Detection of Sandboxes

最新推荐文章于 2022-10-21 23:45:00 发布

fisher_jiang

最新推荐文章于 2022-10-21 23:45:00 发布

阅读量1.5w

点赞数

分类专栏：网络安全文章标签： function string module microsoft access methods

网络安全专栏收录该内容

27 篇文章 0 订阅

订阅专栏

Detect 5 Different Sandboxes

I used the same methods in my other post for the Anubis and Sandboxie. I just added more detections for other similar sandboxes. One method uses the registry to retrieve the Product ID and check for Anubis, CWSandbox, and JoeBox. The other checks the loaded modules for files loaded with Sandboxie and ThreatExpert. The detection used for ThreatExpert should also detect some basic debuggers. It may be kind of sloppy because while finishing it up I was baked outta my mind.

'Detect 5 Different Sandboxes
'Coded by stoopid
'
' Detects:
'   -> Sandboxie : http://www.sandboxie.com/
'   -> ThreatExpert : http://www.threatexpert.com/
'   -> Anubis : http://anubis.iseclab.org/
'   -> CWSandbox : http://www.cwsandbox.org/
'   -> JoeBox : http://www.joebox.org/
'

Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
    
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As MODULEENTRY32) As Long

Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As MODULEENTRY32) As Long

Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long

Private Declare Function RegOpenKeyEx Lib "advapi32" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, ByRef phkResult As Long) As Long

Private Declare Function RegQueryValueEx Lib "advapi32" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, ByRef lpType As Long, ByVal lpData As String, ByRef lpcbData As Long) As Long

Private Declare Function RegCloseKey Lib "advapi32" (ByVal hKey As Long) As Long

Private Type MODULEENTRY32
    dwSize As Long
    th32ModuleID As Long
    th32ProcessID As Long
    GlblcntUsage As Long
    ProccntUsage As Long
    modBaseAddr As Byte
    modBaseSize As Long
    hModule As Long
    szModule As String * 256
    szExePath As String * 1024
End Type

Const HKEY_LOCAL_MACHINE = &H80000002
Const REG_SZ = 1&
Const KEY_ALL_ACCESS = &H3F
Const TH32CS_SNAPMODULE = &H8

Public Function IsInSandbox() As Boolean
Dim hKey As Long, hOpen As Long, hQuery As Long, hSnapShot As Long
Dim me32 As MODULEENTRY32
Dim szBuffer As String * 128
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId)
me32.dwSize = Len(me32)
Module32First hSnapShot, me32
Do While Module32Next(hSnapShot, me32) <> 0
    If InStr(1, LCase(me32.szModule), "sbiedll.dll") > 0 Then 'Sandboxie
        IsInSandbox = True
    ElseIf InStr(1, LCase(me32.szModule), "dbghelp.dll") > 0 Then 'ThreatExpert
        IsInSandbox = True
    End If
Loop
CloseHandle (hSnapShot)
If IsInSandbox = False Then
    hOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion", 0, KEY_ALL_ACCESS, hKey)
    If hOpen = 0 Then
        hQuery = RegQueryValueEx(hKey, "ProductId", 0, REG_SZ, szBuffer, 128)
        If hQuery = 0 Then
            If InStr(1, szBuffer, "76487-337-8429955-22614") > 0 Then 'Anubis
                IsInSandbox = True
            ElseIf InStr(1, szBuffer, "76487-644-3177037-23510") > 0 Then 'CWSandbox
                IsInSandbox = True
            ElseIf InStr(1, szBuffer, "55274-640-2673064-23950") > 0 Then 'JoeBox
                IsInSandbox = True
            End If
        End If
    End If
    RegCloseKey (hKey)
End If
End Function

Sub Main()
If IsInSandbox = True Then
    MsgBox "Is in Sandbox"
Else
    MsgBox "Not in Sandbox"
End If
End Sub