### Check VMware Installation Directory Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Checks for the VMware installation directory at '%PROGRAMFILES%\VMWare\'. Returns TRUE if found, FALSE otherwise. ```cpp #include BOOL vmware_dir(VOID); ``` -------------------------------- ### Al-Khaser Command Line Usage Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/README.md Displays the available command-line options and examples for running Al-Khaser. Use --check to enable specific detection types and --sleep to set delay durations. ```bash ./al-khaser.exe -h ``` ```bash al-khaser.exe --check DEBUG --check TIMING_ATTACKS --sleep 30 ``` ```bash al-khaser.exe --check VMWARE --check QEMU ``` ```bash al-khaser.exe --sleep 30 ``` -------------------------------- ### Get Operating System Display String Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Retrieves a human-readable string representing the current Windows OS version. The provided buffer must be large enough to hold the string. ```cpp BOOL GetOSDisplayString(LPTSTR pszOS) ``` -------------------------------- ### Check VirtualBox System Files Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Scans the Windows System32 directory for VirtualBox-specific driver and support files. This helps in detecting VirtualBox installations by their file artifacts. ```cpp VOID vbox_files(VOID) ``` -------------------------------- ### SetWindowsHooksEx_Injection Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/code-injection-api.md Demonstrates code injection using `SetWindowsHooksEx()`. This technique installs a hook callback that gets executed when a specific Windows event occurs. ```APIDOC ## SetWindowsHooksEx_Injection ### Description Demonstrates code injection using `SetWindowsHooksEx()`. This technique installs a hook callback that gets executed when a specific Windows event occurs. ### Signature ```cpp BOOL SetWindowsHooksEx_Injection(VOID) ``` ### Parameters None ### Return Value - `TRUE` - Hook injection succeeded - `FALSE` - Hook injection failed ### Technique Details 1. Loads a DLL containing the hook callback 2. Sets a Windows hook with `SetWindowsHooksEx()` 3. Triggers the hook event (e.g., mouse movement) 4. Hook callback executes in the target process context ### Supported Hook Types - WH_MOUSE - Mouse events - WH_KEYBOARD - Keyboard events - WH_CALLWNDPROC - Window procedure calls ``` -------------------------------- ### Check VirtualBox MAC Address Prefix Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Enumerates network adapters and checks for MAC addresses starting with the VirtualBox prefix '08:00:27'. Returns TRUE if detected, FALSE otherwise. ```cpp BOOL vbox_check_mac(VOID) ``` -------------------------------- ### vbox_check_mac Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Enumerates network adapters and checks for MAC addresses that start with the VirtualBox prefix "08:00:27". ```APIDOC ## vbox_check_mac ### Description Enumerates network adapters and checks for MAC addresses starting with "08:00:27", which is the VirtualBox MAC address prefix. ### Parameters None ### Return Value - `TRUE` - VirtualBox MAC address detected - `FALSE` - No VirtualBox MAC found ``` -------------------------------- ### SetWindowsHooksEx Injection Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/code-injection-api.md Demonstrates code injection using SetWindowsHooksEx. This technique installs a hook callback that executes when a specific Windows event occurs, such as mouse movement or keyboard input. ```cpp BOOL SetWindowsHooksEx_Injection(VOID) ``` -------------------------------- ### Check for Pirated Windows Installation Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Uses the SLIsGenuineLocal() function to determine if the Windows installation is genuine. Returns TRUE if not genuine, FALSE if genuine. ```cpp BOOL pirated_windows(VOID) { // Implementation details omitted for brevity } ``` -------------------------------- ### Check VirtualBox Registry Keys Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Checks for the presence of specific VirtualBox registry keys under various system and software paths. This is useful for identifying VirtualBox installations. ```cpp VOID vbox_reg_keys(VOID) ``` -------------------------------- ### Main Loop Timing Attack Execution Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/timing-attacks-api.md Example of how to integrate various timing-based checks into a main loop. This snippet shows the conditional execution of checks based on an ENABLE_TIMING_ATTACKS flag and the use of a helper function 'exec_check'. ```cpp // In main loop: if (ENABLE_TIMING_ATTACKS) { UINT delayInMillis = delayInSeconds * 1000; // Execute multiple timing-based checks exec_check(timing_NtDelayexecution, delayInMillis, "Testing NtDelayExecution"); exec_check(timing_sleep_loop, delayInMillis, "Testing Sleep Loop"); exec_check(timing_SetTimer, delayInMillis, "Testing SetTimer"); // ... etc // Execute RDTSC checks exec_check(&rdtsc_diff_locky, "Testing RDTSC Locky trick"); exec_check(&rddtsc_diff_vmexit, "Testing RDTSC VM Exit"); } ``` -------------------------------- ### Enumerate Disk Drive Information via SetupAPI Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Utilizes SetupAPI to list disk drive details and identify potential virtual machine identifiers. Returns TRUE if a VM disk is detected, FALSE otherwise. ```cpp BOOL setupdi_diskdrive(VOID) { // Implementation details omitted for brevity } ``` -------------------------------- ### Search for Known VM Filenames Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Searches for known sandbox or VM filenames like 'sample.exe' or 'sandbox.exe'. Results are printed to the console. ```cpp #include VOID known_file_names(VOID); ``` -------------------------------- ### Display Help Information Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/configuration.md Displays the help message for Al-Khaser, listing all available command-line options and their descriptions. ```bash al-khaser.exe --help ``` -------------------------------- ### InitWMI Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Initializes COM and establishes a connection to the Windows Management Instrumentation (WMI) service, preparing for WMI queries. ```APIDOC ## InitWMI ### Description Initializes COM and connects to WMI. ### Signature ```cpp BOOL InitWMI( IWbemServices **pSvc, IWbemLocator **pLoc, const TCHAR* szNetworkResource) ``` ### Parameters #### Path Parameters - **pSvc** (IWbemServices**) - Required - Receives WMI services interface - **pLoc** (IWbemLocator**) - Required - Receives WMI locator interface - **szNetworkResource** (const TCHAR*) - Required - Network resource (usually "root\cimv2") ### Return Value - `TRUE` - WMI initialized successfully - `FALSE` - Initialization failed ### Request Example ```cpp IWbemServices *pSvc = NULL; IWbemLocator *pLoc = NULL; if (InitWMI(&pSvc, &pLoc, _T("root\cimv2"))) { // Use pSvc for WMI queries // Clean up COM interfaces when done } ``` ``` -------------------------------- ### Initialize WMI Connection Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Initializes COM and connects to the WMI service. Use the returned interfaces for WMI queries and ensure COM interfaces are cleaned up. ```cpp IWbemServices *pSvc = NULL; IWbemLocator *pLoc = NULL; if (InitWMI(&pSvc, &pLoc, _T("root\cimv2"))) { // Use pSvc for WMI queries // Clean up COM interfaces when done } ``` -------------------------------- ### Get Global Descriptor Table (GDT) Base Address Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Retrieves the base address of the Global Descriptor Table. ```cpp ULONG get_gdt_base(VOID) ``` -------------------------------- ### Get Local Descriptor Table (LDT) Base Address Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Retrieves the base address of the Local Descriptor Table. ```cpp ULONG get_ldt_base(VOID) ``` -------------------------------- ### Check Known Hostnames Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Compares the computer hostname against a list of known sandbox hostnames. Results are printed to the console. ```cpp VOID known_hostnames(VOID) ``` -------------------------------- ### Get Interrupt Descriptor Table (IDT) Base Address Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Retrieves the base address of the Interrupt Descriptor Table. ```cpp ULONG get_idt_base(VOID) ``` -------------------------------- ### Enumerate System Firmware Tables Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Enumerates system firmware tables for a given provider signature. The buffer should be sized appropriately to receive the table list. ```cpp UINT enum_system_firmware_tables( _In_ DWORD FirmwareTableProviderSignature, _Out_ PVOID pFirmwareTableBuffer, _In_ DWORD BufferSize) ``` -------------------------------- ### GetProccessIDByName Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Gets the process ID by its executable name. Note: This function has a typo in its name ('Proccess' instead of 'Process'). ```APIDOC ## GetProccessIDByName ### Description Gets process ID by executable name. ### Signature ```cpp DWORD GetProccessIDByName(TCHAR* szProcessNameTarget) ``` ### Parameters #### Path Parameters - **szProcessNameTarget** (TCHAR*) - Required - Process executable name ### Return Value Process ID, or 0 if not found ``` -------------------------------- ### Memory Allocation in Target Process Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/code-injection-api.md Demonstrates allocating memory within a target process using VirtualAllocEx. This is a common first step in many code injection techniques. ```cpp // In target process: PVOID remoteBuffer = VirtualAllocEx( hProcess, NULL, payloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ); ``` -------------------------------- ### Display Help Message Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/configuration.md Use -h or --help to display the help message and exit the program. This provides usage information. ```bash al-khaser.exe -h ``` ```bash al-khaser.exe --help ``` -------------------------------- ### Al-Khaser Command-Line Usage Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/overview.md The application is invoked from the command line with optional flags to control specific checks. Use the --help flag for a full list of options. ```bash al-khaser.exe [--check ] [--sleep ] [--help] ``` -------------------------------- ### Enumerate Loaded DLLs for VM Tools Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Enumerates loaded DLLs and checks for known analysis/security tool DLLs such as AVG, Avast, Sandboxie, and Virtual PC. Results are printed to the console. ```cpp #include VOID loaded_dlls(VOID); ``` -------------------------------- ### Get Process ID by Name Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Retrieves the Process ID (PID) given the executable name. Returns 0 if the process is not found. Note the typo in the original function name 'GetProccessIDByName'. ```cpp GetProccessIDByName(szProcessNameTarget); ``` ```cpp GetProcessIdFromName(ProcessName); ``` -------------------------------- ### Check Disk Size with GetDiskFreeSpaceEx Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Employs `GetDiskFreeSpaceEx()` to ascertain the total available disk space. Returns TRUE if a suspicious size is detected, FALSE otherwise. ```cpp BOOL disk_size_getdiskfreespace(VOID) ``` -------------------------------- ### Check VirtualBox Guest Additions Directory Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Checks for the presence of the VirtualBox Guest Additions directory in the default Program Files location. Returns TRUE if found, FALSE otherwise. ```cpp BOOL vbox_dir(VOID) ``` -------------------------------- ### Check System Power Capabilities for VM Settings Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Examines system power capabilities for settings that are specific to virtual machines. Returns TRUE if suspicious power settings are detected, FALSE otherwise. ```cpp BOOL power_capabilities(VOID) { // Implementation details omitted for brevity } ``` -------------------------------- ### Open VMware Device Objects Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Attempts to open VMware-specific device objects. Results are printed to the console. ```cpp #include VOID vmware_devices(VOID); ``` -------------------------------- ### Detect VMware Firmware (SMBIOS) Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Reads SMBIOS firmware tables to find VMware-specific strings. Returns TRUE if found, FALSE otherwise. ```cpp #include BOOL vmware_firmware_SMBIOS(VOID); ``` -------------------------------- ### Detect VirtualBox Firmware (ACPI) Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Reads ACPI firmware tables to find VirtualBox-specific structures and strings. Returns TRUE if found, FALSE otherwise. ```cpp #include BOOL vbox_firmware_ACPI(VOID); ``` -------------------------------- ### Detect VMware Firmware (ACPI) Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Reads ACPI firmware tables to find VMware-specific ACPI structures. Returns TRUE if found, FALSE otherwise. ```cpp #include BOOL vmware_firmware_ACPI(VOID); ``` -------------------------------- ### ScanForModules_ToolHelp32 Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/misc-api.md Enumerates modules using the ToolHelp32 API (CreateToolhelp32Snapshot and Module32First/Next). This serves as an alternative enumeration method. ```cpp BOOL ScanForModules_ToolHelp32(VOID) ``` -------------------------------- ### Check for Cloud Hosting Indicators Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Detects indicators associated with cloud hosting environments. Returns TRUE if cloud hosting is detected, FALSE otherwise. ```cpp BOOL hosting_check(VOID) { // Implementation details omitted for brevity } ``` -------------------------------- ### Detect VirtualBox Baseboard (WMI) Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Queries WMI for VirtualBox-specific baseboard information. Returns TRUE if detected, FALSE otherwise. ```cpp #include BOOL vbox_baseboard_wmi(VOID); ``` -------------------------------- ### Detect VirtualBox Firmware (SMBIOS) Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Reads SMBIOS firmware tables to find VirtualBox-specific strings. Returns TRUE if found, FALSE otherwise. ```cpp #include BOOL vbox_firmware_SMBIOS(VOID); ``` -------------------------------- ### vbox_dir Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Checks for the presence of the VirtualBox Guest Additions directory, typically located at `%PROGRAMFILES%\oracle\virtualbox guest additions\`. ```APIDOC ## vbox_dir ### Description Checks for the presence of the VirtualBox Guest Additions directory at `%PROGRAMFILES%\oracle\virtualbox guest additions\` ### Parameters None ### Return Value - `TRUE` - VirtualBox directory found - `FALSE` - Directory not found ``` -------------------------------- ### vbox_files Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Scans the Windows System32 directory for VirtualBox-specific driver and support files, including various .sys and .dll files, as well as executable files like vboxservice.exe. ```APIDOC ## vbox_files ### Description Scans the Windows System32 directory for VirtualBox-specific driver and support files: - Driver files: VBoxMouse.sys, VBoxGuest.sys, VBoxSF.sys, VBoxVideo.sys - DLL files: vboxdisp.dll, vboxhook.dll, vboxmrxnp.dll, vboxogl.dll, etc. - Executable files: vboxservice.exe, vboxtray.exe, VBoxControl.exe ### Parameters None ### Return Value Void - results printed to console ``` -------------------------------- ### Check for Known VM Usernames Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Checks if the current user matches known sandbox usernames. Results are printed to the console. ```cpp #include VOID known_usernames(VOID); ``` -------------------------------- ### PEB64 Structure Definition for WoW64 Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/types.md Defines the 64-bit Process Environment Block structure used when running a 32-bit application on a 64-bit Windows system. Allows reading the native 64-bit PEB. ```cpp typedef struct _PEB64 { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[1]; PVOID64 Reserved3[2]; PVOID64 Ldr; PVOID64 ProcessParameters; BYTE Reserved4[104]; PVOID64 Reserved5[52]; PVOID64 PostProcessInitRoutine; BYTE Reserved6[128]; PVOID64 Reserved7[1]; ULONG SessionId; } PEB64, *PPEB64; ``` -------------------------------- ### Check VirtualBox Window Classes Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Searches for window classes created by VirtualBox, such as 'VBoxTrayToolWndClass' and 'VBoxTrayToolWnd'. Returns TRUE if found, FALSE otherwise. ```cpp BOOL vbox_window_class(VOID) ``` -------------------------------- ### GetPeb64 Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Retrieves the native 64-bit Process Environment Block (PEB) when the process is running under WoW64. This function is essential for accessing 64-bit process information from a 32-bit context. ```APIDOC ## GetPeb64 ### Description Retrieves the native 64-bit Process Environment Block when running under WoW64. ### Signature ```cpp PVOID64 GetPeb64(VOID) ``` ### Return Value Pointer to 64-bit PEB, or NULL if not in WoW64 ``` -------------------------------- ### Query Disk Size via DeviceIoControl Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Utilizes `DeviceIoControl()` with `IOCTL_DISK_GET_LENGTH_INFO` to obtain the disk size. Returns TRUE if a suspicious size is detected, FALSE otherwise. ```cpp BOOL dizk_size_deviceiocontrol(VOID) ``` -------------------------------- ### RunPE (Process Replacement) Pseudocode Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/code-injection-api.md Simplified pseudocode illustrating the RunPE technique flow, which involves process creation, memory allocation, payload writing, thread context modification, and thread resumption. ```cpp // Simplified RunPE flow: // 1. CreateProcessW(..., CREATE_SUSPENDED, ...) // 2. Allocate memory in suspended process // 3. Write payload to allocated memory // 4. GetThreadContext(thread, &context) // 5. context.Rip = payloadAddress // Redirect execution // 6. SetThreadContext(thread, &context) // 7. ResumeThread(thread) ``` -------------------------------- ### Scan for VMware Files Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Scans the System32 directory for VMware-specific files such as drivers and tools. Results are printed to the console. ```cpp #include VOID vmware_files(VOID); ``` -------------------------------- ### vbox_devices Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Attempts to open VirtualBox-specific device objects, including various VBoxMiniRdrDN, VBoxGuest, and VBoxTrayIPC related devices and pipes. ```APIDOC ## vbox_devices ### Description Attempts to open VirtualBox-specific device objects: - `\\.\VBoxMiniRdrDN` - `\\.\VBoxGuest` - `\\.\pipe\VBoxMiniRdDN` - `\\.\VBoxTrayIPC` - `\\.\pipe\VBoxTrayIPC` ### Parameters None ### Return Value Void - results printed to console ``` -------------------------------- ### Query WMI for VirtualBox Controller Hardware Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Queries the WMI `Win32_PnPEntity` class checking device names for VirtualBox controller hardware. Returns TRUE if found, FALSE otherwise. ```cpp BOOL vbox_pnpentity_controllers_wmi(VOID) ``` -------------------------------- ### Check for Virtual PC Specific Registry Keys Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Verifies the existence of registry keys that are characteristic of a Virtual PC environment. ```cpp VOID virtual_pc_reg_keys(VOID) { // Implementation details omitted for brevity } ``` -------------------------------- ### Check VirtualBox Running Processes Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Enumerates running processes and checks for the presence of VirtualBox-related processes like 'vboxservice.exe' and 'vboxtray.exe'. ```cpp VOID vbox_processes(VOID) ``` -------------------------------- ### Check Registry Key Value for String Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Checks if a registry key value exists and contains a specific string. Use this to verify specific configurations or version information within the registry. ```cpp Is_RegKeyValueExists( HKEY_LOCAL_MACHINE, _T("HARDWARE\\Description\\System"), _T("SystemBiosVersion"), _T("VBOX")); ``` -------------------------------- ### ExecWMIQuery Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Executes a WMI query using WQL (WMI Query Language) against the WMI service, returning an enumerator for the results. ```APIDOC ## ExecWMIQuery ### Description Executes a WMI query using WQL (WMI Query Language). ### Signature ```cpp BOOL ExecWMIQuery( IWbemServices **pSvc, IWbemLocator **pLoc, IEnumWbemClassObject **pEnumerator, const TCHAR* szQuery) ``` ### Parameters #### Path Parameters - **pSvc** (IWbemServices**) - Required - WMI services interface from InitWMI - **pLoc** (IWbemLocator**) - Required - WMI locator interface from InitWMI - **pEnumerator** (IEnumWbemClassObject**) - Required - Receives enumeration results - **szQuery** (const TCHAR*) - Required - WQL query string ### Return Value - `TRUE` - Query executed successfully - `FALSE` - Query failed ### Request Example ```cpp // Get BIOS information _T("SELECT * FROM Win32_BIOS") // Get processor information _T("SELECT * FROM Win32_Processor") // Get network adapter configuration _T("SELECT * FROM Win32_NetworkAdapterConfiguration") ``` ``` -------------------------------- ### Calling an External API in Al-Khaser Source: https://github.com/ayoubfaouzi/al-khaser/wiki/Developer-Guidelines This snippet demonstrates how to check for the availability of an external API and retrieve its function pointer for use. Ensure the API identifier is defined in `APIs.h` and its details are in `APIs.cpp`. ```cpp if (API::IsAvailable(API_IDENTIFIER::API_SomeFunction)) { auto SomeFunction = static_cast(API::GetAPI(API_IDENTIFIER::API_SomeFunction)); // do something with SomeFunction() } ``` -------------------------------- ### Execute a Check Function with Description Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/misc-api.md A common pattern to execute a check function and log its results. This template function handles printing the description, calling the check, and reporting detection status. ```cpp exec_check(&FunctionName, TEXT("Description of what is being checked")); ``` -------------------------------- ### GetSetThreadContext Injection (RunPE) Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/code-injection-api.md This section is incomplete in the source text and does not provide specific API details for direct user invocation. -------------------------------- ### Analyze Running Processes for Debugging Tools Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/misc-api.md Enumerates running processes and checks for known analysis and debugging tools. Results are printed directly to the console. ```cpp VOID analysis_tools_process(VOID) ``` ```cpp // Enumerate running processes // For each process: // if (processName.toLowerCase() matches known tool) // print_results(TRUE, "Tool detected") ``` -------------------------------- ### Check VirtualBox Registry Key Values Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Enumerates and checks registry key values for VirtualBox-specific strings. This includes BIOS version strings, Video BIOS, and a specific BIOS date. ```cpp VOID vbox_reg_key_value(VOID) ``` -------------------------------- ### NtCreateThreadEx_Injection Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/code-injection-api.md Demonstrates code injection using the Native API `NtCreateThreadEx()`, which is the low-level equivalent to `CreateRemoteThread()`. ```APIDOC ## NtCreateThreadEx_Injection ### Description Demonstrates code injection using the Native API `NtCreateThreadEx()`, which is the low-level equivalent to `CreateRemoteThread()`. ### Signature ```cpp BOOL NtCreateThreadEx_Injection(VOID) ``` ### Parameters None ### Return Value - `TRUE` - Injection succeeded - `FALSE` - Injection failed ### Advantages over CreateRemoteThread - Available on earlier Windows versions - More flexible parameter control - Can bypass some API hooks ### Technique Details 1. Similar to CreateRemoteThread but uses Native API 2. Requires loading Ntdll.dll manually 3. More evasive as it's lower-level than documented APIs ``` -------------------------------- ### IsWoW64 Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Determines if the current process is running under WoW64 (32-bit process on 64-bit Windows). This is useful for modules that need to access 64-bit PEB when running in a 32-bit environment. ```APIDOC ## IsWoW64 ### Description Determines if the current process is running under WoW64 (32-bit process on 64-bit Windows). ### Signature ```cpp BOOL IsWoW64(VOID) ``` ### Return Value - `TRUE` - Running under WoW64 - `FALSE` - Native architecture or not WoW64 ``` -------------------------------- ### Read ACPI Firmware Tables for VM Indicators Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Reads ACPI firmware tables to identify generic indicators of a virtual machine. Returns TRUE if VM indicators are found, FALSE otherwise. ```cpp BOOL firmware_ACPI(VOID) { // Implementation details omitted for brevity } ``` -------------------------------- ### Custom Execution Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/INDEX.md Executes specific check categories (DEBUG, VBOX) with a custom delay of 30 seconds. ```bash al-khaser.exe --check DEBUG --check VBOX --sleep 30 ``` -------------------------------- ### enum_system_firmware_tables Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Enumerates system firmware tables, allowing discovery of tables like ACPI and SMBIOS. It requires a provider signature and a buffer to store the results. ```APIDOC ## enum_system_firmware_tables ### Description Enumerates system firmware tables. ### Signature ```cpp UINT enum_system_firmware_tables( _In_ DWORD FirmwareTableProviderSignature, _Out_ PVOID pFirmwareTableBuffer, _In_ DWORD BufferSize) ``` ### Parameters #### Path Parameters - **FirmwareTableProviderSignature** (DWORD) - Provider signature (ACPI, SMBIOS, etc.) - **pFirmwareTableBuffer** (PVOID) - Buffer to receive table list - **BufferSize** (DWORD) - Size of buffer ### Return Value Number of tables, or 0 if failed ### Provider Signatures - `'RSMB'` (0x42534D52) - SMBIOS tables - `'ACPI'` (0x49434341) - ACPI tables ``` -------------------------------- ### CreateRemoteThread Injection Flow Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/code-injection-api.md Illustrates the pseudocode flow for injecting code using CreateRemoteThread. This involves allocating memory, writing shellcode, and creating a remote thread in the target process. ```cpp // Pseudocode of the injection flow: // 1. Get target process handle // 2. VirtualAllocEx() - allocate memory in target // 3. WriteProcessMemory() - write payload // 4. CreateRemoteThread() - execute in target process // 5. WaitForSingleObject() - wait for completion ``` -------------------------------- ### Attempt to Read Memory in WoW64 Context Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Reads 64-bit memory from a WoW64 context. Ensure the buffer is large enough to hold the requested data. ```cpp bool attempt_to_read_memory_wow64( PVOID buffer, DWORD size, PVOID64 address) ``` -------------------------------- ### Check if File Exists Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Verifies the existence of a file at a given path. Useful for pre-flight checks before attempting to read or write to a file. ```cpp is_FileExists(szPath); ``` -------------------------------- ### Check VMware Registry Keys Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Checks for specific VMware registry keys, including 'SOFTWARE\VMware, Inc.\VMware Tools' and entries under ControlSet001. Results are printed to the console. ```cpp #include VOID vmware_reg_keys(VOID); ``` -------------------------------- ### ScanForModules_EnumProcessModulesEx_All Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/misc-api.md Enumerates all modules (32-bit and 64-bit) using EnumProcessModulesEx with the LIST_MODULES_ALL flag. ```cpp BOOL ScanForModules_EnumProcessModulesEx_All(VOID) ``` -------------------------------- ### Check Registry for VM Disk Enum Entries Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Scans registry paths Services\Disk\Enum and Enum\IDE/Enum\SCSI for strings indicative of a virtual machine. Returns TRUE if VM strings are found, FALSE otherwise. ```cpp BOOL registry_services_disk_enum(VOID) { // Implementation details omitted for brevity } BOOL registry_disk_enum(VOID) { // Implementation details omitted for brevity } ``` -------------------------------- ### vbox_processes Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Enumerates running processes and checks for the presence of VirtualBox-related processes such as vboxservice.exe and vboxtray.exe. ```APIDOC ## vbox_processes ### Description Enumerates running processes and checks for VirtualBox-related processes: - vboxservice.exe - vboxtray.exe ### Parameters None ### Return Value Void - results printed to console ``` -------------------------------- ### Check VMware Registry Key Values Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Checks registry key values for VMware-specific strings in SCSI controller identifiers and BIOS information. Results are printed to the console. ```cpp #include VOID vmware_reg_key_value(VOID); ``` -------------------------------- ### Query WMI for VirtualBox Bus Information Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Queries the WMI `Win32_Bus` class for VirtualBox-related bus information. Returns TRUE if detected, FALSE otherwise. ```cpp BOOL vbox_bus_wmi(VOID) ``` -------------------------------- ### vbox_window_class Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Searches for window classes created by VirtualBox, specifically "VBoxTrayToolWndClass" and "VBoxTrayToolWnd". ```APIDOC ## vbox_window_class ### Description Searches for window classes created by VirtualBox: - "VBoxTrayToolWndClass" - "VBoxTrayToolWnd" ### Parameters None ### Return Value - `TRUE` - VirtualBox window class found - `FALSE` - No VirtualBox window class detected ``` -------------------------------- ### Execute WMI Query Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Executes a WMI query using WQL. The function returns an enumerator for the query results. ```cpp _T("SELECT * FROM Win32_BIOS") ``` ```cpp _T("SELECT * FROM Win32_Processor") ``` ```cpp _T("SELECT * FROM Win32_NetworkAdapterConfiguration") ``` -------------------------------- ### Detect Hypervisor via CPUID Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Executes the CPUID instruction with EAX=0x1 and inspects the hypervisor bit in the ECX register. Returns TRUE if a hypervisor is detected, FALSE otherwise. ```cpp BOOL cpuid_is_hypervisor(VOID) ``` -------------------------------- ### vbox_bus_wmi Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Queries the WMI `Win32_Bus` class for VirtualBox-related bus information. ```APIDOC ## vbox_bus_wmi ### Description Queries WMI `Win32_Bus` class for VirtualBox-related bus information. ### Parameters None ### Return Value - `TRUE` - VirtualBox bus detected - `FALSE` - Not detected ``` -------------------------------- ### Query Disk Size via WMI Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Queries the WMI `Win32_LogicalDisk` class to check the hard disk size. Returns TRUE if a suspicious disk size is detected, FALSE otherwise. ```cpp BOOL disk_size_wmi(VOID) ``` -------------------------------- ### Query License Value for VM Detection Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Calls `NtQueryLicenseValue()` with the specific license value 'Kernel-VMDetection-Private'. Returns TRUE if the license value is found, indicating VM detection, FALSE otherwise. ```cpp BOOL query_license_value(VOID) ``` -------------------------------- ### Detect Hypervisor Vendor via CPUID Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Executes the CPUID instruction with EAX=0x40000000 to retrieve hypervisor vendor strings. Returns TRUE if a known hypervisor vendor string is found, FALSE otherwise. ```cpp BOOL cpuid_hypervisor_vendor(VOID) ``` -------------------------------- ### IsWindowsVista, IsWindows7, IsWindows8or8PointOne Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Provides specific functions to detect the running Windows OS version. These functions return true if the system is running the specified OS version. ```APIDOC ## IsWindowsVista, IsWindows7, IsWindows8or8PointOne ### Description Specific OS version detection functions. ### Signatures ```cpp BOOL IsWindowsVista(VOID) BOOL IsWindows7(VOID) BOOL IsWindows8or8PointOne(VOID) ``` ### Return Value - `TRUE` - Running on specified OS version - `FALSE` - Not running on specified OS ``` -------------------------------- ### Default Execution Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/INDEX.md Executes all 18 check categories with a default delay of 600 seconds. ```bash al-khaser.exe ``` -------------------------------- ### Main Function Argument Parsing Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/configuration.md Parses command-line arguments for Al-Khaser, handling help flags, sleep/delay values, and specific check types. If no checks are explicitly enabled, default checks are activated. ```cpp int main(int argc, char* argv[]) { UINT delayInSeconds = 600U; // Default delay int enabled_checks = 0; // Count of enabled check types // Parse arguments if (argc > 1) { for (int i = 1; i < argc; ++i) { // Help flag if (strcmp(argv[i], "-h") == 0 || strcmp(argv[i], "--help") == 0) { print_help(PROGRAM_NAME); return 0; } // Sleep/Delay flag else if ((strcmp(argv[i], "--sleep") == 0 || strcmp(argv[i], "--delay") == 0) && i + 1 < argc) { // Parse delay value char* endptr; errno = 0; long val = strtol(argv[i + 1], &endptr, 10); if (errno == ERANGE || val > UINT_MAX || val <= 0) { printf("[!] Invalid delay value: %s\n", argv[i + 1]); } else if (endptr == argv[i + 1] || *endptr != '\0') { printf("[!] Non-numeric delay value: %s\n", argv[i + 1]); } else { delayInSeconds = (UINT)val; } i++; // Skip the value } // Check flag else if (strcmp(argv[i], "--check") == 0 && i + 1 < argc) { EnableChecks(argv[i + 1]); enabled_checks++; i++; // Skip the value } } } // If no checks enabled, enable all if (!enabled_checks) { EnableDefaultChecks(); } // ... execute checks based on enabled flags } ``` -------------------------------- ### Query WMI for VirtualBox Device Names Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Queries the WMI `Win32_PnPEntity` class searching for device names containing 'VBOX'. Returns TRUE if found, FALSE otherwise. ```cpp BOOL vbox_pnpentity_vboxname_wmi(VOID) ``` -------------------------------- ### enumerate_memory_wow64 Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Enumerates 64-bit memory regions specifically for processes running under the WoW64 (Windows 32-bit on Windows 64-bit) subsystem. ```APIDOC ## enumerate_memory_wow64 ### Description Enumerates 64-bit memory regions when running under WoW64. ### Signature ```cpp std::vector* enumerate_memory_wow64(VOID) ``` ### Return Value Vector of 64-bit memory information structures (caller must free) ``` -------------------------------- ### Check VMware MAC Addresses Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Checks network adapters for common VMware MAC address prefixes. Results are printed to the console. ```cpp #include VOID vmware_mac(VOID); ``` -------------------------------- ### Perform Miscellaneous Sandbox Checks Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Executes a variety of miscellaneous checks to detect sandbox environments. Results are printed to the console. ```cpp VOID other_known_sandbox_environment_checks(VOID) ``` -------------------------------- ### Open VirtualBox Device Objects Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Attempts to open VirtualBox-specific device objects and named pipes. This function is used to detect the presence of VirtualBox services. ```cpp VOID vbox_devices(VOID) ``` -------------------------------- ### QueueUserAPC Injection Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/code-injection-api.md Demonstrates code injection using Asynchronous Procedure Calls (APC). APCs are queued to target threads and executed when the thread enters an alertable wait state, offering stealth by not creating visible new threads. ```cpp BOOL QueueUserAPC_Injection(VOID) ``` -------------------------------- ### NtCreateThreadEx Injection Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/code-injection-api.md Demonstrates code injection using the Native API NtCreateThreadEx, the low-level equivalent of CreateRemoteThread. It offers more flexibility and can bypass some API hooks. ```cpp BOOL NtCreateThreadEx_Injection(VOID) ``` -------------------------------- ### GetOSDisplayString Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Retrieves a human-readable string representing the Windows operating system version. This is useful for displaying OS information to the user. ```APIDOC ## GetOSDisplayString ### Description Gets human-readable Windows OS version string. ### Signature ```cpp BOOL GetOSDisplayString(LPTSTR pszOS) ``` ### Parameters #### Path Parameters - **pszOS** (LPTSTR) - Buffer to receive OS string ### Return Value - `TRUE` - OS string retrieved - `FALSE` - Failed to determine OS ### Example Output "Windows 10 64-bit" ``` -------------------------------- ### Check VMware Adapter Name Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Checks network adapter names for VMware-specific identifiers. Returns TRUE if a VMware adapter is found, FALSE otherwise. ```cpp #include BOOL vmware_adapter_name(VOID); ``` -------------------------------- ### CreateRemoteThread Injection Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/code-injection-api.md Demonstrates code injection using CreateRemoteThread. This is a common technique where a new thread is created in a target process to execute injected code. ```cpp BOOL CreateRemoteThread_Injection(VOID) ``` -------------------------------- ### Check Network Adapter Name Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Verifies if any network adapter name contains a specific substring. Helpful for identifying network interfaces by common naming conventions. ```cpp check_adapter_name(szName); ``` -------------------------------- ### get_system_firmware Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Retrieves data for a specific system firmware table. This function requires the provider signature and table ID to fetch the desired data. ```APIDOC ## get_system_firmware ### Description Retrieves a specific firmware table data. ### Signature ```cpp PBYTE get_system_firmware( _In_ DWORD signature, _In_ DWORD table, _Out_ PDWORD pBufferSize) ``` ### Parameters #### Path Parameters - **signature** (DWORD) - Provider signature - **table** (DWORD) - Table ID - **pBufferSize** (PDWORD) - Receives size of returned data ### Return Value Pointer to firmware table data (caller must free), or NULL if failed ``` -------------------------------- ### Detect Lack of User Input Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Checks for any keyboard or mouse input activity. Returns TRUE if no user input is detected (indicating a potential sandbox), FALSE otherwise. ```cpp BOOL lack_user_input(VOID) ``` -------------------------------- ### vbox_pnpentity_controllers_wmi Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Queries the WMI `Win32_PnPEntity` class, checking device names for VirtualBox controller hardware. ```APIDOC ## vbox_pnpentity_controllers_wmi ### Description Queries WMI `Win32_PnPEntity` class checking device names for VirtualBox controller hardware. ### Parameters None ### Return Value - `TRUE` - VirtualBox controller found - `FALSE` - Not detected ``` -------------------------------- ### ScanForModules_EnumProcessModulesEx_32bit Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/misc-api.md Enumerates 32-bit modules using EnumProcessModulesEx with the LIST_MODULES_32BIT flag. Useful for showing 32-bit modules on a 64-bit system. ```cpp BOOL ScanForModules_EnumProcessModulesEx_32bit(VOID) ``` -------------------------------- ### Detect VirtualBox Event Log (WMI) Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Queries WMI for VirtualBox-related entries in the event log. Returns TRUE if found, FALSE otherwise. ```cpp #include BOOL vbox_eventlogfile_wmi(VOID); ``` -------------------------------- ### QueueUserAPC_Injection Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/code-injection-api.md Demonstrates code injection using Asynchronous Procedure Calls (APC). APCs are queued to target threads and executed when the thread enters an alertable wait state. ```APIDOC ## QueueUserAPC_Injection ### Description Demonstrates code injection using Asynchronous Procedure Calls (APC). APCs are queued to target threads and executed when the thread enters an alertable wait state. ### Signature ```cpp BOOL QueueUserAPC_Injection(VOID) ``` ### Parameters None ### Return Value - `TRUE` - APC injection succeeded - `FALSE` - APC injection failed ### Technique Details 1. Enumerates target process threads 2. Allocates memory in target process 3. Writes APC callback to memory 4. Queues APC with `QueueUserAPC()` 5. APC executes when thread waits (e.g., `WaitForSingleObject()`, `Sleep()`) ### Advantages - Does not create visible new threads - Executes in existing thread context - More stealthy than CreateRemoteThread ``` -------------------------------- ### Memory Allocation and Deallocation Macros Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/utilities-api.md Defines macros for heap memory allocation and deallocation, and environment detection for 32-bit or 64-bit compilation. ```cpp #define MALLOC(x) HeapAlloc(GetProcessHeap(), 0, x) #define FREE(x) HeapFree(GetProcessHeap(), 0, x) #if _WIN32 || _WIN64 #if _WIN64 #define ENV64BIT #else #define ENV32BIT #endif #endif ``` -------------------------------- ### C++ timing_CreateWaitableTimer using CreateWaitableTimer Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/timing-attacks-api.md Creates a waitable timer kernel object and waits on it. The timer is set to fire after the specified duration. ```cpp BOOL timing_CreateWaitableTimer(UINT delayInMillis) ``` ```cpp // Pseudocode: HANDLE hTimer = CreateWaitableTimer(NULL, FALSE, NULL); // Set timer to fire after delayInMillis // WaitForSingleObject(hTimer, INFINITE) // CloseHandle(hTimer) ``` -------------------------------- ### Check Physical Memory Space Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/anti-vm-api.md Uses `GlobalMemoryStatusEx()` to evaluate the total physical memory available. Returns TRUE if a suspicious memory size is detected, FALSE otherwise. ```cpp BOOL memory_space(VOID) ``` -------------------------------- ### Create Timer Queue Timer Callback Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/timing-attacks-api.md Callback function executed when a timer queue timer fires. This is part of the timing_CreateTimerQueueTimer functionality. ```cpp VOID CALLBACK CallbackCTQT(PVOID lParam, BOOLEAN TimerOrWaitFired) { // Called when timer fires } ``` -------------------------------- ### Run Timing Attacks with 2-Minute Delay Source: https://github.com/ayoubfaouzi/al-khaser/blob/master/_autodocs/configuration.md Executes the timing attack detection with a custom delay. This allows for more thorough analysis by increasing the wait time. ```bash al-khaser.exe --check TIMING_ATTACKS --sleep 120 ```