├── README.md
├── SLib.sln
├── SLib
├── App.config
├── Filesystem.cs
├── Generic.cs
├── GlobalObjects.cs
├── Hardware.cs
├── NetworkHelpers.cs
├── OsChecks.cs
├── OsFeatures.cs
├── Processes.cs
├── Properties
│ └── AssemblyInfo.cs
├── RegistryQuery.cs
├── SLib.csproj
├── SLib.sln
└── UiArtifacts.cs
├── SLibTests
├── App.config
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
└── SLibTests.csproj
└── img
├── img01.png
└── img02.png
/README.md:
--------------------------------------------------------------------------------
1 | # SLib - Sanbox Evasion Library in C#
2 |
3 | Slib is a C# library that contains various checks to try to identify if a computer is a sandbox or not.
4 |
5 | It is based on the methods defined by Checkpoint in the following link:
6 | - https://evasions.checkpoint.com
7 |
8 |
9 | # Implemented techniques
10 | ## Filesystem
11 | - Check if specific files exist
12 | - Check if specific directories are present
13 | - Check if full path to the executable contains one of the specific strings
14 | - Check if the executable is run from specific directory
15 | - Check if the executable files with specific names are present in physical disk drives' root
16 | ## Registry
17 | - Check if particular registry paths exist
18 | - Check if particular registry keys contain specified strings
19 | ## Generic OS queries
20 | - Check if username is specific
21 | - Check if computer name is specific
22 | - Check if host name is specific
23 | - Check if total RAM is low
24 | - Check if screen resolution is non-usual for host OS
25 | - Check if number of processors is low
26 | - Check if quantity of monitors is small
27 | - Check if hard disk drive size and free space are small
28 | - Check if system uptime is small
29 | ## Global OS objects
30 | - Check for specific global mutexes
31 | ## UI artifacts
32 | - Check if windows with certain class names are present in the OS
33 | - Check if top level windows' number is too small
34 | ## OS features
35 | - Checking debug privileges
36 | ## Processes
37 | - Check if specific files exist
38 | - Check if specific libraries are loaded in the process address space
39 | - Check number of processes:
40 | ## Network
41 | - Check if MAC address is specific
42 | - Check if adapter name is specific
43 | - Check if network belongs to security perimeter
44 | - Cuckoo ResultServer connection based anti-emulation technique
45 | ## Hardware
46 | - Check if HDD has specific name
47 | - Check if HDD Vendor ID has specific value
48 | - Check if CPU temperature information is available
49 |
50 |
51 | 
52 |
53 | 
54 |
55 | # Author
56 | [@aetsu](https://twitter.com/aetsu)
57 |
--------------------------------------------------------------------------------
/SLib.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30717.126
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SLib", "SLib\SLib.csproj", "{5223FEF1-60BA-423D-83C4-656B66C44A7A}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SLibTests", "SLibTests\SLibTests.csproj", "{AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|Any CPU = Debug|Any CPU
13 | Debug|x64 = Debug|x64
14 | Release|Any CPU = Release|Any CPU
15 | Release|x64 = Release|x64
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
19 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}.Debug|Any CPU.Build.0 = Debug|Any CPU
20 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}.Debug|x64.ActiveCfg = Debug|x64
21 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}.Debug|x64.Build.0 = Debug|x64
22 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}.Release|Any CPU.ActiveCfg = Release|Any CPU
23 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}.Release|Any CPU.Build.0 = Release|Any CPU
24 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}.Release|x64.ActiveCfg = Release|Any CPU
25 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}.Release|x64.Build.0 = Release|Any CPU
26 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
27 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}.Debug|Any CPU.Build.0 = Debug|Any CPU
28 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}.Debug|x64.ActiveCfg = Debug|Any CPU
29 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}.Debug|x64.Build.0 = Debug|Any CPU
30 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}.Release|Any CPU.ActiveCfg = Release|Any CPU
31 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}.Release|Any CPU.Build.0 = Release|Any CPU
32 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}.Release|x64.ActiveCfg = Release|Any CPU
33 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}.Release|x64.Build.0 = Release|Any CPU
34 | EndGlobalSection
35 | GlobalSection(SolutionProperties) = preSolution
36 | HideSolutionNode = FALSE
37 | EndGlobalSection
38 | GlobalSection(ExtensibilityGlobals) = postSolution
39 | SolutionGuid = {A793D924-083E-4FA8-8A26-0E157E905713}
40 | EndGlobalSection
41 | EndGlobal
42 |
--------------------------------------------------------------------------------
/SLib/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/SLib/Filesystem.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 |
5 | namespace SLib
6 | {
7 | public class Filesystem
8 | {
9 | //Check if specific files exist
10 | public Generic.SandboxRes checkFiles()
11 | {
12 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
13 |
14 | string[] list1 = { @"c:\take_screenshot.ps1", @"c:\loaddll.exe", @"c:\email.doc", @"c:\email.htm", @"c:\123\email.doc", @"c:\123\email.docx", @"c:\a\foobar.bmp", @"c:\a\foobar.doc", @"c:\a\foobar.gif", @"c:\symbols\aagmmc.pdb" };
15 | foreach (string f in list1)
16 | {
17 | try
18 | {
19 | if (File.Exists(f))
20 | {
21 | Generic.SandboxTag aux = new Generic.SandboxTag("General", f);
22 | returnData.tagList.Add(aux);
23 | }
24 | }
25 | catch (Exception e)
26 | {
27 | //Console.WriteLine("[/] Error:" + e);
28 | }
29 |
30 | }
31 | string[] list2 = { @"c:\windows\system32\drivers\prleth.sys", @"c:\windows\system32\drivers\prlfs.sys", @"c:\windows\system32\drivers\prlmouse.sys", @"c:\windows\system32\drivers\prlvideo.sys", @"c:\windows\system32\drivers\prltime.sys", @"c:\windows\system32\drivers\prl_pv32.sys", @"c:\windows\system32\drivers\prl_paravirt_32.sys" };
32 | foreach (string f in list2)
33 | {
34 | try
35 | {
36 | if (File.Exists(f))
37 | {
38 | Generic.SandboxTag aux = new Generic.SandboxTag("Parallels", f);
39 | returnData.tagList.Add(aux);
40 | }
41 | }
42 | catch (Exception e)
43 | {
44 | //Console.WriteLine("[/] Error:" + e);
45 | }
46 | }
47 | string[] list3 = { @"c:\windows\system32\drivers\VBoxMouse.sys", @"c:\windows\system32\drivers\VBoxGuest.sys", @"c:\windows\system32\drivers\VBoxSF.sys", @"c:\windows\system32\drivers\VBoxVideo.sys", @"c:\windows\system32\vboxdisp.dll", @"c:\windows\system32\vboxhook.dll", @"c:\windows\system32\vboxmrxnp.dll", @"c:\windows\system32\vboxogl.dll", @"c:\windows\system32\vboxoglarrayspu.dll", @"c:\windows\system32\vboxoglcrutil.dll", @"c:\windows\system32\vboxoglerrorspu.dll", @"c:\windows\system32\vboxoglfeedbackspu.dll", @"c:\windows\system32\vboxoglpackspu.dll", @"c:\windows\system32\vboxoglpassthroughspu.dll", @"c:\windows\system32\vboxservice.exe", @"c:\windows\system32\vboxtray.exe", @"c:\windows\system32\VBoxControl.exe" };
48 | foreach (string f in list3)
49 | {
50 | try
51 | {
52 | if (File.Exists(f))
53 | {
54 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", f);
55 | returnData.tagList.Add(aux);
56 | }
57 | }
58 | catch (Exception e)
59 | {
60 | //Console.WriteLine("[/] Error:" + e);
61 | }
62 | }
63 | string[] list4 = { @"c:\windows\system32\drivers\vmsrvc.sys", @"c:\windows\system32\drivers\vpc-s3.sys" };
64 | foreach (string f in list4)
65 | {
66 | try
67 | {
68 | if (File.Exists(f))
69 | {
70 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualPC", f);
71 | returnData.tagList.Add(aux);
72 | }
73 | }
74 | catch (Exception e)
75 | {
76 | //Console.WriteLine("[/] Error:" + e);
77 | }
78 | }
79 | string[] list5 = { @"c:\windows\system32\drivers\vmmouse.sys", @"c:\windows\system32\drivers\vmnet.sys", @"c:\windows\system32\drivers\vmxnet.sys", @"c:\windows\system32\drivers\vmhgfs.sys", @"c:\windows\system32\drivers\vmx86.sys", @"c:\windows\system32\drivers\hgfs.sys" };
80 | foreach (string f in list5)
81 | {
82 | try
83 | {
84 | if (File.Exists(f))
85 | {
86 | Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", f);
87 | returnData.tagList.Add(aux);
88 | }
89 | }
90 | catch (Exception e)
91 | {
92 | //Console.WriteLine("[/] Error:" + e);
93 | }
94 | }
95 |
96 | if (returnData.tagList.Count > 0)
97 | {
98 | returnData.isSandbox = true;
99 | }
100 | return returnData;
101 | }
102 |
103 | //Check if specific directories are present
104 | public Generic.SandboxRes checkDirectories()
105 | {
106 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
107 | try
108 | {
109 | if (Directory.Exists(@"c:\analysis"))
110 | {
111 | Generic.SandboxTag aux = new Generic.SandboxTag("CWSandbox", @"c:\analysis");
112 | returnData.tagList.Add(aux);
113 | }
114 | }
115 | catch (Exception e)
116 | {
117 | //Console.WriteLine("[/] Error:" + e);
118 | }
119 | try
120 | {
121 | if (Directory.Exists(Environment.GetEnvironmentVariable("ProgramFiles") + @"\oracle\virtualbox guest additions"))
122 | {
123 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", Environment.GetEnvironmentVariable("ProgramFiles") + @"\oracle\virtualbox guest additions");
124 | returnData.tagList.Add(aux);
125 | }
126 | }
127 | catch (Exception e)
128 | {
129 | //Console.WriteLine("[/] Error:" + e);
130 | }
131 | try
132 | {
133 | if (Directory.Exists(Environment.GetEnvironmentVariable("ProgramFiles") + @"\VMWare"))
134 | {
135 | Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", Environment.GetEnvironmentVariable("ProgramFiles") + @"\VMWare");
136 | returnData.tagList.Add(aux);
137 | }
138 | }
139 | catch (Exception e)
140 | {
141 | //Console.WriteLine("[/] Error:" + e);
142 | }
143 |
144 | if (returnData.tagList.Count > 0)
145 | {
146 | returnData.isSandbox = true;
147 | }
148 | return returnData;
149 | }
150 |
151 | //Check if full path to the executable contains one of the specific strings
152 | //Check if the executable is run from specific directory
153 | public Generic.SandboxRes checkExePath()
154 | {
155 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
156 | string[] list1 = { "sample", "virus", "sandbox" };
157 | foreach (string f in list1)
158 | {
159 | try
160 | {
161 | if (Directory.GetCurrentDirectory().ToLower().Contains(f.ToLower()))
162 | {
163 | Generic.SandboxTag aux = new Generic.SandboxTag("General", f);
164 | returnData.tagList.Add(aux);
165 | }
166 | }
167 | catch (Exception e)
168 | {
169 | //Console.WriteLine("[/] Error:" + e);
170 | }
171 | }
172 | string[] list2 = { @"c:\insidetm" };
173 | foreach (string f in list2)
174 | {
175 | try
176 | {
177 | if (Directory.GetCurrentDirectory().ToLower().Contains(f.ToLower()))
178 | {
179 | Generic.SandboxTag aux = new Generic.SandboxTag("Anubis", f);
180 | returnData.tagList.Add(aux);
181 | }
182 | }
183 | catch (Exception e)
184 | {
185 | //Console.WriteLine("[/] Error:" + e);
186 | }
187 | }
188 |
189 | if (returnData.tagList.Count > 0)
190 | {
191 | returnData.isSandbox = true;
192 | }
193 | return returnData;
194 | }
195 |
196 | //Check if the executable files with specific names are present in physical disk drives' root
197 | public Generic.SandboxRes checkExeRoot()
198 | {
199 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
200 | string[] list1 = { "malware.exe", "sample.exe" };
201 | foreach (string f in list1)
202 | {
203 | try
204 | {
205 | if (File.Exists(Path.GetPathRoot(Environment.SystemDirectory) + "\\" + f))
206 | {
207 | Generic.SandboxTag aux = new Generic.SandboxTag("General", f);
208 | returnData.tagList.Add(aux);
209 | }
210 | }
211 | catch (Exception e)
212 | {
213 | //Console.WriteLine("[/] Error:" + e);
214 | }
215 | }
216 | string[] list2 = { @"c:\insidetm" };
217 | foreach (string f in list2)
218 | {
219 | try
220 | {
221 | if (Directory.GetCurrentDirectory().ToLower().Contains(f.ToLower()))
222 | {
223 | Generic.SandboxTag aux = new Generic.SandboxTag("Anubis", f);
224 | returnData.tagList.Add(aux);
225 | }
226 | }
227 | catch (Exception e)
228 | {
229 | //Console.WriteLine("[/] Error:" + e);
230 | }
231 | }
232 |
233 | if (returnData.tagList.Count > 0)
234 | {
235 | returnData.isSandbox = true;
236 | }
237 | return returnData;
238 | }
239 | }
240 | }
241 |
--------------------------------------------------------------------------------
/SLib/Generic.cs:
--------------------------------------------------------------------------------
1 | using System.Collections.Generic;
2 |
3 | namespace SLib
4 | {
5 | public static class Generic
6 | {
7 | public struct SandboxTag
8 | {
9 | public string tag;
10 | public string query;
11 |
12 | public SandboxTag(string tag, string query)
13 | {
14 | this.tag = tag;
15 | this.query = query;
16 | }
17 | }
18 |
19 |
20 | public struct SandboxRes
21 | {
22 | public bool isSandbox;
23 | public List tagList;
24 |
25 | public SandboxRes(bool isSandbox, List tagList)
26 | {
27 | this.isSandbox = isSandbox;
28 | this.tagList = tagList;
29 | }
30 | }
31 | }
32 | }
33 |
--------------------------------------------------------------------------------
/SLib/GlobalObjects.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Threading;
4 |
5 | namespace SLib
6 | {
7 | public class GlobalObjects
8 | {
9 | //Check for specific global mutexes
10 | public Generic.SandboxRes checkGlobalMutexes()
11 | {
12 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
13 | //DeepFreeze
14 | Mutex m = null;
15 | bool doesNotExist = false;
16 | try
17 | {
18 | m = Mutex.OpenExisting("Frz_State");
19 | }
20 | catch (WaitHandleCannotBeOpenedException)
21 | {
22 | doesNotExist = true;
23 | }
24 | catch (Exception e)
25 | {
26 | Console.WriteLine("[/] Error:" + e);
27 | }
28 | if (doesNotExist == false)
29 | {
30 | Generic.SandboxTag aux = new Generic.SandboxTag("DeepFreeze", "Frz_State");
31 | returnData.tagList.Add(aux);
32 | }
33 | //VirtualPC
34 | doesNotExist = false;
35 | try
36 | {
37 | m = Mutex.OpenExisting("MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex");
38 | }
39 | catch (WaitHandleCannotBeOpenedException)
40 | {
41 | doesNotExist = true;
42 | }
43 | catch (Exception e)
44 | {
45 | Console.WriteLine("[/] Error:" + e);
46 | }
47 | if (doesNotExist == false)
48 | {
49 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualPC", "MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex");
50 | returnData.tagList.Add(aux);
51 | }
52 | //Sandboxie
53 | string[] list1 = { @"Sandboxie_SingleInstanceMutex_Control", "SBIE_BOXED_ServiceInitComplete_Mutex1" };
54 | foreach (string mutexName in list1)
55 | {
56 | doesNotExist = false;
57 | try
58 | {
59 | m = Mutex.OpenExisting(mutexName);
60 | }
61 | catch (WaitHandleCannotBeOpenedException)
62 | {
63 | doesNotExist = true;
64 | }
65 | catch (Exception e)
66 | {
67 | Console.WriteLine("[/] Error:" + e);
68 | }
69 | if (doesNotExist == false)
70 | {
71 | Generic.SandboxTag aux = new Generic.SandboxTag("Sandboxie", mutexName);
72 | returnData.tagList.Add(aux);
73 | }
74 | }
75 |
76 | if (returnData.tagList.Count > 0)
77 | {
78 | returnData.isSandbox = true;
79 | }
80 | return returnData;
81 | }
82 | }
83 | }
84 |
--------------------------------------------------------------------------------
/SLib/Hardware.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Management;
4 |
5 |
6 | namespace SLib
7 | {
8 | public class Hardware
9 | {
10 | //Check if HDD has specific name
11 | public Generic.SandboxRes checkHdName()
12 | {
13 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
14 |
15 | ManagementObjectSearcher moSearcher = new ManagementObjectSearcher("SELECT * FROM Win32_DiskDrive");
16 |
17 | foreach (ManagementObject wmi_HD in moSearcher.Get())
18 | {
19 | try
20 | {
21 | //VMWare
22 | if (wmi_HD["Model"].ToString().ToLower().Contains("VMWare".ToLower()))
23 | {
24 | Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", wmi_HD["Model"].ToString());
25 | returnData.tagList.Add(aux);
26 | }
27 | //QEMU
28 | if (wmi_HD["Model"].ToString().ToLower().Contains("QEMU".ToLower()))
29 | {
30 | Generic.SandboxTag aux = new Generic.SandboxTag("QEMU", wmi_HD["Model"].ToString());
31 | returnData.tagList.Add(aux);
32 | }
33 | //VirtualBox
34 | if (wmi_HD["Model"].ToString().ToLower().Contains("VBOX".ToLower()))
35 | {
36 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", wmi_HD["Model"].ToString());
37 | returnData.tagList.Add(aux);
38 | }
39 | //VirtualPC
40 | if (wmi_HD["Model"].ToString().ToLower().Contains("VIRTUAL HD".ToLower()))
41 | {
42 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualPC", wmi_HD["Model"].ToString());
43 | returnData.tagList.Add(aux);
44 | }
45 | }
46 | catch (Exception e)
47 | {
48 | //Console.WriteLine("[/] Error:" + e);
49 | }
50 | }
51 |
52 | if (returnData.tagList.Count > 0)
53 | {
54 | returnData.isSandbox = true;
55 | }
56 | return returnData;
57 | }
58 |
59 | //Check if HDD Vendor ID has specific value
60 | public Generic.SandboxRes checkHdVendor()
61 | {
62 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
63 |
64 | ManagementObjectSearcher moSearcher = new ManagementObjectSearcher("SELECT * FROM Win32_DiskDrive");
65 |
66 | foreach (ManagementObject wmi_HD in moSearcher.Get())
67 | {
68 | try
69 | {
70 | //VMWare
71 | if (wmi_HD["PNPDeviceID"].ToString().ToLower().Contains("vmware".ToLower()))
72 | {
73 | Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", wmi_HD["PNPDeviceID"].ToString());
74 | returnData.tagList.Add(aux);
75 | }
76 | //VirtualBox
77 | if (wmi_HD["PNPDeviceID"].ToString().ToLower().Contains("VBOX".ToLower()))
78 | {
79 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", wmi_HD["PNPDeviceID"].ToString());
80 | returnData.tagList.Add(aux);
81 | }
82 | }
83 | catch (Exception e)
84 | {
85 | //Console.WriteLine("[/] Error:" + e);
86 | }
87 | }
88 |
89 | if (returnData.tagList.Count > 0)
90 | {
91 | returnData.isSandbox = true;
92 | }
93 | return returnData;
94 | }
95 |
96 | //Check if CPU temperature information is available
97 | public Generic.SandboxRes checkAudio()
98 | {
99 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
100 | ManagementObjectSearcher searcher = new ManagementObjectSearcher("root\\WMI", "SELECT * FROM MSAcpi_ThermalZoneTemperature");
101 | try
102 | {
103 | searcher.Get();
104 | foreach (ManagementObject queryObj in searcher.Get())
105 | {
106 | double temp = Convert.ToDouble(queryObj["CurrentTemperature"].ToString());
107 | double temp_cel = (temp / 10 - 273.15);
108 | }
109 | }
110 | catch (Exception e)
111 | {
112 | //Console.WriteLine("[/] Error:" + e);
113 | Generic.SandboxTag aux = new Generic.SandboxTag("CPU Temperature available", "False");
114 | returnData.tagList.Add(aux);
115 | }
116 |
117 |
118 | if (returnData.tagList.Count > 0)
119 | {
120 | returnData.isSandbox = true;
121 | }
122 | return returnData;
123 | }
124 | }
125 | }
126 |
--------------------------------------------------------------------------------
/SLib/NetworkHelpers.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Net;
5 | using System.Net.NetworkInformation;
6 |
7 | namespace SLib
8 | {
9 | public class NetworkHelpers
10 | {
11 | //Check if MAC address is specific
12 | public Generic.SandboxRes checkMac()
13 | {
14 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
15 | string[] list1 = { "000569", "000C29", "001C14", "005056" };
16 | foreach (NetworkInterface nic in NetworkInterface.GetAllNetworkInterfaces())
17 | {
18 | if (nic.OperationalStatus == OperationalStatus.Up)
19 | {
20 | //VirtualBox
21 | if (nic.GetPhysicalAddress().ToString().StartsWith("080027"))
22 | {
23 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", nic.GetPhysicalAddress().ToString());
24 | returnData.tagList.Add(aux);
25 | }
26 | //Parallels
27 | if (nic.GetPhysicalAddress().ToString().StartsWith("001C42"))
28 | {
29 | Generic.SandboxTag aux = new Generic.SandboxTag("Parallels", nic.GetPhysicalAddress().ToString());
30 | returnData.tagList.Add(aux);
31 | }
32 | //Xen
33 | if (nic.GetPhysicalAddress().ToString().StartsWith("0016E3"))
34 | {
35 | Generic.SandboxTag aux = new Generic.SandboxTag("Xen", nic.GetPhysicalAddress().ToString());
36 | returnData.tagList.Add(aux);
37 | }
38 | //VMWare
39 | foreach (string m in list1)
40 | {
41 | if (nic.GetPhysicalAddress().ToString().StartsWith(m))
42 | {
43 | Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", nic.GetPhysicalAddress().ToString());
44 | returnData.tagList.Add(aux);
45 | }
46 | }
47 |
48 | }
49 | }
50 |
51 |
52 | if (returnData.tagList.Count > 0)
53 | {
54 | returnData.isSandbox = true;
55 | }
56 | return returnData;
57 | }
58 |
59 | //Check if adapter name is specific
60 | public Generic.SandboxRes checkAdapterName()
61 | {
62 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
63 | foreach (NetworkInterface nic in NetworkInterface.GetAllNetworkInterfaces())
64 | {
65 | if (nic.OperationalStatus == OperationalStatus.Up)
66 | {
67 | //VMWare
68 | if (nic.Name.ToLower() == "vmware")
69 | {
70 | Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", nic.Name);
71 | returnData.tagList.Add(aux);
72 | }
73 | }
74 | }
75 |
76 | if (returnData.tagList.Count > 0)
77 | {
78 | returnData.isSandbox = true;
79 | }
80 | return returnData;
81 | }
82 |
83 | //Check if network belongs to security perimeter
84 | public Generic.SandboxRes checkIP()
85 | {
86 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
87 | string[] list1 = { "Amazon", "anonymous", "BitDefender", "BlackOakComputers", "Blue Coat", "BlueCoat", "Cisco", "cloud", "Data Center", "DataCenter", "DataCentre", "dedicated", "ESET, Spol", "FireEye", "ForcePoint", "Fortinet", "Hetzner", "hispeed.ch", "hosted", "Hosting", "Iron Port", "IronPort", "LeaseWeb", "MessageLabs", "Microsoft", "MimeCast", "NForce", "Ovh Sas", "Palo Alto", "ProofPoint", "Rackspace", "security", "Server", "Strong Technologies", "Trend Micro", "TrendMicro", "TrustWave", "VMVault", "Zscaler" };
88 | string html = string.Empty;
89 | try
90 | {
91 | ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
92 | HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://geoip.maxmind.com/geoip/v2.1/city/me?");
93 | request.AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate;
94 | request.UserAgent = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.1; rv:11.3) like Gecko";
95 | request.Referer = "https://www.maxmind.com/en/locate-my-ip-address";
96 |
97 | if (request.Proxy != null)
98 | {
99 | request.Proxy.Credentials = System.Net.CredentialCache.DefaultCredentials;
100 | }
101 | using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
102 | using (Stream stream = response.GetResponseStream())
103 | using (StreamReader reader = new StreamReader(stream))
104 | {
105 | html = reader.ReadToEnd();
106 | }
107 | foreach (string tag in list1)
108 | {
109 | if (html.ToLower().Contains(tag.ToLower()))
110 | {
111 | Generic.SandboxTag aux = new Generic.SandboxTag("Network tag", tag);
112 | returnData.tagList.Add(aux);
113 | }
114 | }
115 | }
116 | catch (Exception e)
117 | {
118 | //Console.WriteLine("[/] Error:" + e);
119 | }
120 |
121 | if (returnData.tagList.Count > 0)
122 | {
123 | returnData.isSandbox = true;
124 | }
125 | return returnData;
126 | }
127 |
128 | //Cuckoo ResultServer connection based anti-emulation technique
129 | public Generic.SandboxRes checkCuckoo()
130 | {
131 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
132 | IPGlobalProperties properties = IPGlobalProperties.GetIPGlobalProperties();
133 | TcpConnectionInformation[] connections = properties.GetActiveTcpConnections();
134 | foreach (TcpConnectionInformation c in connections)
135 | {
136 | if (c.RemoteEndPoint.ToString().EndsWith(":2042"))
137 | {
138 | Generic.SandboxTag aux = new Generic.SandboxTag("Cuckoo", c.RemoteEndPoint.ToString());
139 | returnData.tagList.Add(aux);
140 | }
141 | }
142 |
143 | if (returnData.tagList.Count > 0)
144 | {
145 | returnData.isSandbox = true;
146 | }
147 | return returnData;
148 | }
149 | }
150 | }
151 |
--------------------------------------------------------------------------------
/SLib/OsChecks.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Management;
5 | using System.Net;
6 | using System.Windows.Forms;
7 |
8 | namespace SLib
9 | {
10 | public class OsChecks
11 | {
12 | //Check if username is specific
13 | public Generic.SandboxRes checkUsername()
14 | {
15 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
16 | //General
17 | string[] list1 = { "admin", "andy", "honey", "john", "john doe", "malnetvm", "maltest", "malware", "roo", "sandbox", "snort", "tequilaboomboom", "test", "virus", "virusclone", "wilbert" };
18 | foreach (string name in list1)
19 | {
20 | try
21 | {
22 | if (name.ToLower() == Environment.UserName.ToLower())
23 | {
24 | Generic.SandboxTag aux = new Generic.SandboxTag("General", name);
25 | returnData.tagList.Add(aux);
26 | }
27 | }
28 | catch (Exception e)
29 | {
30 | Console.WriteLine("[/] Error:" + e);
31 | }
32 |
33 | }
34 | //Nepenthes
35 | try
36 | {
37 | if ("nepenthes".ToLower() == Environment.UserName.ToLower())
38 | {
39 | Generic.SandboxTag aux = new Generic.SandboxTag("Nepenthes", "nepenthes");
40 | returnData.tagList.Add(aux);
41 | }
42 | }
43 | catch (Exception e)
44 | {
45 | Console.WriteLine("[/] Error:" + e);
46 | }
47 | //Norman
48 | try
49 | {
50 | if ("currentuser".ToLower() == Environment.UserName.ToLower())
51 | {
52 | Generic.SandboxTag aux = new Generic.SandboxTag("Norman", "currentuser");
53 | returnData.tagList.Add(aux);
54 | }
55 | }
56 | catch (Exception e)
57 | {
58 | Console.WriteLine("[/] Error:" + e);
59 | }
60 | //ThreatExpert
61 | try
62 | {
63 | if ("username".ToLower() == Environment.UserName.ToLower())
64 | {
65 | Generic.SandboxTag aux = new Generic.SandboxTag("ThreatExpert", "username");
66 | returnData.tagList.Add(aux);
67 | }
68 | }
69 | catch (Exception e)
70 | {
71 | Console.WriteLine("[/] Error:" + e);
72 | }
73 | //Sandboxie
74 | try
75 | {
76 | if ("user".ToLower() == Environment.UserName.ToLower())
77 | {
78 | Generic.SandboxTag aux = new Generic.SandboxTag("Sandboxie", "user");
79 | returnData.tagList.Add(aux);
80 | }
81 | }
82 | catch (Exception e)
83 | {
84 | Console.WriteLine("[/] Error:" + e);
85 | }
86 | //VMware
87 | try
88 | {
89 | if ("vmware".ToLower() == Environment.UserName.ToLower())
90 | {
91 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", "vmware");
92 | returnData.tagList.Add(aux);
93 | }
94 | }
95 | catch (Exception e)
96 | {
97 | Console.WriteLine("[/] Error:" + e);
98 | }
99 |
100 | if (returnData.tagList.Count > 0)
101 | {
102 | returnData.isSandbox = true;
103 | }
104 | return returnData;
105 | }
106 |
107 | //Check if computer name is specific
108 | public Generic.SandboxRes checkComputerName()
109 | {
110 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
111 | //Generic
112 | string[] list1 = { "klone_x64-pc", "tequilaboomboom" };
113 | foreach (string name in list1)
114 | {
115 | try
116 | {
117 | if (name.ToLower() == Environment.MachineName.ToLower())
118 | {
119 | Generic.SandboxTag aux = new Generic.SandboxTag("Generic", name);
120 | returnData.tagList.Add(aux);
121 | }
122 | }
123 | catch (Exception e)
124 | {
125 | Console.WriteLine("[/] Error:" + e);
126 | }
127 | }
128 | //Anubis
129 | string[] list2 = { "TU-4NH09SMCG1HC", "InsideTm" };
130 | foreach (string name in list2)
131 | {
132 | try
133 | {
134 | if (name.ToLower() == Environment.MachineName.ToLower())
135 | {
136 | Generic.SandboxTag aux = new Generic.SandboxTag("Anubis", name);
137 | returnData.tagList.Add(aux);
138 | }
139 | }
140 | catch (Exception e)
141 | {
142 | Console.WriteLine("[/] Error:" + e);
143 | }
144 | }
145 |
146 | if (returnData.tagList.Count > 0)
147 | {
148 | returnData.isSandbox = true;
149 | }
150 | return returnData;
151 | }
152 |
153 | //Check if host name is specific
154 | public Generic.SandboxRes checkHostName()
155 | {
156 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
157 | //General
158 | try
159 | {
160 | if ("SystemIT".ToLower() == Dns.GetHostName().ToLower())
161 | {
162 | Generic.SandboxTag aux = new Generic.SandboxTag("Generic", "SystemIT");
163 | returnData.tagList.Add(aux);
164 | }
165 | }
166 | catch (Exception e)
167 | {
168 | Console.WriteLine("[/] Error:" + e);
169 | }
170 |
171 | if (returnData.tagList.Count > 0)
172 | {
173 | returnData.isSandbox = true;
174 | }
175 | return returnData;
176 | }
177 |
178 | //Check if total RAM is low
179 | public Generic.SandboxRes checkComputerRAM()
180 | {
181 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
182 | try
183 | {
184 | double minium = 1; //1GB
185 | ObjectQuery wql = new ObjectQuery("SELECT * FROM Win32_OperatingSystem");
186 | ManagementObjectSearcher searcher = new ManagementObjectSearcher(wql);
187 | ManagementObjectCollection results = searcher.Get();
188 |
189 | double res;
190 | double fres = 0;
191 | foreach (ManagementObject result in results)
192 | {
193 | res = Convert.ToDouble(result["TotalVisibleMemorySize"]);
194 | fres += Math.Round((res / (1024 * 1024)), 2);
195 | }
196 | if (fres <= minium)
197 | {
198 | Generic.SandboxTag aux = new Generic.SandboxTag("RAM", fres.ToString());
199 | returnData.tagList.Add(aux);
200 | }
201 | }
202 | catch (Exception e)
203 | {
204 | Console.WriteLine("[/] Error:" + e);
205 | }
206 |
207 | if (returnData.tagList.Count > 0)
208 | {
209 | returnData.isSandbox = true;
210 | }
211 | return returnData;
212 | }
213 |
214 | //Check if screen resolution is non-usual for host OS
215 | public Generic.SandboxRes checkScreenRes()
216 | {
217 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
218 | //https://www.hobo-web.co.uk/best-screen-size/
219 | List list1 = new List { "1920x1080", "1366x768", "1440x900", "1536x864", "2560x1440", "1680x1050", "1280x720", "1280x800", "360x640", "1600x900" };
220 | string screenWidth = Screen.PrimaryScreen.Bounds.Width.ToString();
221 | string screenHeight = Screen.PrimaryScreen.Bounds.Height.ToString();
222 | if (!list1.Contains(screenWidth + "x" + screenHeight))
223 | {
224 | Generic.SandboxTag aux = new Generic.SandboxTag("Screen resolution", screenWidth + "x" + screenHeight);
225 | returnData.tagList.Add(aux);
226 | }
227 |
228 | if (returnData.tagList.Count > 0)
229 | {
230 | returnData.isSandbox = true;
231 | }
232 | return returnData;
233 | }
234 |
235 | //Check if number of processors is low
236 | public Generic.SandboxRes checkNProcessors()
237 | {
238 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
239 |
240 | if (Environment.ProcessorCount < 2)
241 | {
242 | Generic.SandboxTag aux = new Generic.SandboxTag("Number of processors", Environment.ProcessorCount.ToString());
243 | returnData.tagList.Add(aux);
244 | }
245 |
246 | if (returnData.tagList.Count > 0)
247 | {
248 | returnData.isSandbox = true;
249 | }
250 | return returnData;
251 | }
252 |
253 | //Check if quantity of monitors is small
254 | public Generic.SandboxRes checkNScreens()
255 | {
256 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
257 | int currentMonitorCount = Screen.AllScreens.Length;
258 | if (currentMonitorCount < 1)
259 | {
260 | Generic.SandboxTag aux = new Generic.SandboxTag("Quantity of monitors", currentMonitorCount.ToString());
261 | returnData.tagList.Add(aux);
262 | }
263 |
264 | if (returnData.tagList.Count > 0)
265 | {
266 | returnData.isSandbox = true;
267 | }
268 | return returnData;
269 | }
270 |
271 | //Check if hard disk drive size and free space are small
272 | public Generic.SandboxRes checkHDSize()
273 | {
274 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
275 | string mainDrive = Path.GetPathRoot(Environment.GetFolderPath(Environment.SpecialFolder.System));
276 | DriveInfo[] allDrives = DriveInfo.GetDrives();
277 |
278 | foreach (DriveInfo d in allDrives)
279 | {
280 | try
281 | {
282 | if (mainDrive == d.Name)
283 | {
284 | if (Math.Round(((double)d.TotalSize / (1024 * 1024 * 1024)), 2) <= 60) //60GB
285 | {
286 | Generic.SandboxTag aux = new Generic.SandboxTag("Hard disk drive size", Math.Round(((double)d.TotalSize / (1024 * 1024 * 1024)), 2).ToString() + " GB");
287 | returnData.tagList.Add(aux);
288 | }
289 | //if (Math.Round(((double)d.AvailableFreeSpace / (1024 * 1024 * 1024)), 2) <= 60) //60GB
290 | //{
291 | // Generic.SandboxTag aux = new Generic.SandboxTag("Hard disk free space", Math.Round(((double)d.AvailableFreeSpace / (1024 * 1024 * 1024)), 2).ToString() + " GB");
292 | // returnData.tagList.Add(aux);
293 | //}
294 | }
295 | }
296 | catch (Exception e)
297 | {
298 | Console.WriteLine("[/] Error:" + e);
299 | }
300 |
301 | }
302 |
303 | if (returnData.tagList.Count > 0)
304 | {
305 | returnData.isSandbox = true;
306 | }
307 | return returnData;
308 | }
309 |
310 | //Check if system uptime is small
311 | public Generic.SandboxRes checkSystemUptime()
312 | {
313 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
314 | int result = Environment.TickCount & Int32.MaxValue;
315 | int uptimeMax = 1000 * 60 * 12; // 12 minutes
316 | if (result < uptimeMax)
317 | {
318 | Generic.SandboxTag aux = new Generic.SandboxTag("System uptime", result.ToString() + " milliseconds");
319 | returnData.tagList.Add(aux);
320 | }
321 |
322 | if (returnData.tagList.Count > 0)
323 | {
324 | returnData.isSandbox = true;
325 | }
326 | return returnData;
327 | }
328 |
329 |
330 | //[DllImport("kernel32.dll", SetLastError = true)]
331 | //static extern bool IsNativeVhdBoot(ref bool NativeVhdBoot);
332 |
333 |
334 | //Check if os was boot from virtual hard disk
335 | //public Generic.SandboxRes checkBootVirtual()
336 | //{
337 | // Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
338 | // bool isNative = false;
339 | // bool auxB = false;
340 | // isNative = IsNativeVhdBoot(ref auxB);
341 | // if (isNative)
342 | // {
343 | // Generic.SandboxTag aux = new Generic.SandboxTag("Boot from virtual hard disk", isNative.ToString());
344 | // returnData.tagList.Add(aux);
345 | // }
346 | // if (returnData.tagList.Count > 0)
347 | // {
348 | // returnData.isSandbox = true;
349 | // }
350 | // return returnData;
351 | //}
352 | }
353 | }
354 |
--------------------------------------------------------------------------------
/SLib/OsFeatures.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Diagnostics;
4 | using System.Runtime.InteropServices;
5 |
6 | namespace SLib
7 | {
8 | public class OsFeatures
9 | {
10 | [Flags]
11 | public enum ProcessAccessFlags : uint
12 | {
13 | QueryLimitedInformation = 0x1000
14 | }
15 |
16 | [DllImport("kernel32.dll", SetLastError = true)]
17 | private static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess,
18 | bool bInheritHandle, int dwProcessId);
19 |
20 |
21 | //Checking debug privileges
22 | public Generic.SandboxRes checkDebugPrivs()
23 | {
24 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
25 | try
26 | {
27 | Process[] target = Process.GetProcessesByName("csrss");
28 | if (target.Length > 0)
29 | {
30 | IntPtr hprocess = OpenProcess(ProcessAccessFlags.QueryLimitedInformation, false, target[0].Id);
31 | if (hprocess != IntPtr.Zero)
32 | {
33 | Generic.SandboxTag aux = new Generic.SandboxTag("Debug privileges", "Enabled");
34 | returnData.tagList.Add(aux);
35 | }
36 |
37 | }
38 | }
39 | catch (Exception e)
40 | {
41 | //Console.WriteLine("[/] Error:" + e);
42 | }
43 |
44 | if (returnData.tagList.Count > 0)
45 | {
46 | returnData.isSandbox = true;
47 | }
48 | return returnData;
49 | }
50 | }
51 | }
52 |
--------------------------------------------------------------------------------
/SLib/Processes.cs:
--------------------------------------------------------------------------------
1 | using System.Collections.Generic;
2 | using System.Diagnostics;
3 |
4 | namespace SLib
5 | {
6 | public class Processes
7 | {
8 | //Check if specific files exist
9 | public Generic.SandboxRes checkProcessName()
10 | {
11 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
12 | //VirtualBox
13 | string[] list1 = { "vboxservice", "vboxtray" };
14 | foreach (string p in list1)
15 | {
16 | Process[] pByName = Process.GetProcessesByName(p);
17 | if (pByName.Length > 0)
18 | {
19 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", p);
20 | returnData.tagList.Add(aux);
21 | }
22 | }
23 | //JoeBox
24 | string[] list2 = { "joeboxserver", "joeboxcontrol" };
25 | foreach (string p in list2)
26 | {
27 | Process[] pByName = Process.GetProcessesByName(p);
28 | if (pByName.Length > 0)
29 | {
30 | Generic.SandboxTag aux = new Generic.SandboxTag("JoeBox", p);
31 | returnData.tagList.Add(aux);
32 | }
33 | }
34 | //Parallels
35 | string[] list3 = { "prl_cc", "prl_tools" };
36 | foreach (string p in list3)
37 | {
38 | Process[] pByName = Process.GetProcessesByName(p);
39 | if (pByName.Length > 0)
40 | {
41 | Generic.SandboxTag aux = new Generic.SandboxTag("Parallels", p);
42 | returnData.tagList.Add(aux);
43 | }
44 | }
45 | //VirtualPC
46 | string[] list4 = { "vmsrvc", "vmusrvc" };
47 | foreach (string p in list4)
48 | {
49 | Process[] pByName = Process.GetProcessesByName(p);
50 | if (pByName.Length > 0)
51 | {
52 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualPC", p);
53 | returnData.tagList.Add(aux);
54 | }
55 | }
56 | //VMWare
57 | string[] list5 = { "vmtoolsd", "vmacthlp", "vmwaretray", "vmwareuser", "vmware", "vmount2" };
58 | foreach (string p in list5)
59 | {
60 | Process[] pByName = Process.GetProcessesByName(p);
61 | if (pByName.Length > 0)
62 | {
63 | Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", p);
64 | returnData.tagList.Add(aux);
65 | }
66 | }
67 | //Xen
68 | string[] list6 = { "xenservice", "xsvc_depriv" };
69 | foreach (string p in list6)
70 | {
71 | Process[] pByName = Process.GetProcessesByName(p);
72 | if (pByName.Length > 0)
73 | {
74 | Generic.SandboxTag aux = new Generic.SandboxTag("Xen", p);
75 | returnData.tagList.Add(aux);
76 | }
77 | }
78 | //WPE Pro
79 | string[] list7 = { "WPE Pro" };
80 | foreach (string p in list7)
81 | {
82 | Process[] pByName = Process.GetProcessesByName(p);
83 | if (pByName.Length > 0)
84 | {
85 | Generic.SandboxTag aux = new Generic.SandboxTag("WPE Pro", p);
86 | returnData.tagList.Add(aux);
87 | }
88 | }
89 |
90 | if (returnData.tagList.Count > 0)
91 | {
92 | returnData.isSandbox = true;
93 | }
94 | return returnData;
95 | }
96 |
97 |
98 | //Check if specific libraries are loaded in the process address space
99 | public Generic.SandboxRes checkProcessDll()
100 | {
101 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
102 | Process currentProcess = Process.GetCurrentProcess();
103 | ProcessModuleCollection myProcessModuleCollection = currentProcess.Modules;
104 | List list1 = new List { "api_log.dll", "dir_watch.dll", "pstorec.dll" };
105 | foreach (ProcessModule m in myProcessModuleCollection)
106 | {
107 | //CWSandbox
108 | if (list1.Contains(m.ModuleName.ToLower()))
109 | {
110 | Generic.SandboxTag aux = new Generic.SandboxTag("CWSandbox", m.ModuleName);
111 | returnData.tagList.Add(aux);
112 | }
113 | //Sandboxie
114 | if ("sbiedll.dll" == m.ModuleName.ToLower())
115 | {
116 | Generic.SandboxTag aux = new Generic.SandboxTag("Sandboxie", m.ModuleName);
117 | returnData.tagList.Add(aux);
118 | }
119 | //ThreatExpert
120 | if ("dbghelp.dll" == m.ModuleName.ToLower())
121 | {
122 | Generic.SandboxTag aux = new Generic.SandboxTag("ThreatExpert", m.ModuleName);
123 | returnData.tagList.Add(aux);
124 | }
125 | //VirtualPC
126 | if ("vmcheck.dll" == m.ModuleName.ToLower())
127 | {
128 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualPC", m.ModuleName);
129 | returnData.tagList.Add(aux);
130 | }
131 | //WPE Pro
132 | if ("wpespy.dll" == m.ModuleName.ToLower())
133 | {
134 | Generic.SandboxTag aux = new Generic.SandboxTag("WPE Pro", m.ModuleName);
135 | returnData.tagList.Add(aux);
136 | }
137 | }
138 |
139 | if (returnData.tagList.Count > 0)
140 | {
141 | returnData.isSandbox = true;
142 | }
143 | return returnData;
144 | }
145 |
146 | //Check number of processes
147 | public Generic.SandboxRes checkNProcess()
148 | {
149 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
150 | Process[] processL = Process.GetProcesses();
151 | if (processL.Length < 85)
152 | {
153 | Generic.SandboxTag aux = new Generic.SandboxTag("Number of processes", processL.Length.ToString());
154 | returnData.tagList.Add(aux);
155 | }
156 |
157 | if (returnData.tagList.Count > 0)
158 | {
159 | returnData.isSandbox = true;
160 | }
161 | return returnData;
162 | }
163 | }
164 | }
165 |
--------------------------------------------------------------------------------
/SLib/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("SLib")]
9 | [assembly: AssemblyDescription("Sandbox Evasion Lib")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("CoonLabs")]
12 | [assembly: AssemblyProduct("SLib")]
13 | [assembly: AssemblyCopyright("Copyright © 2020")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("5223fef1-60ba-423d-83c4-656b66c44a7a")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/SLib/RegistryQuery.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 | using Microsoft.Win32;
7 |
8 |
9 | namespace SLib
10 | {
11 | public class RegistryQuery
12 | {
13 | //Check if particular registry paths exist
14 | public Generic.SandboxRes checkPath()
15 | {
16 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
17 | //VMware
18 | try
19 | {
20 | RegistryKey regUser = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\VMware, Inc.\VMware Tools", false);
21 | if (regUser != null)
22 | {
23 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKCU\SOFTWARE\VMware, Inc.\VMware Tools");
24 | returnData.tagList.Add(aux);
25 | }
26 | }
27 | catch (Exception e)
28 | {
29 | //Console.WriteLine("[/] Error:" + e);
30 | }
31 | string[] list1 = { @"SOFTWARE\VMware, Inc.\VMware Tools", @"SYSTEM\ControlSet001\Services\vmdebug", @"SYSTEM\ControlSet001\Services\vmmouse", @"SYSTEM\ControlSet001\Services\VMTools", @"SYSTEM\ControlSet001\Services\VMMEMCTL", @"SYSTEM\ControlSet001\Services\vmware", @"SYSTEM\ControlSet001\Services\vmci", @"SYSTEM\ControlSet001\Services\vmx86" };
32 | foreach (string s in list1)
33 | {
34 | try
35 | {
36 | RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(s, false);
37 | if (regMachine != null)
38 | {
39 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", "HKLM\\" + s);
40 | returnData.tagList.Add(aux);
41 | }
42 | }
43 | catch (Exception e)
44 | {
45 | //Console.WriteLine("[/] Error:" + e);
46 | }
47 | }
48 | //General
49 | try
50 | {
51 | RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(@"Software\Classes\Folder\shell\sandbox", false);
52 | if (regMachine != null)
53 | {
54 | Generic.SandboxTag aux = new Generic.SandboxTag("General", @"HKLM\Software\Classes\Folder\shell\sandbox");
55 | returnData.tagList.Add(aux);
56 | }
57 | }
58 | catch (Exception e)
59 | {
60 | //Console.WriteLine("[/] Error:" + e);
61 | }
62 | //Hyper-V
63 | string[] list2 = { @"SOFTWARE\Microsoft\Hyper-V", @"SOFTWARE\Microsoft\VirtualMachine", @"SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters", @"SYSTEM\ControlSet001\Services\vmicheartbeat", @"SYSTEM\ControlSet001\Services\vmicvss", @"SYSTEM\ControlSet001\Services\vmicshutdown", @"SYSTEM\ControlSet001\Services\vmicexchange" };
64 | foreach (string s in list2)
65 | {
66 | try
67 | {
68 | RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(s, false);
69 | if (regMachine != null)
70 | {
71 | Generic.SandboxTag aux = new Generic.SandboxTag("Hyper-V", "HKLM\\" + s);
72 | returnData.tagList.Add(aux);
73 | }
74 | }
75 | catch (Exception e)
76 | {
77 | //Console.WriteLine("[/] Error:" + e);
78 | }
79 | }
80 | //Sandboxie
81 | string[] list3 = { @"SYSTEM\CurrentControlSet\Services\SbieDrv", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie" };
82 | foreach (string s in list3)
83 | {
84 | try
85 | {
86 | RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(s, false);
87 | if (regMachine != null)
88 | {
89 | Generic.SandboxTag aux = new Generic.SandboxTag("Sandboxie", "HKLM\\" + s);
90 | returnData.tagList.Add(aux);
91 | }
92 | }
93 | catch (Exception e)
94 | {
95 | //Console.WriteLine("[/] Error:" + e);
96 | }
97 | }
98 | //VirtualBox
99 | string[] list4 = { @"HARDWARE\ACPI\DSDT\VBOX__", @"HARDWARE\ACPI\FADT\VBOX__", @"HARDWARE\ACPI\RSDT\VBOX__", @"SOFTWARE\Oracle\VirtualBox Guest Additions", @"SYSTEM\ControlSet001\Services\VBoxGuest", @"SYSTEM\ControlSet001\Services\VBoxMouse", @"SYSTEM\ControlSet001\Services\VBoxService", @"SYSTEM\ControlSet001\Services\VBoxSF", @"SYSTEM\ControlSet001\Services\VBoxVideo" };
100 | foreach (string s in list4)
101 | {
102 | try
103 | {
104 | RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(s, false);
105 | if (regMachine != null)
106 | {
107 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", "HKLM\\" + s);
108 | returnData.tagList.Add(aux);
109 | }
110 | }
111 | catch (Exception e)
112 | {
113 | //Console.WriteLine("[/] Error:" + e);
114 | }
115 | }
116 | //VirtualPC
117 | string[] list5 = { @"SYSTEM\ControlSet001\Services\vpcbus", @"SYSTEM\ControlSet001\Services\vpc-s3", @"SYSTEM\ControlSet001\Services\vpcuhub", @"SYSTEM\ControlSet001\Services\msvmmouf" };
118 | foreach (string s in list5)
119 | {
120 | try
121 | {
122 | RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(s, false);
123 | if (regMachine != null)
124 | {
125 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualPC", "HKLM\\" + s);
126 | returnData.tagList.Add(aux);
127 | }
128 | }
129 | catch (Exception e)
130 | {
131 | //Console.WriteLine("[/] Error:" + e);
132 | }
133 | }
134 | //Xen
135 | string[] list6 = { @"HARDWARE\ACPI\DSDT\xen", @"HARDWARE\ACPI\FADT\xen", @"HARDWARE\ACPI\RSDT\xen", @"SYSTEM\ControlSet001\Services\xenevtchn", @"SYSTEM\ControlSet001\Services\xennet", @"SYSTEM\ControlSet001\Services\xennet6", @"SYSTEM\ControlSet001\Services\xensvc", @"SYSTEM\ControlSet001\Services\xenvdb" };
136 | foreach (string s in list6)
137 | {
138 | try
139 | {
140 | RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(s, false);
141 | if (regMachine != null)
142 | {
143 | Generic.SandboxTag aux = new Generic.SandboxTag("Xen", "HKLM\\" + s);
144 | returnData.tagList.Add(aux);
145 | }
146 | }
147 | catch (Exception e)
148 | {
149 | //Console.WriteLine("[/] Error:" + e);
150 | }
151 | }
152 | //Wine
153 | try
154 | {
155 | RegistryKey regUser = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\Wine", false);
156 | if (regUser != null)
157 | {
158 | Generic.SandboxTag aux = new Generic.SandboxTag("Wine", @"SOFTWARE\Wine");
159 | returnData.tagList.Add(aux);
160 | }
161 | }
162 | catch (Exception e)
163 | {
164 | //Console.WriteLine("[/] Error:" + e);
165 | }
166 | try
167 | {
168 | RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Wine", false);
169 | if (regMachine != null)
170 | {
171 | Generic.SandboxTag aux = new Generic.SandboxTag("Wine", @"SOFTWARE\Wine");
172 | returnData.tagList.Add(aux);
173 | }
174 | }
175 | catch (Exception e)
176 | {
177 | //Console.WriteLine("[/] Error:" + e);
178 | }
179 |
180 | if (returnData.tagList.Count > 0)
181 | {
182 | returnData.isSandbox = true;
183 | }
184 | return returnData;
185 | }
186 |
187 | //Check if particular registry keys contain specified strings
188 | public Generic.SandboxRes checkKeyValue()
189 | {
190 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
191 | //VMWare
192 | if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "VMWARE"))
193 | {
194 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 : Identifier - VMWARE");
195 | returnData.tagList.Add(aux);
196 | }
197 | if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "VMWARE"))
198 | {
199 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 : Identifier - VMWARE");
200 | returnData.tagList.Add(aux);
201 | }
202 | if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "VMWARE"))
203 | {
204 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 : Identifier - VMWARE");
205 | returnData.tagList.Add(aux);
206 | }
207 | if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosVersion", "VMWARE"))
208 | {
209 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\Description\System : SystemBiosVersion - VMWARE");
210 | returnData.tagList.Add(aux);
211 | }
212 | if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosVersion", "INTEL - 6040000"))
213 | {
214 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\Description\System : SystemBiosVersion - INTEL - 6040000");
215 | returnData.tagList.Add(aux);
216 | }
217 | if (checkKey("HKLM", @"HARDWARE\Description\System", "VideoBiosVersion", "VMWARE"))
218 | {
219 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\Description\System : VideoBiosVersion - VMWARE");
220 | returnData.tagList.Add(aux);
221 | }
222 | if (checkKey("HKLM", @"HARDWARE\Description\System\BIOS", "SystemProductName", "VMWARE"))
223 | {
224 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\Description\System\BIOS : SystemProductName - VMWARE");
225 | returnData.tagList.Add(aux);
226 | }
227 | if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "0", "VMWARE"))
228 | {
229 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum : 0 - VMWARE");
230 | returnData.tagList.Add(aux);
231 | }
232 | if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "1", "VMWARE"))
233 | {
234 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum : 1 - VMWARE");
235 | returnData.tagList.Add(aux);
236 | }
237 | if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "DeviceDesc", "VMWARE"))
238 | {
239 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum : DeviceDesc - VMWARE");
240 | returnData.tagList.Add(aux);
241 | }
242 | if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "FriendlyName", "VMWARE"))
243 | {
244 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum : FriendlyName - VMWARE");
245 | returnData.tagList.Add(aux);
246 | }
247 | if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "DeviceDesc", "VMWARE"))
248 | {
249 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum : DeviceDesc - VMWARE");
250 | returnData.tagList.Add(aux);
251 | }
252 | if (checkKey("HKLM", @"SYSTEM\ControlSet002\Services\Disk\Enum", "FriendlyName", "VMWARE"))
253 | {
254 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet002\Services\Disk\Enum : FriendlyName - VMWARE");
255 | returnData.tagList.Add(aux);
256 | }
257 | if (checkKey("HKLM", @"SYSTEM\ControlSet002\Services\Disk\Enum", "DeviceDesc", "VMWARE"))
258 | {
259 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet002\Services\Disk\Enum : DeviceDesc - VMWARE");
260 | returnData.tagList.Add(aux);
261 | }
262 | if (checkKey("HKLM", @"SYSTEM\ControlSet003\Services\Disk\Enum", "FriendlyName", "VMWARE"))
263 | {
264 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet003\Services\Disk\Enum : FriendlyName - VMWARE");
265 | returnData.tagList.Add(aux);
266 | }
267 | if (checkKey("HKLM", @"SYSTEM\ControlSet003\Services\Disk\Enum", "DeviceDesc", "VMWARE"))
268 | {
269 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet003\Services\Disk\Enum : DeviceDesc - VMWARE");
270 | returnData.tagList.Add(aux);
271 | }
272 | if (checkKey("HKCR", @"Installer\Products", "ProductName", "vmware tools"))
273 | {
274 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKCR\Installer\Products : ProductName - vmware tools");
275 | returnData.tagList.Add(aux);
276 | }
277 | if (checkKey("HKCU", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", "DisplayName", "vmware tools"))
278 | {
279 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall : DisplayName - vmware tools");
280 | returnData.tagList.Add(aux);
281 | }
282 | if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", "DisplayName", "vmware tools"))
283 | {
284 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall : DisplayName - vmware tools");
285 | returnData.tagList.Add(aux);
286 | }
287 | if (checkKey("HKLM", @"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000", "CoInstallers32", "vmx"))
288 | {
289 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 : CoInstallers32 - vmx");
290 | returnData.tagList.Add(aux);
291 | }
292 | if (checkKey("HKLM", @"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000", "DriverDesc", "VMware"))
293 | {
294 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 : DriverDesc - VMware");
295 | returnData.tagList.Add(aux);
296 | }
297 | if (checkKey("HKLM", @"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000", "InfSection", "vmx"))
298 | {
299 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 : InfSection - vmx");
300 | returnData.tagList.Add(aux);
301 | }
302 | if (checkKey("HKLM", @"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000", "ProviderName", "VMware"))
303 | {
304 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 : ProviderName - VMware");
305 | returnData.tagList.Add(aux);
306 | }
307 | if (checkKey("HKLM", @"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000", "Device Description", "VMware"))
308 | {
309 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 : Device Description - VMware");
310 | returnData.tagList.Add(aux);
311 | }
312 | if (checkKey("HKLM", @"SYSTEM\CurrentControlSet\Control\SystemInformation", "SystemProductName", "VMWARE"))
313 | {
314 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation : SystemProductName - VMWARE");
315 | returnData.tagList.Add(aux);
316 | }
317 | RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Video", false);
318 | string[] valueNames = regMachine.GetSubKeyNames();
319 | foreach (string entry in valueNames)
320 | {
321 | if (checkKey("HKLM", @"SYSTEM\CurrentControlSet\Control\Video\" + entry + @"\Video", "Service", "vm3dmp"))
322 | {
323 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\CurrentControlSet\Control\Video\" + entry + @"\Video : Service - vm3dmp");
324 | returnData.tagList.Add(aux);
325 | }
326 | if (checkKey("HKLM", @"SYSTEM\CurrentControlSet\Control\Video\" + entry + @"\Video", "Service", "vmx_svga"))
327 | {
328 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\CurrentControlSet\Control\Video\" + entry + @"\Video : Service - vmx_svga");
329 | returnData.tagList.Add(aux);
330 | }
331 | if (checkKey("HKLM", @"SYSTEM\CurrentControlSet\Control\Video\" + entry + @"\0000", "Device Description", "VMware SVGA"))
332 | {
333 | Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\CurrentControlSet\Control\Video\" + entry + @"\0000 : Device Description - VMware SVGA");
334 | returnData.tagList.Add(aux);
335 | }
336 | }
337 | //Xen
338 | if (checkKey("HKLM", @"HARDWARE\Description\System\BIOS", "SystemProductName", "Xen"))
339 | {
340 | Generic.SandboxTag aux = new Generic.SandboxTag("Xen", @"HKLM\HARDWARE\Description\System\BIOS : SystemProductName - Xen");
341 | returnData.tagList.Add(aux);
342 | }
343 | //General
344 | if (checkKey("HKLM", @"HARDWARE\Description\System\BIOS", "SystemProductName", "A M I"))
345 | {
346 | Generic.SandboxTag aux = new Generic.SandboxTag("General", @"HKLM\HARDWARE\Description\System\BIOS : SystemProductName - A M I");
347 | returnData.tagList.Add(aux);
348 | }
349 | if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosDate", "06/23/99"))
350 | {
351 | Generic.SandboxTag aux = new Generic.SandboxTag("General", @"HKLM\HARDWARE\Description\System : SystemBiosDate - 06/23/99");
352 | returnData.tagList.Add(aux);
353 | }
354 | //BOCHS
355 | if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosVersion", "BOCHS"))
356 | {
357 | Generic.SandboxTag aux = new Generic.SandboxTag("BOCHS", @"HKLM\HARDWARE\Description\System : SystemBiosVersion - BOCHS");
358 | returnData.tagList.Add(aux);
359 | }
360 | if (checkKey("HKLM", @"HARDWARE\Description\System", "VideoBiosVersion", "BOCHS"))
361 | {
362 | Generic.SandboxTag aux = new Generic.SandboxTag("BOCHS", @"HKLM\HARDWARE\Description\System : VideoBiosVersion - BOCHS");
363 | returnData.tagList.Add(aux);
364 | }
365 | //Anubis
366 | if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductID", "76487-337-8429955-22614"))
367 | {
368 | Generic.SandboxTag aux = new Generic.SandboxTag("Anubis", @"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion : ProductID - 76487-337-8429955-22614");
369 | returnData.tagList.Add(aux);
370 | }
371 | if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductID", "76487-337-8429955-22614"))
372 | {
373 | Generic.SandboxTag aux = new Generic.SandboxTag("Anubis", @"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion : ProductID - 76487-337-8429955-22614");
374 | returnData.tagList.Add(aux);
375 | }
376 | //CwSandbox
377 | if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductID", "76487-644-3177037-23510"))
378 | {
379 | Generic.SandboxTag aux = new Generic.SandboxTag("CwSandbox", @"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion : ProductID - 76487-644-3177037-23510");
380 | returnData.tagList.Add(aux);
381 | }
382 | if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductID", "76487-644-3177037-23510"))
383 | {
384 | Generic.SandboxTag aux = new Generic.SandboxTag("CwSandbox", @"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion : ProductID - 76487-644-3177037-23510");
385 | returnData.tagList.Add(aux);
386 | }
387 | //JoeBox
388 | if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductID", "55274-640-2673064-23950"))
389 | {
390 | Generic.SandboxTag aux = new Generic.SandboxTag("CwSandbox", @"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion : ProductID - 55274-640-2673064-23950");
391 | returnData.tagList.Add(aux);
392 | }
393 | if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductID", "55274-640-2673064-23950"))
394 | {
395 | Generic.SandboxTag aux = new Generic.SandboxTag("CwSandbox", @"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion : ProductID - 55274-640-2673064-23950");
396 | returnData.tagList.Add(aux);
397 | }
398 | //Parallels
399 | if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosVersion", "PARALLELS"))
400 | {
401 | Generic.SandboxTag aux = new Generic.SandboxTag("Parallels", @"HKLM\HARDWARE\Description\System : SystemBiosVersion - PARALLELS");
402 | returnData.tagList.Add(aux);
403 | }
404 | if (checkKey("HKLM", @"HARDWARE\Description\System", "VideoBiosVersion", "PARALLELS"))
405 | {
406 | Generic.SandboxTag aux = new Generic.SandboxTag("Parallels", @"HKLM\HARDWARE\Description\System : VideoBiosVersion - PARALLELS");
407 | returnData.tagList.Add(aux);
408 | }
409 | //QEMU
410 | if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "QEMU"))
411 | {
412 | Generic.SandboxTag aux = new Generic.SandboxTag("QEMU", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 : Identifier - QEMU");
413 | returnData.tagList.Add(aux);
414 | }
415 | if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosVersion", "QEMU"))
416 | {
417 | Generic.SandboxTag aux = new Generic.SandboxTag("QEMU", @"HKLM\HKLM\HARDWARE\Description\System : SystemBiosVersion - QEMU");
418 | returnData.tagList.Add(aux);
419 | }
420 | if (checkKey("HKLM", @"HARDWARE\Description\System", "VideoBiosVersion", "QEMU"))
421 | {
422 | Generic.SandboxTag aux = new Generic.SandboxTag("QEMU", @"HKLM\HARDWARE\Description\System : VideoBiosVersion - QEMU");
423 | returnData.tagList.Add(aux);
424 | }
425 | if (checkKey("HKLM", @"HARDWARE\Description\System\BIOS ", "SystemManufacturer", "QEMU"))
426 | {
427 | Generic.SandboxTag aux = new Generic.SandboxTag("QEMU", @"HKLM\HARDWARE\Description\System\BIOS : VideoBiosVersion - QEMU");
428 | returnData.tagList.Add(aux);
429 | }
430 | //VirtualBox
431 | if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "VBOX"))
432 | {
433 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0: Identifier - VBOX");
434 | returnData.tagList.Add(aux);
435 | }
436 | if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "VBOX"))
437 | {
438 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0: Identifier - VBOX");
439 | returnData.tagList.Add(aux);
440 | }
441 | if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "VBOX"))
442 | {
443 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0: Identifier - VBOX");
444 | returnData.tagList.Add(aux);
445 | }
446 | if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosVersion", "VBOX"))
447 | {
448 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\HARDWARE\Description\System: SystemBiosVersion - VBOX");
449 | returnData.tagList.Add(aux);
450 | }
451 | if (checkKey("HKLM", @"HARDWARE\Description\System", "VideoBiosVersion", "VIRTUALBOX"))
452 | {
453 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\HARDWARE\Description\System: VideoBiosVersion - VIRTUALBOX");
454 | returnData.tagList.Add(aux);
455 | }
456 | if (checkKey("HKLM", @"HARDWARE\Description\System\BIOS", "SystemProductName", "VIRTUAL"))
457 | {
458 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\HARDWARE\Description\System\BIOS: SystemProductName - VIRTUAL");
459 | returnData.tagList.Add(aux);
460 | }
461 | if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "DeviceDesc", "VBOX"))
462 | {
463 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum: DeviceDesc - VBOX");
464 | returnData.tagList.Add(aux);
465 | }
466 | if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "FriendlyName", "VBOX"))
467 | {
468 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum: FriendlyName - VBOX");
469 | returnData.tagList.Add(aux);
470 | }
471 | if (checkKey("HKLM", @"SYSTEM\ControlSet002\Services\Disk\Enum", "DeviceDesc", "VBOX"))
472 | {
473 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\ControlSet002\Services\Disk\Enum: DeviceDesc - VBOX");
474 | returnData.tagList.Add(aux);
475 | }
476 | if (checkKey("HKLM", @"SYSTEM\ControlSet002\Services\Disk\Enum", "FriendlyName", "VBOX"))
477 | {
478 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\ControlSet002\Services\Disk\Enum: FriendlyName - VBOX");
479 | returnData.tagList.Add(aux);
480 | }
481 | if (checkKey("HKLM", @"SYSTEM\ControlSet003\Services\Disk\Enum", "DeviceDesc", "VBOX"))
482 | {
483 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\ControlSet003\Services\Disk\Enum: DeviceDesc - VBOX");
484 | returnData.tagList.Add(aux);
485 | }
486 | if (checkKey("HKLM", @"SYSTEM\ControlSet003\Services\Disk\Enum", "FriendlyName", "VBOX"))
487 | {
488 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\ControlSet003\Services\Disk\Enum: FriendlyName - VBOX");
489 | returnData.tagList.Add(aux);
490 | }
491 | if (checkKey("HKLM", @"SYSTEM\CurrentControlSet\Control\SystemInformation", "SystemProductName", "VIRTUAL"))
492 | {
493 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation: SystemProductName - VIRTUAL");
494 | returnData.tagList.Add(aux);
495 | }
496 | if (checkKey("HKLM", @"SYSTEM\CurrentControlSet\Control\SystemInformation", "SystemProductName", "VIRTUALBOX"))
497 | {
498 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation: SystemProductName - VIRTUALBOX");
499 | returnData.tagList.Add(aux);
500 | }
501 |
502 | if (returnData.tagList.Count > 0)
503 | {
504 | returnData.isSandbox = true;
505 | }
506 | return returnData;
507 | }
508 |
509 |
510 | private bool checkKey(string root, string registryPath, string key, string value)
511 | {
512 | bool output = false;
513 | try
514 | {
515 | RegistryKey auxKey = null;
516 | if (root == "HKLM")
517 | {
518 | auxKey = Registry.LocalMachine.OpenSubKey(registryPath, false);
519 | }
520 | else if (root == "HKCU")
521 | {
522 | auxKey = Registry.CurrentUser.OpenSubKey(registryPath, false);
523 | }
524 | else if (root == "HKCR")
525 | {
526 | auxKey = Registry.ClassesRoot.OpenSubKey(registryPath, false);
527 | }
528 | if (auxKey != null)
529 | {
530 | object auxValue = auxKey.GetValue(key);
531 | if (auxValue is string)
532 | {
533 | string v = (string)auxValue;
534 | if (v.ToLower().Contains(value.ToLower()))
535 | {
536 | output = true;
537 | }
538 | }
539 | else if (auxValue is string[])
540 | {
541 | string[] v = (string[])auxValue;
542 | foreach (string element in v)
543 | {
544 | if (element.ToLower().Contains(value.ToLower()))
545 | {
546 | output = true;
547 | }
548 | }
549 | }
550 | }
551 | }
552 | catch (Exception e)
553 | {
554 | Console.WriteLine(e);
555 | output = false;
556 | }
557 | return output;
558 | }
559 | }
560 | }
561 |
--------------------------------------------------------------------------------
/SLib/SLib.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}
8 | Library
9 | SLib
10 | SLib
11 | v4.5
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 |
36 |
37 |
38 | true
39 | bin\x64\Debug\
40 | DEBUG;TRACE
41 | full
42 | x64
43 | 7.3
44 | prompt
45 |
46 |
47 | bin\x64\Release\
48 | TRACE
49 | true
50 | pdbonly
51 | x64
52 | 7.3
53 | prompt
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
--------------------------------------------------------------------------------
/SLib/SLib.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30717.126
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SLib", "SLib.csproj", "{5223FEF1-60BA-423D-83C4-656B66C44A7A}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SLibTests", "..\SLibTests\SLibTests.csproj", "{AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|Any CPU = Debug|Any CPU
13 | Release|Any CPU = Release|Any CPU
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}.Release|Any CPU.ActiveCfg = Release|Any CPU
19 | {5223FEF1-60BA-423D-83C4-656B66C44A7A}.Release|Any CPU.Build.0 = Release|Any CPU
20 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
21 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}.Debug|Any CPU.Build.0 = Debug|Any CPU
22 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}.Release|Any CPU.ActiveCfg = Release|Any CPU
23 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}.Release|Any CPU.Build.0 = Release|Any CPU
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {A793D924-083E-4FA8-8A26-0E157E905713}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/SLib/UiArtifacts.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Diagnostics;
4 | using System.Runtime.InteropServices;
5 |
6 | namespace SLib
7 | {
8 | public class UiArtifacts
9 | {
10 | [DllImport("user32.dll", SetLastError = true)]
11 | static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
12 |
13 | //Check if windows with certain class names are present in the OS
14 | public Generic.SandboxRes checkWindowTitle()
15 | {
16 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
17 |
18 | IntPtr hWnd = FindWindow("VBoxTrayToolWndClass", null);
19 | if (hWnd.ToInt32() != 0)
20 | {
21 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", "VBoxTrayToolWndClass");
22 | returnData.tagList.Add(aux);
23 | }
24 | IntPtr hWnd2 = FindWindow(null, "VBoxTrayToolWnd");
25 | if (hWnd2.ToInt32() != 0)
26 | {
27 | Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", "VBoxTrayToolWnd");
28 | returnData.tagList.Add(aux);
29 | }
30 |
31 | if (returnData.tagList.Count > 0)
32 | {
33 | returnData.isSandbox = true;
34 | }
35 | return returnData;
36 | }
37 |
38 | //Check if top level windows' number is too small
39 | public Generic.SandboxRes checkNWindows()
40 | {
41 | Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List());
42 |
43 | Process[] processlist = Process.GetProcesses();
44 | int count = 0;
45 | foreach (Process process in processlist)
46 | {
47 | if (!String.IsNullOrEmpty(process.MainWindowTitle))
48 | {
49 | count++;
50 | }
51 | }
52 | if (count < 10)
53 | {
54 | Generic.SandboxTag aux = new Generic.SandboxTag("Number of top level windows", count.ToString());
55 | returnData.tagList.Add(aux);
56 | }
57 |
58 | if (returnData.tagList.Count > 0)
59 | {
60 | returnData.isSandbox = true;
61 | }
62 | return returnData;
63 | }
64 | }
65 | }
66 |
--------------------------------------------------------------------------------
/SLibTests/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/SLibTests/Program.cs:
--------------------------------------------------------------------------------
1 | using SLib;
2 | using System;
3 |
4 | namespace SLibTests
5 | {
6 | class Program
7 | {
8 | static void Main(string[] args)
9 | {
10 | Filesystem fsChecks = new Filesystem();
11 | Generic.SandboxRes fsRes1 = fsChecks.checkFiles();
12 | Console.WriteLine("[+] Filesystem detection methods");
13 | Console.WriteLine(" [-] Check if specific files exist");
14 | Console.WriteLine(" [*] Is sandbox? " + fsRes1.isSandbox.ToString());
15 | foreach (Generic.SandboxTag tag in fsRes1.tagList)
16 | {
17 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
18 | }
19 |
20 | Generic.SandboxRes fsRes2 = fsChecks.checkDirectories();
21 | Console.WriteLine(" [-] Check if specific directories are present");
22 | Console.WriteLine(" [*] Is sandbox? " + fsRes2.isSandbox.ToString());
23 | foreach (Generic.SandboxTag tag in fsRes2.tagList)
24 | {
25 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
26 | }
27 | Generic.SandboxRes fsRes3 = fsChecks.checkExePath();
28 | Console.WriteLine(" [-] Check if full path to the executable contains one of the specific strings &\n" +
29 | " Check if the executable is run from specific directory");
30 | Console.WriteLine(" [*] Is sandbox? " + fsRes3.isSandbox.ToString());
31 | foreach (Generic.SandboxTag tag in fsRes3.tagList)
32 | {
33 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
34 | }
35 | Generic.SandboxRes fsRes4 = fsChecks.checkExeRoot();
36 | Console.WriteLine(" [-] Check if the executable files with specific names are present in physical disk drives' root");
37 | Console.WriteLine(" [*] Is sandbox? " + fsRes4.isSandbox.ToString());
38 | foreach (Generic.SandboxTag tag in fsRes4.tagList)
39 | {
40 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
41 | }
42 | Console.WriteLine();
43 | RegistryQuery rQuery = new RegistryQuery();
44 | Console.WriteLine("[+] Registry detection methods");
45 | Generic.SandboxRes rQueryRes1 = rQuery.checkPath();
46 | Console.WriteLine(" [-] Check if particular registry paths exist");
47 | Console.WriteLine(" [*] Is sandbox? " + rQueryRes1.isSandbox.ToString());
48 | foreach (Generic.SandboxTag tag in rQueryRes1.tagList)
49 | {
50 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
51 | }
52 | Generic.SandboxRes rQueryRes2 = rQuery.checkKeyValue();
53 | Console.WriteLine(" [-] Check if particular registry keys contain specified strings");
54 | Console.WriteLine(" [*] Is sandbox? " + rQueryRes2.isSandbox.ToString());
55 | foreach (Generic.SandboxTag tag in rQueryRes2.tagList)
56 | {
57 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
58 | }
59 |
60 | Console.WriteLine();
61 | OsChecks osCheck = new OsChecks();
62 | Console.WriteLine("[+] Detection via generic OS checks");
63 | Generic.SandboxRes osCheckRes1 = osCheck.checkUsername();
64 | Console.WriteLine(" [-] Check if username is specific");
65 | Console.WriteLine(" [*] Is sandbox? " + osCheckRes1.isSandbox.ToString());
66 | foreach (Generic.SandboxTag tag in osCheckRes1.tagList)
67 | {
68 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
69 | }
70 | Generic.SandboxRes osCheckRes2 = osCheck.checkComputerName();
71 | Console.WriteLine(" [-] Check if computer name is specific");
72 | Console.WriteLine(" [*] Is sandbox? " + osCheckRes2.isSandbox.ToString());
73 | foreach (Generic.SandboxTag tag in osCheckRes2.tagList)
74 | {
75 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
76 | }
77 | Generic.SandboxRes osCheckRes3 = osCheck.checkHostName();
78 | Console.WriteLine(" [-] Check if host name is specific");
79 | Console.WriteLine(" [*] Is sandbox? " + osCheckRes3.isSandbox.ToString());
80 | foreach (Generic.SandboxTag tag in osCheckRes3.tagList)
81 | {
82 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
83 | }
84 | Generic.SandboxRes osCheckRes4 = osCheck.checkComputerRAM();
85 | Console.WriteLine(" [-] Check if total RAM is low");
86 | Console.WriteLine(" [*] Is sandbox? " + osCheckRes4.isSandbox.ToString());
87 | foreach (Generic.SandboxTag tag in osCheckRes4.tagList)
88 | {
89 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
90 | }
91 | Generic.SandboxRes osCheckRes5 = osCheck.checkScreenRes();
92 | Console.WriteLine(" [-] Check if screen resolution is non-usual for host OS");
93 | Console.WriteLine(" [*] Is sandbox? " + osCheckRes5.isSandbox.ToString());
94 | foreach (Generic.SandboxTag tag in osCheckRes5.tagList)
95 | {
96 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
97 | }
98 | Generic.SandboxRes osCheckRes6 = osCheck.checkNProcessors();
99 | Console.WriteLine(" [-] Check if number of processors is low");
100 | Console.WriteLine(" [*] Is sandbox? " + osCheckRes6.isSandbox.ToString());
101 | foreach (Generic.SandboxTag tag in osCheckRes6.tagList)
102 | {
103 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
104 | }
105 | Generic.SandboxRes osCheckRes7 = osCheck.checkNScreens();
106 | Console.WriteLine(" [-] Check if quantity of monitors is small");
107 | Console.WriteLine(" [*] Is sandbox? " + osCheckRes7.isSandbox.ToString());
108 | foreach (Generic.SandboxTag tag in osCheckRes7.tagList)
109 | {
110 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
111 | }
112 | Generic.SandboxRes osCheckRes8 = osCheck.checkHDSize();
113 | Console.WriteLine(" [-] Check if hard disk drive size and free space are small");
114 | Console.WriteLine(" [*] Is sandbox? " + osCheckRes8.isSandbox.ToString());
115 | foreach (Generic.SandboxTag tag in osCheckRes8.tagList)
116 | {
117 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
118 | }
119 | Generic.SandboxRes osCheckRes9 = osCheck.checkSystemUptime();
120 | Console.WriteLine(" [-] Check if system uptime is small");
121 | Console.WriteLine(" [*] Is sandbox? " + osCheckRes9.isSandbox.ToString());
122 | foreach (Generic.SandboxTag tag in osCheckRes9.tagList)
123 | {
124 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
125 | }
126 | //Generic.SandboxRes osCheckRes10 = osCheck.checkBootVirtual();
127 | //Console.WriteLine(" [-] Check if os was boot from virtual hard disk");
128 | //Console.WriteLine(" [*] Is sandbox? " + osCheckRes10.isSandbox.ToString());
129 | //foreach (Generic.SandboxTag tag in osCheckRes10.tagList)
130 | //{
131 | // Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
132 | //}
133 |
134 | Console.WriteLine();
135 | GlobalObjects gObjects = new GlobalObjects();
136 | Console.WriteLine("[+] Global objects detection methods");
137 | Generic.SandboxRes gObjects1 = gObjects.checkGlobalMutexes();
138 | Console.WriteLine(" [-] Check for specific global mutexes");
139 | Console.WriteLine(" [*] Is sandbox? " + gObjects1.isSandbox.ToString());
140 | foreach (Generic.SandboxTag tag in gObjects1.tagList)
141 | {
142 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
143 | }
144 |
145 | Console.WriteLine();
146 | UiArtifacts uiArtifact = new UiArtifacts();
147 | Console.WriteLine("[+] UI artifacts detection methods");
148 | Generic.SandboxRes uiArtifactRes1 = uiArtifact.checkWindowTitle();
149 | Console.WriteLine(" [-] Check if windows with certain class names are present in the OS");
150 | Console.WriteLine(" [*] Is sandbox? " + uiArtifactRes1.isSandbox.ToString());
151 | foreach (Generic.SandboxTag tag in uiArtifactRes1.tagList)
152 | {
153 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
154 | }
155 | Generic.SandboxRes uiArtifactRes2 = uiArtifact.checkNWindows();
156 | Console.WriteLine(" [-] Check if windows with certain class names are present in the OS");
157 | Console.WriteLine(" [*] Is sandbox? " + uiArtifactRes2.isSandbox.ToString());
158 | foreach (Generic.SandboxTag tag in uiArtifactRes2.tagList)
159 | {
160 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
161 | }
162 |
163 | Console.WriteLine();
164 | OsFeatures osFeature = new OsFeatures();
165 | Console.WriteLine("[+] OS features detection methods");
166 | Generic.SandboxRes osFeatureRes1 = osFeature.checkDebugPrivs();
167 | Console.WriteLine(" [-] Checking debug privileges");
168 | Console.WriteLine(" [*] Is sandbox? " + osFeatureRes1.isSandbox.ToString());
169 | foreach (Generic.SandboxTag tag in osFeatureRes1.tagList)
170 | {
171 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
172 | }
173 |
174 | Console.WriteLine();
175 | Processes processHelper = new Processes();
176 | Console.WriteLine("[+] Processes and libraries detection methods");
177 | Generic.SandboxRes processRes1 = processHelper.checkProcessName();
178 | Console.WriteLine(" [-] Check specific running processes and loaded libraries");
179 | Console.WriteLine(" [*] Is sandbox? " + processRes1.isSandbox.ToString());
180 | foreach (Generic.SandboxTag tag in processRes1.tagList)
181 | {
182 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
183 | }
184 | Generic.SandboxRes processRes2 = processHelper.checkProcessDll();
185 | Console.WriteLine(" [-] Check if specific libraries are loaded in the process address space");
186 | Console.WriteLine(" [*] Is sandbox? " + processRes2.isSandbox.ToString());
187 | foreach (Generic.SandboxTag tag in processRes2.tagList)
188 | {
189 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
190 | }
191 | Generic.SandboxRes processRes3 = processHelper.checkNProcess();
192 | Console.WriteLine(" [-] Check number of processes");
193 | Console.WriteLine(" [*] Is sandbox? " + processRes3.isSandbox.ToString());
194 | foreach (Generic.SandboxTag tag in processRes3.tagList)
195 | {
196 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
197 | }
198 |
199 | Console.WriteLine();
200 | NetworkHelpers networkHelper = new NetworkHelpers();
201 | Console.WriteLine("[+] Network detection methods");
202 | Generic.SandboxRes networkRes1 = networkHelper.checkMac();
203 | Console.WriteLine(" [-] Check if MAC address is specific");
204 | Console.WriteLine(" [*] Is sandbox? " + networkRes1.isSandbox.ToString());
205 | foreach (Generic.SandboxTag tag in networkRes1.tagList)
206 | {
207 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
208 | }
209 | Generic.SandboxRes networkRes2 = networkHelper.checkAdapterName();
210 | Console.WriteLine(" [-] Check if adapter name is specific");
211 | Console.WriteLine(" [*] Is sandbox? " + networkRes2.isSandbox.ToString());
212 | foreach (Generic.SandboxTag tag in networkRes2.tagList)
213 | {
214 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
215 | }
216 | Generic.SandboxRes networkRes3 = networkHelper.checkIP();
217 | Console.WriteLine(" [-] Check if network belongs to security perimeter");
218 | Console.WriteLine(" [*] Is sandbox? " + networkRes3.isSandbox.ToString());
219 | foreach (Generic.SandboxTag tag in networkRes3.tagList)
220 | {
221 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
222 | }
223 | Generic.SandboxRes networkRes4 = networkHelper.checkCuckoo();
224 | Console.WriteLine(" [-] Cuckoo ResultServer connection based anti-emulation technique");
225 | Console.WriteLine(" [*] Is sandbox? " + networkRes4.isSandbox.ToString());
226 | foreach (Generic.SandboxTag tag in networkRes4.tagList)
227 | {
228 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
229 | }
230 |
231 | Console.WriteLine();
232 | Hardware hwHelper = new Hardware();
233 | Console.WriteLine("[+] Hardware info detection methods");
234 | Generic.SandboxRes hwRes1 = hwHelper.checkHdName();
235 | Console.WriteLine(" [-] Check if HDD has specific name");
236 | Console.WriteLine(" [*] Is sandbox? " + hwRes1.isSandbox.ToString());
237 | foreach (Generic.SandboxTag tag in hwRes1.tagList)
238 | {
239 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
240 | }
241 | Generic.SandboxRes hwRes2 = hwHelper.checkHdVendor();
242 | Console.WriteLine(" [-] Check if HDD Vendor ID has specific value");
243 | Console.WriteLine(" [*] Is sandbox? " + hwRes2.isSandbox.ToString());
244 | foreach (Generic.SandboxTag tag in hwRes2.tagList)
245 | {
246 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
247 | }
248 | Generic.SandboxRes hwRes3 = hwHelper.checkAudio();
249 | Console.WriteLine(" [-] Check if CPU temperature information is available");
250 | Console.WriteLine(" [*] Is sandbox? " + hwRes3.isSandbox.ToString());
251 | foreach (Generic.SandboxTag tag in hwRes3.tagList)
252 | {
253 | Console.WriteLine(" Tag: {0} -> {1}", tag.tag, tag.query);
254 | }
255 |
256 | Console.ReadLine();
257 | }
258 | }
259 | }
260 |
--------------------------------------------------------------------------------
/SLibTests/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("SLibTests")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("SLibTests")]
13 | [assembly: AssemblyCopyright("Copyright © 2020")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("ac0406a4-fcea-40dc-9015-9dbee0f4a3a0")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/SLibTests/SLibTests.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {AC0406A4-FCEA-40DC-9015-9DBEE0F4A3A0}
8 | Exe
9 | SLibTests
10 | SLibTests
11 | v4.5
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 | {5223fef1-60ba-423d-83c4-656b66c44a7a}
54 | SLib
55 |
56 |
57 |
58 |
--------------------------------------------------------------------------------
/img/img01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Aetsu/SLib/e1e227d26ae1c3d5fec5c3ac2edf53eda4152b09/img/img01.png
--------------------------------------------------------------------------------
/img/img02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Aetsu/SLib/e1e227d26ae1c3d5fec5c3ac2edf53eda4152b09/img/img02.png
--------------------------------------------------------------------------------