(C++) Detecting Virtual Environment Artefacts by Thomas Roccia

Created on Wednesday 02 September 2020. Updated 2 years, 2 months ago.

Description:

This snippet checks for the registry keys and values most commonly created by virtual machine guests (VMware, VirtualBox, QEMU).

Code

#include <Windows.h>

#include <stdio.h>

#include <cstring>
#include <iostream>

using namespace std;

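/// Opens the subkey `regkey_s` under `hKey`, reads the value `value_s` as a
/// string and reports whether `lookup` occurs in it.
///
/// @param hKey      root key, e.g. HKEY_LOCAL_MACHINE
/// @param regkey_s  subkey path relative to hKey
/// @param value_s   name of the value to read
/// @param lookup    substring to search for (case-sensitive); nullptr or ""
///                  means "report existence only"
/// @return 1 when the value exists and matches, 0 otherwise.
///
/// Fixes relative to the first version: the key handle is only queried when
/// RegOpenKeyEx actually succeeded, `size` is initialised with the buffer
/// capacity (RegQueryValueEx reads it as an in/out parameter), the data is
/// NUL-terminated before use, the handle is closed on every path, the
/// function returns a value, and the key *name* (not the HKEY) is printed.
int reg_value_exist(HKEY hKey, const char * regkey_s, const char * value_s, const char * lookup) {
    HKEY regkey = nullptr;

    // RegOpenKeyEx returns ERROR_SUCCESS (0) on success; on failure the
    // handle was never opened and must not be passed to RegQueryValueEx.
    if (RegOpenKeyExA(hKey, regkey_s, 0, KEY_READ, &regkey) != ERROR_SUCCESS)
    {
        cout << " [-] Reg key doesn't exist: " << regkey_s << endl;
        return 0;
    }

    char value[1024];
    DWORD type = 0;
    // On input `size` must hold the buffer capacity. One byte is kept spare
    // so the data can always be NUL-terminated (REG_SZ data may lack it).
    DWORD size = sizeof(value) - 1;
    const LONG ret = RegQueryValueExA(regkey, value_s, nullptr, &type,
                                      reinterpret_cast<BYTE*>(value), &size);
    RegCloseKey(regkey);  // release the handle regardless of the query result

    if (ret != ERROR_SUCCESS)
    {
        cout << " [-] Reg value doesn't exist: " << regkey_s << "\\" << value_s << endl;
        return 0;
    }

    // On success `size` is the number of bytes written, at most sizeof(value)-1.
    value[size] = '\0';

    // Only string-typed data can be printed or searched as text.
    const bool is_string = (type == REG_SZ || type == REG_EXPAND_SZ);
    const bool no_lookup = (lookup == nullptr || *lookup == '\0');

    bool matched = false;
    if (no_lookup)
    {
        matched = true;
    }
    else if (is_string)
    {
        // strstr is case-sensitive: "VBOX" will not match "vbox".
        matched = (strstr(value, lookup) != nullptr);
    }

    if (matched)
    {
        cout << " [*] Reg value exist: " << (is_string ? value : "<non-string data>") << endl;
        return 1;
    }

    cout << " [-] Reg value doesn't match '" << lookup << "': "
         << (is_string ? value : "<non-string data>") << endl;
    return 0;
}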

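/// Probes a list of registry keys commonly created by VMware, VirtualBox and
/// QEMU guests, then checks a few values for vendor strings.
///
/// Prints one line per probe on stdout.
/// @return the number of keys in the list that could be opened. The value
///         probes are reported on stdout by reg_value_exist and are not
///         counted here.
///
/// Fixes relative to the first version: every opened handle is closed, the
/// element count is derived from the array itself (it was divided by
/// sizeof(LPCWSTR), a pointer size that happened to match by accident), the
/// narrow literals are paired with the explicit ANSI API so the build does
/// not depend on the UNICODE macro, and the function returns a value.
int RegistryArtifacts()
{
    // list of registry keys related to virtual machines
    static const char* const RegValuePath[] = { "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
                               "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
                               "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
                               "SOFTWARE\\VMware, Inc.\\VMware Tools",
                               "HARDWARE\\Description\\System",
                               "SOFTWARE\\Oracle\\VirtualBox Guest Additions",
                               "SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
                               "HARDWARE\\ACPI\\DSDT\\VBOX__",
                               "HARDWARE\\ACPI\\FADT\\VBOX__",
                               "HARDWARE\\ACPI\\RSDT\\VBOX__",
                               "SYSTEM\\ControlSet001\\Services\\VBoxGuest",
                               "SYSTEM\\ControlSet001\\Services\\VBoxMouse",
                               "SYSTEM\\ControlSet001\\Services\\VBoxService",
                               "SYSTEM\\ControlSet001\\Services\\VBoxSF",
                               "SYSTEM\\ControlSet001\\Services\\VBoxVideo",
                               };

    const size_t count = sizeof(RegValuePath) / sizeof(RegValuePath[0]);
    int found = 0;

    for (size_t i = 0; i < count; i++)
    {
        HKEY hKey = nullptr;

        // ERROR_SUCCESS (0) means the key exists and was opened.
        if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, RegValuePath[i], 0, KEY_READ, &hKey) != ERROR_SUCCESS)
        {
            cout << " [-] Reg key doesn't exist: " << RegValuePath[i] << endl;
        }
        else
        {
            cout << " [*] Reg key exist: " << RegValuePath[i] << endl;
            RegCloseKey(hKey);  // the original leaked one handle per hit
            ++found;
        }
    }

    // Check for registry values (results are printed by reg_value_exist)
    reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMware");
    reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMware");
    reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMware");
    reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VBOX");
    reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX");
    reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "VideoBiosVersion", "VIRTUALBOX");
    reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System", "SystemBiosDate", "06/23/99");
    reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "QEMU");
    reg_value_exist(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "QEMU");

    return found;
}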

/// Entry point: runs the registry artefact scan and always exits with 0.
/// All findings are written to stdout by RegistryArtifacts.
int main()
{
    (void)RegistryArtifacts();  // result lines go to stdout
    return 0;
}