios parámetros de hardware que son específicos de productor de virtualización en comparación con el sistema físico. El malware consulta varios atributos como SerialNo, SocketDesignation, Caption para verificar los valores de la placa base, el procesador y el controlador SCSI respectivamente.
Por ejemplo, en sistemas Linux podemos consultar /proc/cpuinfo y buscar la palabra "hypervisor" en la flag section. Echa un vistazo a los siguientes ejemplos:
En una máquina física:
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch epb invpcid_single intel_pt kaiser tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_eppEn una máquina virtual de vmware:
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss ht syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 popcnt aes xsave avx hypervisor lahf_lm ida arat xsaveopt pln pts dtsDIFERENCIAS ENTORNOSe comprueba la presencia de un mouse, conexión a Internet, tarjeta de sonido,...
DIFERENCIAS DE EJECUCIÓN- Detección de la traducción de bloques (crear otro hilo y aplicar estadísticas en el IP), diferentes valores de registros del sistema (
https://code.google.com/p/corkami/source/browse/trunk/src/CoST/CoST.asm?r=1593#1363), ...
- Falta de interacción del usuario (específica para el entorno automatizado): sin movimiento del mouse, sin operaciones de archivo, ...
DIFERENCIAS DE ENTORNO ESPECÍFICASVmWare backdoor, VirtualPC exception bug, ...
CONTRAMEDIDASEl malware generalmente realiza llamadas a la API para obtener información del sistema y toma una decisión al respecto. Por lo tanto, la monitorización de estas llamadas a la API sería muy importante para contrarrestar el sistema de decisión de malware
- Contrarrestar la verificación del registro: supervisar la acción del malware interceptando las llamadas a la API y agregar una la salida personalizada para ocultar al malware la presencia del host subyacente. Se pueden monitorizar la llamadas de registro:
RegEnumKey ()RegEnumValue ()RegOpenKey ()RegQueryInfoKeyValue ()RegQueryMultipleValues ()RegQueryValue ()- Contrarrestar la comprobación de hardware: monitorizar el hardware siguiendo las API:
SetupDiEnumDeviceInfo ()SetupDiGetDeviceInstanceId ()SetupDiGetDeviceRegistryProperty ()API de WMIUn punto importante a tener en cuenta en la verificación de hardware es la recuperación de información mediante la dirección MAC. Los analistas deben cambiar la dirección MAC en la máquina virtual a otra que no sea el rango de VMware o el producto de virtualización utilizado.
- Contrarrestar la comprobación de memoria: Para contrarrestar la comprobación de memoria, hay que supervisar las instrucciones como SIDT, SLDT, SGDT y STR. Además, como el malware lee los valores de las instrucciones de los registros, sería una buena idea cambiar los valores de registro afectados.
- Contrarrestar el canal de comunicación de la máquina virtual: Como se indicó anteriormente, esto generalmente se lleva a cabo con instrucciones IN. Para contrarrestar el canal de comunicación de la VM, supervisar la instrucción IN y cambiar el valor del valor mágico (VMXh).
- Contrarrestar la verificación de archivos y procesos: Como ya habréis adivinado, la verificación de archivos y procesos se puede contrarrestar mediante la supervisión de las API para carpetas, archivos, procesos, etc. En este caso, si el malware realiza una solicitud para consultar archivos y carpetas, entonces esa llamada a la API debe ser interceptada, y un mensaje personalizado debe ser enviado como salida al malware para impedir que reconozca cualquier archivo de VMware o el producto utilizado.
HERRAMIENTASSCOOPY- Scoopy ejecuta SIDT, SGDT y SLDT
- Las verificaciones para ver el IDT se encuentran en una dirección que comienza con 0xc0 (Linux) y 0x80 (Windows). Si lo encuentra, Scoopy muestra un mensaje que indica que se está ejecutando en una máquina host. De lo contrario, se imprime que está en un sistema operativo invitado.
- Klein usa una lógica idéntica para comparar la ubicación del GDT con 0xc0XXXXXX para obtener una "segunda opinión"
- Y luego, mira el LDT (solo 2 bytes). • IfLDTislocatedat0x0000, itisarealmachine, elseVMware
¡Son tres pruebas por el precio de una!
VMDETECTVMDetect usa tres técnicas distintas para detectar VirtualPC y VMware: Writtenbylallous, Highlyeffective, Hardtododge
AL-KHASERUna colección de técnicas anti-sandbox/vm/debugger implementadas en un programa de código abierto que nos dará una idea clara de cómo detectar virtualización.
ANTIVMDETECTIONEs un script que ayuda a crear plantillas que puede usar con VirtualBox para hacer que la detección de máquinas virtuales sea más difícil.
MÉTODOS Y "TRUCOS" PARA LA DETECCIÓN DE VMsVirtualBox-
http://pastebin.com/RU6A2UuB (9 métodos distintos, registro, VBOX dlls, pipe names etc)
//http://waleedassar.blogspot.com - (@waleedassar)
#include "stdafx.h"
#include "windows.h"
void ToLower(unsigned char* Pstr)
{
char* P=(char*)Pstr;
unsigned long length=strlen(P);
for(unsigned long i=0;i<length;i++) P[i]=tolower(P[i]);
return;
}
int main(int argc, char* argv[])
{
//method 1
HKEY HK=0;
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"HARDWARE\\ACPI\\DSDT\\VBOX__",0,KEY_READ,&HK)==ERROR_SUCCESS)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(1);
}
//method 2 -- requires Guest Additions to be installed.
HANDLE hF1=CreateFile("\\\\.\\VBoxMiniRdrDN",GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,0,OPEN_EXISTING,0,0);
if(hF1!=INVALID_HANDLE_VALUE)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(2);
}
//method 3 -- requires Guest Additions to be installed
HMODULE hM1=LoadLibrary("VBoxHook.dll");
if(hM1)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(3);
}
//method 4 -- requires Guest Additions to be installed
HK=0;
if( (ERROR_SUCCESS==RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Oracle\\VirtualBox Guest Additions",0,KEY_READ,&HK)) && HK)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
RegCloseKey(HK);
ExitProcess(4);
}
//method 5
HK=0;
char* subkey="SYSTEM\\CurrentControlSet\\Enum\\IDE";
if( (ERROR_SUCCESS==RegOpenKeyEx(HKEY_LOCAL_MACHINE,subkey,0,KEY_READ,&HK)) && HK )
{
unsigned long n_subkeys=0;
unsigned long max_subkey_length=0;
if(ERROR_SUCCESS==RegQueryInfoKey(HK,0,0,0,&n_subkeys,&max_subkey_length,0,0,0,0,0,0))
{
if(n_subkeys) //Usually n_subkeys are 2
{
char* pNewKey=(char*)LocalAlloc(LMEM_ZEROINIT,max_subkey_length+1);
for(unsigned long i=0;i<n_subkeys;i++) //Usually n_subkeys are 2
{
memset(pNewKey,0,max_subkey_length+1);
HKEY HKK=0;
if(ERROR_SUCCESS==RegEnumKey(HK,i,pNewKey,max_subkey_length+1))
{
if((RegOpenKeyEx(HK,pNewKey,0,KEY_READ,&HKK)==ERROR_SUCCESS) && HKK)
{
unsigned long nn=0;
unsigned long maxlen=0;
RegQueryInfoKey(HKK,0,0,0,&nn,&maxlen,0,0,0,0,0,0);
char* pNewNewKey=(char*)LocalAlloc(LMEM_ZEROINIT,maxlen+1);
if(RegEnumKey(HKK,0,pNewNewKey,maxlen+1)==ERROR_SUCCESS)
{
HKEY HKKK=0;
if(RegOpenKeyEx(HKK,pNewNewKey,0,KEY_READ,&HKKK)==ERROR_SUCCESS)
{
unsigned long size=0xFFF;
unsigned char ValName[0x1000]={0};
if(RegQueryValueEx(HKKK,"FriendlyName",0,0,ValName,&size)==ERROR_SUCCESS)
{
ToLower(ValName);
if(strstr((char*)ValName,"vbox"))
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(5);
}
}
RegCloseKey(HKKK);
}
}
LocalFree(pNewNewKey);
RegCloseKey(HKK);
}
}
}
LocalFree(pNewKey);
}
}
RegCloseKey(HK);
}
//method 6
HK=0;
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"HARDWARE\\DESCRIPTION\\System",0,KEY_READ,&HK)==ERROR_SUCCESS)
{
unsigned long type=0;
unsigned long size=0x100;
char* systembiosversion=(char*)LocalAlloc(LMEM_ZEROINIT,size+10);
if(ERROR_SUCCESS==RegQueryValueEx(HK,"SystemBiosVersion",0,&type,(unsigned char*)systembiosversion,&size))
{
ToLower((unsigned char*)systembiosversion);
if(type==REG_SZ||type==REG_MULTI_SZ)
{
if(strstr(systembiosversion,"vbox"))
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(6);
}
}
}
LocalFree(systembiosversion);
type=0;
size=0x200;
char* videobiosversion=(char*)LocalAlloc(LMEM_ZEROINIT,size+10);
if(ERROR_SUCCESS==RegQueryValueEx(HK,"VideoBiosVersion",0,&type,(unsigned char*)videobiosversion,&size))
{
if(type==REG_MULTI_SZ)
{
char* video=videobiosversion;
while(*(unsigned char*)video)
{
ToLower((unsigned char*)video);
if(strstr(video,"oracle")||strstr(video,"virtualbox") )
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(6);
}
video=&video[strlen(video)+1];
}
}
}
LocalFree(videobiosversion);
RegCloseKey(HK);
}
//method 7 - requires guest additions to be installed.
HANDLE hxx=CreateFile("\\\\.\\pipe\\VBoxTrayIPC",GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,0,OPEN_EXISTING,0,0);
if(hxx!=INVALID_HANDLE_VALUE)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
CloseHandle(hxx);
ExitProcess(7);
}
//method 8 - requires guest additions installed
HWND hY1=FindWindow("VBoxTrayToolWndClass",0);
HWND hY2=FindWindow(0,"VBoxTrayToolWnd");
if(hY1 || hY2)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(8);
}
//method 9
unsigned long pnsize=0x1000;
char* provider=(char*)LocalAlloc(LMEM_ZEROINIT,pnsize);
int retv=WNetGetProviderName(WNNC_NET_RDR2SAMPLE,provider,&pnsize);
if(retv==NO_ERROR)
{
if(lstrcmpi(provider,"VirtualBox Shared Folders")==0)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(9);
}
}
return 0;
}
http://pastebin.com/xhFABpPL (proveedor de nombre de máquina)
//http://waleedassar.blogspot.com/ (@waleedassar)
//Using the "WNetGetProviderName" function to detect VirtualBox.
//Thanks @deesse_k for the idea
#include "stdafx.h"
#include "windows.h"
#include "Winnetwk.h"
#pragma comment(lib,"MPR")
int main(void)
{
//method 9
unsigned long pnsize=0x1000;
char* provider=(char*)LocalAlloc(LMEM_ZEROINIT,pnsize);
int retv=WNetGetProviderName(WNNC_NET_RDR2SAMPLE,provider,&pnsize);
if(retv==NO_ERROR)
{
if(lstrcmpi(provider,"VirtualBox Shared Folders")==0)
{
MessageBox(0,"VirtualBox detected","waliedassar",0);
ExitProcess(9);
}
}
return 0;
}
http://pastebin.com/v8LnMiZs (truco Innotek)
//http://waleedassar.blogspot.com (@waleedassar)
//MS VC++ 2005 + DirectX SDK
#include "stdafx.h"
#include "dxdiag.h"
#include "stdio.h"
int main(int argc, _TCHAR* argv[])
{
HRESULT hr=CoInitialize(0);
if(!SUCCEEDED(hr)) return 0;
IDxDiagProvider* pProvider = NULL;
hr=CoCreateInstance(CLSID_DxDiagProvider,0,CLSCTX_INPROC_SERVER,IID_IDxDiagProvider,(void**)&pProvider );
if(!SUCCEEDED(hr))
{
CoUninitialize();
return 0;
}
DXDIAG_INIT_PARAMS InitParams={0};
InitParams.dwSize=sizeof(DXDIAG_INIT_PARAMS);
InitParams.dwDxDiagHeaderVersion=DXDIAG_DX9_SDK_VERSION;
InitParams.bAllowWHQLChecks=false;
hr=pProvider->Initialize(&InitParams);
if(SUCCEEDED(hr))
{
IDxDiagContainer* pDxDiagRoot=0;
IDxDiagContainer* pDxDiagSystemInfo=0;
hr=pProvider->GetRootContainer(&pDxDiagRoot );
if(SUCCEEDED(hr))
{
hr=pDxDiagRoot->GetChildContainer( L"DxDiag_SystemInfo", &pDxDiagSystemInfo );
if(SUCCEEDED(hr) )
{
VARIANT varX;
hr=pDxDiagSystemInfo->GetProp( L"szSystemManufacturerEnglish",&varX);
if( SUCCEEDED(hr)&&varX.vt==VT_BSTR && SysStringLen(varX.bstrVal)!=0)
{
wchar_t* pMan=varX.bstrVal;
wprintf(L"System Manufacturer is %s\r\n",pMan);
if(!_wcsicmp(pMan,L"innotek GmbH"))
{
printf("VirtualBox detected\r\n");
}
}
VariantClear(&varX);
hr=pDxDiagSystemInfo->GetProp( L"szSystemModelEnglish",&varX);
if( SUCCEEDED(hr)&&varX.vt==VT_BSTR && SysStringLen(varX.bstrVal)!=0)
{
wchar_t* pMan=varX.bstrVal;
wprintf(L"System Model is %s\r\n",pMan);
if(!_wcsicmp(pMan,L"VirtualBox"))
{
printf("VirtualBox detected\r\n");
}
}
VariantClear(&varX);
pDxDiagSystemInfo->Release();
}
pDxDiagRoot->Release();
}
//pProvider->Release();
}
CoUninitialize();
return 0;
}
http://pastebin.com/fPY4MiYq (Marca y versión de la Bios)
//http://waleedassar.blogspot.com (@waleedassar)
//Reading "SMBiosData" to extract Bios Brand and Bios Version strings from registry.
//If the Bios Brand string is "innotek GmbH" or Bios Version is "VirtualBox", then it is a sign that we are running in VirtualBox.
//You can also use WMI to extract the same info.
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
void AllToUpper(char* str,unsigned long len)
{
for(unsigned long c=0;c<len;c++)
{
if(str[c]>='a'&& str[c]<='z')
{
str[c]-=32;
}
}
}
unsigned char* ScanDataForString(unsigned char* data,unsigned long data_length,unsigned char* string2)
{
unsigned long string_length=strlen((char*)string2);
for(unsigned long i=0;i<=(data_length-string_length);i++)
{
if(strncmp((char*)(&data[i]),(char*)string2,string_length)==0) return &data[i];
}
return 0;
}
int main(int argc, char* argv[])
{
HKEY hk=0;
int ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\mssmbios\\data",0,KEY_ALL_ACCESS,&hk);
if(ret==ERROR_SUCCESS)
{
unsigned long type=0;
unsigned long length=0;
ret=RegQueryValueEx(hk,"SMBiosData",0,&type,0,&length);
if(ret==ERROR_SUCCESS)
{
if(length)
{
char* p=(char*)LocalAlloc(LMEM_ZEROINIT,length);
if(p)
{
ret=RegQueryValueEx(hk,"SMBiosData",0,&type,(unsigned char*)p,&length);
if(ret==ERROR_SUCCESS)
{
AllToUpper(p,length);
unsigned char* x1=ScanDataForString((unsigned char*)p,length,(unsigned char*)"INNOTEK GMBH");
unsigned char* x2=ScanDataForString((unsigned char*)p,length,(unsigned char*)"VIRTUALBOX");
unsigned char* x3=ScanDataForString((unsigned char*)p,length,(unsigned char*)"SUN MICROSYSTEMS");
unsigned char* x4=ScanDataForString((unsigned char*)p,length,(unsigned char*)"VIRTUAL MACHINE");
unsigned char* x5=ScanDataForString((unsigned char*)p,length,(unsigned char*)"VBOXVER");
if(x1 || x2 || x3 || x4 || x5)
{
printf("VirtualBox detected\r\n");
printf("Some Strings found:\r\n");
if(x1) printf("%s\r\n",x1);
if(x2) printf("%s\r\n",x2);
if(x3) printf("%s\r\n",x3);
if(x4) printf("%s\r\n",x4);
if(x5) printf("%s\r\n",x5);
}
}
LocalFree(p);
}
}
}
RegCloseKey(hk);
}
return 0;
}
http://pastebin.com/Geggzp4G (Marca y versión de la Bios)
//http://waleedassar.blogspot.com (@waleedassar)
//Reading "SMBiosData" to extract Bios Brand and Bios Version strings via WMI COM access. If the Bios Brand string is //"innotek GmbH" or Bios Version is "VirtualBox", then it is a sign that we are running in VirtualBox.
#include "stdafx.h"
#include <comdef.h>
#include <Wbemidl.h>
#include "stdio.h"
#pragma comment(lib, "wbemuuid.lib")
void AllToUpper(unsigned char* str,unsigned long len)
{
for(unsigned long c=0;c<len;c++)
{
if(str[c]>='a'&& str[c]<='z')
{
str[c]-=32;
}
}
}
unsigned char* ScanDataForString(unsigned char* data,unsigned long data_length,unsigned char* string2)
{
unsigned long string_length=(unsigned long)strlen((char*)string2);
for(unsigned long i=0;i<=(data_length-string_length);i++)
{
if(strncmp((char*)(&data[i]),(char*)string2,string_length)==0) return &data[i];
}
return 0;
}
int main(int argc, _TCHAR* argv[])
{
BSTR rootwmi=SysAllocString(L"root\\wmi");
BSTR tables=SysAllocString(L"MSSmBios_RawSMBiosTables");
BSTR biosdata=SysAllocString(L"SMBiosData");
HRESULT hr=CoInitializeEx(0, COINIT_MULTITHREADED);
if(!SUCCEEDED(hr)) return 0;
IWbemLocator* pLoc=0;
hr=CoCreateInstance(CLSID_WbemLocator,0,CLSCTX_INPROC_SERVER,IID_IWbemLocator,(void**)&pLoc);
if(!SUCCEEDED(hr))
{
CoUninitialize();
return 0;
}
IWbemServices* pSvc=0;
hr=pLoc->ConnectServer(rootwmi,0 ,0 ,0 ,0,0,0,&pSvc);
if(!SUCCEEDED(hr))
{
pLoc->Release();
CoUninitialize();
return 0;
}
hr=CoSetProxyBlanket(pSvc,RPC_C_AUTHN_WINNT,RPC_C_AUTHZ_NONE,0,RPC_C_AUTHN_LEVEL_CALL,RPC_C_IMP_LEVEL_IMPERSONATE,0,EOAC_NONE);
if(!SUCCEEDED(hr))
{
pSvc->Release();
pLoc->Release();
CoUninitialize();
return 0;
}
IEnumWbemClassObject* pEnum=0;
hr=pSvc->CreateInstanceEnum(tables,0,0, &pEnum);
if(!SUCCEEDED(hr))
{
pSvc->Release();
pLoc->Release();
CoUninitialize();
return 0;
}
IWbemClassObject* pInstance=0;
unsigned long Count=0;
hr=pEnum->Next(WBEM_INFINITE,1,&pInstance,&Count);
if(SUCCEEDED(hr))
{
VARIANT BiosData;
VariantInit(&BiosData);
CIMTYPE type;
hr=pInstance->Get(biosdata,0,&BiosData,&type,NULL);
if(SUCCEEDED(hr))
{
SAFEARRAY* p_array = NULL;
p_array = V_ARRAY(&BiosData);
unsigned char* p_data=(unsigned char *)p_array->pvData;
unsigned long length=p_array->rgsabound[0].cElements;
AllToUpper(p_data,length);
unsigned char* x1=ScanDataForString((unsigned char*)p_data,length,(unsigned char*)"INNOTEK GMBH");
unsigned char* x2=ScanDataForString((unsigned char*)p_data,length,(unsigned char*)"VIRTUALBOX");
unsigned char* x3=ScanDataForString((unsigned char*)p_data,length,(unsigned char*)"SUN MICROSYSTEMS");
unsigned char* x4=ScanDataForString((unsigned char*)p_data,length,(unsigned char*)"VIRTUAL MACHINE");
unsigned char* x5=ScanDataForString((unsigned char*)p_data,length,(unsigned char*)"VBOXVER");
if(x1 || x2 || x3 || x4 || x5)
{
printf("VirtualBox detected\r\n");
printf("Some Strings found:\r\n");
if(x1) printf("%s\r\n",x1);
if(x2) printf("%s\r\n",x2);
if(x3) printf("%s\r\n",x3);
if(x4) printf("%s\r\n",x4);
if(x5) printf("%s\r\n",x5);
}
}
VariantClear(&BiosData);
pInstance->Release();
}
pSvc->Release();
pLoc->Release();
CoUninitialize();
ExitProcess(0);
return 0;
}
http://pastebin.com/T0s5gVGW (parser SMBiosData buscando nuevos types)
//http://waleedassar.blogspot.com (@waleedassar)
//The following code parses the SMBiosData retrieved from the Windows registry and searches for any structures of TYPE TYPE_INACTIVE (126, 0x7E). This is a sign of VirtualBox existence.
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
#define TYPE_BIOS 0x0 //e.g. Bios Brand and Version
#define TYPE_SYSTEM 0x1 //System Manufacturer and Model
#define TYPE_BASEBOARD 0x2
#define TYPE_SYSTEM_ENCLOSURE 0x3
#define TYPE_PROCESSOR 0x4
#define TYPE_CACHE_INFO 0x7
#define TYPE_SYSTEM_SLOTS 0x9
#define TYPE_OEM_STRINGS 0xB
#define TYPE_PHYSICAL_MEM_ARRAY 0x10
#define TYPE_MEMORY_DEVICE 0x11
#define TYPE_MEMORY_ARRAY_MAPPED_ADDRESS 0x13
#define TYPE_SYSTEM_BOOT_INFORMATION 0x20
#define TYPE_INACTIVE 0x7E //???? this one
#define TYPE_END_OF_STRUCTURE 0x7F
//----This structure is only need for parsing SMBiosData retrieved from Registry.
//Not needed for parsing SMBiosData retrieved Via WMI
struct BIOS_DATA_HEAD
{
unsigned char a1;
unsigned char a2;
unsigned char a3;
unsigned char a4;
unsigned long length;
};
struct HeadER
{
unsigned char Type; //0 for bios, 1 for system, and so on.
unsigned char section_length;
unsigned short handles;
};
void AllToUpper(char* str,unsigned long len)
{
for(unsigned long c=0;c<len;c++)
{
if(str[c]>='a'&& str[c]<='z')
{
str[c]-=32;
}
}
}
void PrintType(unsigned char type)
{
printf("----------------------------------------\r\n");
if(type==TYPE_BIOS) printf("Type: BIOS\r\n");
else if(type==TYPE_SYSTEM) printf("Type: SYSTEM INFO\r\n");
else if(type==TYPE_BASEBOARD) printf("Type: BASEBOARD\r\n");
else if(type==TYPE_SYSTEM_ENCLOSURE) printf("Type: BIOS\r\n");
else if(type==TYPE_PROCESSOR) printf("Type: PROCESSOR\r\n");
else if(type==TYPE_CACHE_INFO) printf("Type: CACHE INFO\r\n");
else if(type==TYPE_SYSTEM_SLOTS) printf("Type: SYSTEM SLOTS\r\n");
else if(type==TYPE_OEM_STRINGS) printf("Type: OEM STRINGS\r\n");
else if(type==TYPE_PHYSICAL_MEM_ARRAY) printf("Type: PHYSICAL MEMORY ARRAY\r\n");
else if(type==TYPE_MEMORY_DEVICE) printf("Type: MEMORY DEVICE\r\n");
else if(type==TYPE_MEMORY_ARRAY_MAPPED_ADDRESS) printf("Type: MEMORY ARRAY MAPPED ADDRESS\r\n");
else if(type==TYPE_SYSTEM_BOOT_INFORMATION) printf("Type: SYSTEM BOOT INFORMATION\r\n");
else if(type==TYPE_END_OF_STRUCTURE) printf("Type: END OF STRUCTURE\r\n");
else printf("Type: %X\r\n",type);
}
//index 1 represents the first string
char* PrintString(char* pString,unsigned long index)
{
index--;
while(index)
{
unsigned long length=strlen(pString);
pString+=(length+1);
if(*pString==0)
{
printf("String is: Error retrieving string\r\n");
return 0;
}
index--;
}
printf("String is: %s\r\n",pString);
return pString;
}
unsigned char* ScanDataForString(unsigned char* data,unsigned long data_length,unsigned char* string2)
{
unsigned long string_length=strlen((char*)string2);
for(unsigned long i=0;i<=(data_length-string_length);i++)
{
if(strncmp((char*)(&data[i]),(char*)string2,string_length)==0) return &data[i];
}
return 0;
}
int main(int argc, char* argv[])
{
HKEY hk=0;
int ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\mssmbios\\data",0,KEY_ALL_ACCESS,&hk);
if(ret==ERROR_SUCCESS)
{
unsigned long type=0;
unsigned long length=0;
ret=RegQueryValueEx(hk,"SMBiosData",0,&type,0,&length);
if(ret==ERROR_SUCCESS)
{
if(length)
{
char* p=(char*)LocalAlloc(LMEM_ZEROINIT,length);
if(p)
{
ret=RegQueryValueEx(hk,"SMBiosData",0,&type,(unsigned char*)p,&length);
if(ret==ERROR_SUCCESS)
{
//--------------------------Only when parsing SMBiosData retrieved from Registry------------------
unsigned long new_length=((BIOS_DATA_HEAD*)p)->length; //length-8
p+=0x8;
printf("Length is: %X\r\n",new_length);
//------------------------------------------------------------------------------------------------
unsigned long i=0;
while(i<new_length)
{
unsigned char type=((HeadER*)(p+i))->Type;
PrintType(type);
unsigned char section_size=((HeadER*)(p+i))->section_length;
printf("Section length is: %X\r\n",section_size);
unsigned short handles=((HeadER*)(p+i))->handles;
printf("Handle is: %X\r\n",handles);
if(type==0x7F) break; //End-Of-Table
if(type==TYPE_INACTIVE) //0x7E
{
PrintString(p+i+section_size,*(p+i+4)); //print Brand
PrintString(p+i+section_size,*(p+i+5)); //print Version
MessageBox(0,"VirtualBox detected","waliedassar",0);
}
//---Get End of Structure--------------
unsigned char* pxp=(unsigned char*)p+i+section_size;
while(*(unsigned short*)pxp!=0) pxp++;
pxp++;
pxp++;
//-------------------------------------
i=(pxp-((unsigned char*)p));
}
}
LocalFree(p);
}
}
}
RegCloseKey(hk);
}
return 0;
}
http://pastebin.com/AjHWApes (truco dirección MAC de Cadmus)
//http://waleedassar.blogspot.com (@waleedassar)
//VirtualBox Adapters (Host and Guests) always have their MAC addresses in the form of 08-00-27-??-??-??. This range was originally assigned to Cadmus Computer Systems.
//This might show false positive results, but has not been witnessed so far.
#include "stdafx.h"
#include "winsock2.h"
#include "iphlpapi.h"
#include "ws2tcpip.h"
#include "windows.h"
#include "stdio.h"
int main(int argc, char* argv[])
{
WSADATA WSD;
if(!WSAStartup(MAKEWORD(2,2),&WSD))
{
unsigned long tot_size=0;
int ret=GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,0,&tot_size);
if(ret==ERROR_BUFFER_OVERFLOW)
{
IP_ADAPTER_ADDRESSES* px=(IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,tot_size);
if(px)
{
ret=GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,px,&tot_size);
IP_ADAPTER_ADDRESSES* pxx=px;
//Traverse a singly-linked list
for(pxx;pxx;pxx=pxx->Next)
{
if(pxx->PhysicalAddressLength==0x6)
{
if(wcsicmp(pxx->FriendlyName,L"VirtualBox Host-Only Network")) //We don't want to detect the HOST OS
{
char xx[0x6]={0};
memcpy(xx,pxx->PhysicalAddress,0x6);
if(xx[0]==0x08&& xx[1]==0x00 && xx[2]==0x27) //Cadmus Computer Systems Mac address
{
MessageBox(0,L"VirtualBox detected",L"waliedassar",0);
}
}
}
}
LocalFree(px);
}
}
WSACleanup();
}
ExitProcess(0);
return 0;
}
http://pastebin.com/wh4NAP26 (truco VBoxSharedFolderFS)
//http://waleedassar.blogspot.com (@waleedassar)
//If you happen to have a mapped shared folder inside VirtualBox, then it always has the File system named "VBoxSharedFolderFS".
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
int main(int argc, char* argv[])
{
for(unsigned char x='A';x<='Z';x++)
{
char drv[0x4]={0};
drv[0]=x;
drv[1]=':';
drv[2]='\\';
if(DRIVE_REMOTE==GetDriveType(drv))
{
char FSName[0x110]={0};
if(GetVolumeInformation(drv,0,0,0,0,0,FSName,0x100))
{
if(strcmpi("VBoxSharedFolderFS",FSName)==0)
{
MessageBox(0,"VirtualBox detected","walied",0);
}
else
{
printf("%s %s\r\n",drv,FSName);
}
}
}
}
return 0;
}
http://pastebin.com/Nsv5B1yk (truco Resume Flag)
//http://waleedassar.blogspot.com
//http://www.twitter.com/waleedassar
//Use this code to detect if Windows XP is running inside Virtual PC 2007
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
#define CONTEXT_ALL 0x1003F
int dummy(int);
unsigned long gf=0;
int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
{
if(pRec->ExceptionCode==0xC0000096) //Privileged instruction
{
//---------------------Installing the trick--------------------------------------
*(unsigned long*)(pContext)=CONTEXT_ALL;/*CONTEXT_DEBUG_REGISTERS|CONTEXT_FULL*/
*(unsigned long*)(pContext+0x4)=(unsigned long)(&dummy);
*(unsigned long*)(pContext+0x8)=(unsigned long)(&dummy);
*(unsigned long*)(pContext+0xC)=(unsigned long)(&dummy);
*(unsigned long*)(pContext+0x10)=(unsigned long)(&dummy);
*(unsigned long*)(pContext+0x14)=0;
*(unsigned long*)(pContext+0x18)=0x155; //Enable the four DRx On-Execute
//---------------------------------------------------------------------------------
(*(unsigned long*)(pContext+0xB8))++;
return ExceptionContinueExecution;
}
else if(pRec->ExceptionCode==EXCEPTION_SINGLE_STEP)
{
if(gf==1)
{
MessageBox(0,"Expected behavior (XP)","waliedassar",0);
ExitProcess(0);
}
gf++;
(*(unsigned long*)(pContext+0xC0))|=0x00010000; //Set the RF (Resume Flag)
return ExceptionContinueExecution;
}
return ExceptionContinueSearch;
}
int dummy(int x)
{
x+=0x100;
return x;
}
int main(int shitArg)
{
unsigned long ver_=GetVersion();
unsigned long major=ver_&0xFF;
unsigned long minor=(ver_>>0x8)&0xFF;
if(major==0x05 & minor==0x01) //Windows XP
{
unsigned long x=0;
__asm
{
push offset Handler
push dword ptr fs:[0x0]
mov dword ptr fs:[0x0],esp
STI; Triggers an exception(privileged instruction)
}
dummy(0xFF);
__asm
{
pop dword ptr fs:[0x0]
pop ebx
}
MessageBox(0,"Virtual PC 2007 detected (XP)","waliedassar",0);
}
return 0;
}
VirtualPchttp://pastebin.com/wuqcUaiE //http://waleedassar.blogspot.com (@waleedassar)
//If running inside VirtualPC, the Illegal Instruction exception will be swallowed and no exception is raised.
// In this code "\x0f\x3F\x07\x0B" is used, other "\x0F\x3F\xXX\xXX" are also working.
//For more: http://pastebin.com/VDDRcmdL
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
bool x=false;
int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
{
x=true;
(*(unsigned long*)(pContext+0xB8))+=4;
return ExceptionContinueExecution;
}
int main(int argc, char* argv[])
{
__asm
{
push offset Handler
push dword ptr fs:[0x0]
mov dword ptr fs:[0x0],esp
__emit 0Fh
__emit 3Fh
__emit 07h
__emit 0Bh
}
if(x==false)
{
MessageBox(0,"VirtualPC detected","waliedassar",0);
ExitProcess(0);
}
__asm
{
pop dword ptr fs:[0x0]
pop eax
}
return 0;
}
http://pastebin.com/VDDRcmdL //http://waleedassar.blogspot.com (@waleedassar)
//Each of the following can be used to detect VirtualPC
//For more info: http://pastebin.com/wuqcUaiE
\xF\x3F\x1\x0
\xF\x3F\x5\x0
\xF\x3F\x7\x0
\xF\x3F\xD\x0
\xF\x3F\x10\x0
\xF\x3F\x1\x1
\xF\x3F\x5\x1
\xF\x3F\x7\x1
\xF\x3F\xD\x1
\xF\x3F\x10\x1
\xF\x3F\x1\x2
\xF\x3F\x5\x2
\xF\x3F\x7\x2
\xF\x3F\xD\x2
\xF\x3F\x10\x2
\xF\x3F\x1\x3
\xF\x3F\x5\x3
\xF\x3F\x7\x3
\xF\x3F\xD\x3
\xF\x3F\x10\x3
\xF\x3F\x1\x4
\xF\x3F\x5\x4
\xF\x3F\x7\x4
\xF\x3F\xD\x4
\xF\x3F\x10\x4
\xF\x3F\x1\x5
\xF\x3F\x5\x5
\xF\x3F\x7\x5
\xF\x3F\xD\x5
\xF\x3F\x10\x5
\xF\x3F\x1\x6
\xF\x3F\x5\x6
\xF\x3F\x7\x6
\xF\x3F\xD\x6
\xF\x3F\x10\x6
\xF\x3F\x1\x7
\xF\x3F\x5\x7
\xF\x3F\x7\x7
\xF\x3F\xD\x7
\xF\x3F\x10\x7
\xF\x3F\x1\x8
\xF\x3F\x5\x8
\xF\x3F\x7\x8
\xF\x3F\xD\x8
\xF\x3F\x10\x8
\xF\x3F\x1\x9
\xF\x3F\x5\x9
\xF\x3F\x7\x9
\xF\x3F\xD\x9
\xF\x3F\x10\x9
\xF\x3F\x1\xA
\xF\x3F\x5\xA
\xF\x3F\x7\xA
\xF\x3F\xD\xA
\xF\x3F\x10\xA
\xF\x3F\x1\xB
\xF\x3F\x5\xB
\xF\x3F\x7\xB
\xF\x3F\xD\xB
\xF\x3F\x10\xB
\xF\x3F\x1\xC
\xF\x3F\x5\xC
\xF\x3F\x7\xC
\xF\x3F\xD\xC
\xF\x3F\x10\xC
\xF\x3F\x1\xD
\xF\x3F\x5\xD
\xF\x3F\x7\xD
\xF\x3F\xD\xD
\xF\x3F\x10\xD
\xF\x3F\x1\xE
\xF\x3F\x5\xE
\xF\x3F\x7\xE
\xF\x3F\xD\xE
\xF\x3F\x10\xE
\xF\x3F\x1\xF
\xF\x3F\x5\xF
\xF\x3F\x7\xF
\xF\x3F\xD\xF
\xF\x3F\x10\xF
\xF\x3F\x1\x10
\xF\x3F\x5\x10
\xF\x3F\x7\x10
\xF\x3F\xD\x10
\xF\x3F\x10\x10
\xF\x3F\x1\x11
\xF\x3F\x5\x11
\xF\x3F\x7\x11
\xF\x3F\xD\x11
\xF\x3F\x10\x11
\xF\x3F\x1\x12
\xF\x3F\x5\x12
\xF\x3F\x7\x12
\xF\x3F\xD\x12
\xF\x3F\x10\x12
\xF\x3F\x1\x13
\xF\x3F\x5\x13
\xF\x3F\x7\x13
\xF\x3F\xD\x13
\xF\x3F\x10\x13
\xF\x3F\x1\x14
\xF\x3F\x5\x14
\xF\x3F\x7\x14
\xF\x3F\xD\x14
\xF\x3F\x10\x14
\xF\x3F\x1\x15
\xF\x3F\x5\x15
\xF\x3F\x7\x15
\xF\x3F\xD\x15
\xF\x3F\x10\x15
\xF\x3F\x1\x16
\xF\x3F\x5\x16
\xF\x3F\x7\x16
\xF\x3F\xD\x16
\xF\x3F\x10\x16
\xF\x3F\x1\x17
\xF\x3F\x5\x17
\xF\x3F\x7\x17
\xF\x3F\xD\x17
\xF\x3F\x10\x17
\xF\x3F\x1\x18
\xF\x3F\x5\x18
\xF\x3F\x7\x18
\xF\x3F\xD\x18
\xF\x3F\x10\x18
\xF\x3F\x1\x19
\xF\x3F\x5\x19
\xF\x3F\x7\x19
\xF\x3F\xD\x19
\xF\x3F\x10\x19
\xF\x3F\x1\x1A
\xF\x3F\x5\x1A
\xF\x3F\x7\x1A
\xF\x3F\xD\x1A
\xF\x3F\x10\x1A
\xF\x3F\x1\x1B
\xF\x3F\x5\x1B
\xF\x3F\x7\x1B
\xF\x3F\xD\x1B
\xF\x3F\x10\x1B
\xF\x3F\x1\x1C
\xF\x3F\x5\x1C
\xF\x3F\x7\x1C
\xF\x3F\xD\x1C
\xF\x3F\x10\x1C
\xF\x3F\x1\x1D
\xF\x3F\x5\x1D
\xF\x3F\x7\x1D
\xF\x3F\xD\x1D
\xF\x3F\x10\x1D
\xF\x3F\x1\x1E
\xF\x3F\x5\x1E
\xF\x3F\x7\x1E
\xF\x3F\xD\x1E
\xF\x3F\x10\x1E
\xF\x3F\x1\x1F
\xF\x3F\x5\x1F
\xF\x3F\x7\x1F
\xF\x3F\xD\x1F
\xF\x3F\x10\x1F
\xF\x3F\x1\x20
\xF\x3F\x5\x20
\xF\x3F\x7\x20
\xF\x3F\xD\x20
\xF\x3F\x10\x20
\xF\x3F\x1\x21
\xF\x3F\x5\x21
\xF\x3F\x7\x21
\xF\x3F\xD\x21
\xF\x3F\x10\x21
\xF\x3F\x1\x22
\xF\x3F\x5\x22
\xF\x3F\x7\x22
\xF\x3F\xD\x22
\xF\x3F\x10\x22
\xF\x3F\x1\x23
\xF\x3F\x5\x23
\xF\x3F\x7\x23
\xF\x3F\xD\x23
\xF\x3F\x10\x23
\xF\x3F\x1\x24
\xF\x3F\x5\x24
\xF\x3F\x7\x24
\xF\x3F\xD\x24
\xF\x3F\x10\x24
\xF\x3F\x1\x25
\xF\x3F\x5\x25
\xF\x3F\x7\x25
\xF\x3F\xD\x25
\xF\x3F\x10\x25
\xF\x3F\x1\x26
\xF\x3F\x5\x26
\xF\x3F\x7\x26
\xF\x3F\xD\x26
\xF\x3F\x10\x26
\xF\x3F\x1\x27
\xF\x3F\x5\x27
\xF\x3F\x7\x27
\xF\x3F\xD\x27
\xF\x3F\x10\x27
\xF\x3F\x1\x28
\xF\x3F\x5\x28
\xF\x3F\x7\x28
\xF\x3F\xD\x28
\xF\x3F\x10\x28
\xF\x3F\x1\x29
\xF\x3F\x5\x29
\xF\x3F\x7\x29
\xF\x3F\xD\x29
\xF\x3F\x10\x29
\xF\x3F\x1\x2A
\xF\x3F\x5\x2A
\xF\x3F\x7\x2A
\xF\x3F\xD\x2A
\xF\x3F\x10\x2A
\xF\x3F\x1\x2B
\xF\x3F\x5\x2B
\xF\x3F\x7\x2B
\xF\x3F\xD\x2B
\xF\x3F\x10\x2B
\xF\x3F\x1\x2C
\xF\x3F\x5\x2C
\xF\x3F\x7\x2C
\xF\x3F\xD\x2C
\xF\x3F\x10\x2C
\xF\x3F\x1\x2D
\xF\x3F\x5\x2D
\xF\x3F\x7\x2D
\xF\x3F\xD\x2D
\xF\x3F\x10\x2D
\xF\x3F\x1\x2E
\xF\x3F\x5\x2E
\xF\x3F\x7\x2E
\xF\x3F\xD\x2E
\xF\x3F\x10\x2E
\xF\x3F\x1\x2F
\xF\x3F\x5\x2F
\xF\x3F\x7\x2F
\xF\x3F\xD\x2F
\xF\x3F\x10\x2F
\xF\x3F\x1\x30
\xF\x3F\x5\x30
\xF\x3F\x7\x30
\xF\x3F\xD\x30
\xF\x3F\x10\x30
\xF\x3F\x1\x31
\xF\x3F\x5\x31
\xF\x3F\x7\x31
\xF\x3F\xD\x31
\xF\x3F\x10\x31
\xF\x3F\x1\x32
\xF\x3F\x5\x32
\xF\x3F\x7\x32
\xF\x3F\xD\x32
\xF\x3F\x10\x32
\xF\x3F\x1\x33
\xF\x3F\x5\x33
\xF\x3F\x7\x33
\xF\x3F\xD\x33
\xF\x3F\x10\x33
\xF\x3F\x1\x34
\xF\x3F\x5\x34
\xF\x3F\x7\x34
\xF\x3F\xD\x34
\xF\x3F\x10\x34
\xF\x3F\x1\x35
\xF\x3F\x5\x35
\xF\x3F\x7\x35
\xF\x3F\xD\x35
\xF\x3F\x10\x35
\xF\x3F\x1\x36
\xF\x3F\x5\x36
\xF\x3F\x7\x36
\xF\x3F\xD\x36
\xF\x3F\x10\x36
\xF\x3F\x1\x37
\xF\x3F\x5\x37
\xF\x3F\x7\x37
\xF\x3F\xD\x37
\xF\x3F\x10\x37
\xF\x3F\x1\x38
\xF\x3F\x5\x38
\xF\x3F\x7\x38
\xF\x3F\xD\x38
\xF\x3F\x10\x38
\xF\x3F\x1\x39
\xF\x3F\x5\x39
\xF\x3F\x7\x39
\xF\x3F\xD\x39
\xF\x3F\x10\x39
\xF\x3F\x1\x3A
\xF\x3F\x5\x3A
\xF\x3F\x7\x3A
\xF\x3F\xD\x3A
\xF\x3F\x10\x3A
\xF\x3F\x1\x3B
\xF\x3F\x5\x3B
\xF\x3F\x7\x3B
\xF\x3F\xD\x3B
\xF\x3F\x10\x3B
\xF\x3F\x1\x3C
\xF\x3F\x5\x3C
\xF\x3F\x7\x3C
\xF\x3F\xD\x3C
\xF\x3F\x10\x3C
\xF\x3F\x1\x3D
\xF\x3F\x5\x3D
\xF\x3F\x7\x3D
\xF\x3F\xD\x3D
\xF\x3F\x10\x3D
\xF\x3F\x1\x3E
\xF\x3F\x5\x3E
\xF\x3F\x7\x3E
\xF\x3F\xD\x3E
\xF\x3F\x10\x3E
\xF\x3F\x1\x3F
\xF\x3F\x5\x3F
\xF\x3F\x7\x3F
\xF\x3F\xD\x3F
\xF\x3F\x10\x3F
\xF\x3F\x1\x40
\xF\x3F\x5\x40
\xF\x3F\x7\x40
\xF\x3F\xD\x40
\xF\x3F\x10\x40
\xF\x3F\x1\x41
\xF\x3F\x5\x41
\xF\x3F\x7\x41
\xF\x3F\xD\x41
\xF\x3F\x10\x41
\xF\x3F\x1\x42
\xF\x3F\x5\x42
\xF\x3F\x7\x42
\xF\x3F\xD\x42
\xF\x3F\x10\x42
\xF\x3F\x1\x43
\xF\x3F\x5\x43
\xF\x3F\x7\x43
\xF\x3F\xD\x43
\xF\x3F\x10\x43
\xF\x3F\x1\x44
\xF\x3F\x5\x44
\xF\x3F\x7\x44
\xF\x3F\xD\x44
\xF\x3F\x10\x44
\xF\x3F\x1\x45
\xF\x3F\x5\x45
\xF\x3F\x7\x45
\xF\x3F\xD\x45
\xF\x3F\x10\x45
\xF\x3F\x1\x46
\xF\x3F\x5\x46
\xF\x3F\x7\x46
\xF\x3F\xD\x46
\xF\x3F\x10\x46
\xF\x3F\x1\x47
\xF\x3F\x5\x47
\xF\x3F\x7\x47
\xF\x3F\xD\x47
\xF\x3F\x10\x47
\xF\x3F\x1\x48
\xF\x3F\x5\x48
\xF\x3F\x7\x48
\xF\x3F\xD\x48
\xF\x3F\x10\x48
\xF\x3F\x1\x49
\xF\x3F\x5\x49
\xF\x3F\x7\x49
\xF\x3F\xD\x49
\xF\x3F\x10\x49
\xF\x3F\x1\x4A
\xF\x3F\x5\x4A
\xF\x3F\x7\x4A
\xF\x3F\xD\x4A
\xF\x3F\x10\x4A
\xF\x3F\x1\x4B
\xF\x3F\x5\x4B
\xF\x3F\x7\x4B
\xF\x3F\xD\x4B
\xF\x3F\x10\x4B
\xF\x3F\x1\x4C
\xF\x3F\x5\x4C
\xF\x3F\x7\x4C
\xF\x3F\xD\x4C
\xF\x3F\x10\x4C
\xF\x3F\x1\x4D
\xF\x3F\x5\x4D
\xF\x3F\x7\x4D
\xF\x3F\xD\x4D
\xF\x3F\x10\x4D
\xF\x3F\x1\x4E
\xF\x3F\x5\x4E
\xF\x3F\x7\x4E
\xF\x3F\xD\x4E
\xF\x3F\x10\x4E
\xF\x3F\x1\x4F
\xF\x3F\x5\x4F
\xF\x3F\x7\x4F
\xF\x3F\xD\x4F
\xF\x3F\x10\x4F
\xF\x3F\x1\x50
\xF\x3F\x5\x50
\xF\x3F\x7\x50
\xF\x3F\xD\x50
\xF\x3F\x10\x50
\xF\x3F\x1\x51
\xF\x3F\x5\x51
\xF\x3F\x7\x51
\xF\x3F\xD\x51
\xF\x3F\x10\x51
\xF\x3F\x1\x52
\xF\x3F\x5\x52
\xF\x3F\x7\x52
\xF\x3F\xD\x52
\xF\x3F\x10\x52
\xF\x3F\x1\x53
\xF\x3F\x5\x53
\xF\x3F\x7\x53
\xF\x3F\xD\x53
\xF\x3F\x10\x53
\xF\x3F\x1\x54
\xF\x3F\x5\x54
\xF\x3F\x7\x54
\xF\x3F\xD\x54
\xF\x3F\x10\x54
\xF\x3F\x1\x55
\xF\x3F\x5\x55
\xF\x3F\x7\x55
\xF\x3F\xD\x55
\xF\x3F\x10\x55
\xF\x3F\x1\x56
\xF\x3F\x5\x56
\xF\x3F\x7\x56
\xF\x3F\xD\x56
\xF\x3F\x10\x56
\xF\x3F\x1\x57
\xF\x3F\x5\x57
\xF\x3F\x7\x57
\xF\x3F\xD\x57
\xF\x3F\x10\x57
\xF\x3F\x1\x58
\xF\x3F\x5\x58
\xF\x3F\x7\x58
\xF\x3F\xD\x58
\xF\x3F\x10\x58
\xF\x3F\x1\x59
\xF\x3F\x5\x59
\xF\x3F\x7\x59
\xF\x3F\xD\x59
\xF\x3F\x10\x59
\xF\x3F\x1\x5A
\xF\x3F\x5\x5A
\xF\x3F\x7\x5A
\xF\x3F\xD\x5A
\xF\x3F\x10\x5A
\xF\x3F\x1\x5B
\xF\x3F\x5\x5B
\xF\x3F\x7\x5B
\xF\x3F\xD\x5B
\xF\x3F\x10\x5B
\xF\x3F\x1\x5C
\xF\x3F\x5\x5C
\xF\x3F\x7\x5C
\xF\x3F\xD\x5C
\xF\x3F\x10\x5C
\xF\x3F\x1\x5D
\xF\x3F\x5\x5D
\xF\x3F\x7\x5D
\xF\x3F\xD\x5D
\xF\x3F\x10\x5D
\xF\x3F\x1\x5E
\xF\x3F\x5\x5E
\xF\x3F\x7\x5E
\xF\x3F\xD\x5E
\xF\x3F\x10\x5E
\xF\x3F\x1\x5F
\xF\x3F\x5\x5F
\xF\x3F\x7\x5F
\xF\x3F\xD\x5F
\xF\x3F\x10\x5F
\xF\x3F\x1\x60
\xF\x3F\x5\x60
\xF\x3F\x7\x60
\xF\x3F\xD\x60
\xF\x3F\x10\x60
\xF\x3F\x1\x61
\xF\x3F\x5\x61
\xF\x3F\x7\x61
\xF\x3F\xD\x61
\xF\x3F\x10\x61
\xF\x3F\x1\x62
\xF\x3F\x5\x62
\xF\x3F\x7\x62
\xF\x3F\xD\x62
\xF\x3F\x10\x62
\xF\x3F\x1\x63
\xF\x3F\x5\x63
\xF\x3F\x7\x63
\xF\x3F\xD\x63
\xF\x3F\x10\x63
\xF\x3F\x1\x64
\xF\x3F\x5\x64
\xF\x3F\x7\x64
\xF\x3F\xD\x64
\xF\x3F\x10\x64
\xF\x3F\x1\x65
\xF\x3F\x5\x65
\xF\x3F\x7\x65
\xF\x3F\xD\x65
\xF\x3F\x10\x65
\xF\x3F\x1\x66
\xF\x3F\x5\x66
\xF\x3F\x7\x66
\xF\x3F\xD\x66
\xF\x3F\x10\x66
\xF\x3F\x1\x67
\xF\x3F\x5\x67
\xF\x3F\x7\x67
\xF\x3F\xD\x67
\xF\x3F\x10\x67
\xF\x3F\x1\x68
\xF\x3F\x5\x68
\xF\x3F\x7\x68
\xF\x3F\xD\x68
\xF\x3F\x10\x68
\xF\x3F\x1\x69
\xF\x3F\x5\x69
\xF\x3F\x7\x69
\xF\x3F\xD\x69
\xF\x3F\x10\x69
\xF\x3F\x1\x6A
\xF\x3F\x5\x6A
\xF\x3F\x7\x6A
\xF\x3F\xD\x6A
\xF\x3F\x10\x6A
\xF\x3F\x1\x6B
\xF\x3F\x5\x6B
\xF\x3F\x7\x6B
\xF\x3F\xD\x6B
\xF\x3F\x10\x6B
\xF\x3F\x1\x6C
\xF\x3F\x5\x6C
\xF\x3F\x7\x6C
\xF\x3F\xD\x6C
\xF\x3F\x10\x6C
\xF\x3F\x1\x6D
\xF\x3F\x5\x6D
\xF\x3F\x7\x6D
\xF\x3F\xD\x6D
\xF\x3F\x10\x6D
\xF\x3F\x1\x6E
\xF\x3F\x5\x6E
\xF\x3F\x7\x6E
\xF\x3F\xD\x6E
\xF\x3F\x10\x6E
\xF\x3F\x1\x6F
\xF\x3F\x5\x6F
\xF\x3F\x7\x6F
\xF\x3F\xD\x6F
\xF\x3F\x10\x6F
\xF\x3F\x1\x70
\xF\x3F\x5\x70
\xF\x3F\x7\x70
\xF\x3F\xD\x70
\xF\x3F\x10\x70
\xF\x3F\x1\x71
\xF\x3F\x5\x71
\xF\x3F\x7\x71
\xF\x3F\xD\x71
\xF\x3F\x10\x71
\xF\x3F\x1\x72
\xF\x3F\x5\x72
\xF\x3F\x7\x72
\xF\x3F\xD\x72
\xF\x3F\x10\x72
\xF\x3F\x1\x73
\xF\x3F\x5\x73
\xF\x3F\x7\x73
\xF\x3F\xD\x73
\xF\x3F\x10\x73
\xF\x3F\x1\x74
\xF\x3F\x5\x74
\xF\x3F\x7\x74
\xF\x3F\xD\x74
\xF\x3F\x10\x74
\xF\x3F\x1\x75
\xF\x3F\x5\x75
\xF\x3F\x7\x75
\xF\x3F\xD\x75
\xF\x3F\x10\x75
\xF\x3F\x1\x76
\xF\x3F\x5\x76
\xF\x3F\x7\x76
\xF\x3F\xD\x76
\xF\x3F\x10\x76
\xF\x3F\x1\x77
\xF\x3F\x5\x77
\xF\x3F\x7\x77
\xF\x3F\xD\x77
\xF\x3F\x10\x77
\xF\x3F\x1\x78
\xF\x3F\x5\x78
\xF\x3F\x7\x78
\xF\x3F\xD\x78
\xF\x3F\x10\x78
\xF\x3F\x1\x79
\xF\x3F\x5\x79
\xF\x3F\x7\x79
\xF\x3F\xD\x79
\xF\x3F\x10\x79
\xF\x3F\x1\x7A
\xF\x3F\x5\x7A
\xF\x3F\x7\x7A
\xF\x3F\xD\x7A
\xF\x3F\x10\x7A
\xF\x3F\x1\x7B
\xF\x3F\x5\x7B
\xF\x3F\x7\x7B
\xF\x3F\xD\x7B
\xF\x3F\x10\x7B
\xF\x3F\x1\x7C
\xF\x3F\x5\x7C
\xF\x3F\x7\x7C
\xF\x3F\xD\x7C
\xF\x3F\x10\x7C
\xF\x3F\x1\x7D
\xF\x3F\x5\x7D
\xF\x3F\x7\x7D
\xF\x3F\xD\x7D
\xF\x3F\x10\x7D
\xF\x3F\x1\x7E
\xF\x3F\x5\x7E
\xF\x3F\x7\x7E
\xF\x3F\xD\x7E
\xF\x3F\x10\x7E
\xF\x3F\x1\x7F
\xF\x3F\x5\x7F
\xF\x3F\x7\x7F
\xF\x3F\xD\x7F
\xF\x3F\x10\x7F
\xF\x3F\x1\x80
\xF\x3F\x5\x80
\xF\x3F\x7\x80
\xF\x3F\xD\x80
\xF\x3F\x10\x80
\xF\x3F\x1\x81
\xF\x3F\x5\x81
\xF\x3F\x7\x81
\xF\x3F\xD\x81
\xF\x3F\x10\x81
\xF\x3F\x1\x82
\xF\x3F\x5\x82
\xF\x3F\x7\x82
\xF\x3F\xD\x82
\xF\x3F\x10\x82
\xF\x3F\x1\x83
\xF\x3F\x5\x83
\xF\x3F\x7\x83
\xF\x3F\xD\x83
\xF\x3F\x10\x83
\xF\x3F\x1\x84
\xF\x3F\x5\x84
\xF\x3F\x7\x84
\xF\x3F\xD\x84
\xF\x3F\x10\x84
\xF\x3F\x1\x85
\xF\x3F\x5\x85
\xF\x3F\x7\x85
\xF\x3F\xD\x85
\xF\x3F\x10\x85
\xF\x3F\x1\x86
\xF\x3F\x5\x86
\xF\x3F\x7\x86
\xF\x3F\xD\x86
\xF\x3F\x10\x86
\xF\x3F\x1\x87
\xF\x3F\x5\x87
\xF\x3F\x7\x87
\xF\x3F\xD\x87
\xF\x3F\x10\x87
\xF\x3F\x1\x88
\xF\x3F\x5\x88
\xF\x3F\x7\x88
\xF\x3F\xD\x88
\xF\x3F\x10\x88
\xF\x3F\x1\x89
\xF\x3F\x5\x89
\xF\x3F\x7\x89
\xF\x3F\xD\x89
\xF\x3F\x10\x89
\xF\x3F\x1\x8A
\xF\x3F\x5\x8A
\xF\x3F\x7\x8A
\xF\x3F\xD\x8A
\xF\x3F\x10\x8A
\xF\x3F\x1\x8B
\xF\x3F\x5\x8B
\xF\x3F\x7\x8B
\xF\x3F\xD\x8B
\xF\x3F\x10\x8B
\xF\x3F\x1\x8C
\xF\x3F\x5\x8C
\xF\x3F\x7\x8C
\xF\x3F\xD\x8C
\xF\x3F\x10\x8C
\xF\x3F\x1\x8D
\xF\x3F\x5\x8D
\xF\x3F\x7\x8D
\xF\x3F\xD\x8D
\xF\x3F\x10\x8D
\xF\x3F\x1\x8E
\xF\x3F\x5\x8E
\xF\x3F\x7\x8E
\xF\x3F\xD\x8E
\xF\x3F\x10\x8E
\xF\x3F\x1\x8F
\xF\x3F\x5\x8F
\xF\x3F\x7\x8F
\xF\x3F\xD\x8F
\xF\x3F\x10\x8F
\xF\x3F\x1\x90
\xF\x3F\x5\x90
\xF\x3F\x7\x90
\xF\x3F\xD\x90
\xF\x3F\x10\x90
\xF\x3F\x1\x91
\xF\x3F\x5\x91
\xF\x3F\x7\x91
\xF\x3F\xD\x91
\xF\x3F\x10\x91
\xF\x3F\x1\x92
\xF\x3F\x5\x92
\xF\x3F\x7\x92
\xF\x3F\xD\x92
\xF\x3F\x10\x92
\xF\x3F\x1\x93
\xF\x3F\x5\x93
\xF\x3F\x7\x93
\xF\x3F\xD\x93
\xF\x3F\x10\x93
\xF\x3F\x1\x94
\xF\x3F\x5\x94
\xF\x3F\x7\x94
\xF\x3F\xD\x94
\xF\x3F\x10\x94
\xF\x3F\x1\x95
\xF\x3F\x5\x95
\xF\x3F\x7\x95
\xF\x3F\xD\x95
\xF\x3F\x10\x95
\xF\x3F\x1\x96
\xF\x3F\x5\x96
\xF\x3F\x7\x96
\xF\x3F\xD\x96
\xF\x3F\x10\x96
\xF\x3F\x1\x97
\xF\x3F\x5\x97
\xF\x3F\x7\x97
\xF\x3F\xD\x97
\xF\x3F\x10\x97
\xF\x3F\x1\x98
\xF\x3F\x5\x98
\xF\x3F\x7\x98
\xF\x3F\xD\x98
\xF\x3F\x10\x98
\xF\x3F\x1\x99
\xF\x3F\x5\x99
\xF\x3F\x7\x99
\xF\x3F\xD\x99
\xF\x3F\x10\x99
\xF\x3F\x1\x9A
\xF\x3F\x5\x9A
\xF\x3F\x7\x9A
\xF\x3F\xD\x9A
\xF\x3F\x10\x9A
\xF\x3F\x1\x9B
\xF\x3F\x5\x9B
\xF\x3F\x7\x9B
\xF\x3F\xD\x9B
\xF\x3F\x10\x9B
\xF\x3F\x1\x9C
\xF\x3F\x5\x9C
\xF\x3F\x7\x9C
\xF\x3F\xD\x9C
\xF\x3F\x10\x9C
\xF\x3F\x1\x9D
\xF\x3F\x5\x9D
\xF\x3F\x7\x9D
\xF\x3F\xD\x9D
\xF\x3F\x10\x9D
\xF\x3F\x1\x9E
\xF\x3F\x5\x9E
\xF\x3F\x7\x9E
\xF\x3F\xD\x9E
\xF\x3F\x10\x9E
\xF\x3F\x1\x9F
\xF\x3F\x5\x9F
\xF\x3F\x7\x9F
\xF\x3F\xD\x9F
\xF\x3F\x10\x9F
\xF\x3F\x1\xA0
\xF\x3F\x5\xA0
\xF\x3F\x7\xA0
\xF\x3F\xD\xA0
\xF\x3F\x10\xA0
\xF\x3F\x1\xA1
\xF\x3F\x5\xA1
\xF\x3F\x7\xA1
\xF\x3F\xD\xA1
\xF\x3F\x10\xA1
\xF\x3F\x1\xA2
\xF\x3F\x5\xA2
\xF\x3F\x7\xA2
\xF\x3F\xD\xA2
\xF\x3F\x10\xA2
\xF\x3F\x1\xA3
\xF\x3F\x5\xA3
\xF\x3F\x7\xA3
\xF\x3F\xD\xA3
\xF\x3F\x10\xA3
\xF\x3F\x1\xA4
\xF\x3F\x5\xA4
\xF\x3F\x7\xA4
\xF\x3F\xD\xA4
\xF\x3F\x10\xA4
\xF\x3F\x1\xA5
\xF\x3F\x5\xA5
\xF\x3F\x7\xA5
\xF\x3F\xD\xA5
\xF\x3F\x10\xA5
\xF\x3F\x1\xA6
\xF\x3F\x5\xA6
\xF\x3F\x7\xA6
\xF\x3F\xD\xA6
\xF\x3F\x10\xA6
\xF\x3F\x1\xA7
\xF\x3F\x5\xA7
\xF\x3F\x7\xA7
\xF\x3F\xD\xA7
\xF\x3F\x10\xA7
\xF\x3F\x1\xA8
\xF\x3F\x5\xA8
\xF\x3F\x7\xA8
\xF\x3F\xD\xA8
\xF\x3F\x10\xA8
\xF\x3F\x1\xA9
\xF\x3F\x5\xA9
\xF\x3F\x7\xA9
\xF\x3F\xD\xA9
\xF\x3F\x10\xA9
\xF\x3F\x1\xAA
\xF\x3F\x5\xAA
\xF\x3F\x7\xAA
\xF\x3F\xD\xAA
\xF\x3F\x10\xAA
\xF\x3F\x1\xAB
\xF\x3F\x5\xAB
\xF\x3F\x7\xAB
\xF\x3F\xD\xAB
\xF\x3F\x10\xAB
\xF\x3F\x1\xAC
\xF\x3F\x5\xAC
\xF\x3F\x7\xAC
\xF\x3F\xD\xAC
\xF\x3F\x10\xAC
\xF\x3F\x1\xAD
\xF\x3F\x5\xAD
\xF\x3F\x7\xAD
\xF\x3F\xD\xAD
\xF\x3F\x10\xAD
\xF\x3F\x1\xAE
\xF\x3F\x5\xAE
\xF\x3F\x7\xAE
\xF\x3F\xD\xAE
\xF\x3F\x10\xAE
\xF\x3F\x1\xAF
\xF\x3F\x5\xAF
\xF\x3F\x7\xAF
\xF\x3F\xD\xAF
\xF\x3F\x10\xAF
\xF\x3F\x1\xB0
\xF\x3F\x5\xB0
\xF\x3F\x7\xB0
\xF\x3F\xD\xB0
\xF\x3F\x10\xB0
\xF\x3F\x1\xB1
\xF\x3F\x5\xB1
\xF\x3F\x7\xB1
\xF\x3F\xD\xB1
\xF\x3F\x10\xB1
\xF\x3F\x1\xB2
\xF\x3F\x5\xB2
\xF\x3F\x7\xB2
\xF\x3F\xD\xB2
\xF\x3F\x10\xB2
\xF\x3F\x1\xB3
\xF\x3F\x5\xB3
\xF\x3F\x7\xB3
\xF\x3F\xD\xB3
\xF\x3F\x10\xB3
\xF\x3F\x1\xB4
\xF\x3F\x5\xB4
\xF\x3F\x7\xB4
\xF\x3F\xD\xB4
\xF\x3F\x10\xB4
\xF\x3F\x1\xB5
\xF\x3F\x5\xB5
\xF\x3F\x7\xB5
\xF\x3F\xD\xB5
\xF\x3F\x10\xB5
\xF\x3F\x1\xB6
\xF\x3F\x5\xB6
\xF\x3F\x7\xB6
\xF\x3F\xD\xB6
\xF\x3F\x10\xB6
\xF\x3F\x1\xB7
\xF\x3F\x5\xB7
\xF\x3F\x7\xB7
\xF\x3F\xD\xB7
\xF\x3F\x10\xB7
\xF\x3F\x1\xB8
\xF\x3F\x5\xB8
\xF\x3F\x7\xB8
\xF\x3F\xD\xB8
\xF\x3F\x10\xB8
\xF\x3F\x1\xB9
\xF\x3F\x5\xB9
\xF\x3F\x7\xB9
\xF\x3F\xD\xB9
\xF\x3F\x10\xB9
\xF\x3F\x1\xBA
\xF\x3F\x5\xBA
\xF\x3F\x7\xBA
\xF\x3F\xD\xBA
\xF\x3F\x10\xBA
\xF\x3F\x1\xBB
\xF\x3F\x5\xBB
\xF\x3F\x7\xBB
\xF\x3F\xD\xBB
\xF\x3F\x10\xBB
\xF\x3F\x1\xBC
\xF\x3F\x5\xBC
\xF\x3F\x7\xBC
\xF\x3F\xD\xBC
\xF\x3F\x10\xBC
\xF\x3F\x1\xBD
\xF\x3F\x5\xBD
\xF\x3F\x7\xBD
\xF\x3F\xD\xBD
\xF\x3F\x10\xBD
\xF\x3F\x1\xBE
\xF\x3F\x5\xBE
\xF\x3F\x7\xBE
\xF\x3F\xD\xBE
\xF\x3F\x10\xBE
\xF\x3F\x1\xBF
\xF\x3F\x5\xBF
\xF\x3F\x7\xBF
\xF\x3F\xD\xBF
\xF\x3F\x10\xBF
\xF\x3F\x1\xC0
\xF\x3F\x5\xC0
\xF\x3F\x7\xC0
\xF\x3F\xD\xC0
\xF\x3F\x10\xC0
\xF\x3F\x1\xC1
\xF\x3F\x5\xC1
\xF\x3F\x7\xC1
\xF\x3F\xD\xC1
\xF\x3F\x10\xC1
\xF\x3F\x1\xC2
\xF\x3F\x5\xC2
\xF\x3F\x7\xC2
\xF\x3F\xD\xC2
\xF\x3F\x10\xC2
\xF\x3F\x1\xC3
\xF\x3F\x5\xC3
\xF\x3F\x7\xC3
\xF\x3F\xD\xC3
\xF\x3F\x10\xC3
\xF\x3F\x1\xC4
\xF\x3F\x5\xC4
\xF\x3F\x7\xC4
\xF\x3F\xD\xC4
\xF\x3F\x10\xC4
\xF\x3F\x1\xC5
\xF\x3F\x5\xC5
\xF\x3F\x7\xC5
\xF\x3F\xD\xC5
\xF\x3F\x10\xC5
\xF\x3F\x1\xC6
\xF\x3F\x5\xC6
\xF\x3F\x7\xC6
\xF\x3F\xD\xC6
\xF\x3F\x10\xC6
\xF\x3F\x1\xC7
\xF\x3F\x5\xC7
\xF\x3F\x7\xC7
\xF\x3F\xD\xC7
\xF\x3F\x10\xC7
\xF\x3F\x1\xC8
\xF\x3F\x5\xC8
\xF\x3F\x7\xC8
\xF\x3F\xD\xC8
\xF\x3F\x10\xC8
\xF\x3F\x1\xC9
\xF\x3F\x5\xC9
\xF\x3F\x7\xC9
\xF\x3F\xD\xC9
\xF\x3F\x10\xC9
\xF\x3F\x1\xCA
\xF\x3F\x5\xCA
\xF\x3F\x7\xCA
\xF\x3F\xD\xCA
\xF\x3F\x10\xCA
\xF\x3F\x1\xCB
\xF\x3F\x5\xCB
\xF\x3F\x7\xCB
\xF\x3F\xD\xCB
\xF\x3F\x10\xCB
\xF\x3F\x1\xCC
\xF\x3F\x5\xCC
\xF\x3F\x7\xCC
\xF\x3F\xD\xCC
\xF\x3F\x10\xCC
\xF\x3F\x1\xCD
\xF\x3F\x5\xCD
\xF\x3F\x7\xCD
\xF\x3F\xD\xCD
\xF\x3F\x10\xCD
\xF\x3F\x1\xCE
\xF\x3F\x5\xCE
\xF\x3F\x7\xCE
\xF\x3F\xD\xCE
\xF\x3F\x10\xCE
\xF\x3F\x1\xCF
\xF\x3F\x5\xCF
\xF\x3F\x7\xCF
\xF\x3F\xD\xCF
\xF\x3F\x10\xCF
\xF\x3F\x1\xD0
\xF\x3F\x5\xD0
\xF\x3F\x7\xD0
\xF\x3F\xD\xD0
\xF\x3F\x10\xD0
\xF\x3F\x1\xD1
\xF\x3F\x5\xD1
\xF\x3F\x7\xD1
\xF\x3F\xD\xD1
\xF\x3F\x10\xD1
\xF\x3F\x1\xD2
\xF\x3F\x5\xD2
\xF\x3F\x7\xD2
\xF\x3F\xD\xD2
\xF\x3F\x10\xD2
\xF\x3F\x1\xD3
\xF\x3F\x5\xD3
\xF\x3F\x7\xD3
\xF\x3F\xD\xD3
\xF\x3F\x10\xD3
\xF\x3F\x1\xD4
\xF\x3F\x5\xD4
\xF\x3F\x7\xD4
\xF\x3F\xD\xD4
\xF\x3F\x10\xD4
\xF\x3F\x1\xD5
\xF\x3F\x5\xD5
\xF\x3F\x7\xD5
\xF\x3F\xD\xD5
\xF\x3F\x10\xD5
\xF\x3F\x1\xD6
\xF\x3F\x5\xD6
\xF\x3F\x7\xD6
\xF\x3F\xD\xD6
\xF\x3F\x10\xD6
\xF\x3F\x1\xD7
\xF\x3F\x5\xD7
\xF\x3F\x7\xD7
\xF\x3F\xD\xD7
\xF\x3F\x10\xD7
\xF\x3F\x1\xD8
\xF\x3F\x5\xD8
\xF\x3F\x7\xD8
\xF\x3F\xD\xD8
\xF\x3F\x10\xD8
\xF\x3F\x1\xD9
\xF\x3F\x5\xD9
\xF\x3F\x7\xD9
\xF\x3F\xD\xD9
\xF\x3F\x10\xD9
\xF\x3F\x1\xDA
\xF\x3F\x5\xDA
\xF\x3F\x7\xDA
\xF\x3F\xD\xDA
\xF\x3F\x10\xDA
\xF\x3F\x1\xDB
\xF\x3F\x5\xDB
\xF\x3F\x7\xDB
\xF\x3F\xD\xDB
\xF\x3F\x10\xDB
\xF\x3F\x1\xDC
\xF\x3F\x5\xDC
\xF\x3F\x7\xDC
\xF\x3F\xD\xDC
\xF\x3F\x10\xDC
\xF\x3F\x1\xDD
\xF\x3F\x5\xDD
\xF\x3F\x7\xDD
\xF\x3F\xD\xDD
\xF\x3F\x10\xDD
\xF\x3F\x1\xDE
\xF\x3F\x5\xDE
\xF\x3F\x7\xDE
\xF\x3F\xD\xDE
\xF\x3F\x10\xDE
\xF\x3F\x1\xDF
\xF\x3F\x5\xDF
\xF\x3F\x7\xDF
\xF\x3F\xD\xDF
\xF\x3F\x10\xDF
\xF\x3F\x1\xE0
\xF\x3F\x5\xE0
\xF\x3F\x7\xE0
\xF\x3F\xD\xE0
\xF\x3F\x10\xE0
\xF\x3F\x1\xE1
\xF\x3F\x5\xE1
\xF\x3F\x7\xE1
\xF\x3F\xD\xE1
\xF\x3F\x10\xE1
\xF\x3F\x1\xE2
\xF\x3F\x5\xE2
\xF\x3F\x7\xE2
\xF\x3F\xD\xE2
\xF\x3F\x10\xE2
\xF\x3F\x1\xE3
\xF\x3F\x5\xE3
\xF\x3F\x7\xE3
\xF\x3F\xD\xE3
\xF\x3F\x10\xE3
\xF\x3F\x1\xE4
\xF\x3F\x5\xE4
\xF\x3F\x7\xE4
\xF\x3F\xD\xE4
\xF\x3F\x10\xE4
\xF\x3F\x1\xE5
\xF\x3F\x5\xE5
\xF\x3F\x7\xE5
\xF\x3F\xD\xE5
\xF\x3F\x10\xE5
\xF\x3F\x1\xE6
\xF\x3F\x5\xE6
\xF\x3F\x7\xE6
\xF\x3F\xD\xE6
\xF\x3F\x10\xE6
\xF\x3F\x1\xE7
\xF\x3F\x5\xE7
\xF\x3F\x7\xE7
\xF\x3F\xD\xE7
\xF\x3F\x10\xE7
\xF\x3F\x1\xE8
\xF\x3F\x5\xE8
\xF\x3F\x7\xE8
\xF\x3F\xD\xE8
\xF\x3F\x10\xE8
\xF\x3F\x1\xE9
\xF\x3F\x5\xE9
\xF\x3F\x7\xE9
\xF\x3F\xD\xE9
\xF\x3F\x10\xE9
\xF\x3F\x1\xEA
\xF\x3F\x5\xEA
\xF\x3F\x7\xEA
\xF\x3F\xD\xEA
\xF\x3F\x10\xEA
\xF\x3F\x1\xEB
\xF\x3F\x5\xEB
\xF\x3F\x7\xEB
\xF\x3F\xD\xEB
\xF\x3F\x10\xEB
\xF\x3F\x1\xEC
\xF\x3F\x5\xEC
\xF\x3F\x7\xEC
\xF\x3F\xD\xEC
\xF\x3F\x10\xEC
\xF\x3F\x1\xED
\xF\x3F\x5\xED
\xF\x3F\x7\xED
\xF\x3F\xD\xED
\xF\x3F\x10\xED
\xF\x3F\x1\xEE
\xF\x3F\x5\xEE
\xF\x3F\x7\xEE
\xF\x3F\xD\xEE
\xF\x3F\x10\xEE
\xF\x3F\x1\xEF
\xF\x3F\x5\xEF
\xF\x3F\x7\xEF
\xF\x3F\xD\xEF
\xF\x3F\x10\xEF
\xF\x3F\x1\xF0
\xF\x3F\x5\xF0
\xF\x3F\x7\xF0
\xF\x3F\xD\xF0
\xF\x3F\x10\xF0
\xF\x3F\x1\xF1
\xF\x3F\x5\xF1
\xF\x3F\x7\xF1
\xF\x3F\xD\xF1
\xF\x3F\x10\xF1
\xF\x3F\x1\xF2
\xF\x3F\x5\xF2
\xF\x3F\x7\xF2
\xF\x3F\xD\xF2
\xF\x3F\x10\xF2
\xF\x3F\x1\xF3
\xF\x3F\x5\xF3
\xF\x3F\x7\xF3
\xF\x3F\xD\xF3
\xF\x3F\x10\xF3
\xF\x3F\x1\xF4
\xF\x3F\x5\xF4
\xF\x3F\x7\xF4
\xF\x3F\xD\xF4
\xF\x3F\x10\xF4
\xF\x3F\x1\xF5
\xF\x3F\x5\xF5
\xF\x3F\x7\xF5
\xF\x3F\xD\xF5
\xF\x3F\x10\xF5
\xF\x3F\x1\xF6
\xF\x3F\x5\xF6
\xF\x3F\x7\xF6
\xF\x3F\xD\xF6
\xF\x3F\x10\xF6
\xF\x3F\x1\xF7
\xF\x3F\x5\xF7
\xF\x3F\x7\xF7
\xF\x3F\xD\xF7
\xF\x3F\x10\xF7
\xF\x3F\x1\xF8
\xF\x3F\x5\xF8
\xF\x3F\x7\xF8
\xF\x3F\xD\xF8
\xF\x3F\x10\xF8
\xF\x3F\x1\xF9
\xF\x3F\x5\xF9
\xF\x3F\x7\xF9
\xF\x3F\xD\xF9
\xF\x3F\x10\xF9
\xF\x3F\x1\xFA
\xF\x3F\x5\xFA
\xF\x3F\x7\xFA
\xF\x3F\xD\xFA
\xF\x3F\x10\xFA
\xF\x3F\x1\xFB
\xF\x3F\x5\xFB
\xF\x3F\x7\xFB
\xF\x3F\xD\xFB
\xF\x3F\x10\xFB
\xF\x3F\x1\xFC
\xF\x3F\x5\xFC
\xF\x3F\x7\xFC
\xF\x3F\xD\xFC
\xF\x3F\x10\xFC
\xF\x3F\x1\xFD
\xF\x3F\x5\xFD
\xF\x3F\x7\xFD
\xF\x3F\xD\xFD
\xF\x3F\x10\xFD
\xF\x3F\x1\xFE
\xF\x3F\x5\xFE
\xF\x3F\x7\xFE
\xF\x3F\xD\xFE
\xF\x3F\x10\xFE
\xF\x3F\x1\xFF
\xF\x3F\x5\xFF
\xF\x3F\x7\xFF
\xF\x3F\xD\xFF
\xF\x3F\x10\xFF
http://pastebin.com/exAK5XQx (truco Reset)
//http://waleedassar.blogspot.com (@waleedassar)
//Executing "\x0F\xC7\xC8\x05\x00" in VirtualPC 2007 triggers a reset error.
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
bool flag=false;
int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
{
if(pRec->ExceptionCode==0xC000001D || pRec->ExceptionCode==0xC000001E || pRec->ExceptionCode==0xC0000005)
{
flag=true;
(*(unsigned long*)(pContext+0xB8))+=5;
return ExceptionContinueExecution;
}
return ExceptionContinueSearch;
}
int main(int argc, char* argv[])
{
__asm
{
push offset Handler
push dword ptr fs:[0x0]
mov dword ptr fs:[0x0],esp
}
flag=false;
__asm
{
__emit 0x0F
__emit 0xC7
__emit 0xC8
__emit 0x05
__emit 0x00
}
if(flag==false)
{
MessageBox(0,"VirtualPC detected","waliedassar",0);
}
__asm
{
pop dword ptr fs:[0x0]
pop eax
}
return 0;
}
http://pastebin.com/HVActZMC (truco CPUID)
//http://waleedassar.blogspot.com (@waleedassar)
//A method to detect VirtualPC
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
int __cdecl Handler(EXCEPTION_RECORD* pRec,void* est,unsigned char* pContext,void* disp)
{
if(pRec->ExceptionCode==EXCEPTION_SINGLE_STEP)
{
return ExceptionContinueExecution;
}
return ExceptionContinueSearch;
}
int main(int argc, char* argv[])
{
unsigned long x=0;
__asm
{
push offset Handler
push dword ptr fs:[0x0]
mov dword ptr fs:[0x0],esp
pushad
xor eax,eax
xor ecx,ecx
xor edx,edx
xor ebx,ebx
pushfd
pop esi
or esi,0x100 ;Trap flag
push esi
popfd
CPUID
pushfd
pop eax
mov x,eax
popad
pop dword ptr fs:[0x0]
pop eax
}
if(x&0x100)
{
MessageBox(0,"Virtual Machine detected","waliedassar",0);
ExitProcess(3);
}
return 0;
}
Detección Hypervisor//http://waleedassar.blogspot.com (@waleedassar)
//Detect Hypervisors
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
int main(int argc, char* argv[])
{
bool x=0;
__asm
{
pushad
pushfd
pop eax
or eax,0x00200000
push eax
popfd
pushfd
pop eax
and eax,0x00200000
jz CPUID_NOT_SUPPORTED ;Are you still alive?
xor eax,eax
xor edx,edx
xor ecx,ecx
xor ebx,ebx
inc eax ;processor info and feature bits
cpuid
test ecx,0x80000000 ;Hypervisor present
jnz Hypervisor
mov x,0
jmp bye
Hypervisor:
mov x,1
jmp bye
CPUID_NOT_SUPPORTED:
mov x,2
bye:
popad
}
if(x==1)
{
MessageBox(0,"Hypervisor detected","waliedassar",0);
ExitProcess(3);
}
return 0;
}
Reglas Yara que implementa Cuckoo para detección de VMhttps://github.com/cuckoobox/cuckoo/blob/1884b5579ff8e053b3d4a8523a5da576eee43552/data/yara/binaries/vmdetect.yar// Copyright (C) 2010-2014 Cuckoo Foundation.
// This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
// See the file 'docs/LICENSE' for copying permission.
rule vmdetect
{
meta:
author = "nex"
description = "Possibly employs anti-virtualization techniques"
strings:
// Binary tricks
$vmware = {56 4D 58 68}
$virtualpc = {0F 3F 07 0B}
$ssexy = {66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF}
$vmcheckdll = {45 C7 00 01}
$redpill = {0F 01 0D 00 00 00 00 C3}
// Random strings
$vmware1 = "VMXh"
$vmware2 = "Ven_VMware_" nocase
$vmware3 = "Prod_VMware_Virtual_" nocase
$vmware4 = "hgfs.sys" nocase
$vmware5 = "mhgfs.sys" nocase
$vmware6 = "prleth.sys" nocase
$vmware7 = "prlfs.sys" nocase
$vmware8 = "prlmouse.sys" nocase
$vmware9 = "prlvideo.sys" nocase
$vmware10 = "prl_pv32.sys" nocase
$vmware11 = "vpc-s3.sys" nocase
$vmware12 = "vmsrvc.sys" nocase
$vmware13 = "vmx86.sys" nocase
$vmware14 = "vmnet.sys" nocase
$vmware15 = "vmicheartbeat" nocase
$vmware16 = "vmicvss" nocase
$vmware17 = "vmicshutdown" nocase
$vmware18 = "vmicexchange" nocase
$vmware19 = "vmdebug" nocase
$vmware20 = "vmmouse" nocase
$vmware21 = "vmtools" nocase
$vmware22 = "VMMEMCTL" nocase
$vmware23 = "vmx86" nocase
$vmware24 = "vmware" nocase
$virtualpc1 = "vpcbus" nocase
$virtualpc2 = "vpc-s3" nocase
$virtualpc3 = "vpcuhub" nocase
$virtualpc4 = "msvmmouf" nocase
$xen1 = "xenevtchn" nocase
$xen2 = "xennet" nocase
$xen3 = "xennet6" nocase
$xen4 = "xensvc" nocase
$xen5 = "xenvdb" nocase
$xen6 = "XenVMM" nocase
$virtualbox1 = "VBoxHook.dll" nocase
$virtualbox2 = "VBoxService" nocase
$virtualbox3 = "VBoxTray" nocase
$virtualbox4 = "VBoxMouse" nocase
$virtualbox5 = "VBoxGuest" nocase
$virtualbox6 = "VBoxSF" nocase
$virtualbox7 = "VBoxGuestAdditions" nocase
$virtualbox8 = "VBOX HARDDISK" nocase
// MAC addresses
$vmware_mac_1a = "00-05-69"
$vmware_mac_1b = "00:05:69"
$vmware_mac_1c = "000569"
$vmware_mac_2a = "00-50-56"
$vmware_mac_2b = "00:50:56"
$vmware_mac_2c = "005056"
$vmware_mac_3a = "00-0C-29" nocase
$vmware_mac_3b = "00:0C:29" nocase
$vmware_mac_3c = "000C29" nocase
$vmware_mac_4a = "00-1C-14" nocase
$vmware_mac_4b = "00:1C:14" nocase
$vmware_mac_4c = "001C14" nocase
$virtualbox_mac_1a = "08-00-27"
$virtualbox_mac_1b = "08:00:27"
$virtualbox_mac_1c = "080027"
condition:
any of them
}
Fuentes:
