Тема: AntiSandBox

It detects a number of sandboxes, emulators and analysis tools by process name, user name, loaded module or install path: Anubis, ThreatExpert, "Sandbox", JoeBox, Norman, Sunbelt, Sandboxie, iDEFENSE SysAnalyzer, Virtual PC and VirtualBox, plus a check for a running Wireshark or Kaspersky (avp.exe), which are analysis/AV tools rather than sandboxes. Note that the user-name and substring matches also fire on ordinary machines (see the replies below).

#include <stdio.h>
#include <windows.h>   
#include <tlhelp32.h>

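// Indicator tables used by the checks below.  Declared as pointers to const:
// ISO C++11 and later reject binding a string literal to a plain char*, and
// nothing in this file writes through these pointers.
//
// Process image names matched with strstr() (substring, case-sensitive).
const char* sExes[] = { "joeboxserver.exe", "joeboxcontrol.exe", //joebox 
                        "wireshark.exe", //wireshark 
                        "avp.exe", //kaspersky
                        "sniff_hit.exe", "sysAnalyzer.exe" };  //sysanalyzer

// Account-name substrings.  "user" also matches many ordinary accounts, as
// noted in the replies below, so a hit here is a weak signal.
const char* sUsers[] = { "username", //threat expert
                         "user", //sandbox
                         "currentuser" };  //norman

// Modules looked up with GetModuleHandle() in this process (never loaded).
const char* sModules[] = { "api_log.dll", "dir_watch.dll", //sunbelt & sandboxie
                           "pstorec.dll", //sunbelt
                           "SbieDll.dll", }; //sandboxie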
                  
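// Scan the process list for the image names in sExes.
// Returns the 1-based index of the first sExes entry found as a substring of
// some process name (case-sensitive, so it also matches unrelated names that
// merely contain the pattern), or 0 when nothing matched or the snapshot
// could not be taken.  Assumes an ANSI build: szExeFile is treated as char.
int ProcessCheck()
{    
    // Only processes are needed; TH32CS_SNAPALL also walked every heap and
    // module of this process for nothing.
    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( hSnapshot == INVALID_HANDLE_VALUE )
        return( 0 );   // same verdict the original reached via a failing Process32First

    int found = 0;
    PROCESSENTRY32 pe32 = { sizeof( PROCESSENTRY32 ) };
    if( Process32First( hSnapshot, &pe32 ) )
    {                       
        do 
        {         
            const size_t count = sizeof( sExes ) / sizeof( sExes[ 0 ] );
            for( size_t i = 0; found == 0 && i < count; i++ )
            {
                if( strstr( pe32.szExeFile, sExes[ i ] ) )
                    found = (int) i + 1;
            }
        }
        while( found == 0 && Process32Next( hSnapshot, &pe32 ) );  
    }

    // The original returned straight out of the loop and never closed the
    // snapshot, leaking a kernel handle per call.
    CloseHandle( hSnapshot );
    return( found );
}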

// Look for the DLLs listed in sModules inside this process.
// GetModuleHandle only reports modules that are already mapped; it loads
// nothing.  Returns the 1-based index of the first entry present, else 0.
int ModuleCheck()
{
    const size_t count = sizeof( sModules ) / sizeof( sModules[ 0 ] );
    for( size_t idx = 0; idx < count; ++idx )
    {
        if( GetModuleHandle( sModules[ idx ] ) != NULL )
            return static_cast<int>( idx ) + 1;
    }
    return 0;
}

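// Compare the current account name against the substrings in sUsers.
// Returns the 1-based index of the first sUsers entry contained in the user
// name (case-sensitive strstr), 0 when none is, and -1 when GetUserName
// fails.  The original reported failure as 1, which is indistinguishable
// from a hit on sUsers[0]; main() only tests for == 0, so it is unaffected.
int UserCheck()
{
    // 30 bytes was too small for a legitimately long account name, making
    // GetUserName fail with ERROR_INSUFFICIENT_BUFFER on such machines.
    // 256 characters (UNLEN) plus the terminator covers any Windows account.
    char szBuffer[ 256 + 1 ];
    DWORD lSize = sizeof( szBuffer );
    
    if( GetUserName( szBuffer, &lSize ) == 0 )
        return( -1 );
        
    const size_t count = sizeof( sUsers ) / sizeof( sUsers[ 0 ] );
    for( size_t i = 0; i < count; i++ )
    {
         // substring match: "user" also hits e.g. "superuser" or "user123"
         if( strstr( szBuffer, sUsers[ i ] ) )
             return( (int) i + 1 );
    }
    return( 0 );
}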

// Run the three probes in order and print a "clean" line for each one that
// returns 0; a non-zero result (hit or error) prints nothing, exactly as the
// original did.
int main()
{
    struct Probe { int (*run)(); const char* cleanMsg; };
    const Probe probes[] = {
        { ProcessCheck, "process check < clean\n" },
        { ModuleCheck,  "module check < clean\n"  },
        { UserCheck,    "user check < clean\n"    },
    };

    const size_t count = sizeof( probes ) / sizeof( probes[ 0 ] );
    for( size_t k = 0; k < count; ++k )
    {
        if( probes[ k ].run( ) == 0 )
            printf( "%s", probes[ k ].cleanMsg );
    }
    
    getchar( );   // keep the console window open until Enter
    
    return 0;
}

Копипаст откуда-то...

Отредактировано spider-intruder (2009-05-16 17:53:54)

Re: AntiSandBox

Ещё что-то (копировал как есть — много бреда, но кое-что есть):

#include <iostream>
#include <string>
#include <Windows.h>   
#include <tlhelp32.h>
#include <TCHAR.H>   
#include <dir.h>

using namespace std;

// Set to 1 by any Is*() check that fires; IsAll() reads it after the chain.
int detected = 0;

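// Fill pszBuffer (dwSize characters) with the directory of module hInst,
// trailing backslash kept, and return the index of that backslash.
// Returns 0 when GetModuleFileName fails, when the path was truncated, or
// when it holds no backslash.  Not used by the rest of this listing.
DWORD GetModulePath(HINSTANCE hInst,LPTSTR pszBuffer,DWORD dwSize)
{
    DWORD dwLength = GetModuleFileName(hInst,pszBuffer,dwSize);
    
    // On truncation the call returns dwSize; the original then read
    // pszBuffer[dwSize], one past the end of the caller's buffer.
    if(dwLength == 0 || dwLength >= dwSize)
    {
        return 0;
    }

    // Walk back from the terminating NUL to the last path separator.
    while(dwLength && pszBuffer[ dwLength ] != _T('\\'))
    {
        dwLength--;
    }

    if(dwLength)
    {
        pszBuffer[ dwLength + 1 ] = _T('\000');   // cut just after the separator
    }
    
    return dwLength;
}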

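// TRUE if a process whose image name equals szExeName exactly (strcmp:
// case-sensitive, whole name) is present in the process list.
// Assumes an ANSI build, as the rest of this listing does (szExeFile is
// compared as char data).  Returns 0 when the snapshot cannot be taken.
BOOL IsProcessRunning(const string& szExeName)
{    
    // Processes only; TH32CS_SNAPALL also walked this process's heaps and modules.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(hSnapshot == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    BOOL running = 0;
    PROCESSENTRY32 pce = {sizeof(PROCESSENTRY32)};
    if(Process32First(hSnapshot, &pce))
    {
        do
        {         
            if(strcmp(pce.szExeFile, szExeName.c_str()) == 0)
            {       
                running = 1;
                break;
            }  
        }while( Process32Next(hSnapshot, &pce) );
    }

    // The original returned from inside the loop and never closed the
    // snapshot; with seven callers that leaked seven handles per run.
    CloseHandle(hSnapshot);
    return running; 
}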

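// TRUE if the account name of the calling thread equals comp exactly
// (case-sensitive).  Returns 0 when GetUserName fails.
BOOL IsUsername(const string& comp)
{
    // The original ignored GetUserName's result, so a failure (e.g. a name
    // longer than its 30-byte buffer) compared uninitialized stack bytes.
    // 256 characters (UNLEN) plus the terminator covers any account name.
    char username[256 + 1];
    DWORD nSize = sizeof(username);

    if(!GetUserName(username, &nSize))
    {
        return 0;
    }

    return strcmp(username, comp.c_str()) == 0 ? 1 : 0;
}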

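// TRUE if the full path of this executable contains filefold as a
// case-sensitive substring.  Despite the name it inspects no folder; it only
// tells where the program itself was started from.
BOOL IsFileInFolder(const char* filefold)
{
    char buff[MAX_PATH + 1] = {0};
    
    // On truncation GetModuleFileName returns the buffer size and, on older
    // systems, does not NUL-terminate; the original then ran strstr past the
    // end of its 255-byte buffer.  Leave one byte that is always NUL.
    if(GetModuleFileName(0, buff, MAX_PATH) == 0)
    {
        return 0;
    }
    buff[MAX_PATH] = '\0';

    return strstr(buff, filefold) != 0 ? 1 : 0;
}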

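// TRUE if comp names an existing directory.
// The original used chdir(), which changed the current directory of the
// whole process as a side effect whenever the check succeeded (and needed
// the non-standard <dir.h>); GetFileAttributes only looks.
BOOL IsFolderExist(const string& comp)
{
    const DWORD attr = GetFileAttributes(comp.c_str());
    if(attr == INVALID_FILE_ATTRIBUTES)
    {
        return 0;   // missing or inaccessible
    }

    return (attr & FILE_ATTRIBUTE_DIRECTORY) ? 1 : 0;
}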

// Anubis indicator: this executable runs from under C:\InsideTm\.
// Records the hit in the global `detected`, like every other Is*() check.
BOOL IsAnubis()
{
    const bool hit = IsFileInFolder("C:\\InsideTm\\") == 1;
    if(!hit)
    {
        return 0;
    }
    detected = 1;
    return 1;
}

// ThreatExpert indicator: the account is literally named "username".
// Records the hit in the global `detected`.
BOOL IsTE()
{
    const bool hit = IsUsername("username") == 1;
    if(!hit)
    {
        return 0;
    }
    detected = 1;
    return 1;
}

// "Sandbox" indicator: the account is literally named "user".  This is an
// exact comparison here (unlike the strstr version in the first listing),
// but "user" is still a common real account name.  Records the hit in
// the global `detected`.
BOOL IsSandbox()
{
    const bool hit = IsUsername("user") == 1;
    if(!hit)
    {
        return 0;
    }
    detected = 1;
    return 1;
}

// JoeBox indicator: either of its two helper processes is running.
// The second lookup is only made when the first found nothing, as in the
// original short-circuit `||`.  Records the hit in the global `detected`.
BOOL IsJB()
{
    bool hit = IsProcessRunning("joeboxserver.exe") == 1;
    if(!hit)
    {
        hit = IsProcessRunning("joeboxcontrol.exe") == 1;
    }
    if(!hit)
    {
        return 0;
    }
    detected = 1;
    return 1;           
}    

// Norman indicator: the account is literally named "currentuser".
// Records the hit in the global `detected`.
BOOL IsNorman()
{
    const bool hit = IsUsername("currentuser") == 1;
    if(!hit)
    {
        return 0;
    }
    detected = 1;
    return 1;
}

// Wireshark indicator: wireshark.exe is running.  This is an analyst-tool
// check, not a sandbox check.  Records the hit in the global `detected`.
BOOL IsWireShark()
{
    const bool hit = IsProcessRunning("wireshark.exe") == 1;
    if(!hit)
    {
        return 0;
    }
    detected = 1;
    return 1;
}

// Kaspersky indicator: avp.exe is running.  This is an AV-presence check,
// not a sandbox check.  Records the hit in the global `detected`.
BOOL IsKaspersky()
{
    const bool hit = IsProcessRunning("avp.exe") == 1;
    if(!hit)
    {
        return 0;
    }
    detected = 1;
    return 1;
}


// iDEFENSE SysAnalyzer indicator: api_log.dll or dir_watch.dll mapped into
// this process (DLLs the first listing attributes to Sunbelt/Sandboxie), or
// one of the sniff_hit.exe / sysAnalyzer.exe tool processes running.  The
// process scan only happens when neither DLL is present, as in the original
// else-if.  Records the hit in the global `detected`.
BOOL IsID() //Sunbelt & Sandboxie included
{
    const bool dllPresent =
        GetModuleHandle("api_log.dll") != NULL || GetModuleHandle("dir_watch.dll") != NULL;

    bool hit = dllPresent;
    if(!hit)
    {
        hit = IsProcessRunning("sniff_hit.exe") == 1 || IsProcessRunning("sysAnalyzer.exe") == 1;
    }

    if(!hit)
    {
        return 0;
    }
    detected = 1;
    return 1;
}  

// Sunbelt indicator: pstorec.dll mapped into this process, or a C:\analysis
// directory present (checked only when the DLL is absent, as in the original
// else-if).  Records the hit in the global `detected`.
BOOL IsSunbelt()
{
    bool hit = GetModuleHandle("pstorec.dll") != NULL;
    if(!hit)
    {
        hit = IsFolderExist("C:\\analysis") == 1;
    }

    if(!hit)
    {
        return 0;
    }
    detected = 1;
    return 1;
}

// Sandboxie indicator: SbieDll.dll is mapped into this process (GetModuleHandle
// loads nothing).  Records the hit in the global `detected`.
BOOL IsSandboxie()
{
    const bool hit = GetModuleHandle("SbieDll.dll") != NULL;
    if(!hit)
    {
        return 0;
    }
    detected = 1;
    return 1;
}

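// Virtual PC check delegated to an external helper, vmcheck.dll, through its
// IsRunningInsideVirtualMachine export.  Returns 0 when the DLL or the export
// is absent.  Records the hit in the global `detected`.
//
// SECURITY: the DLL is loaded from a fixed path in the drive root, outside
// the system's protected DLL search path; whoever can write C:\vmcheck.dll
// runs code inside this process.  Kept as-is because the check does not work
// without that exact file, but treat it as a code-execution sink.
BOOL IsVPC() //steve10120
{
  HMODULE dll = LoadLibrary("C:\\vmcheck.dll");
  
  if(dll == NULL)
  {
      return 0;
  }

  typedef BOOL (WINAPI *VmCheckFn)();
  VmCheckFn fnIsRunningInsideVirtualMachine =
      (VmCheckFn) GetProcAddress(dll, "IsRunningInsideVirtualMachine");

  BOOL retValue = FALSE;

  if(fnIsRunningInsideVirtualMachine != NULL)
  {                                                                  
      retValue = fnIsRunningInsideVirtualMachine();
  }

  FreeLibrary(dll);

  // The original discarded retValue and reported a hit whenever the export
  // existed, so the mere presence of the DLL counted as "Virtual PC".
  if(retValue)
  {
      detected = 1;
      return 1;
  }
    
  return 0;
}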

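// Inline-hook check on kernel32!CreateProcessA: TRUE if its first byte is
// 0xE9 (x86 JMP rel32), presumably the signature of a monitor that
// redirected the function.  A missing export or a failed read is not a hit.
// Records the hit in the global `detected`.
BOOL IsOther() //carb0n
{
   // The original stuffed the address into an unsigned long (truncated on
   // 64-bit builds), never checked GetProcAddress for NULL, and tested an
   // uninitialized byte when ReadProcessMemory failed.
   HMODULE kernel32 = GetModuleHandle( "KERNEL32.dll" );
   if( kernel32 == NULL )
   {
       return 0;
   }

   FARPROC aCreateProcess = GetProcAddress( kernel32, "CreateProcessA" );
   if( aCreateProcess == NULL )
   {
       return 0;
   }

   unsigned char bBuffer = 0;
   SIZE_T bytesRead = 0;
   if( !ReadProcessMemory( GetCurrentProcess( ), (const void *) aCreateProcess, &bBuffer, 1, &bytesRead )
       || bytesRead != 1 )
   {
       return 0;
   }
   
   if( bBuffer == 0xE9 )
   {
       detected = 1;
       return 1;
   }

   return 0;
}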

// Timing check: sleep 500 ms and see whether the tick counter advanced by at
// least that much; an emulator that skips or fast-forwards Sleep shows less.
// GetTickCount ticks coarsely (typically 10-16 ms), so a real machine can
// also measure slightly under 500 and trip this.  Records the hit in the
// global `detected`.
BOOL IsEmu() //Noble & ChainCoder
{
    const DWORD kSleepMs = 500;

    const DWORD before = GetTickCount(); 
    Sleep(kSleepMs);
    const DWORD elapsed = GetTickCount() - before;   // unsigned: safe across wrap

    if (elapsed >= kSleepMs)
    {
        return 0;
    }
    detected = 1;
    return 1;
}

// VirtualBox indicator: the guest-additions service VBoxService.exe is
// running.  Records the hit in the global `detected`.
BOOL IsVB()
{
    const bool hit = IsProcessRunning("VBoxService.exe") == 1;
    if(!hit)
    {
        return 0;
    }
    detected = 1;
    return 1;
}


// Placeholder for the payload: it only announces itself on stdout.
// Always returns 0.
BOOL malware()
{
    std::cout << "MALWARE" << std::endl;
    return 0;
}


// Last probe of the chain: IsEmu() (which sleeps 500 ms) only runs when
// IsOther() found nothing, exactly as the original's short-circuit `||`.
static BOOL IsOtherOrEmu()
{
    return (IsOther() == 1 || IsEmu() == 1) ? 1 : 0;
}

// Run every check in the original order and name only the first one that
// fires (the original was one long if/else-if ladder).  Each check records
// its hit in the global `detected`, which decides the outcome: returns 1
// and prints a warning when anything was detected, otherwise runs the
// payload and returns 0.
BOOL IsAll()
{
    struct Probe { BOOL (*check)(); const char* message; };
    const Probe probes[] = {
        { IsAnubis,     "Anubis detected..." },
        { IsTE,         "Threat Expert detected..." },
        { IsSandbox,    "Sandbox detected..." },
        { IsJB,         "JoeBox detected..." },
        { IsNorman,     "Norman detected" },
        { IsWireShark,  "WireShark detected" },
        { IsKaspersky,  "Kaspersky detected" },
        { IsID,         "iDEFENSE sysAnalyzer detected" },
        { IsSunbelt,    "Sunbelt detected" },
        { IsSandboxie,  "Sandboxie detected" },
        { IsVPC,        "Virtual PC detected" },
        { IsVB,         "Virtual Box detected" },
        { IsOtherOrEmu, "Some others detected" },
    };

    const size_t count = sizeof(probes) / sizeof(probes[0]);
    for(size_t k = 0; k < count; ++k)
    {
        if(probes[k].check() == 1)
        {
            std::cout << probes[k].message << std::endl;
            break;
        }
    }
    
    if(detected != 0)
    {
        std::cout << "Detected some Emulators/sandboxs, exiting...\a" << std::endl;
        return 1;
    }

    std::cout << "Nothing found, executing malware..." << std::endl;
    malware();
    
    return 0;
}

// Entry point: run the detection chain, then keep the console open via the
// shell's PAUSE (system() spawns cmd.exe for this; no user input reaches it).
int main()
{
    (void) IsAll();
    system("PAUSE");
    return 0;
}


Re: AntiSandBox

Некрасиво как-то...
Да и зачем здесь вообще копипаст?

П.С. Нечто подобное:
http://www.codeproject.com/KB/system/VmDetect.aspx


Re: AntiSandBox

char* sUsers[] = { "username", //threat expert
                  "user", //sandbox

так можно отсеять процентов 20 «нормальных» машин =\ (strstr ищет подстроку, поэтому «user» совпадёт с любым именем пользователя, в котором оно встречается)

Отредактировано Pernat1y (2009-06-01 15:27:49)


Re: AntiSandBox

На самом деле этот копипаст давно устарел.
Работает только вот что:
1. Sandboxie (www.sandboxie.com)
Если в своём же процессе присутствует DLL: GetModuleHandle("SbieDll.dll")
2. sunbelt (if( GetModuleHandle("pstorec.dll") ) return 1; if( IsFolderExist("C:\\analysis") ) return 1;)
Это все в настоящее время.

Ещё способ: обратиться к драйверу диска и получить ProductId и SerialNumber — у виртуальных машин они характерные:
VMware Virtual IDE Hard Drive
virtualbox ( virtualbox.org ) VBOX HARDDISK
QEMU ( www.qemu.org ) QEMU HARDDISK