From a7268ff2dd8a00c52014ea6b43539ce3bcde6ec4 Mon Sep 17 00:00:00 2001 From: CyberGreg05 <62875146+CyberGreg05@users.noreply.github.com> Date: Wed, 6 Mar 2024 16:47:31 +0300 Subject: [PATCH 1/5] Working with a mounted flash drive If a flash drive smaller than 80 GB is mounted, there will be a false positive. --- al-khaser/AntiVM/Generic.cpp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/al-khaser/AntiVM/Generic.cpp b/al-khaser/AntiVM/Generic.cpp index 03c7702..34ea9bd 100755 --- a/al-khaser/AntiVM/Generic.cpp +++ b/al-khaser/AntiVM/Generic.cpp @@ -542,6 +542,7 @@ BOOL disk_size_wmi() // Iterate over our enumator while (pEnumerator) { + BOOL detectedRealDisk = FALSE; hRes = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn); if (0 == uReturn) break; @@ -561,6 +562,9 @@ BOOL disk_size_wmi() if (diskSizeBytes < minHardDiskSize) { // Less than 80GB bFound = TRUE; } + else { // Detect real disk + detectedRealDisk = TRUE; + } } // release the current result object @@ -572,7 +576,7 @@ BOOL disk_size_wmi() pclsObj->Release(); // break from while - if (bFound) + if (bFound || detectedRealDisk) break; } @@ -2011,4 +2015,4 @@ BOOL number_SMBIOS_tables() free(smbios); } return result; -} \ No newline at end of file +} From 5889b39bf32e1f4ee2aad7b5aa6a5110d8a1e64b Mon Sep 17 00:00:00 2001 From: CyberGreg05 <62875146+CyberGreg05@users.noreply.github.com> Date: Wed, 6 Mar 2024 19:56:57 +0300 Subject: [PATCH 2/5] wiring of small devices USB Devices rarely have a capacity of more than 80 GB. A false positive occurs. --- al-khaser/AntiVM/Generic.cpp | 44 +++++++++++++++++++++++++++++------- 1 file changed, 36 insertions(+), 8 deletions(-) diff --git a/al-khaser/AntiVM/Generic.cpp b/al-khaser/AntiVM/Generic.cpp index 34ea9bd..da392a9 100755 --- a/al-khaser/AntiVM/Generic.cpp +++ b/al-khaser/AntiVM/Generic.cpp 
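Review bot: Breaking out of the loop as soon as the first disk has been classified, `if (bFound || detectedRealDisk) break;`, makes the result depend on enumeration order: when the small removable drive is returned by `pEnumerator->Next` before the fixed disk, `bFound` is already TRUE and the loop exits, so the false positive described in the commit message is only avoided when the fixed disk happens to come first. `detectedRealDisk` is also set only inside the branch where the Size property was read successfully, so a disk with a NULL Size neither confirms nor refutes anything and the loop simply carries on. Classifying each disk by its drive type and skipping non-fixed disks (as the second patch in this series does) is the robust fix; the early-exit shortcut should go. The enclosing `disk_size_wmi` body starts and ends outside the hunk.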
@@ -512,6 +512,33 @@ BOOL number_cores_wmi() return bFound; } +/* +Filter for removable disk, CD-ROM, network drive or RAM disk +*/ +BOOL checkDriveType(IWbemClassObject* pclsObj) +{ + if (!pclsObj) + return FALSE; + + BOOL res = FALSE; + VARIANT vtDriveType; + HRESULT hResDriveType; + + hResDriveType = pclsObj->Get(_T("DriveType"), 0, &vtDriveType, NULL, 0); + if (SUCCEEDED(hResDriveType) && V_VT(&vtDriveType) != VT_NULL) + { + if (vtDriveType.uintVal == 2 // removable disk (USB) + || vtDriveType.uintVal == 4 // network drive + || vtDriveType.uintVal == 5 // CD-ROM + || vtDriveType.uintVal == 6 // RAM disk + ) + { + res = TRUE; + } + VariantClear(&vtDriveType); + } + return res; +} /* Check hard disk size using WMI @@ -542,11 +569,16 @@ BOOL disk_size_wmi() // Iterate over our enumator while (pEnumerator) { - BOOL detectedRealDisk = FALSE; hRes = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn); if (0 == uReturn) break; - + + // Don`t check removable disk, network drive CD-ROM and RAM disk + if (checkDriveType(pclsObj)) { + pclsObj->Release(); + continue; + } + // Get the value of the Name property hRes = pclsObj->Get(_T("Size"), 0, &vtProp, NULL, 0); if (SUCCEEDED(hRes)) { @@ -562,11 +594,7 @@ BOOL disk_size_wmi() if (diskSizeBytes < minHardDiskSize) { // Less than 80GB bFound = TRUE; } - else { // Detect real disk - detectedRealDisk = TRUE; - } - } - + // release the current result object VariantClear(&vtProp); } @@ -576,7 +604,7 @@ BOOL disk_size_wmi() pclsObj->Release(); // break from while - if (bFound || detectedRealDisk) + if (bFound) break; } From bf68dc275833bf8dc4e847fc2cdbeb6966708a91 Mon Sep 17 00:00:00 2001 From: CyberGreg05 Date: Thu, 7 Mar 2024 07:47:23 +0300 Subject: [PATCH 3/5] fix ; --- al-khaser/AntiVM/Generic.cpp | 40 ++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/al-khaser/AntiVM/Generic.cpp b/al-khaser/AntiVM/Generic.cpp index da392a9..01900b4 100755 
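Review bot: `checkDriveType` black-lists four DriveType values, so a disk reporting 0 (Unknown) or 1 (No Root Directory) still falls through to the 80 GB size check; since the heuristic is only meaningful for fixed local disks, a white-list is tighter and reads better: `if (vtDriveType.uintVal != DRIVE_FIXED) res = TRUE;` (the winbase.h `DRIVE_*` constants use the same numbering as Win32_LogicalDisk.DriveType, so `DRIVE_REMOVABLE`, `DRIVE_REMOTE`, `DRIVE_CDROM`, `DRIVE_RAMDISK` can replace the magic numbers if the black-list is kept). The header comment should state the return convention, because TRUE here means "skip this disk": `/* Returns TRUE when the logical disk is not a fixed local disk and must be excluded from the size heuristic. */`. As far as I know WMI marshals uint32 properties as VT_I4, so testing `V_VT(&vtDriveType) == VT_I4` rather than `!= VT_NULL` before reading `uintVal` would make that assumption explicit — worth confirming against the class the enumerator was created from, which is outside the hunk.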
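Review bot: The new comment `// Don`t check removable disk, network drive CD-ROM and RAM disk` uses a backtick as an apostrophe and is missing a conjunction; suggest `// Skip removable disks, network drives, CD-ROMs and RAM disks: the size heuristic only applies to fixed local disks`. The `pclsObj->Release(); continue;` path looks correct as far as the hunk shows, since `Next` refills `pclsObj` on the following iteration, but adding `pclsObj = NULL;` after the Release would keep the pointer from dangling if the loop body grows. `disk_size_wmi` starts and ends outside the hunk.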
--- a/al-khaser/AntiVM/Generic.cpp +++ b/al-khaser/AntiVM/Generic.cpp @@ -572,13 +572,13 @@ BOOL disk_size_wmi() hRes = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn); if (0 == uReturn) break; - + // Don`t check removable disk, network drive CD-ROM and RAM disk if (checkDriveType(pclsObj)) { pclsObj->Release(); continue; } - + // Get the value of the Name property hRes = pclsObj->Get(_T("Size"), 0, &vtProp, NULL, 0); if (SUCCEEDED(hRes)) { @@ -594,32 +594,32 @@ BOOL disk_size_wmi() if (diskSizeBytes < minHardDiskSize) { // Less than 80GB bFound = TRUE; } - - // release the current result object - VariantClear(&vtProp); + + // release the current result object + VariantClear(&vtProp); + } } - } - // release class object - pclsObj->Release(); + // release class object + pclsObj->Release(); - // break from while - if (bFound) - break; - } + // break from while + if (bFound) + break; + } - // Cleanup - pEnumerator->Release(); - pSvc->Release(); - pLoc->Release(); - CoUninitialize(); + // Cleanup + pEnumerator->Release(); + pSvc->Release(); + pLoc->Release(); + CoUninitialize(); + } } - } - return bFound; + return bFound; + } } - /* DeviceIoControl works with disks directly rather than partitions (GetDiskFreeSpaceEx) We can send IOCTL_DISK_GET_LENGTH_INFO code to get the raw byte size of the physical disk From dfdee7f66f4a6217d05cdb6f4074d08f18d079d5 Mon Sep 17 00:00:00 2001 From: CyberGreg05 Date: Thu, 7 Mar 2024 07:51:58 +0300 Subject: [PATCH 4/5] Revert "fix ;" This reverts commit bf68dc275833bf8dc4e847fc2cdbeb6966708a91. --- al-khaser/AntiVM/Generic.cpp | 40 ++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/al-khaser/AntiVM/Generic.cpp b/al-khaser/AntiVM/Generic.cpp index 01900b4..da392a9 100755 --- a/al-khaser/AntiVM/Generic.cpp +++ b/al-khaser/AntiVM/Generic.cpp 
@@ -572,13 +572,13 @@ BOOL disk_size_wmi() hRes = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn); if (0 == uReturn) break; - + // Don`t check removable disk, network drive CD-ROM and RAM disk if (checkDriveType(pclsObj)) { pclsObj->Release(); continue; } - + // Get the value of the Name property hRes = pclsObj->Get(_T("Size"), 0, &vtProp, NULL, 0); if (SUCCEEDED(hRes)) { @@ -594,32 +594,32 @@ BOOL disk_size_wmi() if (diskSizeBytes < minHardDiskSize) { // Less than 80GB bFound = TRUE; } - - // release the current result object - VariantClear(&vtProp); - } + + // release the current result object + VariantClear(&vtProp); } - - // release class object - pclsObj->Release(); - - // break from while - if (bFound) - break; } - // Cleanup - pEnumerator->Release(); - pSvc->Release(); - pLoc->Release(); - CoUninitialize(); + // release class object + pclsObj->Release(); + + // break from while + if (bFound) + break; } - } - return bFound; + // Cleanup + pEnumerator->Release(); + pSvc->Release(); + pLoc->Release(); + CoUninitialize(); + } } + + return bFound; } + /* DeviceIoControl works with disks directly rather than partitions (GetDiskFreeSpaceEx) We can send IOCTL_DISK_GET_LENGTH_INFO code to get the raw byte size of the physical disk From 2f96a4629479986635f67ee42034f5878b57e2aa Mon Sep 17 00:00:00 2001 From: CyberGreg05 <62875146+CyberGreg05@users.noreply.github.com> Date: Thu, 7 Mar 2024 10:58:13 +0300 Subject: [PATCH 5/5] fix deleted } --- al-khaser/AntiVM/Generic.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/al-khaser/AntiVM/Generic.cpp b/al-khaser/AntiVM/Generic.cpp index da392a9..8848908 100755 --- a/al-khaser/AntiVM/Generic.cpp +++ b/al-khaser/AntiVM/Generic.cpp @@ -594,7 +594,7 @@ BOOL disk_size_wmi() if (diskSizeBytes < minHardDiskSize) { // Less than 80GB bFound = TRUE; } - + } // release the current result object VariantClear(&vtProp); }