├── .png ├── LICENSE ├── README.md ├── WDKTestCert SYSTEM,133087515274835630.cer └── detect.cc /.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kkent030315/detect-anyrun/88768b0c28a0e31360f1e1f1cd3656e5b56c096c/.png -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 kkent030315 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Associated article: [Attacking ANY.RUN for Sandbox Detection Development](https://medium.com/@orangemaster674/attacking-any-run-for-sandbox-detection-development-747c1a8aa4fd) 2 | 3 | # ANY.RUN Sandbox Detection 4 | 5 | - Part 1: The symbolic device name of the driver. 6 | - Part 2: The non-standard filesystem behaviour of ANY.RUN's protected installation files and folders. 7 | 8 | ![IMG](.png) 9 | 10 | 11 | Part 3: Coming Soon 12 | 13 | 14 | ### Miscellaneous Notes 15 | 16 | - The ANY.RUN components are under `%ProgramFiles%\\KernelLogger`. 17 | - The usermode agent (a Windows service) is registered as `aga` with binary path `%ProgramFiles%\\KernelLogger\\aga.exe`. 18 | - The virtual machine runs in test-signing mode. 19 | - The ANY.RUN driver `A3E64E55_fl_x64.sys` is signed with the WDK test certificate [attached here](./WDKTestCert%20SYSTEM,133087515274835630.cer). 20 | - The macshift tool embedded in the ANY.RUN package spoofs the MAC address, but the original *permanent* MAC address can still be obtained by querying the NDIS driver. 21 | - The hypervisor-present bit reported by the CPU indicates that no hypervisor is present. 22 | - Pinning the SSL/TLS certificate of a popular, stable website may help you identify the intermediate certificate that ANY.RUN inserts to sniff the traffic. 
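23 |
--------------------------------------------------------------------------------
/WDKTestCert SYSTEM,133087515274835630.cer:
--------------------------------------------------------------------------------
-----BEGIN CERTIFICATE-----
MIIDDjCCAfagAwIBAgIQE1MbESvnRJ9GwPRpSnFt6zANBgkqhkiG9w0BAQUFADAw
MS4wLAYDVQQDEyVXREtUZXN0Q2VydCBTWVNURU0sMTMzMDg3NTE1Mjc0ODM1NjMw
MB4XDTIyMDkyNzExMjUyOFoXDTMyMDkyNzAwMDAwMFowMDEuMCwGA1UEAxMlV0RL
VGVzdENlcnQgU1lTVEVNLDEzMzA4NzUxNTI3NDgzNTYzMDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBANFK66d+r0hRhYiM1J743XJzFDcFSwMlgjBMI+67
f7CgINl8WtJv8ylvvPSJG5vbPMx8QBqTNfPwZqK32fqYALIr35TDyFPYa10kXgYa
YHKOTTOj++mq2GydlLciZoJy1+np+B0uF5VEonKQUC13pJMhDjRX63g6W/883FSi
Id4TGWzdsyM3j2DrMcCwg/JSzB2PhDw9R5+vvQxyOkHUH1Rcgua8NuwwYyCAlYNl
2NP30lIqGUUviMQO+jC3MM9Mwc3xu5qQCMvvS0N1Vqnmqo8L1G6Edjjkp2fhmGzr
W6cZT7kd/T4zOI5AO5yFAnZvUkAgbLwDcq4jHBqrFj9mpxUCAwEAAaMkMCIwCwYD
VR0PBAQDAgQwMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBBQUAA4IB
AQBbt8/WnmhFwi4daFk5gd3MP+EvFRejMYAvl4LdKfX6aS+EnItwKyNOoKmm4BBG
Btep/FjJat2g73AbdeDY5p4XaZrbJk0KjH4Dvm2dU89Djg1IxheHU12M7K483xH4
he1OsazIhaDpjyk3zxY01MWFqZQQS0l6rUndG59QX3Etbhb2vZGqjzDzbfxfpJQm
t985qwsDVMI+y+Q2qtOLfyPDwarTojKGdl+twb/e0L7h1Y4eqwVi30htyshKgV26
YemFhIUMm3okhIeFqgGLU3kuidAm7dx1o6bAMxc7GDjHZRr7JKyS8m2GDscOFvPo
bsN+DuyZIo6xbo2lVQJIYIW6
-----END CERTIFICATE-----
--------------------------------------------------------------------------------
/detect.cc:
--------------------------------------------------------------------------------
// detect.cc - the two ANY.RUN sandbox presence checks described in README.md.
//
// NOTE(review): the header names after `#include` were lost when this listing
// was captured. `#define PHNT_VERSION PHNT_WIN11` followed by two includes is
// the documented phnt usage (phnt_windows.h, then phnt.h), and wprintf() needs
// <stdio.h>; the names below are reconstructed on that basis -- confirm them
// against the upstream file.
#define PHNT_VERSION PHNT_WIN11
#include <phnt_windows.h>
#include <phnt.h>

#include <stdio.h>

// NtCreateFile / NtClose / RtlInitUnicodeString are resolved from ntdll.
#pragma comment(lib, "ntdll.lib")

// Win32 path of the ANY.RUN driver's device object, opened by detect_anyrun().
// NOTE(review): after C escaping this literal reads `\\?\\A3E64E55_fl`, i.e. a
// doubled separator after `?`; it is kept byte-for-byte here -- confirm that
// this is the intended path.
#define ANYRUN_DRIVER_DEVICE_NAME "\\\\?\\\\A3E64E55_fl"

// Check 1: try to open the ANY.RUN driver's device object by its fixed name.
//
// Returns true only when CreateFile succeeds; the handle is closed at once and
// nothing is read from the device. Every failure, whatever its cause, is
// treated as "not present", so the check errs on the side of no detection.
static bool detect_anyrun()
{
    HANDLE hFile = CreateFile(
        /*lpFileName*/TEXT(ANYRUN_DRIVER_DEVICE_NAME),
        /*dwDesiredAccess*/GENERIC_READ,
        /*dwShareMode*/0,
        /*lpSecurityAttributes*/NULL,
        /*dwCreationDisposition*/OPEN_EXISTING,
        /*dwFlagsAndAttributes*/0,
        /*hTemplateFile*/NULL
    );

    if (hFile == INVALID_HANDLE_VALUE)
    {
        return false;
    }

    CloseHandle(hFile);

    return true;
}

// Check 2: open the ANY.RUN install directory through the native API and look
// at the exact NTSTATUS rather than at success/failure alone.
//
// Returns true only when the open fails with STATUS_NO_SUCH_FILE (see the
// comment below on why that status is the signal). A successful open is
// treated as "not ANY.RUN" (e.g. an unrelated install) and the handle is
// closed; any other failure status also yields false.
//
// The return type is bool (it was int) to match detect_anyrun(); the only
// caller tests truthiness, so this is compatible.
static bool detect_anyrun2()
{
    UNICODE_STRING name;
    RtlInitUnicodeString(&name, L"\\??\\C:\\Program Files\\KernelLogger");

    HANDLE hFile = NULL;
    IO_STATUS_BLOCK iosb = { 0 };
    OBJECT_ATTRIBUTES attrs;
    InitializeObjectAttributes(&attrs, &name, 0, NULL, NULL);

    // Synchronous, read-only directory open with FILE_OPEN: never creates.
    NTSTATUS status = NtCreateFile(
        /*FileHandle*/&hFile,
        /*DesiredAccess*/GENERIC_READ | SYNCHRONIZE,
        /*ObjectAttributes*/&attrs,
        /*IoStatusBlock*/&iosb,
        /*AllocationSize*/NULL,
        /*FileAttributes*/FILE_ATTRIBUTE_DIRECTORY,
        /*ShareAccess*/FILE_SHARE_READ,
        /*CreateDisposition*/FILE_OPEN,
        /*CreateOptions*/FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
        /*EaBuffer*/NULL,
        /*EaLength*/0
    );

    // ANY.RUN minifilter returns non-standard status code, STATUS_NO_SUCH_FILE
    // If this status code is returned, it means that the directory is protected
    // by the ANY.RUN minifilter driver.
    // To patch this detection, I would recommend returning STATUS_OBJECT_NAME_NOT_FOUND
    // that is a standard status code for this situation.
    if (status == STATUS_NO_SUCH_FILE)
        return true;

    // Not actually the case, maybe conflict with other software installation.
    if (NT_SUCCESS(status))
        NtClose(hFile);

    return false;
}

// Runs both checks (short-circuiting after the first hit) and prints a
// one-line verdict. Always exits 0; the result is only reported on stdout.
int main()
{
    if (detect_anyrun() || detect_anyrun2())
        wprintf(L"AnyRun detected\n");
    else
        wprintf(L"You're good to go\n");

    return 0;
}
--------------------------------------------------------------------------------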