├── .gitattributes ├── .gitignore ├── AntiDebug.h ├── LICENSE ├── AntiVirtualization.h ├── AntiDebug.cpp ├── README.md └── AntiVirtualization.cpp /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Compiled Object files 5 | *.slo 6 | *.lo 7 | *.o 8 | *.obj 9 | 10 | # Precompiled Headers 11 | *.gch 12 | *.pch 13 | 14 | # Compiled Dynamic libraries 15 | *.so 16 | *.dylib 17 | *.dll 18 | 19 | # Fortran module files 20 | *.mod 21 | *.smod 22 | 23 | # Compiled Static libraries 24 | *.lai 25 | *.la 26 | *.a 27 | *.lib 28 | 29 | # Executables 30 | *.exe 31 | *.out 32 | *.app 33 | -------------------------------------------------------------------------------- /AntiDebug.h: -------------------------------------------------------------------------------- 1 | #ifndef ANTIDEBUG_H 2 | #define ANTIDEBUG_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | class AntiDebug { 12 | public: 13 | // Static method to get the single instance of the class 14 | static AntiDebug* getInstance(); 15 | 16 | // Anti-debugging check methods 17 | bool checkRemoteDebuggerPresent() const; 18 | bool checkDebuggerPresent() const; 19 | bool checkHardwareBreakpoints() const; 20 | bool hardwareRegistersBreakpointsDetection() const; 21 | bool checkBeingDebuggedFlagPEB() const; 22 | bool heapProtectionCheck() const; 23 | bool checkKUserSharedDataStructure() const; 24 | bool checkNtProcessDebugPort() const; 25 | bool AntiDebugAttach() const; 26 | private: 27 | 28 | // Singleton instance 29 | static std::unique_ptr instance; 30 | 31 | // Mutex for thread safety 32 | static std::mutex mutex; 33 | }; 34 | 35 | #endif // ANTIDEBUG_H 36 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 robert. 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /AntiVirtualization.h: -------------------------------------------------------------------------------- 1 | #ifndef ANTIVIRTUALIZATION_H 2 | #define ANTIVIRTUALIZATION_H 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | class AntiVirtualization { 21 | public: 22 | 23 | static AntiVirtualization* getInstance(); 24 | 25 | bool isSandboxiePresent() const; 26 | bool isComodoSandboxPresent() const; 27 | bool isQihoo360SandboxPresent() const; 28 | bool isCuckooSandboxPresent() const; 29 | bool isEmulationPresent() const; 30 | bool isWinePresent() const; 31 | bool checkForHyperV() const; 32 | bool checkForBlacklistedNames() const; 33 | bool badVMFilesDetection() const; 34 | bool badVMProcessNames() const; 35 | bool checkDevices() const; 36 | bool checkForParallels() const; 37 | bool checkForQemu() const; 38 | bool triageCheck() const; 39 | 40 | private: 41 | 42 | static std::unique_ptr instance; 43 | 44 | static std::mutex mutex; 45 | }; 46 | 47 | #endif // ANTIVIRTUALIZATION_H 48 | -------------------------------------------------------------------------------- /AntiDebug.cpp: -------------------------------------------------------------------------------- 1 | #include "AntiDebug.h" 2 | 3 | #pragma comment(lib, "Kernel32.lib") 4 | 5 | std::mutex AntiDebug::mutex; 6 | std::unique_ptr AntiDebug::instance; 7 | 8 | typedef NTSTATUS(NTAPI* TNtQueryInformationProcess)( 9 | IN HANDLE ProcessHandle, 10 | IN PROCESSINFOCLASS ProcessInformationClass, 11 | OUT PVOID ProcessInformation, 12 | IN ULONG ProcessInformationLength, 13 | OUT PULONG ReturnLength 14 | ); 15 | 16 | AntiDebug* AntiDebug::getInstance() { 17 | if (!instance) { 18 | std::lock_guard lock(mutex); 19 | if (!instance) { 20 | instance.reset(new AntiDebug()); 21 | } 22 | } 23 | return instance.get(); 24 | } 25 | 26 | bool AntiDebug::checkRemoteDebuggerPresent() const { 27 | BOOL isDebuggerPresent = FALSE; 28 | return CheckRemoteDebuggerPresent(GetCurrentProcess(), &isDebuggerPresent) && isDebuggerPresent; 29 | } 30 | 31 | bool AntiDebug::checkDebuggerPresent() const { 32 | return IsDebuggerPresent() != FALSE; 33 | } 34 | 35 | bool AntiDebug::checkHardwareBreakpoints() const { 36 | CONTEXT context; 37 | memset(&context, 0, sizeof(CONTEXT)); 38 | context.ContextFlags = CONTEXT_DEBUG_REGISTERS; 39 | 40 | if (!GetThreadContext(GetCurrentThread(), &context)) { 41 | // Handle error 42 | return false; 43 | } 44 | 45 | return (context.Dr0 || context.Dr1 || context.Dr2 || context.Dr3) && 46 | ((context.Dr7 & 0x1) || (context.Dr7 & 0x4) || (context.Dr7 & 0x10) || (context.Dr7 & 0x40)); 47 | } 48 | 49 | bool AntiDebug::hardwareRegistersBreakpointsDetection() const { 50 | CONTEXT context; 51 | memset(&context, 0, sizeof(CONTEXT)); // Initialize the context structure 52 | context.ContextFlags = CONTEXT_DEBUG_REGISTERS; 53 | 54 | HANDLE currentThread = GetCurrentThread(); 55 | 56 | // Retrieve the thread context 57 | if (GetThreadContext(currentThread, &context)) { 58 | if ((context.Dr0 != 0x00 || context.Dr1 != 0x00 || context.Dr2 != 0x00 || context.Dr3 != 0x00 || 59 | context.Dr6 != 0x00 || context.Dr7 != 0x00)) { 60 | CloseHandle(currentThread); 61 | return true; 62 | } 63 | } 64 | CloseHandle(currentThread); 65 | return false; 66 | } 67 | 68 | bool AntiDebug::checkBeingDebuggedFlagPEB() const { 69 | PEB* peb = reinterpret_cast(__readgsqword(0x60)); 70 | return peb->BeingDebugged != FALSE; 71 | } 72 | 73 | bool AntiDebug::heapProtectionCheck() const { 74 | HANDLE hHeap = GetProcessHeap(); 75 | if (hHeap == nullptr) { 76 | return false; 77 | } 78 | 79 | PROCESS_HEAP_ENTRY heapEntry; 80 | heapEntry.lpData = nullptr; // Initialize to null pointer 81 | 82 | while (HeapWalk(hHeap, &heapEntry)) { 83 | if ((heapEntry.wFlags & PROCESS_HEAP_ENTRY_BUSY) && 84 | (heapEntry.lpData != nullptr)) { 85 | // Ensure lpData points to at least sizeof(DWORD) bytes 86 | if (heapEntry.cbData >= sizeof(DWORD)) { 87 | DWORD* pData = reinterpret_cast(heapEntry.lpData); 88 | if (*pData == 0xABABABAB) { 89 | return true; 90 | } 91 | } 92 | } 93 | } 94 | 95 | return false; 96 | } 97 | 98 | bool AntiDebug::checkKUserSharedDataStructure() const { 99 | unsigned char* kuserDataAddress = reinterpret_cast(0x7ffe02d4); 100 | unsigned char b = *kuserDataAddress; 101 | return ((b & 0x01) || (b & 0x02)); 102 | } 103 | 104 | bool AntiDebug::checkNtProcessDebugPort() const { 105 | HMODULE hNtdll = LoadLibraryA("ntdll.dll"); 106 | if (hNtdll) { 107 | auto pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress( 108 | hNtdll, "NtQueryInformationProcess"); 109 | 110 | if (pfnNtQueryInformationProcess) { 111 | DWORD dwProcessDebugPort, dwReturned; 112 | NTSTATUS status = pfnNtQueryInformationProcess( 113 | GetCurrentProcess(), 114 | ProcessDebugPort, 115 | &dwProcessDebugPort, 116 | sizeof(DWORD), 117 | &dwReturned); 118 | 119 | FreeLibrary(hNtdll); 120 | if (NT_SUCCESS(status) && (-1 == dwProcessDebugPort)) { 121 | return true; 122 | } 123 | } 124 | FreeLibrary(hNtdll); 125 | } 126 | return false; 127 | } 128 | 129 | bool AntiDebug::AntiDebugAttach() const { 130 | HMODULE NtdllModule = GetModuleHandle(TEXT("ntdll.dll")); 131 | if (!NtdllModule) { 132 | // Handle error 133 | return false; 134 | } 135 | 136 | FARPROC DbgUiRemoteBreakinAddress = GetProcAddress(NtdllModule, "DbgUiRemoteBreakin"); 137 | FARPROC DbgBreakPointAddress = GetProcAddress(NtdllModule, "DbgBreakPoint"); 138 | BYTE Int3InvaildCode[] = { 0xCC }; 139 | BYTE RetCode[] = { 0xC3 }; 140 | HANDLE hProcess = GetCurrentProcess(); 141 | 142 | BOOL Status = WriteProcessMemory(hProcess, DbgUiRemoteBreakinAddress, Int3InvaildCode, sizeof(Int3InvaildCode), NULL); 143 | BOOL Status2 = WriteProcessMemory(hProcess, DbgBreakPointAddress, RetCode, sizeof(RetCode), NULL); 144 | 145 | if (Status && Status2) 146 | return true; 147 | return false; 148 | } 149 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AntiCrack-cpp 2 | ![GitHub Downloads (all assets, latest release)](https://img.shields.io/github/downloads/90th/AntiCrack-cpp/latest/total) ![GitHub last commit](https://img.shields.io/github/last-commit/90th/AntiCrack-cpp) ![GitHub Repo stars](https://img.shields.io/github/stars/90th/AntiCrack-cpp) 3 | 4 | AntiCrack-cpp is a C++ library designed to provide anti-virtualization and anti-debugging capabilities for your applications. While it may not prevent determined attackers from reverse engineering or cracking your software entirely, it offers a set of foolproof examples to enhance the security of your code. 5 | 6 | **it's important to note that no security solution can completely prevent determined attackers**. 7 | 8 | ## Features 9 | 10 | - **Anti-Debugging Checks:** Prevent debugging attempts by detecting various debuggers and debugging techniques. 11 | - **Virtualization Checks:** Identify common virtualization environments to thwart sandboxing and emulation. 12 | 13 | ### Anti-Debugging Checks: 14 | - **checkRemoteDebuggerPresent():** Detects a remote debugger. 15 | - **checkDebuggerPresent():** Detects attached debuggers. 16 | - **checkHardwareBreakpoints():** Detects hardware breakpoints. 17 | - **hardwareRegistersBreakpointsDetection():** Detects debug registers breakpoints. 18 | - **checkBeingDebuggedFlagPEB():** Checks the PEB for debug flags. 19 | - **heapProtectionCheck():** Detects heap protection. 20 | - **checkKUserSharedDataStructure():** Detects debug info in KUSER_SHARED_DATA. 21 | - **checkNtProcessDebugPort():** Detects debugging via PEB DebugPort. 22 | - **AntiDebugAttach():** Modifies memory to hinder debugging 23 | 24 | ### Virtualization Checks: 25 | - **isSandboxiePresent():** Detects Sandboxie. 26 | - **isComodoSandboxPresent():** Detects Comodo Sandbox. 27 | - **isQihoo360SandboxPresent():** Detects Qihoo 360 Sandbox. 28 | - **isCuckooSandboxPresent():** Detects Cuckoo Sandbox. 29 | - **isEmulationPresent():** Detects emulated environments. 30 | - **isWinePresent():** Detects Wine. 31 | - **checkForHyperV():** Detects Hyper-V virtualization. 32 | - **badVMProcessNames():** Detects VM process names. 33 | - **checkDevices():** Detects virtual devices. 34 | - **checkForBlacklistedNames():** Detects blacklisted VM environment names. 35 | - **badVMFilesDetection():** Detects VM-related files. 36 | - **checkForParallels():** Detects Parallels virtualization. 37 | - **checkForQemu():** Detects QEMU virtualization. 38 | - **triageCheck():** Comprehensive virtualization and emulation check. 39 | 40 | 41 | ## Installation 42 | 43 | - Anti-Debugging Checks: Provides functions to detect various debugging methods commonly used to analyze and manipulate code execution. 44 | - Anti-Virtualization Checks: Offers functionality to identify common virtualization environments and sandboxes. 45 | 46 | ## Example 47 | 48 | ```cpp 49 | #include 50 | #include 51 | #include 52 | #include "AntiDebug.h" 53 | #include "AntiVirtualization.h" 54 | 55 | int main() { 56 | AntiDebug* antiDebug = AntiDebug::getInstance(); 57 | AntiVirtualization* antiVirtualization = AntiVirtualization::getInstance(); 58 | 59 | while (true) { 60 | std::cout << "Anti-Debugging Checks:\n"; 61 | std::cout << "checkRemoteDebuggerPresent(): " << (antiDebug->checkRemoteDebuggerPresent() ? "true" : "false") << "\n"; 62 | std::cout << "checkDebuggerPresent(): " << (antiDebug->checkDebuggerPresent() ? "true" : "false") << "\n"; 63 | std::cout << "checkHardwareBreakpoints(): " << (antiDebug->checkHardwareBreakpoints() ? "true" : "false") << "\n"; 64 | std::cout << "hardwareRegistersBreakpointsDetection(): " << (antiDebug->hardwareRegistersBreakpointsDetection() ? "true" : "false") << "\n"; 65 | std::cout << "checkBeingDebuggedFlagPEB(): " << (antiDebug->checkBeingDebuggedFlagPEB() ? "true" : "false") << "\n"; 66 | std::cout << "heapProtectionCheck(): " << (antiDebug->heapProtectionCheck() ? "true" : "false") << "\n"; 67 | std::cout << "checkKUserSharedDataStructure(): " << (antiDebug->checkKUserSharedDataStructure() ? "true" : "false") << "\n"; 68 | std::cout << "checkNtProcessDebugPort(): " << (antiDebug->checkNtProcessDebugPort() ? "true" : "false") << "\n"; 69 | std::cout << "AntiDebugAttach(): " << (antiDebug->AntiDebugAttach() ? "true" : "false") << "\n"; 70 | 71 | 72 | std::cout << "\nVirtualization Checks:\n"; 73 | std::cout << "isSandboxiePresent(): " << (antiVirtualization->isSandboxiePresent() ? "true" : "false") << "\n"; 74 | std::cout << "isComodoSandboxPresent(): " << (antiVirtualization->isComodoSandboxPresent() ? "true" : "false") << "\n"; 75 | std::cout << "isQihoo360SandboxPresent(): " << (antiVirtualization->isQihoo360SandboxPresent() ? "true" : "false") << "\n"; 76 | std::cout << "isCuckooSandboxPresent(): " << (antiVirtualization->isCuckooSandboxPresent() ? "true" : "false") << "\n"; 77 | std::cout << "isEmulationPresent(): " << (antiVirtualization->isEmulationPresent() ? "true" : "false") << "\n"; 78 | std::cout << "isWinePresent(): " << (antiVirtualization->isWinePresent() ? "true" : "false") << "\n"; 79 | std::cout << "checkForHyperV(): " << (antiVirtualization->checkForHyperV() ? "true" : "false") << "\n"; 80 | std::cout << "badVMProcessNames(): " << (antiVirtualization->badVMProcessNames() ? "true" : "false") << "\n"; 81 | std::cout << "checkDevices(): " << (antiVirtualization->checkDevices() ? "true" : "false") << "\n"; 82 | std::cout << "checkForBlacklistedNames(): " << (antiVirtualization->checkForBlacklistedNames() ? "true" : "false") << "\n"; 83 | std::cout << "badVMFilesDetection(): " << (antiVirtualization->badVMFilesDetection() ? "true" : "false") << "\n"; 84 | std::cout << "checkForParallels(): " << (antiVirtualization->checkForParallels() ? "true" : "false") << "\n"; 85 | std::cout << "checkForQemu(): " << (antiVirtualization->checkForQemu() ? "true" : "false") << "\n"; 86 | std::cout << "triageCheck(): " << (antiVirtualization->triageCheck() ? "true" : "false") << "\n"; 87 | 88 | // Sleep for 1 second before checking again 89 | std::this_thread::sleep_for(std::chrono::seconds(1)); 90 | system("cls"); 91 | } 92 | 93 | return 0; 94 | } 95 | ``` 96 | ## Contributing 97 | 98 | Contributions are welcome! If you have any ideas for improvements or new features, feel free to open an issue or submit a pull request. 99 | 100 | -------------------------------------------------------------------------------- /AntiVirtualization.cpp: -------------------------------------------------------------------------------- 1 | #include "AntiVirtualization.h" 2 | 3 | #pragma comment(lib, "wbemuuid.lib") 4 | 5 | std::mutex AntiVirtualization::mutex; 6 | std::unique_ptr AntiVirtualization::instance; 7 | 8 | AntiVirtualization* AntiVirtualization::getInstance() { 9 | if (!instance) { 10 | std::lock_guard lock(mutex); 11 | if (!instance) { 12 | instance.reset(new AntiVirtualization()); 13 | } 14 | } 15 | return instance.get(); 16 | } 17 | 18 | bool AntiVirtualization::isSandboxiePresent() const { 19 | return (GetModuleHandle("SbieDll.dll") != nullptr); 20 | } 21 | 22 | bool AntiVirtualization::isComodoSandboxPresent() const { 23 | return (GetModuleHandle("cmdvrt32.dll") != nullptr || GetModuleHandle("cmdvrt64.dll") != nullptr); 24 | } 25 | 26 | bool AntiVirtualization::isQihoo360SandboxPresent() const { 27 | return (GetModuleHandle("SxIn.dll") != nullptr); 28 | } 29 | 30 | bool AntiVirtualization::isCuckooSandboxPresent() const { 31 | return (GetModuleHandle("cuckoomon.dll") != nullptr); 32 | } 33 | 34 | bool AntiVirtualization::isEmulationPresent() const { 35 | ULONGLONG tick = GetTickCount64(); 36 | std::this_thread::sleep_for(std::chrono::milliseconds(500)); 37 | ULONGLONG tick2 = GetTickCount64(); 38 | return ((tick2 - tick) < 500); 39 | } 40 | 41 | bool AntiVirtualization::isWinePresent() const { 42 | HMODULE moduleHandle = GetModuleHandle("kernel32.dll"); 43 | if (moduleHandle != nullptr) { 44 | FARPROC procAddress = GetProcAddress(moduleHandle, "wine_get_unix_file_name"); 45 | return (procAddress != nullptr); 46 | } 47 | return false; 48 | } 49 | 50 | bool AntiVirtualization::checkForHyperV() const { 51 | std::vector servicesToCheck = { "vmbus", "VMBusHID", "hyperkbd" }; 52 | 53 | // Enumerate all services on the system 54 | SC_HANDLE hSCManager = OpenSCManager(nullptr, nullptr, SC_MANAGER_ENUMERATE_SERVICE); 55 | if (hSCManager == nullptr) { 56 | return false; 57 | } 58 | 59 | DWORD bytesNeeded, servicesCount; 60 | if (!EnumServicesStatus(hSCManager, SERVICE_WIN32, SERVICE_ACTIVE, nullptr, 0, &bytesNeeded, &servicesCount, nullptr)) { 61 | CloseServiceHandle(hSCManager); 62 | return false; 63 | } 64 | 65 | std::vector buffer(bytesNeeded); 66 | ENUM_SERVICE_STATUS* services = reinterpret_cast(buffer.data()); 67 | 68 | if (!EnumServicesStatus(hSCManager, SERVICE_WIN32, SERVICE_ACTIVE, services, bytesNeeded, &bytesNeeded, &servicesCount, nullptr)) { 69 | CloseServiceHandle(hSCManager); 70 | return false; 71 | } 72 | 73 | CloseServiceHandle(hSCManager); 74 | 75 | // Check each service name 76 | for (DWORD i = 0; i < servicesCount; ++i) { 77 | std::string serviceName(services[i].lpServiceName); 78 | std::transform(serviceName.begin(), serviceName.end(), serviceName.begin(), ::tolower); 79 | 80 | for (const auto& serviceToCheck : servicesToCheck) { 81 | if (serviceName.find(serviceToCheck) != std::string::npos) { 82 | return true; 83 | } 84 | } 85 | } 86 | 87 | return false; 88 | } 89 | 90 | bool AntiVirtualization::badVMProcessNames() const { 91 | std::vector badProcessNames = { "vboxservice", "VGAuthService", "vmusrvc", "qemu-ga" }; 92 | 93 | HANDLE hProcessSnap; 94 | PROCESSENTRY32 pe32 = { 0 }; // Explicitly initialize PROCESSENTRY32 95 | 96 | hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 97 | if (hProcessSnap == INVALID_HANDLE_VALUE) { 98 | return false; 99 | } 100 | 101 | pe32.dwSize = sizeof(PROCESSENTRY32); 102 | 103 | if (!Process32First(hProcessSnap, &pe32)) { 104 | CloseHandle(hProcessSnap); 105 | return false; 106 | } 107 | 108 | do { 109 | std::string processName = pe32.szExeFile; 110 | for (const auto& badProcessName : badProcessNames) { 111 | if (processName == badProcessName) { 112 | CloseHandle(hProcessSnap); 113 | return true; 114 | } 115 | } 116 | } while (Process32Next(hProcessSnap, &pe32)); 117 | 118 | CloseHandle(hProcessSnap); 119 | return false; 120 | } 121 | 122 | bool AntiVirtualization::checkDevices() const { 123 | std::string devices[] = { "\\\\.\\pipe\\cuckoo", "\\\\.\\HGFS", "\\\\.\\vmci", "\\\\.\\VBoxMiniRdrDN", "\\\\.\\VBoxGuest", "\\\\.\\pipe\\VBoxMiniRdDN", "\\\\.\\VBoxTrayIPC", "\\\\.\\pipe\\VBoxTrayIPC" }; 124 | 125 | for (const auto& device : devices) { 126 | HANDLE pipe = CreateFileA(device.c_str(), GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); 127 | if (pipe != INVALID_HANDLE_VALUE) { 128 | CloseHandle(pipe); 129 | return true; 130 | } 131 | } 132 | 133 | return false; 134 | } 135 | 136 | bool AntiVirtualization::checkForBlacklistedNames() const { 137 | std::vector badNames = { "Johnson", "Miller", "malware", "maltest", "CurrentUser", "Sandbox", "virus", "John Doe", "test user", "sand box", "WDAGUtilityAccount" }; 138 | 139 | char username[UNLEN + 1]; 140 | DWORD username_len = UNLEN + 1; 141 | if (!GetUserName(username, &username_len)) { 142 | return false; 143 | } 144 | 145 | std::string usernameStr(username); 146 | std::transform(usernameStr.begin(), usernameStr.end(), usernameStr.begin(), ::tolower); 147 | 148 | for (const auto& badUsername : badNames) { 149 | std::string lowerBadUsername = badUsername; 150 | std::transform(lowerBadUsername.begin(), lowerBadUsername.end(), lowerBadUsername.begin(), ::tolower); 151 | 152 | if (usernameStr == lowerBadUsername) { 153 | return true; 154 | } 155 | } 156 | 157 | return false; 158 | } 159 | 160 | bool AntiVirtualization::badVMFilesDetection() const { 161 | try { 162 | std::vector badFileNames = { "VBoxMouse.sys", "VBoxGuest.sys", "VBoxSF.sys", "VBoxVideo.sys", "vmmouse.sys", "vboxogl.dll" }; 163 | std::vector badDirs = { "C:\\Program Files\\VMware", "C:\\Program Files\\oracle\\virtualbox guest additions" }; 164 | 165 | char systemPath[MAX_PATH]; 166 | if (!GetSystemDirectory(systemPath, MAX_PATH)) { 167 | return false; 168 | } 169 | 170 | std::string systemDir(systemPath); 171 | 172 | for (const auto& entry : std::filesystem::directory_iterator(systemDir)) { 173 | if (entry.is_regular_file()) { 174 | std::string fileName = entry.path().filename().string(); 175 | std::transform(fileName.begin(), fileName.end(), fileName.begin(), ::tolower); 176 | 177 | for (const auto& badFileName : badFileNames) { 178 | std::string lowerBadFileName = badFileName; 179 | std::transform(lowerBadFileName.begin(), lowerBadFileName.end(), lowerBadFileName.begin(), ::tolower); 180 | 181 | if (fileName == lowerBadFileName) { 182 | return true; 183 | } 184 | } 185 | } 186 | } 187 | 188 | for (const auto& badDir : badDirs) { 189 | std::string lowerBadDir = badDir; 190 | std::transform(lowerBadDir.begin(), lowerBadDir.end(), lowerBadDir.begin(), ::tolower); 191 | 192 | if (std::filesystem::exists(lowerBadDir)) { 193 | return true; 194 | } 195 | } 196 | } 197 | catch (...) { 198 | // handle any exceptions if needed 199 | } 200 | 201 | return false; 202 | } 203 | 204 | bool AntiVirtualization::checkForParallels() const { 205 | std::vector badDriversList = { "prl_sf", "prl_tg", "prl_eth" }; 206 | for (const auto& driver : std::filesystem::directory_iterator("C:\\Windows\\System32")) { 207 | std::string driverName = driver.path().filename().string(); 208 | for (const auto& badDriver : badDriversList) { 209 | if (driverName.find(badDriver) != std::string::npos) { 210 | return true; 211 | } 212 | } 213 | } 214 | return false; 215 | } 216 | 217 | bool AntiVirtualization::checkForQemu() const { 218 | const std::string badDrivers[] = { "qemu-ga", "qemuwmi" }; 219 | 220 | char* systemRoot; 221 | size_t len; 222 | errno_t err = _dupenv_s(&systemRoot, &len, "SystemRoot"); 223 | if (err != 0 || systemRoot == nullptr) { 224 | // Handle error if _dupenv_s fails 225 | return false; 226 | } 227 | 228 | std::filesystem::path systemRootPath(systemRoot); 229 | free(systemRoot); // Free the memory allocated by _dupenv_s 230 | 231 | for (const auto& driver : std::filesystem::directory_iterator(systemRootPath / "System32")) { 232 | for (const auto& badDriver : badDrivers) { 233 | if (driver.path().string().find(badDriver) != std::string::npos) { 234 | return true; 235 | } 236 | } 237 | } 238 | 239 | return false; 240 | } 241 | 242 | bool AntiVirtualization::triageCheck() const { 243 | HRESULT hres; 244 | 245 | // Step 1: -------------------------------------------------- 246 | // Initialize COM. ------------------------------------------ 247 | 248 | hres = CoInitializeEx(0, COINIT_MULTITHREADED); 249 | if (FAILED(hres)) { 250 | CoUninitialize(); 251 | return false; // Program has failed. 252 | } 253 | 254 | // Step 2: -------------------------------------------------- 255 | // Set general COM security levels -------------------------- 256 | 257 | hres = CoInitializeSecurity( 258 | NULL, 259 | -1, // COM authentication 260 | NULL, // Authentication services 261 | NULL, // Reserved 262 | RPC_C_AUTHN_LEVEL_DEFAULT, // Default authentication 263 | RPC_C_IMP_LEVEL_IMPERSONATE, // Default Impersonation 264 | NULL, // Authentication info 265 | EOAC_NONE, // Additional capabilities 266 | NULL // Reserved 267 | ); 268 | 269 | if (FAILED(hres)) { 270 | CoUninitialize(); 271 | return false; // Program has failed. 272 | } 273 | 274 | // Step 3: --------------------------------------------------- 275 | // Obtain the initial locator to WMI ------------------------- 276 | 277 | IWbemLocator* pLoc = NULL; 278 | 279 | hres = CoCreateInstance( 280 | CLSID_WbemLocator, 281 | 0, 282 | CLSCTX_INPROC_SERVER, 283 | IID_IWbemLocator, (LPVOID*)&pLoc); 284 | 285 | if (FAILED(hres)) { 286 | CoUninitialize(); 287 | return false; // Program has failed. 288 | } 289 | 290 | // Step 4: ----------------------------------------------------- 291 | // Connect to WMI through the IWbemLocator::ConnectServer method 292 | 293 | IWbemServices* pSvc = NULL; 294 | 295 | // Connect to the root\cimv2 namespace with the current user and obtain pointer pSvc to make IWbemServices calls. 296 | hres = pLoc->ConnectServer( 297 | _bstr_t(L"ROOT\\CIMV2"), // Object path of WMI namespace 298 | NULL, // User name. NULL = current user 299 | NULL, // User password. NULL = current 300 | 0, // Locale. NULL indicates current 301 | NULL, // Security flags. 302 | 0, // Authority (e.g. Kerberos) 303 | 0, // Context object 304 | &pSvc // pointer to IWbemServices proxy 305 | ); 306 | 307 | if (FAILED(hres)) { 308 | pLoc->Release(); 309 | CoUninitialize(); 310 | return false; // Program has failed. 311 | } 312 | 313 | // Step 5: -------------------------------------------------- 314 | // Set security levels on the proxy ------------------------- 315 | hres = CoSetProxyBlanket( 316 | pSvc, // Indicates the proxy to set 317 | RPC_C_AUTHN_WINNT, // RPC_C_AUTHN_xxx 318 | RPC_C_AUTHZ_NONE, // RPC_C_AUTHZ_xxx 319 | NULL, // Server principal name 320 | RPC_C_AUTHN_LEVEL_CALL, // RPC_C_AUTHN_LEVEL_xxx 321 | RPC_C_IMP_LEVEL_IMPERSONATE, // RPC_C_IMP_LEVEL_xxx 322 | NULL, // client identity 323 | EOAC_NONE // proxy capabilities 324 | ); 325 | 326 | if (FAILED(hres)) { 327 | pSvc->Release(); 328 | pLoc->Release(); 329 | CoUninitialize(); 330 | return false; // Program has failed. 331 | } 332 | 333 | // Step 6: -------------------------------------------------- 334 | // Use the IWbemServices pointer to make requests of WMI ---- 335 | 336 | // For example, query for operating system data 337 | IEnumWbemClassObject* pEnumerator = NULL; 338 | hres = pSvc->ExecQuery( 339 | bstr_t("WQL"), 340 | bstr_t("SELECT * FROM Win32_DiskDrive"), 341 | WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, 342 | NULL, 343 | &pEnumerator); 344 | 345 | if (FAILED(hres)) { 346 | pSvc->Release(); 347 | pLoc->Release(); 348 | CoUninitialize(); 349 | return false; // Program has failed. 350 | } 351 | 352 | // Step 7: ------------------------------------------------- 353 | // Get the data from the query in step 6 ------------------- 354 | 355 | IWbemClassObject* pclsObj; 356 | ULONG uReturn = 0; 357 | 358 | while (pEnumerator) { 359 | HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn); 360 | 361 | if (0 == uReturn) { 362 | break; 363 | } 364 | 365 | VARIANT vtProp; 366 | VariantInit(&vtProp); // Initialize VARIANT 367 | 368 | // Get the value of the Name property 369 | hr = pclsObj->Get(L"Model", 0, &vtProp, 0, 0); 370 | if (FAILED(hr)) { 371 | VariantClear(&vtProp); 372 | pclsObj->Release(); 373 | pSvc->Release(); 374 | pLoc->Release(); 375 | CoUninitialize(); 376 | return false; 377 | } 378 | 379 | std::wstring modelName = vtProp.bstrVal; 380 | VariantClear(&vtProp); 381 | 382 | if (modelName.find(L"DADY HARDDISK") != std::wstring::npos || modelName.find(L"QEMU HARDDISK") != std::wstring::npos) { 383 | pclsObj->Release(); 384 | pSvc->Release(); 385 | pLoc->Release(); 386 | CoUninitialize(); 387 | return true; 388 | } 389 | 390 | pclsObj->Release(); 391 | } 392 | 393 | // Cleanup 394 | // ========= 395 | 396 | pSvc->Release(); 397 | pLoc->Release(); 398 | pEnumerator->Release(); 399 | CoUninitialize(); 400 | 401 | return false; // Program successfully completed. 402 | } --------------------------------------------------------------------------------