//Check if windows with certain class names are present in the OS
public Generic.SandboxRes checkWindowTitle()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
IntPtr hWnd = FindWindow("VBoxTrayToolWndClass", null);
if (hWnd.ToInt32() != 0)
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", "VBoxTrayToolWndClass");
returnData.tagList.Add(aux);
}
IntPtr hWnd2 = FindWindow(null, "VBoxTrayToolWnd");
if (hWnd2.ToInt32() != 0)
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", "VBoxTrayToolWnd");
returnData.tagList.Add(aux);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if total RAM is low
public Generic.SandboxRes checkComputerRAM()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
try
{
double minium = 1; //1GB
ObjectQuery wql = new ObjectQuery("SELECT * FROM Win32_OperatingSystem");
ManagementObjectSearcher searcher = new ManagementObjectSearcher(wql);
ManagementObjectCollection results = searcher.Get();
double res;
double fres = 0;
foreach (ManagementObject result in results)
{
res = Convert.ToDouble(result["TotalVisibleMemorySize"]);
fres += Math.Round((res / (1024 * 1024)), 2);
}
if (fres <= minium)
{
Generic.SandboxTag aux = new Generic.SandboxTag("RAM", fres.ToString());
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if CPU temperature information is available
public Generic.SandboxRes checkAudio()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
ManagementObjectSearcher searcher = new ManagementObjectSearcher("root\\WMI", "SELECT * FROM MSAcpi_ThermalZoneTemperature");
try
{
searcher.Get();
foreach (ManagementObject queryObj in searcher.Get())
{
double temp = Convert.ToDouble(queryObj["CurrentTemperature"].ToString());
double temp_cel = (temp / 10 - 273.15);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
Generic.SandboxTag aux = new Generic.SandboxTag("CPU Temperature available", "False");
returnData.tagList.Add(aux);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if HDD Vendor ID has specific value
public Generic.SandboxRes checkHdVendor()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
ManagementObjectSearcher moSearcher = new ManagementObjectSearcher("SELECT * FROM Win32_DiskDrive");
foreach (ManagementObject wmi_HD in moSearcher.Get())
{
try
{
//VMWare
if (wmi_HD["PNPDeviceID"].ToString().ToLower().Contains("vmware".ToLower()))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", wmi_HD["PNPDeviceID"].ToString());
returnData.tagList.Add(aux);
}
//VirtualBox
if (wmi_HD["PNPDeviceID"].ToString().ToLower().Contains("VBOX".ToLower()))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", wmi_HD["PNPDeviceID"].ToString());
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if top level windows' number is too small
public Generic.SandboxRes checkNWindows()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
Process[] processlist = Process.GetProcesses();
int count = 0;
foreach (Process process in processlist)
{
if (!String.IsNullOrEmpty(process.MainWindowTitle))
{
count++;
}
}
if (count < 10)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Number of top level windows", count.ToString());
returnData.tagList.Add(aux);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Checking debug privileges
public Generic.SandboxRes checkDebugPrivs()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
try
{
Process[] target = Process.GetProcessesByName("csrss");
if (target.Length > 0)
{
IntPtr hprocess = OpenProcess(ProcessAccessFlags.QueryLimitedInformation, false, target[0].Id);
if (hprocess != IntPtr.Zero)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Debug privileges", "Enabled");
returnData.tagList.Add(aux);
}
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if specific libraries are loaded in the process address space
public Generic.SandboxRes checkProcessDll()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
Process currentProcess = Process.GetCurrentProcess();
ProcessModuleCollection myProcessModuleCollection = currentProcess.Modules;
List <string> list1 = new List <string> {
"api_log.dll", "dir_watch.dll", "pstorec.dll"
};
foreach (ProcessModule m in myProcessModuleCollection)
{
//CWSandbox
if (list1.Contains(m.ModuleName.ToLower()))
{
Generic.SandboxTag aux = new Generic.SandboxTag("CWSandbox", m.ModuleName);
returnData.tagList.Add(aux);
}
//Sandboxie
if ("sbiedll.dll" == m.ModuleName.ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("Sandboxie", m.ModuleName);
returnData.tagList.Add(aux);
}
//ThreatExpert
if ("dbghelp.dll" == m.ModuleName.ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("ThreatExpert", m.ModuleName);
returnData.tagList.Add(aux);
}
//VirtualPC
if ("vmcheck.dll" == m.ModuleName.ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualPC", m.ModuleName);
returnData.tagList.Add(aux);
}
//WPE Pro
if ("wpespy.dll" == m.ModuleName.ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("WPE Pro", m.ModuleName);
returnData.tagList.Add(aux);
}
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if number of processors is low
public Generic.SandboxRes checkNProcessors()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
if (Environment.ProcessorCount < 2)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Number of processors", Environment.ProcessorCount.ToString());
returnData.tagList.Add(aux);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check number of processes
public Generic.SandboxRes checkNProcess()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
Process[] processL = Process.GetProcesses();
if (processL.Length < 85)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Number of processes", processL.Length.ToString());
returnData.tagList.Add(aux);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if quantity of monitors is small
public Generic.SandboxRes checkNScreens()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
int currentMonitorCount = Screen.AllScreens.Length;
if (currentMonitorCount < 1)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Quantity of monitors", currentMonitorCount.ToString());
returnData.tagList.Add(aux);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if specific directories are present
public Generic.SandboxRes checkDirectories()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
try
{
if (Directory.Exists(@"c:\analysis"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("CWSandbox", @"c:\analysis");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
try
{
if (Directory.Exists(Environment.GetEnvironmentVariable("ProgramFiles") + @"\oracle\virtualbox guest additions"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", Environment.GetEnvironmentVariable("ProgramFiles") + @"\oracle\virtualbox guest additions");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
try
{
if (Directory.Exists(Environment.GetEnvironmentVariable("ProgramFiles") + @"\VMWare"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", Environment.GetEnvironmentVariable("ProgramFiles") + @"\VMWare");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if MAC address is specific
public Generic.SandboxRes checkMac()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
string[] list1 = { "000569", "000C29", "001C14", "005056" };
foreach (NetworkInterface nic in NetworkInterface.GetAllNetworkInterfaces())
{
if (nic.OperationalStatus == OperationalStatus.Up)
{
//VirtualBox
if (nic.GetPhysicalAddress().ToString().StartsWith("080027"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", nic.GetPhysicalAddress().ToString());
returnData.tagList.Add(aux);
}
//Parallels
if (nic.GetPhysicalAddress().ToString().StartsWith("001C42"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("Parallels", nic.GetPhysicalAddress().ToString());
returnData.tagList.Add(aux);
}
//Xen
if (nic.GetPhysicalAddress().ToString().StartsWith("0016E3"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("Xen", nic.GetPhysicalAddress().ToString());
returnData.tagList.Add(aux);
}
//VMWare
foreach (string m in list1)
{
if (nic.GetPhysicalAddress().ToString().StartsWith(m))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", nic.GetPhysicalAddress().ToString());
returnData.tagList.Add(aux);
}
}
}
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if system uptime is small
public Generic.SandboxRes checkSystemUptime()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
int result = Environment.TickCount & Int32.MaxValue;
int uptimeMax = 1000 * 60 * 12; // 12 minutes
if (result < uptimeMax)
{
Generic.SandboxTag aux = new Generic.SandboxTag("System uptime", result.ToString() + " milliseconds");
returnData.tagList.Add(aux);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if network belongs to security perimeter
public Generic.SandboxRes checkIP()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
string[] list1 = { "Amazon", "anonymous", "BitDefender", "BlackOakComputers", "Blue Coat", "BlueCoat", "Cisco", "cloud", "Data Center", "DataCenter", "DataCentre", "dedicated", "ESET, Spol", "FireEye", "ForcePoint", "Fortinet", "Hetzner", "hispeed.ch", "hosted", "Hosting", "Iron Port", "IronPort", "LeaseWeb", "MessageLabs", "Microsoft", "MimeCast", "NForce", "Ovh Sas", "Palo Alto", "ProofPoint", "Rackspace", "security", "Server", "Strong Technologies", "Trend Micro", "TrendMicro", "TrustWave", "VMVault", "Zscaler" };
string html = string.Empty;
try
{
ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://www.maxmind.com/geoip/v2.1/city/me?");
request.AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate;
request.UserAgent = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.1; rv:11.3) like Gecko";
request.Referer = "https://www.maxmind.com/en/locate-my-ip-address";
if (request.Proxy != null)
{
request.Proxy.Credentials = System.Net.CredentialCache.DefaultCredentials;
}
using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
using (Stream stream = response.GetResponseStream())
using (StreamReader reader = new StreamReader(stream))
{
html = reader.ReadToEnd();
}
foreach (string tag in list1)
{
if (html.ToLower().Contains(tag.ToLower()))
{
Generic.SandboxTag aux = new Generic.SandboxTag("Network tag", tag);
returnData.tagList.Add(aux);
}
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if computer name is specific
public Generic.SandboxRes checkComputerName()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
//Generic
string[] list1 = { "klone_x64-pc", "tequilaboomboom" };
foreach (string name in list1)
{
try
{
if (name.ToLower() == Environment.MachineName.ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("Generic", name);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
}
//Anubis
string[] list2 = { "TU-4NH09SMCG1HC", "InsideTm" };
foreach (string name in list2)
{
try
{
if (name.ToLower() == Environment.MachineName.ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("Anubis", name);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if the executable files with specific names are present in physical disk drives' root
public Generic.SandboxRes checkExeRoot()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
string[] list1 = { "malware.exe", "sample.exe" };
foreach (string f in list1)
{
try
{
if (File.Exists(Path.GetPathRoot(Environment.SystemDirectory) + "\\" + f))
{
Generic.SandboxTag aux = new Generic.SandboxTag("General", f);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
string[] list2 = { @"c:\insidetm" };
foreach (string f in list2)
{
try
{
if (Directory.GetCurrentDirectory().ToLower().Contains(f.ToLower()))
{
Generic.SandboxTag aux = new Generic.SandboxTag("Anubis", f);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Cuckoo ResultServer connection based anti-emulation technique
public Generic.SandboxRes checkCuckoo()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
IPGlobalProperties properties = IPGlobalProperties.GetIPGlobalProperties();
TcpConnectionInformation[] connections = properties.GetActiveTcpConnections();
foreach (TcpConnectionInformation c in connections)
{
if (c.RemoteEndPoint.ToString().EndsWith(":2042"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("Cuckoo", c.RemoteEndPoint.ToString());
returnData.tagList.Add(aux);
}
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if screen resolution is non-usual for host OS
public Generic.SandboxRes checkScreenRes()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
//https://www.hobo-web.co.uk/best-screen-size/
List <string> list1 = new List <string> {
"1920x1080", "1366x768", "1440x900", "1536x864", "2560x1440", "1680x1050", "1280x720", "1280x800", "360x640", "1600x900"
};
string screenWidth = Screen.PrimaryScreen.Bounds.Width.ToString();
string screenHeight = Screen.PrimaryScreen.Bounds.Height.ToString();
if (!list1.Contains(screenWidth + "x" + screenHeight))
{
Generic.SandboxTag aux = new Generic.SandboxTag("Screen resolution", screenWidth + "x" + screenHeight);
returnData.tagList.Add(aux);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if adapter name is specific
public Generic.SandboxRes checkAdapterName()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
foreach (NetworkInterface nic in NetworkInterface.GetAllNetworkInterfaces())
{
if (nic.OperationalStatus == OperationalStatus.Up)
{
//VMWare
if (nic.Name.ToLower() == "vmware")
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", nic.Name);
returnData.tagList.Add(aux);
}
}
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if host name is specific
public Generic.SandboxRes checkHostName()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
//General
try
{
if ("SystemIT".ToLower() == Dns.GetHostName().ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("Generic", "SystemIT");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if hard disk drive size and free space are small
public Generic.SandboxRes checkHDSize()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
string mainDrive = Path.GetPathRoot(Environment.GetFolderPath(Environment.SpecialFolder.System));
DriveInfo[] allDrives = DriveInfo.GetDrives();
foreach (DriveInfo d in allDrives)
{
try
{
if (mainDrive == d.Name)
{
if (Math.Round(((double)d.TotalSize / (1024 * 1024 * 1024)), 2) <= 60) //60GB
{
Generic.SandboxTag aux = new Generic.SandboxTag("Hard disk drive size", Math.Round(((double)d.TotalSize / (1024 * 1024 * 1024)), 2).ToString() + " GB");
returnData.tagList.Add(aux);
}
//if (Math.Round(((double)d.AvailableFreeSpace / (1024 * 1024 * 1024)), 2) <= 60) //60GB
//{
// Generic.SandboxTag aux = new Generic.SandboxTag("Hard disk free space", Math.Round(((double)d.AvailableFreeSpace / (1024 * 1024 * 1024)), 2).ToString() + " GB");
// returnData.tagList.Add(aux);
//}
}
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if particular registry paths exist
public Generic.SandboxRes checkPath()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
//VMware
try
{
RegistryKey regUser = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\VMware, Inc.\VMware Tools", false);
if (regUser != null)
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKCU\SOFTWARE\VMware, Inc.\VMware Tools");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
string[] list1 = { @"SOFTWARE\VMware, Inc.\VMware Tools", @"SYSTEM\ControlSet001\Services\vmdebug", @"SYSTEM\ControlSet001\Services\vmmouse", @"SYSTEM\ControlSet001\Services\VMTools", @"SYSTEM\ControlSet001\Services\VMMEMCTL", @"SYSTEM\ControlSet001\Services\vmware", @"SYSTEM\ControlSet001\Services\vmci", @"SYSTEM\ControlSet001\Services\vmx86" };
foreach (string s in list1)
{
try
{
RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(s, false);
if (regMachine != null)
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", "HKLM\\" + s);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
//General
try
{
RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(@"Software\Classes\Folder\shell\sandbox", false);
if (regMachine != null)
{
Generic.SandboxTag aux = new Generic.SandboxTag("General", @"HKLM\Software\Classes\Folder\shell\sandbox");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
//Hyper-V
string[] list2 = { @"SOFTWARE\Microsoft\Hyper-V", @"SOFTWARE\Microsoft\VirtualMachine", @"SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters", @"SYSTEM\ControlSet001\Services\vmicheartbeat", @"SYSTEM\ControlSet001\Services\vmicvss", @"SYSTEM\ControlSet001\Services\vmicshutdown", @"SYSTEM\ControlSet001\Services\vmicexchange" };
foreach (string s in list2)
{
try
{
RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(s, false);
if (regMachine != null)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Hyper-V", "HKLM\\" + s);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
//Sandboxie
string[] list3 = { @"SYSTEM\CurrentControlSet\Services\SbieDrv", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie" };
foreach (string s in list3)
{
try
{
RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(s, false);
if (regMachine != null)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Sandboxie", "HKLM\\" + s);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
//VirtualBox
string[] list4 = { @"HARDWARE\ACPI\DSDT\VBOX__", @"HARDWARE\ACPI\FADT\VBOX__", @"HARDWARE\ACPI\RSDT\VBOX__", @"SOFTWARE\Oracle\VirtualBox Guest Additions", @"SYSTEM\ControlSet001\Services\VBoxGuest", @"SYSTEM\ControlSet001\Services\VBoxMouse", @"SYSTEM\ControlSet001\Services\VBoxService", @"SYSTEM\ControlSet001\Services\VBoxSF", @"SYSTEM\ControlSet001\Services\VBoxVideo" };
foreach (string s in list4)
{
try
{
RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(s, false);
if (regMachine != null)
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", "HKLM\\" + s);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
//VirtualPC
string[] list5 = { @"SYSTEM\ControlSet001\Services\vpcbus", @"SYSTEM\ControlSet001\Services\vpc-s3", @"SYSTEM\ControlSet001\Services\vpcuhub", @"SYSTEM\ControlSet001\Services\msvmmouf" };
foreach (string s in list5)
{
try
{
RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(s, false);
if (regMachine != null)
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualPC", "HKLM\\" + s);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
//Xen
string[] list6 = { @"HARDWARE\ACPI\DSDT\xen", @"HARDWARE\ACPI\FADT\xen", @"HARDWARE\ACPI\RSDT\xen", @"SYSTEM\ControlSet001\Services\xenevtchn", @"SYSTEM\ControlSet001\Services\xennet", @"SYSTEM\ControlSet001\Services\xennet6", @"SYSTEM\ControlSet001\Services\xensvc", @"SYSTEM\ControlSet001\Services\xenvdb" };
foreach (string s in list6)
{
try
{
RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(s, false);
if (regMachine != null)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Xen", "HKLM\\" + s);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
//Wine
try
{
RegistryKey regUser = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\Wine", false);
if (regUser != null)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Wine", @"SOFTWARE\Wine");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
try
{
RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Wine", false);
if (regMachine != null)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Wine", @"SOFTWARE\Wine");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if specific files exist
public Generic.SandboxRes checkProcessName()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
//VirtualBox
string[] list1 = { "vboxservice", "vboxtray" };
foreach (string p in list1)
{
Process[] pByName = Process.GetProcessesByName(p);
if (pByName.Length > 0)
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", p);
returnData.tagList.Add(aux);
}
}
//JoeBox
string[] list2 = { "joeboxserver", "joeboxcontrol" };
foreach (string p in list2)
{
Process[] pByName = Process.GetProcessesByName(p);
if (pByName.Length > 0)
{
Generic.SandboxTag aux = new Generic.SandboxTag("JoeBox", p);
returnData.tagList.Add(aux);
}
}
//Parallels
string[] list3 = { "prl_cc", "prl_tools" };
foreach (string p in list3)
{
Process[] pByName = Process.GetProcessesByName(p);
if (pByName.Length > 0)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Parallels", p);
returnData.tagList.Add(aux);
}
}
//VirtualPC
string[] list4 = { "vmsrvc", "vmusrvc" };
foreach (string p in list4)
{
Process[] pByName = Process.GetProcessesByName(p);
if (pByName.Length > 0)
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualPC", p);
returnData.tagList.Add(aux);
}
}
//VMWare
string[] list5 = { "vmtoolsd", "vmacthlp", "vmwaretray", "vmwareuser", "vmware", "vmount2" };
foreach (string p in list5)
{
Process[] pByName = Process.GetProcessesByName(p);
if (pByName.Length > 0)
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", p);
returnData.tagList.Add(aux);
}
}
//Xen
string[] list6 = { "xenservice", "xsvc_depriv" };
foreach (string p in list6)
{
Process[] pByName = Process.GetProcessesByName(p);
if (pByName.Length > 0)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Xen", p);
returnData.tagList.Add(aux);
}
}
//WPE Pro
string[] list7 = { "WPE Pro" };
foreach (string p in list7)
{
Process[] pByName = Process.GetProcessesByName(p);
if (pByName.Length > 0)
{
Generic.SandboxTag aux = new Generic.SandboxTag("WPE Pro", p);
returnData.tagList.Add(aux);
}
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if specific files exist
public Generic.SandboxRes checkFiles()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
string[] list1 = { @"c:\take_screenshot.ps1", @"c:\loaddll.exe", @"c:\email.doc", @"c:\email.htm", @"c:\123\email.doc", @"c:\123\email.docx", @"c:\a\foobar.bmp", @"c:\a\foobar.doc", @"c:\a\foobar.gif", @"c:\symbols\aagmmc.pdb" };
foreach (string f in list1)
{
try
{
if (File.Exists(f))
{
Generic.SandboxTag aux = new Generic.SandboxTag("General", f);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
string[] list2 = { @"c:\windows\system32\drivers\prleth.sys", @"c:\windows\system32\drivers\prlfs.sys", @"c:\windows\system32\drivers\prlmouse.sys", @"c:\windows\system32\drivers\prlvideo.sys", @"c:\windows\system32\drivers\prltime.sys", @"c:\windows\system32\drivers\prl_pv32.sys", @"c:\windows\system32\drivers\prl_paravirt_32.sys" };
foreach (string f in list2)
{
try
{
if (File.Exists(f))
{
Generic.SandboxTag aux = new Generic.SandboxTag("Parallels", f);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
string[] list3 = { @"c:\windows\system32\drivers\VBoxMouse.sys", @"c:\windows\system32\drivers\VBoxGuest.sys", @"c:\windows\system32\drivers\VBoxSF.sys", @"c:\windows\system32\drivers\VBoxVideo.sys", @"c:\windows\system32\vboxdisp.dll", @"c:\windows\system32\vboxhook.dll", @"c:\windows\system32\vboxmrxnp.dll", @"c:\windows\system32\vboxogl.dll", @"c:\windows\system32\vboxoglarrayspu.dll", @"c:\windows\system32\vboxoglcrutil.dll", @"c:\windows\system32\vboxoglerrorspu.dll", @"c:\windows\system32\vboxoglfeedbackspu.dll", @"c:\windows\system32\vboxoglpackspu.dll", @"c:\windows\system32\vboxoglpassthroughspu.dll", @"c:\windows\system32\vboxservice.exe", @"c:\windows\system32\vboxtray.exe", @"c:\windows\system32\VBoxControl.exe" };
foreach (string f in list3)
{
try
{
if (File.Exists(f))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", f);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
string[] list4 = { @"c:\windows\system32\drivers\vmsrvc.sys", @"c:\windows\system32\drivers\vpc-s3.sys" };
foreach (string f in list4)
{
try
{
if (File.Exists(f))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualPC", f);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
string[] list5 = { @"c:\windows\system32\drivers\vmmouse.sys", @"c:\windows\system32\drivers\vmnet.sys", @"c:\windows\system32\drivers\vmxnet.sys", @"c:\windows\system32\drivers\vmhgfs.sys", @"c:\windows\system32\drivers\vmx86.sys", @"c:\windows\system32\drivers\hgfs.sys" };
foreach (string f in list5)
{
try
{
if (File.Exists(f))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMWare", f);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
//Console.WriteLine("[/] Error:" + e);
}
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check for specific global mutexes
public Generic.SandboxRes checkGlobalMutexes()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
//DeepFreeze
Mutex m = null;
bool doesNotExist = false;
try
{
m = Mutex.OpenExisting("Frz_State");
}
catch (WaitHandleCannotBeOpenedException)
{
doesNotExist = true;
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
if (doesNotExist == false)
{
Generic.SandboxTag aux = new Generic.SandboxTag("DeepFreeze", "Frz_State");
returnData.tagList.Add(aux);
}
//VirtualPC
doesNotExist = false;
try
{
m = Mutex.OpenExisting("MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex");
}
catch (WaitHandleCannotBeOpenedException)
{
doesNotExist = true;
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
if (doesNotExist == false)
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualPC", "MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex");
returnData.tagList.Add(aux);
}
//Sandboxie
string[] list1 = { @"Sandboxie_SingleInstanceMutex_Control", "SBIE_BOXED_ServiceInitComplete_Mutex1" };
foreach (string mutexName in list1)
{
doesNotExist = false;
try
{
m = Mutex.OpenExisting(mutexName);
}
catch (WaitHandleCannotBeOpenedException)
{
doesNotExist = true;
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
if (doesNotExist == false)
{
Generic.SandboxTag aux = new Generic.SandboxTag("Sandboxie", mutexName);
returnData.tagList.Add(aux);
}
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if username is specific
public Generic.SandboxRes checkUsername()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
//General
string[] list1 = { "admin", "andy", "honey", "john", "john doe", "malnetvm", "maltest", "malware", "roo", "sandbox", "snort", "tequilaboomboom", "test", "virus", "virusclone", "wilbert" };
foreach (string name in list1)
{
try
{
if (name.ToLower() == Environment.UserName.ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("General", name);
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
}
//Nepenthes
try
{
if ("nepenthes".ToLower() == Environment.UserName.ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("Nepenthes", "nepenthes");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
//Norman
try
{
if ("currentuser".ToLower() == Environment.UserName.ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("Norman", "currentuser");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
//ThreatExpert
try
{
if ("username".ToLower() == Environment.UserName.ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("ThreatExpert", "username");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
//Sandboxie
try
{
if ("user".ToLower() == Environment.UserName.ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("Sandboxie", "user");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
//VMware
try
{
if ("vmware".ToLower() == Environment.UserName.ToLower())
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", "vmware");
returnData.tagList.Add(aux);
}
}
catch (Exception e)
{
Console.WriteLine("[/] Error:" + e);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}
//Check if particular registry keys contain specified strings
public Generic.SandboxRes checkKeyValue()
{
Generic.SandboxRes returnData = new Generic.SandboxRes(false, new List <Generic.SandboxTag>());
//VMWare
if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 : Identifier - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 : Identifier - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 : Identifier - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosVersion", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\Description\System : SystemBiosVersion - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosVersion", "INTEL - 6040000"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\Description\System : SystemBiosVersion - INTEL - 6040000");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System", "VideoBiosVersion", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\Description\System : VideoBiosVersion - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System\BIOS", "SystemProductName", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\HARDWARE\Description\System\BIOS : SystemProductName - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "0", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum : 0 - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "1", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum : 1 - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "DeviceDesc", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum : DeviceDesc - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "FriendlyName", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum : FriendlyName - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "DeviceDesc", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum : DeviceDesc - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet002\Services\Disk\Enum", "FriendlyName", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet002\Services\Disk\Enum : FriendlyName - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet002\Services\Disk\Enum", "DeviceDesc", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet002\Services\Disk\Enum : DeviceDesc - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet003\Services\Disk\Enum", "FriendlyName", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet003\Services\Disk\Enum : FriendlyName - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet003\Services\Disk\Enum", "DeviceDesc", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet003\Services\Disk\Enum : DeviceDesc - VMWARE");
returnData.tagList.Add(aux);
}
if (checkKey("HKCR", @"Installer\Products", "ProductName", "vmware tools"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKCR\Installer\Products : ProductName - vmware tools");
returnData.tagList.Add(aux);
}
if (checkKey("HKCU", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", "DisplayName", "vmware tools"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall : DisplayName - vmware tools");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", "DisplayName", "vmware tools"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall : DisplayName - vmware tools");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000", "CoInstallers32", "vmx"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 : CoInstallers32 - vmx");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000", "DriverDesc", "VMware"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 : DriverDesc - VMware");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000", "InfSection", "vmx"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 : InfSection - vmx");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000", "ProviderName", "VMware"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 : ProviderName - VMware");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000", "Device Description", "VMware"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 : Device Description - VMware");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\CurrentControlSet\Control\SystemInformation", "SystemProductName", "VMWARE"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation : SystemProductName - VMWARE");
returnData.tagList.Add(aux);
}
RegistryKey regMachine = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Video", false);
string[] valueNames = regMachine.GetSubKeyNames();
foreach (string entry in valueNames)
{
if (checkKey("HKLM", @"SYSTEM\CurrentControlSet\Control\Video\" + entry + @"\Video", "Service", "vm3dmp"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\CurrentControlSet\Control\Video\" + entry + @"\Video : Service - vm3dmp");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\CurrentControlSet\Control\Video\" + entry + @"\Video", "Service", "vmx_svga"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\CurrentControlSet\Control\Video\" + entry + @"\Video : Service - vmx_svga");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\CurrentControlSet\Control\Video\" + entry + @"\0000", "Device Description", "VMware SVGA"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VMware", @"HKLM\SYSTEM\CurrentControlSet\Control\Video\" + entry + @"\0000 : Device Description - VMware SVGA");
returnData.tagList.Add(aux);
}
}
//Xen
if (checkKey("HKLM", @"HARDWARE\Description\System\BIOS", "SystemProductName", "Xen"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("Xen", @"HKLM\HARDWARE\Description\System\BIOS : SystemProductName - Xen");
returnData.tagList.Add(aux);
}
//General
if (checkKey("HKLM", @"HARDWARE\Description\System\BIOS", "SystemProductName", "A M I"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("General", @"HKLM\HARDWARE\Description\System\BIOS : SystemProductName - A M I");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosDate", "06/23/99"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("General", @"HKLM\HARDWARE\Description\System : SystemBiosDate - 06/23/99");
returnData.tagList.Add(aux);
}
//BOCHS
if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosVersion", "BOCHS"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("BOCHS", @"HKLM\HARDWARE\Description\System : SystemBiosVersion - BOCHS");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System", "VideoBiosVersion", "BOCHS"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("BOCHS", @"HKLM\HARDWARE\Description\System : VideoBiosVersion - BOCHS");
returnData.tagList.Add(aux);
}
//Anubis
if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductID", "76487-337-8429955-22614"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("Anubis", @"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion : ProductID - 76487-337-8429955-22614");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductID", "76487-337-8429955-22614"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("Anubis", @"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion : ProductID - 76487-337-8429955-22614");
returnData.tagList.Add(aux);
}
//CwSandbox
if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductID", "76487-644-3177037-23510"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("CwSandbox", @"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion : ProductID - 76487-644-3177037-23510");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductID", "76487-644-3177037-23510"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("CwSandbox", @"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion : ProductID - 76487-644-3177037-23510");
returnData.tagList.Add(aux);
}
//JoeBox
if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductID", "55274-640-2673064-23950"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("CwSandbox", @"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion : ProductID - 55274-640-2673064-23950");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductID", "55274-640-2673064-23950"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("CwSandbox", @"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion : ProductID - 55274-640-2673064-23950");
returnData.tagList.Add(aux);
}
//Parallels
if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosVersion", "PARALLELS"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("Parallels", @"HKLM\HARDWARE\Description\System : SystemBiosVersion - PARALLELS");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System", "VideoBiosVersion", "PARALLELS"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("Parallels", @"HKLM\HARDWARE\Description\System : VideoBiosVersion - PARALLELS");
returnData.tagList.Add(aux);
}
//QEMU
if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "QEMU"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("QEMU", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 : Identifier - QEMU");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosVersion", "QEMU"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("QEMU", @"HKLM\HKLM\HARDWARE\Description\System : SystemBiosVersion - QEMU");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System", "VideoBiosVersion", "QEMU"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("QEMU", @"HKLM\HARDWARE\Description\System : VideoBiosVersion - QEMU");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System\BIOS ", "SystemManufacturer", "QEMU"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("QEMU", @"HKLM\HARDWARE\Description\System\BIOS : VideoBiosVersion - QEMU");
returnData.tagList.Add(aux);
}
//VirtualBox
if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "VBOX"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0: Identifier - VBOX");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "VBOX"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0: Identifier - VBOX");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier", "VBOX"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0: Identifier - VBOX");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System", "SystemBiosVersion", "VBOX"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\HARDWARE\Description\System: SystemBiosVersion - VBOX");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System", "VideoBiosVersion", "VIRTUALBOX"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\HARDWARE\Description\System: VideoBiosVersion - VIRTUALBOX");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"HARDWARE\Description\System\BIOS", "SystemProductName", "VIRTUAL"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\HARDWARE\Description\System\BIOS: SystemProductName - VIRTUAL");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "DeviceDesc", "VBOX"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum: DeviceDesc - VBOX");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet001\Services\Disk\Enum", "FriendlyName", "VBOX"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum: FriendlyName - VBOX");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet002\Services\Disk\Enum", "DeviceDesc", "VBOX"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\ControlSet002\Services\Disk\Enum: DeviceDesc - VBOX");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet002\Services\Disk\Enum", "FriendlyName", "VBOX"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\ControlSet002\Services\Disk\Enum: FriendlyName - VBOX");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet003\Services\Disk\Enum", "DeviceDesc", "VBOX"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\ControlSet003\Services\Disk\Enum: DeviceDesc - VBOX");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\ControlSet003\Services\Disk\Enum", "FriendlyName", "VBOX"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\ControlSet003\Services\Disk\Enum: FriendlyName - VBOX");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\CurrentControlSet\Control\SystemInformation", "SystemProductName", "VIRTUAL"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation: SystemProductName - VIRTUAL");
returnData.tagList.Add(aux);
}
if (checkKey("HKLM", @"SYSTEM\CurrentControlSet\Control\SystemInformation", "SystemProductName", "VIRTUALBOX"))
{
Generic.SandboxTag aux = new Generic.SandboxTag("VirtualBox", @"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation: SystemProductName - VIRTUALBOX");
returnData.tagList.Add(aux);
}
if (returnData.tagList.Count > 0)
{
returnData.isSandbox = true;
}
return(returnData);
}