Merge pull request #15 from chkp-alexeybu/ab_default_configs

Added flexible build configurations to enable running without command line. Fixed issues #12 and #14.
CheckPointSW · Apr 5, 2022 · c515e89 · c515e89
2 parents 9e0d2e6 + f6a9ebc
commit c515e89
Show file tree

Hide file tree

Showing 10 changed files with 218 additions and 62 deletions.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+April 5th, 2022:
+	[+] Added flexible build configurations to enable running without command line
+	[-] Removed configuration file for the HTML report template
+	[*] Scripts migrated to Python 3
+
 February 7th, 2022:
 	[+] Cuckoo: check for invalid hook of NtLoadKeyEx added
 	[+] Cuckoo: lack of argument checks in NtDelayExecution evasion added

diff --git a/README.md b/README.md
@@ -39,9 +39,26 @@ Features
 * Generic tool that covers a lot of different virtual environment detection techniques and proposes fixes for that.
 * Easily extendable; support for new virtual environments can be added quickly.
 * As Cuckoo Sandbox is the most prevalent tool used for automated malware analysis, we include the detections of it as well.
-*	Ability to introduce new detection techniques not through modifying the source code, but using the JSON configuration files, so the whole community can contribute towards the development of that tool.
+* Ability to introduce new detection techniques not through modifying the source code, but using the JSON configuration files, so the whole community can contribute towards the development of that tool.
 * User-friendly reports about the checked environment that can be shared within the organization among the purely technical guys as well as higher management.
 
+Configurations
+==============
+
+You can build InviZzzible with a built-in set of default configurations to make it work without command line arguments.
+We added two examples of build configurations for your convenience:
+* vmware
+* cuckoo vmware generic
+
+To build InviZzzible with your own custom set of configurations, open Project Properties -> Configuration Properties -> 
+Build Events -> Pre-Build Event, and change the list of evasion configuration names in the Command Line property after 
+`python gen_default_data.py`. Example:
+```shell
+python gen_default_data.py generic vmware misc
+```
+
+You can find the list of available configurations [here](config).
+
 Credits
 =======
 

diff --git a/SandboxEvasion.sln b/SandboxEvasion.sln
@@ -7,9 +7,15 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SandboxEvasion", "SandboxEv
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Release cuckoo vmware generic|x86 = Release cuckoo vmware generic|x86
+		Release vmware|x86 = Release vmware|x86
 		Release|x86 = Release|x86
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{D1EFAF78-F05A-4030-A11A-3BAA67593EE2}.Release cuckoo vmware generic|x86.ActiveCfg = Release cuckoo vmware generic|Win32
+		{D1EFAF78-F05A-4030-A11A-3BAA67593EE2}.Release cuckoo vmware generic|x86.Build.0 = Release cuckoo vmware generic|Win32
+		{D1EFAF78-F05A-4030-A11A-3BAA67593EE2}.Release vmware|x86.ActiveCfg = Release vmware|Win32
+		{D1EFAF78-F05A-4030-A11A-3BAA67593EE2}.Release vmware|x86.Build.0 = Release vmware|Win32
 		{D1EFAF78-F05A-4030-A11A-3BAA67593EE2}.Release|x86.ActiveCfg = Release|Win32
 		{D1EFAF78-F05A-4030-A11A-3BAA67593EE2}.Release|x86.Build.0 = Release|Win32
 	EndGlobalSection

diff --git a/SandboxEvasion/SandboxEvasion.vcxproj b/SandboxEvasion/SandboxEvasion.vcxproj
@@ -1,6 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Release cuckoo vmware generic|Win32">
+      <Configuration>Release cuckoo vmware generic</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release vmware|Win32">
+      <Configuration>Release vmware</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
     <ProjectConfiguration Include="Release|Win32">
       <Configuration>Release</Configuration>
       <Platform>Win32</Platform>
@@ -19,6 +27,20 @@
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release cuckoo vmware generic|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140_xp</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release vmware|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140_xp</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
   </ImportGroup>
@@ -27,6 +49,12 @@
   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
   </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release cuckoo vmware generic|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release vmware|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
   <PropertyGroup Label="UserMacros" />
   <PropertyGroup />
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
@@ -57,7 +85,69 @@
       <Message>Build bundle that may be executed without arguments</Message>
     </PostBuildEvent>
     <PreBuildEvent>
-      <Command>python gen_default_data.py def_data.conf</Command>
+      <Command>python gen_default_data.py generic</Command>
+    </PreBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release cuckoo vmware generic|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>$(SolutionDir)\3rdparty\boost;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <ControlFlowGuard>false</ControlFlowGuard>
+      <PreprocessToFile>false</PreprocessToFile>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>
+      </AdditionalLibraryDirectories>
+      <SubSystem>Console</SubSystem>
+    </Link>
+    <PostBuildEvent>
+      <Command>
+      </Command>
+    </PostBuildEvent>
+    <PostBuildEvent>
+      <Message>Build bundle that may be executed without arguments</Message>
+    </PostBuildEvent>
+    <PreBuildEvent>
+      <Command>python gen_default_data.py cuckoo vmware generic</Command>
+    </PreBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release vmware|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>$(SolutionDir)\3rdparty\boost;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <ControlFlowGuard>false</ControlFlowGuard>
+      <PreprocessToFile>false</PreprocessToFile>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>
+      </AdditionalLibraryDirectories>
+      <SubSystem>Console</SubSystem>
+    </Link>
+    <PostBuildEvent>
+      <Command>
+      </Command>
+    </PostBuildEvent>
+    <PostBuildEvent>
+      <Message>Build bundle that may be executed without arguments</Message>
+    </PostBuildEvent>
+    <PreBuildEvent>
+      <Command>python gen_default_data.py vmware</Command>
     </PreBuildEvent>
   </ItemDefinitionGroup>
   <ItemGroup>

diff --git a/SandboxEvasion/SandboxEvasion.vcxproj.user b/SandboxEvasion/SandboxEvasion.vcxproj.user
@@ -5,4 +5,16 @@
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
     <LocalDebuggerWorkingDirectory>$(SolutionDir)config</LocalDebuggerWorkingDirectory>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release cuckoo vmware generic|Win32'">
+    <LocalDebuggerCommandArguments>
+    </LocalDebuggerCommandArguments>
+    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+    <LocalDebuggerWorkingDirectory>$(SolutionDir)config</LocalDebuggerWorkingDirectory>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release vmware|Win32'">
+    <LocalDebuggerCommandArguments>
+    </LocalDebuggerCommandArguments>
+    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+    <LocalDebuggerWorkingDirectory>$(SolutionDir)config</LocalDebuggerWorkingDirectory>
+  </PropertyGroup>
 </Project>
diff --git a/SandboxEvasion/def_data.conf b/SandboxEvasion/def_data.conf
diff --git a/SandboxEvasion/gen_default_data.py b/SandboxEvasion/gen_default_data.py
@@ -1,97 +1,126 @@
 __author__ = 'arl'
 
-
+import os
 from json import load
 from sys import argv
+from os import path
+
 
+REPORT = "report.html"
+BOOTSTRAP = "bootstrap.css"
+CONFIG_PATH = "../config/"
 
-PATH_CONF_CUCKOO = 'cuckoo'
-PATH_REPORT = 'report'
-PATH_BOOTSTRAP = 'bootstrap'
+OUT_DEFAULT_CONFIG = "default_configs.h"
+OUT_DATA_REPORT = "data_report_html.h"
+OUT_DATA_BOOTSTRAP = "data_bootstrap_css.h"
 
 
 def make_hex_array(data):
-    return ','.join(['0x%02x' % ord(x) + ('\r\n' if (i + 1) % 16 == 0 else '') for i, x in enumerate(data)])
+    return ",".join(
+        [
+            "0x%02x" % ord(x) + ("\n" if (i + 1) % 16 == 0 else "")
+            for i, x in enumerate(data)
+        ]
+    )
 
 
 def escape_file_data(data):
     data = data.replace("\\", "\\\\")
-    data = data.replace("\"", "\\\"")
-    dv = data.split('\n')
-    data = ''
-    for ds in dv:
-        data += ds.rstrip() + '\\\r\n'
-
-    return data
+    data = data.replace('"', '\\"')
+    return "\\\n".join(map(str.rstrip, data.split("\n")))
 
 
 def read_data(fn):
     try:
-        return open(fn, 'rb').read()
+        with open(fn, "r") as f:
+            return f.read()
     except Exception as e:
-        print 'File Read Exception: %s' % e
+        print("File Read Exception: %s" % e)
         return
 
 
 def write_data(fn, data):
     try:
-        open(fn, 'wb').write(data)
+        with open(fn, "w") as f:
+            f.write(data)
     except Exception as e:
-        print 'File Write Exception: %s' % e
+        print("File Write Exception: %s" % e)
         return False
 
     return True
 
 
 def get_file_data(conf, option):
-    fn = conf.get(option, '')
+    fn = conf.get(option, "")
     if not fn:
-        print 'Configuration parameter: `%s\' is absent' % option
+        print("Configuration parameter: `%s' is absent" % option)
         return False
 
     return read_data(fn)
 
 
-def create_includes(conf):
-    cuckoo_d = get_file_data(conf, PATH_CONF_CUCKOO)
-    report_d = get_file_data(conf, PATH_REPORT)
-    bootstrap_d = get_file_data(conf, PATH_BOOTSTRAP)
+def create_includes(sandboxes):
+    report_d = read_data(REPORT)
+    bootstrap_d = read_data(BOOTSTRAP)
 
-    # escape characters
-    cuckoo_file = "static const char *cuckoo_conf = \"%s\";" % escape_file_data(cuckoo_d)
-    report_file = "static const char *report_data = \"%s\";" % escape_file_data(report_d)
-    bootstrap_file = "static const char bootstrap_data[] = {\r\n%s\r\n};" % make_hex_array(bootstrap_d)
+    sandbox_file = "std::list<std::pair<std::string, const char *>> default_configs;\n"
+    for sandbox in sandboxes:
+        sandbox_d = read_data(path.join(CONFIG_PATH, sandbox + ".conf"))
+        sandbox_file += f"""static const char {sandbox}_conf[] = %s;
+        \ndefault_configs.push_back(std::pair<std::string, const char *>(std::string("{sandbox}"), {sandbox}_conf));
+        """ % (
+            "{" + make_hex_array(sandbox_d) + "}"
+        )
 
-    if not write_data("code_cuckoo.conf", cuckoo_file):
+    report_file = 'static const char *report_data = "%s";' % escape_file_data(report_d)
+    bootstrap_file = "static const char bootstrap_data[] = {\n%s\n};" % make_hex_array(
+        bootstrap_d
+    )
+
+    if not write_data(OUT_DEFAULT_CONFIG, sandbox_file):
         return False
-    if not write_data("data_report.html", report_file):
+    if not write_data(OUT_DATA_REPORT, report_file):
         return False
-    if not write_data("data_bootstrap.css", bootstrap_file):
+    if not write_data(OUT_DATA_BOOTSTRAP, bootstrap_file):
         return False
 
     return True
 
 
 def read_conf(fn):
     try:
-        return load(open(fn, 'rb'))
+        with open(fn, "r") as f:
+            return load(f)
     except Exception as e:
-        print 'Configuration Read Exception: %s' % e
+        print("Configuration Read Exception: %s" % e)
         return
 
 
+def list_configs():
+    return [
+        x.split(".")[0]
+        for x in filter(lambda x: x.endswith(".conf"), os.listdir(CONFIG_PATH))
+    ]
+
+
 def main():
+    configs = list_configs()
     if len(argv) < 2:
-        print 'GenDefaultData usage: %s [config]' % argv[0]
+        print(
+            "GenDefaultData usage: %s [configuration_name1] [configuration_name2] [...]"
+            % argv[0]
+        )
+        print("List of detection sets:\n" + "\n".join(configs))
         exit(1)
 
-    conf = read_conf(argv[1])
-    if not conf:
-        exit(2)
+    for ds in argv[1:]:
+        if ds not in configs:
+            print(f"Invalid configuration name: {ds}")
+            exit(2)
 
-    if not create_includes(conf):
+    if not create_includes(argv[1:]):
         exit(3)
 
 
-if __name__ == '__main__':
+if __name__ == "__main__":
     main()
diff --git a/SandboxEvasion/helper.cpp b/SandboxEvasion/helper.cpp
@@ -2209,7 +2209,7 @@ bool get_drive_models(std::list<std::string> &drive_models) {
 	for (BYTE i = 0; i < MAX_IDE_DRIVES; ++i) {
 		memset(device_name, 0, _countof(device_name));
 
-		snprintf(device_name, _countof(device_name), fmt_device_name, i);
+		_snprintf_s(device_name, _countof(device_name), fmt_device_name, i);
 
 		if (get_drive_model(device_name, SMART_RCV_DRIVE_DATA, i, drive_model_names)) {
 			std::copy(drive_model_names.begin(), drive_model_names.end(), std::back_insert_iterator<std::list<std::string>>(drive_models));