simple code to detect the sandbox used by BitDefender
http://hi.baidu.com/sec_/blog/item/a7ede81f2856a60c304e15c2.html
Since everyone else is posting anti-sandbox code, I figured I'd post this.
Simple code to detect the sandbox used by BitDefender. It works by identifying a non-native IDT base address. The code could be modified to detect other VMs by changing the address that I'm using to identify BitDefender.
Code:

```c
/* BitDefenderDefender.c - Detect BitDefender sandbox emulation. Hella easy.
 * Credits:
 *   - Joanna Rutkowska (for redpill)
 * Coded by: s134k
 *
 * 32-bit x86 only: the pointer-to-unsigned cast and the 6-byte IDTR image
 * (2-byte limit + 4-byte base) written by SIDT assume that.
 */
#include <stdio.h>

typedef enum {FALSE, TRUE} BOOL;

BOOL IsBDVM()
{
    /* m receives the IDTR: bytes 0-1 limit, bytes 2-5 base */
    unsigned char m[2+4],
        /* sidt [imm32]; ret - imm32 is patched with the address of m below */
        rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";

    *((unsigned*)&rpill[3]) = (unsigned)m;  /* patch in the store address */
    ((void(*)())&rpill)();                 /* run the stub from the stack */

    /* compare the IDT base with the value the emulator is known to report */
    if(*((unsigned*)&m[2]) == 0x80010160)
        return TRUE;
    return FALSE;
}

int main()
{
    if(IsBDVM())
        printf("\nBitDefender VM Detected.\n");
    else
        printf("\nBitDefender VM Not Found.\n");
    return 0;
}
```
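From the analyst's side, the stub above has a fixed shape (SIDT with a 32-bit absolute operand followed by RET), which makes it easy to flag statically. The following scanner is an added example, not code from the post or its author; it walks a constructed byte buffer, reports every such stub and decodes the store address, without executing anything.

```c
/* Added example: static scan for the "sidt [imm32]; ret" redpill stub.
 * The sample buffer is constructed for this example. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* One match: offset of the stub and the imm32 operand SIDT writes to. */
typedef struct {
    size_t offset;
    uint32_t store_addr;
} redpill_hit;

/* SIDT with a disp32 memory operand encodes as 0F 01 0D disp32; the stub ends in RET (C3). */
static int is_redpill_stub(const unsigned char *p, size_t remaining)
{
    return remaining >= 8 && p[0] == 0x0f && p[1] == 0x01 && p[2] == 0x0d && p[7] == 0xc3;
}

/* Scan buf, record up to max_hits matches in hits, return the total number found. */
size_t find_redpill_stubs(const unsigned char *buf, size_t len, redpill_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i + 8 <= len; i++) {
        if (!is_redpill_stub(buf + i, len - i)) continue;
        if (n < max_hits) {
            hits[n].offset = i;
            /* disp32 is little-endian, right after the three opcode bytes */
            hits[n].store_addr = (uint32_t)buf[i + 3] | ((uint32_t)buf[i + 4] << 8) |
                                 ((uint32_t)buf[i + 5] << 16) | ((uint32_t)buf[i + 6] << 24);
        }
        n++;
    }
    return n;
}

/* Constructed sample: a prologue, one stub storing IDTR to 0x0012ff40, then a truncated
 * 0F 01 at the end that must not match. */
static const unsigned char sample[] = {
    0x55, 0x8b, 0xec,
    0x0f, 0x01, 0x0d, 0x40, 0xff, 0x12, 0x00, 0xc3,
    0x90, 0x90, 0x0f, 0x01
};

int main(void)
{
    redpill_hit hits[4];
    size_t n = find_redpill_stubs(sample, sizeof sample, hits, 4);
    for (size_t i = 0; i < n; i++)
        printf("redpill stub at offset %zu, stores IDTR to 0x%08x\n", hits[i].offset, hits[i].store_addr);
    return 0;
}
```

The pattern is narrow on purpose: a rule of this kind catches this exact stub layout, and a different register operand or a relocated IDTR read would need its own signature.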