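// Reports whether dbghelp.dll is already mapped into the current process.
// The original left Result unassigned on the "not loaded" path, so callers
// saw garbage in that case; Result is now set on every path.
// The function name suggests the author treats a preloaded dbghelp.dll as a
// marker of the ThreatExpert analysis environment — cannot be confirmed from
// here; all the code does is check for the module handle.
function AntiThreatExpert: bool;
begin
  // GetModuleHandle returns 0 when the module is not loaded in this process.
  Result := GetModuleHandle('dbghelp.dll') <> 0;
end;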
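// Compares the machine's HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId
// with Serial and returns True on an exact match.
//
// Fixes over the original: Result was never assigned on the "no match" and
// "key not found" paths; the RegQueryValueEx return value and value type were
// ignored, so an absent value compared stale stack bytes; the buffer was not
// guaranteed to be NUL-terminated; and the key was leaked if anything raised
// between RegOpenKeyEx and RegCloseKey.
//
// Serial  - the ProductId string to compare against.
// Returns - True only when the value exists, is a REG_SZ, and equals Serial.
function IsInSandbox(Serial: string): boolean;
var
  hOpen: HKEY;
  sBuff: array[0..256] of char;
  BuffSize: DWORD;
  ValueType: DWORD;
begin
  Result := False;
  if RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar('Software\Microsoft\Windows\CurrentVersion'),
                  0, KEY_QUERY_VALUE, hOpen) = ERROR_SUCCESS then
  begin
    try
      // Zero the buffer and reserve the last element so the comparison below
      // always sees a NUL terminator, even if the stored value lacks one.
      FillChar(sBuff, SizeOf(sBuff), 0);
      BuffSize := SizeOf(sBuff) - SizeOf(char);
      ValueType := REG_NONE;
      if (RegQueryValueEx(hOpen, PChar('ProductId'), nil, @ValueType, @sBuff, @BuffSize) = ERROR_SUCCESS)
         and (ValueType = REG_SZ) then
        // Zero-based char arrays compare as NUL-terminated strings in Delphi.
        Result := sBuff = Serial;
    finally
      RegCloseKey(hOpen);
    end;
  end;
end;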
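// Usage of IsInSandbox as given on this page: each ProductId is the value the
// page attributes to a particular analysis sandbox, and a match ends the
// process. The sandbox names were bare words in the original (not valid
// Pascal), one call lacked its `if`, and one had an unbalanced parenthesis;
// those are corrected here. The serial strings are reproduced unchanged.
// Defender note: a registry read of ...\CurrentVersion\ProductId followed
// immediately by ExitProcess is the behavioural pattern to look for.
// CW SANDBOX
if IsInSandBox('76487-644-3177037-23510') then ExitProcess(0);
// JOEBOX
if IsInSandBox('55274-640-2673064-23950') then ExitProcess(0);
// ANUBIS
if IsInSandBox('76487-337-8429955-22614') then ExitProcess(0);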
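// Heuristic: calls OutputDebugString and reports True when the thread's last
// error afterwards is ERROR_INVALID_HANDLE (6).
//
// Fixes over the original: the magic literal 00000006 is replaced by the
// named Windows constant, and the last-error slot is cleared first — without
// that, a stale error code left by an earlier API call could make the check
// return True for reasons unrelated to OutputDebugString.
// Whether this condition is specific to any particular product cannot be
// confirmed from here; the function only checks the last-error value.
function AntiBitDefender(): boolean;
begin
  SetLastError(0);
  OutputDebugString(PChar('Super'));
  Result := GetLastError = ERROR_INVALID_HANDLE;
end;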
// Timing check: sleeps for 500 ms and reports True if the tick counter
// advanced by fewer than 500 ms, i.e. the sleep appears to have been
// shortened or skipped.
// NOTE(review): GetTickCount has coarse resolution, so a genuine host may
// occasionally report a delta just under 500 — confirm whether a tolerance
// is wanted before relying on this.
function AntiEmulaters: Boolean;
var
  TickBefore, TickAfter: DWORD;
begin
  TickBefore := GetTickCount;
  Sleep(500);
  TickAfter := GetTickCount;
  // DWORD subtraction wraps modulo 2^32, so the counter rolling over during
  // the sleep still yields the correct elapsed value.
  Result := (TickAfter - TickBefore) < 500;
end;
// Resolves kernel32!IsDebuggerPresent at run time and returns its result.
// Returns False when kernel32 is not found or the export is missing, so the
// function is safe on systems where the API is unavailable.
// NOTE(review): the real export returns a 32-bit BOOL; the stdcall Boolean
// prototype reads only AL, which works because the value is 0 or 1 — verify
// if this is ever ported.
function DebuggerPresent: boolean;
type
  TDebugProc = function: boolean; stdcall;
var
  KernelModule: HMODULE;
  Probe: TDebugProc;
begin
  KernelModule := GetModuleHandle('kernel32');
  if KernelModule = 0 then
  begin
    Result := False;
    Exit;
  end;
  @Probe := GetProcAddress(KernelModule, 'IsDebuggerPresent');
  if Assigned(Probe) then
    Result := Probe
  else
    Result := False;
end;
program IsInVM;
{$APPTYPE CONSOLE}
uses
windows;
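// Probes the VMware backdoor I/O port. Returns True when the port read
// completes without an exception (a VMware hypervisor answered it) and False
// when the IN instruction faults, which is what happens on a physical host
// and under hypervisors that do not emulate this port.
//
// Fix over the original: EBX is callee-saved under Delphi's register
// convention, yet the routine overwrote it without saving, corrupting the
// caller's EBX. It is now pushed on entry and restored on every exit path.
// (IsInVPC on this page already preserves EBX the same way.)
//
// Defender note: a user-mode access violation on an IN instruction, caught by
// a freshly installed SEH frame, is a recognisable pattern for this check.
function InVMware: Boolean;
asm
  PUSH EBX
  // Install a frame-based SEH handler: push handler address and the previous
  // FS:[0], then point FS:[0] at the new frame.
  XOR EAX, EAX
  PUSH OFFSET @@Handler
  PUSH DWORD PTR FS:[EAX]
  MOV DWORD PTR FS:[EAX], ESP
  // Backdoor call: EAX = 'VMXh' magic, ECX = command 0Ah (get version),
  // DX = port 5658h. The EBX value is reproduced from the original; its
  // significance is not established here.
  MOV EAX, 564D5868h
  MOV EBX, 3c6cf712h
  MOV ECX, 0Ah
  MOV DX, 5658h
  IN EAX, DX
  // No fault: report True and skip to the frame teardown.
  MOV EAX, True
  JMP @@NotHandle
@@Handler:
  // Exception handler: [ESP+$C] is the CONTEXT record. Redirect EIP past the
  // faulting IN to @@Handled and return 0 (continue execution).
  MOV EAX, [ESP+$C]
  MOV TContext(EAX).EIP, OFFSET @@Handled
  XOR EAX, EAX
  RET
@@Handled:
  // Reached only after the IN faulted: result False.
  XOR EAX, EAX
@@NotHandle:
  // Unlink the SEH frame (EBX = 0 is used as the FS:[0] index), discard the
  // pushed handler address, then restore the caller's EBX. EAX holds Result.
  XOR EBX, EBX
  POP DWORD PTR FS:[EBX]
  ADD ESP, 4
  POP EBX
end;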
// Probes for Microsoft Virtual PC by executing a 4-byte opcode sequence that
// the VPC monitor intercepts. On real hardware the sequence raises an
// exception; the SEH handler below records that by setting EBX to -1 and
// skipping the 4 bytes. Returns True when no exception occurred.
// The handler patches the x86 CONTEXT record directly: offset 0A4h is the
// Ebx field and 0B8h is the Eip field.
function IsInVPC: boolean; assembler;
asm
push ebp
mov ecx, offset @@exception_handler
mov ebp, esp
// EBX is callee-saved under Delphi's convention and doubles as the fault flag.
push ebx
push ecx
// Link a new SEH frame: [handler address][previous FS:[0]].
push dword ptr fs:[0]
mov dword ptr fs:[0], esp
mov ebx, 0 // flag: stays 0 unless the exception handler runs
mov eax, 1 // VPC function number
// call VPC: opcode bytes 0F 3F 07 0B; faults on real hardware
db 00Fh, 03Fh, 007h, 00Bh
// Unlink the SEH frame: restore the previous FS:[0] and drop the two slots.
mov eax, dword ptr ss:[esp]
mov dword ptr fs:[0], eax
add esp, 8
// AL := 1 if EBX is still 0 (no fault), else 0.
test ebx, ebx
setz al
// Restore EBX and EBP from the frame set up above.
lea esp, dword ptr ss:[ebp-4]
mov ebx, dword ptr ss:[esp]
mov ebp, dword ptr ss:[esp+4]
add esp, 8
jmp @@ret
@@exception_handler:
// [ESP+0Ch] is the CONTEXT pointer passed to the handler.
mov ecx, [esp+0Ch]
// CONTEXT.Ebx := -1 (mark the fault), CONTEXT.Eip += 4 (skip the opcode).
mov dword ptr [ecx+0A4h], -1
add dword ptr [ecx+0B8h], 4
// Return 0 = ExceptionContinueExecution with the patched context.
xor eax, eax
ret
@@ret:
end;
// Program entry: run the two VM probes, print one line per result, and wait
// for Enter so the console window stays open.
begin
  case IsInVPC of
    True:  writeln('Virtual PC detected');
    False: writeln('Virtual Pc not detected');
  end;
  case InVMware of
    True:  writeln('VMWare Machine detected');
    False: writeln('VMWare Machine not detected');
  end;
  readln;
end.