Oct 13, 2019, 05:35 PM
[al-khaser version 0.77]
-------------------------[Initialisation]-------------------------

[*] You are running: Microsoft Windows 10 (build 18362) 64-bit
[*] Warning: API ntdll.dll!NtWow64QueryVirtualMemory64 was expected to exist but was not found.

-------------------------[TLS Callbacks]-------------------------
[*] TLS process attach callback [ GOOD ]
[*] TLS thread attach callback [ GOOD ]

-------------------------[Debugger Detection]-------------------------
[*] Checking IsDebuggerPresent API [ GOOD ]
[*] Checking PEB.BeingDebugged [ GOOD ]
[*] Checking CheckRemoteDebuggerPresent API [ GOOD ]
[*] Checking PEB.NtGlobalFlag [ GOOD ]
[*] Checking ProcessHeap.Flags [ GOOD ]
[*] Checking ProcessHeap.ForceFlags [ GOOD ]
[*] Checking NtQueryInformationProcess with ProcessDebugPort [ GOOD ]
[*] Checking NtQueryInformationProcess with ProcessDebugFlags [ GOOD ]
[*] Checking NtQueryInformationProcess with ProcessDebugObject [ GOOD ]
[*] Checking WudfIsAnyDebuggerPresent API [ GOOD ]
[*] Checking WudfIsKernelDebuggerPresent API [ GOOD ]
[*] Checking WudfIsUserDebuggerPresent API [ GOOD ]
[*] Checking NtSetInformationThread with ThreadHideFromDebugger [ GOOD ]
[*] Checking CloseHandle with an invalide handle [ GOOD ]
[*] Checking UnhandledExcepFilterTest [ GOOD ]
[*] Checking OutputDebugString [ GOOD ]
[*] Checking Hardware Breakpoints [ GOOD ]
[*] Checking Software Breakpoints [ GOOD ]
[*] Checking Interupt 0x2d [ GOOD ]
[*] Checking Interupt 1 [ GOOD ]
[*] Checking Memory Breakpoints PAGE GUARD [ GOOD ]
[*] Checking If Parent Process is explorer.exe [ BAD ]
[*] Checking SeDebugPrivilege [ GOOD ]
[*] Checking NtQueryObject with ObjectTypeInformation [ GOOD ]
[*] Checking NtQueryObject with ObjectAllTypesInformation [ GOOD ]
[*] Checking NtYieldExecution [ GOOD ]
[*] Checking CloseHandle protected handle trick [ GOOD ]
[*] Checking NtQuerySystemInformation with SystemKernelDebuggerInformation [ GOOD ]
[*] Checking SharedUserData->KdDebuggerEnabled [ GOOD ]
[*] Checking if process is in a job [ GOOD ]
[*] Checking VirtualAlloc write watch (buffer only) [ GOOD ]
[*] Checking VirtualAlloc write watch (API calls) [ GOOD ]
[*] Checking VirtualAlloc write watch (IsDebuggerPresent) [ GOOD ]
[*] Checking VirtualAlloc write watch (code write) [ GOOD ]
[*] Checking for page exception breakpoints [ GOOD ]
[*] Checking for API hooks outside module bounds [ BAD ]

-------------------------[DLL Injection Detection]-------------------------
[*] Enumerating modules with EnumProcessModulesEx [32-bit] [ GOOD ]
[*] Enumerating modules with EnumProcessModulesEx [64-bit] [ GOOD ]
[*] Enumerating modules with EnumProcessModulesEx [ALL] [ GOOD ]
[*] Enumerating modules with ToolHelp32 [ GOOD ]
[*] Enumerating the process LDR via LdrEnumerateLoadedModules [ GOOD ]
[*] Enumerating the process LDR directly [ GOOD ]
[*] Walking process memory with GetModuleInformation [ GOOD ]
[*] Walking process memory for hidden modules

 [!] Running on WoW64, there will be false positives due to wow64 DLLs.
 [!] Executable at 77C70000
 [!] Executable at 77C70000
[ BAD ]

-------------------------[Generic Sandboxe/VM Detection]-------------------------
[*] Checking if process loaded modules contains: avghookx.dll [ GOOD ]
[*] Checking if process loaded modules contains: avghooka.dll [ GOOD ]
[*] Checking if process loaded modules contains: snxhk.dll [ GOOD ]
[*] Checking if process loaded modules contains: sbiedll.dll [ GOOD ]
[*] Checking if process loaded modules contains: dbghelp.dll [ GOOD ]
[*] Checking if process loaded modules contains: api_log.dll [ GOOD ]
[*] Checking if process loaded modules contains: dir_watch.dll [ GOOD ]
[*] Checking if process loaded modules contains: pstorec.dll [ GOOD ]
[*] Checking if process loaded modules contains: vmcheck.dll [ GOOD ]
[*] Checking if process loaded modules contains: wpespy.dll [ GOOD ]
[*] Checking if process loaded modules contains: cmdvrt64.dll [ GOOD ]
[*] Checking if process loaded modules contains: cmdvrt32.dll [ GOOD ]
[*] Checking Number of processors in machine [ GOOD ]
[*] Checking Interupt Descriptor Table location [ GOOD ]
[*] Checking Local Descriptor Table location [ GOOD ]
[*] Checking Global Descriptor Table location [ GOOD ]
[*] Checking Store Task Register [ GOOD ]
[*] Checking Number of cores in machine using WMI [ GOOD ]
[*] Checking hard disk size using WMI [ GOOD ]
[*] Checking hard disk size using DeviceIoControl [ GOOD ]
[*] Checking SetupDi_diskdrive [ GOOD ]
[*] Checking mouse movement [ GOOD ]
[*] Checking memory space using GlobalMemoryStatusEx [ GOOD ]
[*] Checking disk size using GetDiskFreeSpaceEx [ GOOD ]
[*] Checking if CPU hypervisor field is set using cpuid(0x1) [ GOOD ]
[*] Checking hypervisor vendor using cpuid(0x40000000) [ GOOD ]
[*] Check if time has been accelerated [ GOOD ]
[*] VM Driver Services [ GOOD ]
[*] Checking SerialNumber from BIOS using WMI [ GOOD ]
[*] Checking Model from ComputerSystem using WMI [ GOOD ]
[*] Checking Manufacturer from ComputerSystem using WMI [ GOOD ]
[*] Checking Current Temperature using WMI [ GOOD ]
[*] Checking ProcessId using WMI [ GOOD ]
[*] Checking power capabilities [ GOOD ]
[*] Checking CPU fan using WMI [ GOOD ]
[*] Checking NtQueryLicenseValue with Kernel-VMDetection-Private [ GOOD ]
[*] Checking Win32_CacheMemory with WMI [ GOOD ]
[*] Checking Win32_PhysicalMemory with WMI [ GOOD ]
[*] Checking Win32_MemoryDevice with WMI [ GOOD ]
[*] Checking Win32_MemoryArray with WMI [ GOOD ]
[*] Checking Win32_VoltageProbe with WMI [ GOOD ]
[*] Checking Win32_PortConnector with WMI [ GOOD ]
[*] Checking Win32_SMBIOSMemory with WMI [ GOOD ]
[*] Checking ThermalZoneInfo performance counters with WMI [ GOOD ]
[*] Checking CIM_Memory with WMI [ GOOD ]
[*] Checking CIM_Sensor with WMI [ GOOD ]
[*] Checking CIM_NumericSensor with WMI [ GOOD ]
[*] Checking CIM_TemperatureSensor with WMI [ GOOD ]
[*] Checking CIM_VoltageSensor with WMI [ GOOD ]
[*] Checking CIM_PhysicalConnector with WMI [ GOOD ]
[*] Checking CIM_Slot with WMI [ GOOD ]

-------------------------[VirtualBox Detection]-------------------------
[*] Checking reg key HARDWARE\Description\System - Identifier is set to VBOX [ GOOD ]
[*] Checking reg key HARDWARE\Description\System - SystemBiosVersion is set to VBOX [ GOOD ]
[*] Checking reg key HARDWARE\Description\System - VideoBiosVersion is set to VIRTUALBOX [ GOOD ]
[*] Checking reg key HARDWARE\Description\System - SystemBiosDate is set to 06/23/99 [ GOOD ]
[*] Checking VirtualBox Guest Additions directory [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\VBoxMouse.sys [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\VBoxGuest.sys [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\VBoxSF.sys [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\VBoxVideo.sys [ GOOD ]
[*] Checking file C:\WINDOWS\system32\vboxdisp.dll [ GOOD ]
[*] Checking file C:\WINDOWS\system32\vboxhook.dll [ GOOD ]
[*] Checking file C:\WINDOWS\system32\vboxmrxnp.dll [ GOOD ]
[*] Checking file C:\WINDOWS\system32\vboxogl.dll [ GOOD ]
[*] Checking file C:\WINDOWS\system32\vboxoglarrayspu.dll [ GOOD ]
[*] Checking file C:\WINDOWS\system32\vboxoglcrutil.dll [ GOOD ]
[*] Checking file C:\WINDOWS\system32\vboxoglerrorspu.dll [ GOOD ]
[*] Checking file C:\WINDOWS\system32\vboxoglfeedbackspu.dll [ GOOD ]
[*] Checking file C:\WINDOWS\system32\vboxoglpackspu.dll [ GOOD ]
[*] Checking file C:\WINDOWS\system32\vboxoglpassthroughspu.dll [ GOOD ]
[*] Checking file C:\WINDOWS\system32\vboxservice.exe [ GOOD ]
[*] Checking file C:\WINDOWS\system32\vboxtray.exe [ GOOD ]
[*] Checking file C:\WINDOWS\system32\VBoxControl.exe [ GOOD ]
[*] Checking reg key HARDWARE\ACPI\DSDT\VBOX__ [ GOOD ]
[*] Checking reg key HARDWARE\ACPI\FADT\VBOX__ [ GOOD ]
[*] Checking reg key HARDWARE\ACPI\RSDT\VBOX__ [ GOOD ]
[*] Checking reg key SOFTWARE\Oracle\VirtualBox Guest Additions [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Services\VBoxGuest [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Services\VBoxMouse [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Services\VBoxService [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Services\VBoxSF [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Services\VBoxVideo [ GOOD ]
[*] Checking Mac Address start with 08:00:27 [ GOOD ]
[*] Checking MAC address (Hybrid Analysis) [ GOOD ]
[*] Checking device \\.\VBoxMiniRdrDN [ GOOD ]
[*] Checking device \\.\VBoxGuest [ GOOD ]
[*] Checking device \\.\pipe\VBoxMiniRdDN [ GOOD ]
[*] Checking device \\.\VBoxTrayIPC [ GOOD ]
[*] Checking device \\.\pipe\VBoxTrayIPC [ GOOD ]
[*] Checking VBoxTrayToolWndClass / VBoxTrayToolWnd [ GOOD ]
[*] Checking VirtualBox Shared Folders network provider [ GOOD ]
[*] Checking VirtualBox process vboxservice.exe [ GOOD ]
[*] Checking VirtualBox process vboxtray.exe [ GOOD ]
[*] Checking Win32_PnPDevice DeviceId from WMI for VBox PCI device [ GOOD ]
[*] Checking Win32_PnPDevice Name from WMI for VBox controller hardware [ GOOD ]
[*] Checking Win32_PnPDevice Name from WMI for VBOX names [ GOOD ]
[*] Checking Win32_Bus from WMI [ GOOD ]
[*] Checking Win32_BaseBoard from WMI [ GOOD ]
[*] Checking MAC address from WMI [ GOOD ]
[*] Checking NTEventLog from WMI [ GOOD ]
[*] Checking SMBIOS firmware [ GOOD ]
[*] Checking ACPI tables [ GOOD ]

-------------------------[VMWare Detection]-------------------------
[*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 [ GOOD ]
[*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 [ GOOD ]
[*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Control\SystemInformation [ GOOD ]
[*] Checking reg key SYSTEM\ControlSet001\Control\SystemInformation [ GOOD ]
[*] Checking reg key SOFTWARE\VMware, Inc.\VMware Tools [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\vmmouse.sys [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\vmhgfs.sys [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\vm3dmp.sys [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\vmci.sys [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\vmhgfs.sys [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\vmmemctl.sys [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\vmmouse.sys [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\vmrawdsk.sys [ GOOD ]
[*] Checking file C:\WINDOWS\system32\drivers\vmusbmouse.sys [ GOOD ]
[*] Checking MAC starting with 00:05:69 [ GOOD ]
[*] Checking MAC starting with 00:0c:29 [ GOOD ]
[*] Checking MAC starting with 00:1C:14 [ GOOD ]
[*] Checking MAC starting with 00:50:56 [ GOOD ]
[*] Checking VMWare network adapter name [ GOOD ]
[*] Checking device \\.\HGFS [ GOOD ]
[*] Checking device \\.\vmci [ GOOD ]
[*] Checking VMWare directory [ GOOD ]
[*] Checking SMBIOS firmware [ GOOD ]
[*] Checking ACPI tables [ GOOD ]

-------------------------[Virtual PC Detection]-------------------------
[*] Checking Virtual PC processes VMSrvc.exe [ GOOD ]
[*] Checking Virtual PC processes VMUSrvc.exe [ GOOD ]
[*] Checking reg key SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters [ GOOD ]

-------------------------[QEMU Detection]-------------------------
[*] Checking reg key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 [ GOOD ]
[*] Checking reg key HARDWARE\Description\System [ GOOD ]
[*] Checking qemu processes qemu-ga.exe [ GOOD ]
[*] Checking SMBIOS firmware [ GOOD ]
[*] Checking ACPI tables [ GOOD ]

-------------------------[Xen Detection]-------------------------
[*] Checking Citrix Xen process xenservice.exe [ GOOD ]
[*] Checking Mac Address start with 08:16:3E [ GOOD ]

-------------------------[Wine Detection]-------------------------
[*] Checking Wine via dll exports [ GOOD ]
[*] Checking reg key SOFTWARE\Wine [ GOOD ]

-------------------------[Paralles Detection]-------------------------
[*] Checking Parallels processes: prl_cc.exe [ GOOD ]
[*] Checking Parallels processes: prl_tools.exe [ GOOD ]
[*] Checking Mac Address start with 08:1C:42 [ GOOD ]

-------------------------[Timing-attacks]-------------------------

[*] Delay value is set to 10 minutes ...
[*] Performing a sleep using NtDelayExecution ...