各种检测

本文介绍了一系列用于检测常见虚拟环境和沙箱的技术。通过检查特定进程、文件路径、用户名等方式来判断是否运行在诸如Anubis、Total Emulation等分析环境中。此外还提供了针对特定软件如Kaspersky、Sandboxie的检测方法。


#include <windows.h>
#include <tlhelp32.h>
#include <lmcons.h>
#include <TCHAR.H>   
#include <dir.h>

#include <cstdio>
#include <cstring>
#include <iostream>
#include <string>

// NOTE(review): file-scope using-directive; tolerable in this single .cpp
// but it must not be copied into a header.
using namespace std;

// Global "something was found" flag. Every IsXxx() wrapper below sets it to
// a non-zero value on a hit and IsAll() reports `detected != 0`; nothing in
// this file ever resets it.
int detected = 0;

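/// Copies the full path of module hInst into pszBuffer and trims it back to
/// the containing directory (the trailing backslash is kept).
///
/// @param hInst     module handle; NULL means the calling executable.
/// @param pszBuffer caller-owned buffer of dwSize TCHARs.
/// @param dwSize    capacity of pszBuffer in TCHARs.
/// @return index of the last backslash in the path (so the directory part is
///         pszBuffer[0 .. return value]), or 0 if GetModuleFileName failed,
///         the path was truncated, or it contains no backslash.
DWORD GetModulePath(HINSTANCE hInst, LPTSTR pszBuffer, DWORD dwSize)
{
	if (pszBuffer == NULL || dwSize == 0)
	{
		return 0;
	}

	DWORD dwLength = GetModuleFileName(hInst, pszBuffer, dwSize);

	// GetModuleFileName reports truncation by returning dwSize; the buffer
	// then holds an incomplete path and, on older Windows versions, is not
	// NUL-terminated, so scanning back from pszBuffer[dwLength] would read
	// one element past the end. Treat truncation as failure.
	if (dwLength == 0 || dwLength >= dwSize)
	{
		return 0;
	}

	// Walk back from the terminator to the last path separator.
	while (dwLength && pszBuffer[dwLength] != _T('\\'))
	{
		dwLength--;
	}

	if (dwLength)
	{
		// Keep the separator, cut everything after it.
		pszBuffer[dwLength + 1] = _T('\0');
	}

	return dwLength;
}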

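/// Returns 1 if a process whose image name is exactly szExeName is running.
///
/// Enumerates processes through a ToolHelp snapshot. The comparison uses
/// strcmp, so it is case-sensitive and must match the name as reported in
/// PROCESSENTRY32::szExeFile. The (const char*) cast assumes an ANSI build,
/// as the rest of this file does.
///
/// @param szExeName image file name to look for (e.g. "foo.exe").
/// @return 1 on a match, 0 if not found or if the snapshot could not be taken.
BOOL IsProcessRunning(const string& szExeName)
{
    // Only process entries are needed; TH32CS_SNAPALL also walks heaps and
    // modules, which is slower and fails more often.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    BOOL found = 0;
    PROCESSENTRY32 pce = {sizeof(PROCESSENTRY32)};

    if (Process32First(hSnapshot, &pce))
    {
        do
        {
            if (strcmp((const char*)pce.szExeFile, szExeName.c_str()) == 0)
            {
                found = 1;
                break;
            }
        } while (Process32Next(hSnapshot, &pce));
    }

    // Returning from inside the loop used to leak the snapshot handle on
    // every hit; close it on all paths.
    CloseHandle(hSnapshot);
    return found;
}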

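/// Returns 1 if the account name of the current user equals comp.
///
/// @param comp user name to compare against (case-sensitive strcmp).
/// @return 1 on an exact match, 0 otherwise or if GetUserName fails.
BOOL IsUsername(const string& comp)
{
    // UNLEN (lmcons.h) is the maximum user-name length. The previous 30-byte
    // buffer made GetUserName fail with ERROR_INSUFFICIENT_BUFFER for longer
    // names, after which strcmp compared an uninitialized buffer.
    char username[UNLEN + 1] = {0};
    DWORD nSize = sizeof(username);

    if (!GetUserName(username, &nSize))
    {
        return 0;
    }

    return strcmp(username, comp.c_str()) == 0 ? 1 : 0;
}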

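/// Returns 1 if the full path of the running executable contains the
/// substring filefold (e.g. a directory prefix such as "C:\\InsideTm\\").
///
/// @param filefold NUL-terminated substring to search for (case-sensitive).
/// @return 1 if found, 0 otherwise or if the module path could not be read.
BOOL IsFileInFolder(const char* filefold)
{
    if (filefold == NULL)
    {
        return 0;
    }

    char buff[MAX_PATH] = {0};

    // A return of 0 means failure and leaves the buffer undefined; on
    // truncation older Windows versions leave it unterminated, so terminate
    // explicitly before handing it to strstr.
    const DWORD len = GetModuleFileName(NULL, buff, sizeof(buff));
    if (len == 0)
    {
        return 0;
    }
    buff[sizeof(buff) - 1] = '\0';

    return strstr(buff, filefold) != NULL ? 1 : 0;
}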

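/// Returns 1 if comp names an existing directory.
///
/// The previous implementation called chdir(), which succeeds for a directory
/// but also permanently changes the process's current directory — a side
/// effect that breaks every relative path used afterwards. GetFileAttributes
/// answers the same question without touching process state.
///
/// @param comp directory path to test.
/// @return 1 if the path exists and is a directory, 0 otherwise.
BOOL IsFolderExist(const string& comp)
{
    const DWORD attrs = GetFileAttributes(comp.c_str());

    if (attrs == INVALID_FILE_ATTRIBUTES)
    {
        return 0;
    }

    return (attrs & FILE_ATTRIBUTE_DIRECTORY) ? 1 : 0;
}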

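/// Returns 1 if the full path of the running executable equals comp exactly.
///
/// This helper is a pure predicate: recording a hit in the global `detected`
/// is left to the caller, consistent with IsUsername()/IsFileInFolder().
///
/// @param comp absolute path to compare against (case-sensitive strcmp).
/// @return 1 on an exact match, 0 otherwise or if the path could not be read.
BOOL IsFileNameEqualThis(const string& comp)
{
    char buff[MAX_PATH] = {0};

    // 0 means failure; terminate explicitly in case of truncation on older
    // Windows versions.
    const DWORD len = GetModuleFileName(NULL, buff, sizeof(buff));
    if (len == 0)
    {
        return 0;
    }
    buff[sizeof(buff) - 1] = '\0';

    return strcmp(buff, comp.c_str()) == 0 ? 1 : 0;
}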

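/// Returns 1 if comp can be opened for reading.
///
/// Note this tests readability, not mere existence: a file that exists but
/// cannot be opened (permissions, exclusive lock) reports 0.
///
/// @param comp path of the file to test.
/// @return 1 if fopen(comp, "r") succeeds, 0 otherwise.
BOOL IsFileExist(const string& comp)
{
    FILE* fp = fopen(comp.c_str(), "r");
    if (fp == NULL)
    {
        return 0;
    }

    // The previous version returned without fclose(), leaking one FILE* (and
    // one open handle on the probed file) per call.
    fclose(fp);
    return 1;
}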

/// Heuristic for the Anubis analysis environment: looks at the directory the
/// sample runs from, its exact file name, and the logged-on user name. For
/// defenders these are exactly the environment artifacts an evasion-aware
/// sample fingerprints, so an analysis box should not expose them.
/// Sets the global `detected` flag on a hit.
/// @return 1 if any of the three markers matches, 0 otherwise.
BOOL IsAnubis()
{
    const bool hit = IsFileInFolder("C:\\InsideTm\\") == 1
                  || IsFileNameEqualThis("C:\\sample.exe") == 1
                  || IsUsername("user") == 1;

    if (!hit)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

/// Heuristic for the "Total Emulation" environment: the logged-on account is
/// literally "UserName". Sets `detected` on a hit.
/// @return 1 on a hit, 0 otherwise.
BOOL IsTE()
{
    if (IsUsername("UserName") != 1)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

/// Generic sandbox heuristic: the logged-on account is literally "USER".
/// Sets `detected` when it matches.
/// @return 1 on a hit, 0 otherwise.
BOOL IsSandbox()
{
    const BOOL hit = IsUsername("USER");

    if (hit == 1)
    {
        detected = 1;
    }

    return hit == 1 ? 1 : 0;
}

/// JoeBox heuristic: looks for the sandbox's helper processes, in the order
/// listed. Sets `detected` on a hit.
/// @return 1 if either helper process is running, 0 otherwise.
BOOL IsJB()
{
    static const char* const kProcs[] = {"joeboxserver.exe", "joeboxcontrol.exe"};
    const size_t count = sizeof(kProcs) / sizeof(kProcs[0]);

    for (size_t i = 0; i < count; ++i)
    {
        if (IsProcessRunning(kProcs[i]) == 1)
        {
            detected = 1;
            return 1;
        }
    }

    return 0;
}

/// Norman sandbox heuristic: the logged-on account is "currentuser" or
/// "CurrentUser" (both spellings, checked in that order). Sets `detected`
/// on a hit.
/// @return 1 on a hit, 0 otherwise.
BOOL IsNorman()
{
    static const char* const kNames[] = {"currentuser", "CurrentUser"};
    const size_t count = sizeof(kNames) / sizeof(kNames[0]);

    for (size_t i = 0; i < count; ++i)
    {
        if (IsUsername(kNames[i]) == 1)
        {
            detected = 1;
            return 1;
        }
    }

    return 0;
}

/// Reports whether a Wireshark capture process is running. Sets `detected`
/// on a hit.
/// @return 1 if wireshark.exe is running, 0 otherwise.
BOOL IsWireShark()
{
    const bool running = IsProcessRunning("wireshark.exe") == 1;

    if (!running)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

/// Reports whether the Kaspersky anti-virus service process is running.
/// Sets `detected` on a hit.
/// @return 1 if avp.exe is running, 0 otherwise.
BOOL IsKaspersky()
{
    if (IsProcessRunning("avp.exe") != 1)
    {
        return 0;
    }

    detected = 1;
    return 1;
}


/// Heuristic for an analysis toolkit: first checks whether its monitoring
/// DLLs are loaded in this process, then whether its helper processes are
/// running. Sets `detected` on a hit.
/// @return 1 if a DLL or a process matches, 0 otherwise.
BOOL IsID()
{
    const bool dllLoaded = GetModuleHandle("api_log.dll") != NULL
                        || GetModuleHandle("dir_watch.dll") != NULL;
    if (dllLoaded)
    {
        detected = 1;
        return 1;
    }

    const bool toolRunning = IsProcessRunning("sniff_hit.exe") == 1
                          || IsProcessRunning("sysAnalyzer.exe") == 1;
    if (toolRunning)
    {
        detected = 1;
        return 1;
    }

    return 0;
}

/// Sunbelt sandbox heuristic, tried in order: a loaded pstorec.dll, the
/// C:\analysis directory, and finally a known file inside that directory
/// (the directory probe alone was observed to be unreliable). Sets
/// `detected` on a hit.
/// @return 1 if any probe matches, 0 otherwise.
BOOL IsSunbelt()
{
    bool hit = GetModuleHandle("pstorec.dll") != NULL;

    if (!hit)
    {
        hit = IsFolderExist("C:\\analysis") == 1;
    }

    if (!hit)
    {
        // Fallback for the cases where the folder probe fails.
        hit = IsFileExist("C:\\analysis\\SandboxStarter.exe") == 1;
    }

    if (!hit)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

/// Sandboxie heuristic: its user-mode DLL is loaded in this process.
/// Sets `detected` on a hit.
/// @return 1 if SbieDll.dll is loaded, 0 otherwise.
BOOL IsSandboxie()
{
    const bool loaded = GetModuleHandle("SbieDll.dll") != NULL;

    if (!loaded)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

/// Virtual PC check (attributed to steve10120): loads "C:\\vmcheck.dll" and
/// resolves its "IsRunningInsideVirtualMachine" export.
///
/// The value returned by the export (retValue) is assigned but never used:
/// the function reports 1 as soon as the export resolves, i.e. the mere
/// presence of the DLL counts as a hit. NOTE(review): unclear whether that
/// is intended or whether `return retValue` was meant — confirm before
/// relying on it either way.
///
/// Loading a DLL by absolute path from the root of C:\ is also a
/// DLL-planting hazard: whatever is at that path gets loaded into this
/// process.
///
/// @return 1 if the DLL loads and the export exists, 0 otherwise.
BOOL IsVPC() //steve10120
{
  HMODULE dll = LoadLibrary("C:\\vmcheck.dll");
  
  if(dll == NULL)
  {
      return 0;
  }

  BOOL (WINAPI *fnIsRunningInsideVirtualMachine)() = (BOOL (WINAPI *)()) GetProcAddress(dll, "IsRunningInsideVirtualMachine");

  BOOL retValue = FALSE;

  if(fnIsRunningInsideVirtualMachine != NULL)
  {                                                                  
      retValue = fnIsRunningInsideVirtualMachine();  // result is discarded, see above
      FreeLibrary(dll);
      detected = 1;
      return 1;
  }

  FreeLibrary(dll);
    
  return 0;
}

/// Inline-hook check (attributed to carb0n): reads the first byte of
/// kernel32!CreateProcessA in this process and treats 0xE9 (a near JMP
/// opcode) as evidence that the function has been detoured.
///
/// Caveats visible in the code:
///  - the return values of GetProcAddress and ReadProcessMemory are not
///    checked and bBuffer is uninitialized, so on any failure the comparison
///    reads an indeterminate value;
///  - the address is squeezed through `unsigned long`, which is 32 bits on
///    Win64 and therefore truncates the pointer in a 64-bit build.
///
/// @return 1 if the first byte read is 0xE9, 0 otherwise.
BOOL IsOther() //carb0n
{
   unsigned char bBuffer;
   unsigned long aCreateProcess = (unsigned long)GetProcAddress( GetModuleHandle( "KERNEL32.dll" ), "CreateProcessA" );

   ReadProcessMemory( GetCurrentProcess( ), (void *) aCreateProcess, &bBuffer, 1, 0 );
   
   if( bBuffer == 0xE9 )
   {
       detected = 1;
       return 1;
   }

   return 0;
}

/// Timing check (attributed to Noble & ChainCoder): sleeps for 500 ms and
/// compares GetTickCount() before and after. If fewer than 500 ms of tick
/// time elapsed, the Sleep was shortened or skipped, which the code takes as
/// a sign of an emulated or accelerated environment.
///
/// GetTickCount wraps at 2^32 ms (about 49.7 days); the DWORD subtraction
/// stays correct across a single wrap. Note that this blocks the caller for
/// half a second on every real machine.
///
/// @return 1 if the measured delay is under 500 ms, 0 otherwise.
BOOL IsEmu() //Noble & ChainCoder
{
    DWORD countit, countit2;
    
    countit = GetTickCount(); 
    Sleep(500);
    countit2 = GetTickCount(); 

    if ((countit2 - countit) < 500)
    {
        detected = 1;
        return 1;
    }
    
    return 0;
}

/// VirtualBox heuristic: the guest-additions service process is running.
/// Sets `detected` on a hit.
/// @return 1 if VBoxService.exe is running, 0 otherwise.
BOOL IsVB()
{
    if (IsProcessRunning("VBoxService.exe") != 1)
    {
        return 0;
    }

    detected = 1;
    return 1;
}

/// WPE Pro (packet editor) heuristic: first its injected DLL, then its
/// process. Sets `detected` on a hit.
/// @return 1 if the DLL is loaded or the process is running, 0 otherwise.
BOOL IsWPE()
{
    bool hit = GetModuleHandle("WpeSpy.dll") != NULL;

    if (!hit)
    {
        hit = IsProcessRunning("WPE PRO.exe") == 1;
    }

    if (!hit)
    {
        return 0;
    }

    detected = 1;
    return 1;
}


/// Placeholder payload: prints a marker line and returns 0.
BOOL malware()
{
    //some malware code
    static const char* const kMarker = "MALWARE";
    cout << kMarker << endl;

    return 0;
}


/// Runs every environment probe in turn and stops at the first one that
/// hits; the short-circuit `||` chain reproduces the original else-if
/// ordering, so later probes — including the blocking IsEmu() — do not run
/// after a hit. For defenders: the probes are themselves observable
/// behaviour (process enumeration, LoadLibrary of C:\vmcheck.dll, a 500 ms
/// Sleep bracketed by GetTickCount), which is what evasion-detection logic
/// keys on.
/// @return 1 if the global `detected` flag is non-zero afterwards, 0 otherwise.
BOOL IsAll()
{
    // Each probe records its own hit in `detected`; the chain's value is
    // only used for short-circuiting.
    (void)(IsAnubis() == 1
        || IsTE() == 1
        || IsSandbox() == 1
        || IsJB() == 1
        || IsNorman() == 1
        || IsWireShark() == 1
        || IsKaspersky() == 1
        || IsID() == 1
        || IsSunbelt() == 1
        || IsSandboxie() == 1
        || IsVPC() == 1
        || IsVB() == 1
        || IsWPE() == 1
        || IsOther() == 1
        || IsEmu() == 1);

    return detected != 0 ? 1 : 0;
}

转载于:https://my.oschina.net/sincoder/blog/109738
