From 01ac4d215323e5d5acf964bf323eb76162e7516e Mon Sep 17 00:00:00 2001
From: Duarte Silva
Date: Mon, 18 May 2015 13:30:43 +0100
Subject: [PATCH] Added a check for less than one GiB of memory.

---
 pafish/gensandbox.c | 10 ++++++++++
 pafish/gensandbox.h | 2 ++
 pafish/main.c | 8 ++++++++
 3 files changed, 20 insertions(+)

diff --git a/pafish/gensandbox.c b/pafish/gensandbox.c
index c31d75c..21be90c 100644
--- a/pafish/gensandbox.c
+++ b/pafish/gensandbox.c
@@ -1,4 +1,6 @@
+#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */
+
 #include
 #include
 #include
@@ -149,3 +151,11 @@ int gensandbox_one_cpu_GetSystemInfo() {
 return siSysInfo.dwNumberOfProcessors < 2 ? TRUE : FALSE;
 }
 
+int gensandbox_less_than_onegb() {
+ MEMORYSTATUSEX statex;
+ statex.dwLength = sizeof (statex);
+
+ GlobalMemoryStatusEx(&statex);
+ return (statex.ullAvailPhys/1024) < 1048576 ? TRUE : FALSE;
+}
+
diff --git a/pafish/gensandbox.h b/pafish/gensandbox.h
index d5bf4c4..50be470 100644
--- a/pafish/gensandbox.h
+++ b/pafish/gensandbox.h
@@ -20,4 +20,6 @@ int gensandbox_one_cpu();
 int gensandbox_one_cpu_GetSystemInfo();
 
+int gensandbox_less_than_onegb();
+
 #endif
diff --git a/pafish/main.c b/pafish/main.c
index ac23e85..0096815 100644
--- a/pafish/main.c
+++ b/pafish/main.c
@@ -191,6 +191,14 @@ int main(void)
 }
 else print_not_traced();
 
+ printf("[*] Checking if pysical memory is < 1Gb ... ");
+ if (gensandbox_less_than_onegb() == TRUE) {
+ print_traced();
+ write_log("Sandbox traced by checking if pysical memory is less than 1Gb");
+ write_trace("hi_sandbox_pysicalmemory_less_1Gb");
+ }
+ else print_not_traced();
+
 /* Hooks detection tricks */
 printf("\n[-] Hooks detection\n");
 printf("[*] Checking function DeleteFileW method 1 ... ");
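Review bot: `_WIN32_WINNT` is defined unconditionally at the top of gensandbox.c, so a build that already sets it from the compiler command line, or another translation unit in the project that picks a different value, will get a macro-redefinition warning or a mismatched API surface between files. Guarding it as `#ifndef _WIN32_WINNT` / `#define _WIN32_WINNT 0x0501 /* _WIN32_WINNT_WINXP */` / `#endif` keeps the intent while respecting an outer definition. Placing it before the `#include` lines, as done here, is correct; that ordering is presumably what exposes `GlobalMemoryStatusEx` for the new function below, and a short comment saying so would save the next reader a trip to the headers.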
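Review bot: The return value of `GlobalMemoryStatusEx` is ignored in gensandbox_less_than_onegb, so when the call fails the only initialized field of `statex` is `dwLength` and `statex.ullAvailPhys` is read uninitialized, making the verdict arbitrary; add `if (!GlobalMemoryStatusEx(&statex)) return FALSE;` before the comparison so an unanswered query is reported as "not traced" rather than as a random result. The field compared is also `ullAvailPhys`, the physical memory currently free, whereas the commit title, the function name and the log text all describe the machine's physical memory; free memory varies with load, so a multi-GiB host under memory pressure would be reported as a sandbox. `ullTotalPhys` is the field that matches the stated intent: `return statex.ullTotalPhys < (1024ULL * 1024 * 1024) ? TRUE : FALSE;`, which also spells out the 1 GiB threshold that `(x/1024) < 1048576` encodes in KiB. A one-line comment such as `/* total RAM in bytes below 1 GiB */` above the return would document the threshold for the next reader.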
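Review bot: The three new strings in main misspell "physical" as "pysical", and "1Gb" reads as one gigabit rather than the gibibyte the commit title names; the trace identifier `hi_sandbox_pysicalmemory_less_1Gb` in particular is a machine-readable tag that is awkward to rename once anything parses the trace output, so it is worth fixing before merge. Suggested: `printf("[*] Checking if physical memory is < 1 GiB ... ");`, `write_log("Sandbox traced by checking if physical memory is less than 1 GiB");`, `write_trace("hi_sandbox_physicalmemory_less_1GiB");`. The check reports a trace whenever the helper returns TRUE, so any failure mode of the helper (see the note on gensandbox.c) surfaces here as a false positive in the log. main's body starts and ends outside the hunk.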