Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do
License: GNU General Public License v3.0
I know this is probably out of the scope of this application but I think it would be a great edition to explain how to patch the detections on things like qemu/libvirt, on almost stock qemu/libvirt (a few xml modifications) the following detections were found:
Hi there, this issue is not 100% related to Pafish but I guess is something worth mentioning to see if more people have the same issue.
Scenario: Im running a W7 x64 VM in VBox, every update is disabled and reg keys have been changed, I have a 51/53 in Pafish (the rtsc ones are quite difficult for VBox, rest is fine).
So, when creating a snapshot of said machine, and coming back to check the snapshot in a week or so, and re running pafish again, I can see that the WMI has been activated again, plus the 3 reg keys regarding SystemBiosDate, VideoBiosVersion and ACPI\DSDT\VBOX___
If anyone has any idea Id be more than happy to hear, also, if this does not belong to here just feel free to close it:)
Thanks.
Diego.
EDIT** Update.
Found that this issue might be related to Win7 not being an original version, updated and by now it has not changed in a couple weeks.
HackingTeam is using WMI to detect VM's [1], if no one picks this one up I will implement them in Pafish.
[1] https://github.com/informationextraction/scout-win/blob/master/core-scout-win32/antivm.cpp
If I browse to this repository on Github it gets detected by Google Safe Browsing as a unsafe website.
EDIT: I have reported it to Google.
I was just curious as for the reason to implement the delays within these two virtualization detection loops:
https://github.com/a0rtega/pafish/blob/master/pafish/cpu.c#L89
https://github.com/a0rtega/pafish/blob/master/pafish/cpu.c#L100
I haven't seen this explained in literature related to time-based detections on virtualization, and I don't see how sleeping within these loops would yield different results.
Perhaps it relates to implementing this detection in usermode?
HKEY_LOCAL_MACHINE\HARDWARE\Description\System SystemBiosVersion
Find ignoring case string: BOCHS
Malware checks by an advance malware sample:
https://sentinelone.com/blogs/sfg-furtims-parent/
Hello and sorry for posting here. I am using Virtual box and i am trying to make Windows 10 as stealthier as possible. Solved all pafish detections except the two rdtsc ones. I would be thankful if anyone can help with these.
Checking the difference between CPU timestamp counters (rdtsc)
Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
close please
Hi, the < 1 Gb memory check detects my VM's with 1 Gb memory as "traced".
Is the number based on a bare metal memory amount ?
As an example for WinXP;
I'm using Vmware ESX set to 1 Gb, which allocates exactly 1048040 KB
I also checked my VirtualBox, 1 Gb. which also allocates exactly 1048040 KB
So does bare metal 1 Gb actually show 1048576 to the OS, or does it show 1048040 ?
Maybe somebody can verify virtual vs physical (KB).
This could also be used as a flag, if VM's round off 1Gb memory in a special way compared to physical. You could check 512, 1gb, 2gb etc (if there is a mismatch).
Thanks
In case that a virtual environment is detected make a DNS request to a fake domain. Like: hivirtualbox.com or hivmware,com etc..
Add this code: 1ff2756#commitcomment-2542772
Hi,
I've noticed that in "pafish_check_mac_vendor" function in utils.c there is a potential problem:
palist pointer is advanced (line 167: palist = palist->Next;) and freed using LocalFree (lines: 163, 169).
It caused the program to crash.
I recommend to keep a pointer to the start of the allocated buffer and free it before leaving the function.
Thanks for this great tool!
https://kc.mcafee.com/corporate/index?page=content&id=KB79333#Operations
<< ATD must not be deployed in the network using the range 192.168.50.0/24, 192.168.55.0/24, or 192.168.88.0/24. >>
Hi, error in VBOX.c compiling under linux. All other modules compile OK.
Maybe related to the asterisk (*) after IP_ADAPTER_ADDRESSES ? Sorry github seems to mess with the error output... i've included a pic.
Ubuntu 14.04 // gcc version 4.8.2 (GCC)
$ sudo make -B -i
i686-w64-mingw32-gcc -c main.c -o Objects/MingW/main.o -O1
i686-w64-mingw32-gcc -c common.c -o Objects/MingW/common.o -O1
i686-w64-mingw32-gcc -c utils.c -o Objects/MingW/utils.o -O1
i686-w64-mingw32-gcc -c debuggers.c -o Objects/MingW/debuggers.o -O1
i686-w64-mingw32-gcc -c sandboxie.c -o Objects/MingW/sandboxie.o -O1
i686-w64-mingw32-gcc -c vbox.c -o Objects/MingW/vbox.o -O1
vbox.c: In function ‘vbox_mac’:
vbox.c:236:44: error: ‘GAA_FLAG_INCLUDE_PREFIX’ undeclared (first use in this function)
int ret = GetAdaptersAddresses(AF_UNSPEC,GAA_FLAG_INCLUDE_PREFIX,0,0,&alist_size);
vbox.c:236:44: note: each undeclared identifier is reported only once for each function it appears in
vbox.c:238:4: error: unknown type name ‘IP_ADAPTER_ADDRESSES’
IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size);
vbox.c:238:36: error: ‘IP_ADAPTER_ADDRESSES’ undeclared (first use in this function)
IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size);
vbox.c:238:57: error: expected expression before ‘)’ token
IP_ADAPTER_ADDRESSES* palist = (IP_ADAPTER_ADDRESSES*)LocalAlloc(LMEM_ZEROINIT,alist_size);
vbox.c:241:27: error: ‘ppalist’ undeclared (first use in this function)
IP_ADAPTER_ADDRESSES* ppalist=palist;
make: [Objects/MingW/vbox.o] Error 1 (ignored)
i686-w64-mingw32-gcc -c gensandbox.c -o Objects/MingW/gensandbox.o -O1
i686-w64-mingw32-gcc -c wine.c -o Objects/MingW/wine.o -O1
i686-w64-mingw32-gcc -c vmware.c -o Objects/MingW/vmware.o -O1
i686-w64-mingw32-gcc -c qemu.c -o Objects/MingW/qemu.o -O1
i686-w64-mingw32-gcc -c hooks.c -o Objects/MingW/hooks.o -O1
i686-w64-mingw32-windres Objects/MingW/pafish_private.rc --input-format=rc -o Objects/MingW/pafish_private.res -O coff
i686-w64-mingw32-gcc Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/pafish_private.res -o "Output/MingW/pafish.exe" -lwsock32 -liphlpapi -lsetupapi -lmpr -s
i686-w64-mingw32-gcc: error: Objects/MingW/vbox.o: No such file or directory
make: [Output/MingW/pafish.exe] Error 1 (ignored)
Add VMware detection trick related to its IO port.
Opening this issue to keep it pinned for future reference, as it is a recurring problem.
pafish is a security research tool and although it does not perform any malicious action on the system, some antivirus vendors detect it as malware / potentially unwanted application (PUP). There are many possible reasons for this, one of them being that actual malware took some of the code and adapted it for their malicious intent.
We can not do much about it, as we do not have control over the antivirus vendors decisions.
If your Internet browser detects the project website as malicious or phishing, it is almost certainly caused by Google Safe Browsing. In this case, you can report the project website as a false positive. Please do, we appreciate any help in this regard!
If you want to use pafish but the antivirus blocks it, you will have to temporarily disable the protection or add an exclusion to allow it to run.
Modify pafish for use the Windows API GetTickCount. GetTickCount returns the number of milliseconds that the system has been alive, up to a maximum of approximately 49 days. Programs can use this value to determine how long a system has been running and make decisions based on that value. The following image shows Upatre executing these instructions inside of a debugger:
The code calls GetTickCount and compares the returned value to 0xAFE74 (720,500 milliseconds, or ~12 minutes). If GetTickCount returns a value less than 0xAFE74, Upatre determines that the system has been running for less than 12 minutes and exits.
A sample (sha256: 09858ae19ce96499a78dd1f2a304a29caa7a1c220869cb6ec245b8fb91470c7e) has been using those not-yet-supported techniques to detect an analysis system/vm:
RegOpenKeyExA on
These here are anti-spyware detections
SubKey => SOFTWARE\SUPERAntiSpyware.com
SubKey => SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
SubKey => SOFTWARE\SUPERAntiSpyware.com
(generic ?) Sandbox detection
SubKey => Software\Classes*\shell\sandbox
SubKey => Software\Classes\Folder\shell\sandbox
Sandboxie
SubKey => SYSTEM\CurrentControlSet\Services\SbieDrv
SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
API Spy http://download.cnet.com/APIS32-API-Spy/3000-2247_4-9923.html
SubKey => SOFTWARE\APIS32
SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
Debugger
SubKey => Software\Syser Soft
Debugger
SubKey => SYSTEM\CurrentControlSet\Services\SDbgMsg
MS Debugging tools
SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)
DotNet Stuff
SubKey => SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler
Password sniffer
SubKey => Software\Win Sniffer
SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1
IM Tool for companies ?
SubKey => Software\B Labs\Bopup Observer
SubKey => AppEvents\Schemes\Apps\Bopup Observer
SubKey => SOFTWARE\B Labs\Bopup Observer
Cygwin
SubKey => SOFTWARE\Cygwin
SubKey => SOFTWARE\Cygwin
Packet analyser
SubKey => SOFTWARE\ZxSniffer
Wireshark
SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
Network monitor
SubKey => Software\eEye Digital Security
SubKey => SYSTEM\CurrentControlSet\Services\IRIS5
SubKey => Software\CommView
Hi there. Have you considered writing a Linux version? I might be interested in helping you with that, then shipping it in EPEL. Has anyone else asked you about this before (couldn't find much on interwebs)?
There's a great summary by Secret Club about techniques used for VMM detection: https://secret.club/2020/04/13/how-anti-cheats-detect-system-emulation.html - these techniques are implemented by most anti-cheat software on the market. It may be worth adding them to pafish.
~/pafish/pafish$ make -f Makefile.linux
i686-w64-mingw32-gcc -c main.c -o Objects/MingW/main.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c common.c -o Objects/MingW/common.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c utils.c -o Objects/MingW/utils.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c debuggers.c -o Objects/MingW/debuggers.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c sandboxie.c -o Objects/MingW/sandboxie.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c vbox.c -o Objects/MingW/vbox.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c gensandbox.c -o Objects/MingW/gensandbox.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c wine.c -o Objects/MingW/wine.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c vmware.c -o Objects/MingW/vmware.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c qemu.c -o Objects/MingW/qemu.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c hooks.c -o Objects/MingW/hooks.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c cpu.c -o Objects/MingW/cpu.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c cuckoo.c -o Objects/MingW/cuckoo.o -Wall -Wextra -O0
i686-w64-mingw32-gcc -c bochs.c -o Objects/MingW/bochs.o -Wall -Wextra -O0
i686-w64-mingw32-windres Objects/MingW/pafish_private.rc --input-format=rc -o Objects/MingW/pafish_private.res -O coff
i686-w64-mingw32-gcc Objects/MingW/main.o Objects/MingW/common.o Objects/MingW/utils.o Objects/MingW/debuggers.o Objects/MingW/sandboxie.o Objects/MingW/vbox.o Objects/MingW/gensandbox.o Objects/MingW/wine.o Objects/MingW/vmware.o Objects/MingW/qemu.o Objects/MingW/hooks.o Objects/MingW/cpu.o Objects/MingW/cuckoo.o Objects/MingW/bochs.o Objects/MingW/pafish_private.res -o "Output/MingW/pafish.exe" -lwsock32 -liphlpapi -lsetupapi -lmpr -lole32 -lwbemuuid -loleaut32 -lws2_32 -s
Objects/MingW/utils.o:utils.c:(.text+0x6eb): undefined reference to `CLSID_WbemLocator'
collect2: error: ld returned 1 exit status
make: *** [Output/MingW/pafish.exe] Error 1
[-] Windows version: 6.2 build 9200
[-] Running in WoW64: False
[-] CPU: AuthenticAMD
Hypervisor: analseks
CPU brand: AMD Ryzen 5 2600X Six-Core Processor
[-] Debuggers detection
[] Using IsDebuggerPresent() ... OK
[] Using BeingDebugged via PEB access ... OK
[-] CPU information based detections
[] Checking the difference between CPU timestamp counters (rdtsc) ... OK
[] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... traced!
[] Checking hypervisor bit in cpuid feature bits ... traced!
[] Checking cpuid hypervisor vendor for known VM vendors ... OK
[-] Generic reverse turing tests
[] Checking mouse presence ... OK
[] Checking mouse movement ... traced!
[] Checking mouse speed ... traced!
[] Checking mouse click activity ... traced!
[] Checking mouse double click activity ... traced!
[] Checking dialog confirmation ... traced!
[*] Checking plausible dialog confirmation ... traced!
[-] Generic sandbox detection
[] Checking username ... OK
[] Checking file path ... OK
[] Checking common sample names in drives root ... OK
[] Checking if disk size <= 60GB via DeviceIoControl() ... OK
[] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... OK
[] Checking if Sleep() is patched using GetTickCount() ... OK
[] Checking if NumberOfProcessors is < 2 via PEB access ... OK
[] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... OK
[] Checking if pysical memory is < 1Gb ... OK
[] Checking operating system uptime using GetTickCount() ... OK
[*] Checking if operating system IsNativeVhdBoot() ... OK
[-] Sandboxie detection
[*] Using GetModuleHandle(sbiedll.dll) ... OK
[-] Wine detection
[] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... OK
[] Reg key (HKCU\SOFTWARE\Wine) ... OK
[-] VirtualBox detection
[] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[] Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions) ... OK
[] Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion") ... OK
[] Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__) ... OK
[] Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX__) ... OK
[] Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX__) ... OK
[] Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox*) ... OK
[] Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate") ... OK
[] Driver files in C:\WINDOWS\system32\drivers\VBox* ... OK
[] Additional system files ... OK
[] Looking for a MAC address starting with 08:00:27 ... OK
[] Looking for pseudo devices ... OK
[] Looking for VBoxTray windows ... OK
[] Looking for VBox network share ... OK
[] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... OK
[*] Looking for VBox devices using WMI ... OK
[-] VMware detection
[] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... OK
[] Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools) ... OK
[] Looking for C:\WINDOWS\system32\drivers\vmmouse.sys ... OK
[] Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys ... OK
[] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... OK
[] Looking for network adapter name ... OK
[] Looking for pseudo devices ... OK
[] Looking for VMware serial number ... OK
[-] Qemu detection
[] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid CPU brand string 'QEMU Virtual CPU' ... OK
[-] Bochs detection
[] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[] cpuid AMD wrong value for processor name ... OK
[*] cpuid Intel wrong value for processor name ... OK
[-] Pafish has finished analyzing the system, check the log file for more information
and visit the project's site:
https://github.com/a0rtega/pafish
Seen a malware sample using the new IsNativeVhdBoot function to detect if it was running in an OS booted from a VHD.
This function is only available in Windows 8 or later versions. The malware uses GetProcAddress to get the pointer to the function, and it's used if available.
Saw the following detections in Virtualbox guest OS:
[pafish] Hooks traced using ShellExecuteExW method 1
[pafish] Hooks traced using CreateProcessA method 1
Using pafish v056 compiled using gcc 64-bit. Tested on Windows 7 64-bit and Windows 8 64-bit.
I am not hooking those processes.
On Xen 4.6 the string based detection fails as the cpuid no longer returns the string XenVMMXenVMM as the processor string. See screenshot attached.
It seems there is a separate hypervisor leaf now, as you can see in the cpuid output attached from an HVM guest.
cpuid.txt
As does Dridex, check internet temporary files, last documents opened If don't exists activity maybe is a sandbox
Buenas, como tests se podrian añadir parte de mac address de vmware, aparte de solo vbox
Source: http://www.simonganiere.ch/2012/11/20/malware-anti-vm-technics/
Source: https://twitter.com/botherder/status/354882456622596096
Sample:
https://malwr.com/analysis/MWU1MDJiMWZlNzJlNGM4ZGFhM2Y2YWYwYjZjN2ZlYjE/
3cff996887324591ce6628c9dfbb9e42
Kins:
http://zairon.wordpress.com/2013/08/20/kins-malware-initialization-and-dna-paternity-test/
(down at "Copy&paste from more recent Zeus version")
I can not implement it, because I can not test all the cases. Maybe someone else has a vmware:
Tool detection:
File c:\popupkiller.exe
File c:\tools\execute.exe
Mutex Frz_State
File NPF_NdisWanIp
VMWare:
File HGFS
File vmci
Wine:
Registry key Software\WINE
Just submitting a screenshot of running it in a VM vs actual hardware.
Also note that the OS version is not determined correctly on Win10. Use RtlGetVersion to get that.
Hi,
I want to ask why pafish can't detect cuckoo.
It seems so due to apparent lack of commits...
Thanks!
There are some problems with the current version of Pafish. Current version PASS some test in VMWare and consider it as a physical system. The tests that Passed on a VMWARE setup are:
On a Physical system, it also falsely consider it as a Virtual Machine. Details:
Hey, I have problem with this check. How to change my VMware configuration to pass this check and make my virtual machine undetectable?
Implement the following anti-sandbox posted by Joe Security: https://twitter.com/joe4security/status/733289607949881344
I use this to check for people for Virtual Machine, but it shows as a virus and cannot be downloaded
I saw malware (Fynloski) using GetDiskFreeSpaceExA to identify VMs. 50 GB free should be enough
Hi Alberto,
I thing "vmware_reg_key1" function should be updated to include "Scsi Port 1" and "Scsi Port 2" as well. Some vmware machine that I have seen contains the "Identifier" key in "Scsi Port 1" and some others in "Scsi Port 2".
Is there any reason behind not including these keys? Or should I proceed and commit my changes.
Have fun.
[-] Windows version: 6.2 build 9200
[-] Running in WoW64: False
[-] CPU: GenuineIntel
Hypervisor: ♦►
CPU brand: Intel(R) Core(TM) i5-9400F CPU @ 2.90GHz
[-] Debuggers detection
[] Using IsDebuggerPresent() ... OK
[] Using BeingDebugged via PEB access ... OK
[-] CPU information based detections
[] Checking the difference between CPU timestamp counters (rdtsc) ... OK
[] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... OK
[] Checking hypervisor bit in cpuid feature bits ... OK
[] Checking cpuid hypervisor vendor for known VM vendors ... OK
[-] Generic reverse turing tests
[] Checking mouse presence ... OK
[] Checking mouse movement ... traced!
[] Checking mouse speed ... traced!
[] Checking mouse click activity ... traced!
[] Checking mouse double click activity ... traced!
[] Checking dialog confirmation ... OK
[*] Checking plausible dialog confirmation ... OK
[-] Generic sandbox detection
[] Checking username ... OK
[] Checking file path ... OK
[] Checking common sample names in drives root ... OK
[] Checking if disk size <= 60GB via DeviceIoControl() ... OK
[] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... OK
[] Checking if Sleep() is patched using GetTickCount() ... OK
[] Checking if NumberOfProcessors is < 2 via PEB access ... OK
[] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... OK
[] Checking if pysical memory is < 1Gb ... OK
[] Checking operating system uptime using GetTickCount() ... OK
[*] Checking if operating system IsNativeVhdBoot() ... OK
[-] Sandboxie detection
[*] Using GetModuleHandle(sbiedll.dll) ... OK
[-] Wine detection
[] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... OK
[] Reg key (HKCU\SOFTWARE\Wine) ... OK
[-] VirtualBox detection
[] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[] Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions) ... OK
[] Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion") ... OK
[] Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__) ... OK
[] Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX__) ... OK
[] Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX__) ... OK
[] Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox*) ... OK
[] Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate") ... OK
[] Driver files in C:\WINDOWS\system32\drivers\VBox* ... OK
[] Additional system files ... OK
[] Looking for a MAC address starting with 08:00:27 ... OK
[] Looking for pseudo devices ... OK
[] Looking for VBoxTray windows ... OK
[] Looking for VBox network share ... OK
[] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... OK
[*] Looking for VBox devices using WMI ... OK
[-] VMware detection
[] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... OK
[] Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools) ... OK
[] Looking for C:\WINDOWS\system32\drivers\vmmouse.sys ... OK
[] Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys ... OK
[] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... traced!
[] Looking for network adapter name ... traced!
[] Looking for pseudo devices ... traced!
[] Looking for VMware serial number ... OK
[-] Qemu detection
[] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid CPU brand string 'QEMU Virtual CPU' ... OK
[-] Bochs detection
[] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[] cpuid AMD wrong value for processor name ... OK
[*] cpuid Intel wrong value for processor name ... OK
[-] Pafish has finished analyzing the system, check the log file for more information
and visit the project's site:
https://github.com/a0rtega/pafish
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.