[Original] Detecting the Kaspersky sandbox: the RegSetValue trick
Posted on: 2010-2-3 10:55
Following the OpenProcess trick in the previous post, here is the RegSetValue trick.
Digging up these detection methods really rests on understanding how the sandbox works: knowing its workflow and knowing where the hard parts of its processing lie. I think the completely blind approach, testing at random without a clear grasp of the principle, is not worth taking.
Detection methods are practically endless~~~ what is fake can never become real~~~
The source code follows:
//
//AUTHOR: 黑客守卫者
//BLOG: http://hi.baidu.com/ihxdef
//URL: http://hi.baidu.com/ihxdef/blog/item/0f880bf94285c704d8f9fdc7.html
//
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "advapi32.lib")    //RegOpenKeyA / RegSetValueA / RegCloseKey
#pragma comment(lib, "user32.lib")      //MessageBoxA
//
//Define
//
int DetectSandBox(void);
//
//Routine
//
int DetectSandBox(void)
{
    //
    //Routine Description:
    //
    //    This routine detects whether it is running in the real OS or in the SandBox.
    //    On a real system Kaspersky's self-protection refuses writes under its
    //    "protected" key; inside the SandBox the write is virtualized and succeeds.
    //    Tested in win xp.
    //
    //Arguments:
    //
    //    None
    //
    //Return Value:
    //
    //    -1 for error (unexpected registry status)
    //     0 for run in real OS
    //     1 for run in SandBox
    //     2 for Kaspersky not installed
    //
    //Detect
    //
    const char *szKasperskyPath = "SOFTWARE\\KasperskyLab\\protected";
    HKEY hKaspersky = NULL;
    LONG lRet;

    //Explicit ANSI entry points, so this also builds with UNICODE defined.
    if( RegOpenKeyA(HKEY_LOCAL_MACHINE, szKasperskyPath, &hKaspersky) != ERROR_SUCCESS )
    {
        //No handle was opened, so there is nothing to close.
        return 2;
    }

    //Try to write a value under the protected key.
    lRet = RegSetValueA(hKaspersky, "Kaspersky", REG_SZ, "SandBox", sizeof("SandBox"));
    RegCloseKey(hKaspersky);
    //
    //Check the result
    //
    if( lRet == ERROR_SUCCESS )
    {
        return 1;                       //the write went through: we are in the SandBox
    }
    if( lRet == ERROR_ACCESS_DENIED )
    {
        return 0;                       //self-protection blocked it: real OS
    }
    return -1;                          //any other status is an error, not a verdict
}
//
//Entry
//
int main(void)
{
    int iRet = DetectSandBox();
    if( iRet == 1 )
    {
        MessageBoxA(NULL, "RUN IN SANDBOX! DAMN IT!", "NOTICE", MB_ICONSTOP);
    }
    else if( iRet == 0 )
    {
        MessageBoxA(NULL, "RUN IN REAL OS!", "NOTICE", MB_ICONINFORMATION);
    }
    else if( iRet == 2 )
    {
        MessageBoxA(NULL, "KASPERSKY NOT INSTALLED!", "NOTICE", MB_ICONSTOP);
    }
    else
    {
        MessageBoxA(NULL, "UNKNOWN ERROR! DAMN IT!", "NOTICE", MB_ICONSTOP);
    }
    return 0;
}
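The trick above works because of one observable difference: on a real host Kaspersky's self-protection denies the write to its "protected" key, while the sandbox virtualizes it and reports success. The same fact can be read from the defender's side: on a real machine, a process that asks for write access to an AV self-protection key and gets denied is itself a signal worth looking at. The following Python is an added example, not part of the original post and not Kaspersky's code. It assumes registry object-access auditing is enabled with a SACL on the key (an assumption, not something the post states), and the records are constructed to resemble the fields of Windows Security event 4656 (handle request on a registry key); the process paths and the unrelated `\SOFTWARE\Example` key are made up for the sample.

```python
"""Flag denied write attempts against an AV self-protection registry key.

Added example (not from the original post). The event records are constructed
to look like Security event 4656 fields; the assumption that the protected key
carries an audit SACL so that denied requests are logged is ours.
"""
import re
from typing import Dict, Iterable, List

# Registry paths an AV product protects; the Kaspersky path is the one the post
# writes to. Object names in Security events use the \REGISTRY\MACHINE form.
PROTECTED_KEY_PATTERNS = [
    re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\KasperskyLab\\protected(\\|$)", re.I),
]

# Access rights (as event 4656 spells them) that mean the caller wanted to modify the key.
WRITE_ACCESSES = {"Set key value", "Create sub-key", "Delete", "Write DAC"}


def is_protected_key(object_name: str) -> bool:
    """True when the object name falls under one of the protected key paths."""
    return any(p.search(object_name) for p in PROTECTED_KEY_PATTERNS)


def classify(event: Dict) -> str:
    """Classify one record: 'denied-write', 'allowed-write', 'read' or 'ignore'."""
    if event.get("EventID") != 4656 or event.get("ObjectType") != "Key":
        return "ignore"
    if not is_protected_key(event.get("ObjectName", "")):
        return "ignore"
    if not set(event.get("AccessList", [])) & WRITE_ACCESSES:
        return "read"
    return "denied-write" if event.get("Keywords") == "Audit Failure" else "allowed-write"


def find_probes(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per process whose write to a protected key was denied."""
    findings: Dict[str, Dict] = {}
    for ev in events:
        if classify(ev) != "denied-write":
            continue
        proc = ev.get("ProcessName", "<unknown>")
        f = findings.setdefault(proc, {"process": proc, "user": ev.get("SubjectUserName"),
                                       "keys": set(), "attempts": 0})
        f["keys"].add(ev["ObjectName"])
        f["attempts"] += 1
    return sorted(findings.values(), key=lambda f: f["process"])


# Constructed sample records (not real telemetry) shaped like event 4656 fields.
SAMPLE_EVENTS = [
    {   # the post's trick run on a real host: write requested, self-protection says no
        "EventID": 4656, "Keywords": "Audit Failure", "ObjectType": "Key",
        "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\KasperskyLab\protected",
        "AccessList": ["Set key value"], "ProcessName": r"C:\Users\bob\Desktop\sample.exe",
        "SubjectUserName": "bob",
    },
    {   # the product's own service updating a subkey: allowed, not interesting
        "EventID": 4656, "Keywords": "Audit Success", "ObjectType": "Key",
        "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\KasperskyLab\protected\AVP",
        "AccessList": ["Set key value"], "ProcessName": r"C:\Program Files\Kaspersky Lab\avp.exe",
        "SubjectUserName": "SYSTEM",
    },
    {   # an admin reading the key in regedit: read only
        "EventID": 4656, "Keywords": "Audit Success", "ObjectType": "Key",
        "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\KasperskyLab\protected",
        "AccessList": ["Query key value", "Enumerate sub-keys"],
        "ProcessName": r"C:\Windows\regedit.exe", "SubjectUserName": "alice",
    },
    {   # denied write to an unrelated (made-up) key: outside the policy, ignored
        "EventID": 4656, "Keywords": "Audit Failure", "ObjectType": "Key",
        "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Example",
        "AccessList": ["Set key value"], "ProcessName": r"C:\Users\bob\Desktop\sample.exe",
        "SubjectUserName": "bob",
    },
]

if __name__ == "__main__":
    for f in find_probes(SAMPLE_EVENTS):
        print(f"{f['process']} ({f['user']}): {f['attempts']} denied write(s) to {sorted(f['keys'])}")
```

Only the first record produces a finding; the product's own successful write and the read-only query are classified but not reported. For a sandbox vendor the same observation points at the fix: the sandbox should return the same status the real system would (here ERROR_ACCESS_DENIED) for writes to keys that a self-protection driver guards, instead of silently virtualizing them.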