[Original] Detecting the Kaspersky Sandbox: the RegSetValue Method
Following the OpenProcess method from the previous post, here is the RegSetValue method.
In fact, digging up these detection methods rests on understanding how the sandbox works: being familiar with its workflow and knowing where the hard parts of its handling are. I think the blind-men-and-the-elephant approach, testing at random without a clear grasp of the principle, is not advisable.
Detection methods are practically endless~~~ what is fake can never be made real~~~
The source code is below:
//
//AUTHOR:黑客守卫者
//BLOG:90fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3S2A6i4K6u0W2j5X3q4A6k6s2g2Q4x3X3g2U0L8$3#2Q4x3V1k6A6K9s2S2V1k6h3j5`.
//URL:eefK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3S2A6i4K6u0W2j5X3q4A6k6s2g2Q4x3X3g2U0L8$3#2Q4x3V1k6A6K9s2S2V1k6h3k6Q4x3V1k6T1L8r3!0Y4i4K6u0r3K9i4c8W2L8g2)9J5c8U0m8X3z5o6R3H3j5X3j5&6y4o6t1^5y4h3x3%4x3o6c8V1z5r3j5&6k6X3c8U0y4#2)9J5k6h3S2@1L8h3H3`.
//
#include <windows.h>
#include <stdio.h>
//
//Build as an ANSI (non-UNICODE) project: the registry and MessageBox calls below use char strings.
//Link against advapi32.lib (registry API) and user32.lib (MessageBox).
//
//Define
//
int DetectSandBox(void);
//
//Routine
//
int DetectSandBox(void)
{
//
//Routine Description:
//
//This routine detects whether it is running in a real OS or in the sandbox.
//Tested on Windows XP.
//
//Arguments:
//
//None
//
//Return Value:
//
// -1 for error (reserved; the current logic never produces it)
// 0 for running in a real OS
// 1 for running in the SandBox
// 2 for Kaspersky not installed
//
//Detect
//
	char szKasperskyPath[256] = {0};
	HKEY hKaspersky = NULL;
	LONG lRet = 0;

	lstrcpy(szKasperskyPath, "SOFTWARE\\KasperskyLab\\protected");

	//Open the key guarded by Kaspersky's self-protection. If it cannot be opened,
	//Kaspersky is not installed. No handle was returned, so there is nothing to close.
	if( RegOpenKey(HKEY_LOCAL_MACHINE,szKasperskyPath,&hKaspersky) != ERROR_SUCCESS )
	{
		return 2;
	}

	//Try to write a value under the protected key. On a real OS with Kaspersky
	//running, self-protection rejects the write; inside the sandbox the write is
	//virtualized and reports success. (RegSetValue ignores the cbData argument
	//and sizes the REG_SZ data itself.)
	lRet = RegSetValue(hKaspersky,"Kaspersky",REG_SZ,"SandBox",sizeof("SandBox"));
	RegCloseKey(hKaspersky);

	//
	//Check the result
	//
	if( lRet == ERROR_SUCCESS )
	{
		return 1;
	}
	return 0;
}
//
//Entry
//
int main(void)
{
	int iRet = DetectSandBox();

	if( iRet == 1 )
	{
		MessageBox(NULL,"RUN IN SANDBOX! DAMN IT!","NOTICE",MB_ICONSTOP);
	}
	else if( iRet == 0 )
	{
		MessageBox(NULL,"RUN IN REAL OS!","NOTICE",MB_ICONINFORMATION);
	}
	else if( iRet == 2 )
	{
		MessageBox(NULL,"KASPERSKY NOT INSTALLED!","NOTICE",MB_ICONSTOP);
	}
	else
	{
		MessageBox(NULL,"UNKNOWN ERROR! DAMN IT!","NOTICE",MB_ICONSTOP);
	}
	return 0;
}
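From the defender's side, the probe above leaves a distinctive trace: a process that is not the product's own sets a value under HKLM\SOFTWARE\KasperskyLab\protected. The Python below is an added example, not code from the original post, that runs such a rule over a few constructed Sysmon-style Event ID 13 (RegistryEvent, Value Set) lines. The flattened `Field=value|Field=value` log format, the `sample.exe` path and the vendor directory used for the allow-list are assumptions. Since Kaspersky's self-protection rejects the write on a real host, a value-set event for this key is only expected where the write actually goes through, which is precisely the sandbox or analysis environment the post targets; there it marks the sample as having probed for the sandbox, and the first sample line is what the post's RegSetValue call would produce on success (the default value of subkey "Kaspersky" set to "SandBox").

```python
"""Flag registry writes that probe an AV self-protection key.

The sample events are constructed to resemble Sysmon Event ID 13 (RegistryEvent,
Value Set) flattened into 'Field=value|Field=value' lines; they are not real logs.
"""
from dataclasses import dataclass

# The key the post's probe writes to, in the "HKLM\..." form Sysmon uses for TargetObject.
PROTECTED_KEY_PREFIXES = (
    "HKLM\\SOFTWARE\\KasperskyLab\\protected",
)

# Assumption: writes coming from the vendor's own install directory are legitimate.
# The directory name is a placeholder, not taken from the post.
ALLOWED_WRITER_SUBSTRINGS = (
    "\\Kaspersky Lab\\",
)


@dataclass
class RegEvent:
    event_id: int
    image: str
    target_object: str
    details: str = ""


def parse_sysmon_line(line: str) -> RegEvent:
    """Parse one constructed 'Field=value|Field=value' line into a RegEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return RegEvent(
        event_id=int(fields["EventID"]),
        image=fields["Image"],
        target_object=fields["TargetObject"],
        details=fields.get("Details", ""),
    )


def is_probe(ev: RegEvent) -> bool:
    """True for a value-set event on a protected key by a non-vendor process."""
    if ev.event_id != 13:  # only RegistryEvent (Value Set)
        return False
    target = ev.target_object.lower()
    if not any(target.startswith(p.lower()) for p in PROTECTED_KEY_PREFIXES):
        return False
    image = ev.image.lower()
    if any(a.lower() in image for a in ALLOWED_WRITER_SUBSTRINGS):
        return False
    return True


def find_probes(lines):
    """Return the events in `lines` that look like the RegSetValue probe."""
    return [ev for ev in map(parse_sysmon_line, lines) if is_probe(ev)]


# Constructed sample telemetry (paths and values are made up for this example).
SAMPLE_LOG = [
    # 1: the post's probe succeeding inside an analysis environment
    "EventID=13|Image=C:\\Users\\lab\\Desktop\\sample.exe"
    "|TargetObject=HKLM\\SOFTWARE\\KasperskyLab\\protected\\Kaspersky\\(Default)|Details=SandBox",
    # 2: the vendor's own process touching its key (allow-listed by install directory)
    "EventID=13|Image=C:\\Program Files (x86)\\Kaspersky Lab\\avp.exe"
    "|TargetObject=HKLM\\SOFTWARE\\KasperskyLab\\protected\\SomeSetting|Details=DWORD (0x00000001)",
    # 3: unrelated registry write by a system process
    "EventID=13|Image=C:\\Windows\\explorer.exe"
    "|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"
    "|Details=DWORD (0x00000001)",
    # 4: key creation (Event ID 12), not a value set; out of scope for this rule
    "EventID=12|Image=C:\\Users\\lab\\Desktop\\sample.exe"
    "|TargetObject=HKLM\\SOFTWARE\\KasperskyLab\\protected\\Kaspersky",
]

if __name__ == "__main__":
    for ev in find_probes(SAMPLE_LOG):
        print(f"ALERT: {ev.image} wrote {ev.details!r} to {ev.target_object}")
```

Running the script prints one alert, for `sample.exe`. The rule deliberately keys on the target path rather than on the value name or data, since those are trivially varied; the allow-list by writer location is the part an analyst would tune to the environment.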