Merge branch 'virtualminds-master' into dev-chaos

pafish/gensandbox.c

@@ -3,6 +3,7 @@
 #include <winioctl.h>
 #include <string.h>
 #include <stdint.h>
+#include <stdio.h>
 
 #include "types.h"
 #include "gensandbox.h"
@@ -111,3 +112,31 @@ int gensandbox_rdtsc() {
 	return (ret2 - ret) > 1000 ? TRUE : FALSE;
 }
 
+int gensandbox_common_names() {
+	DWORD dwSize = MAX_PATH;
+	char szLogicalDrives[MAX_PATH] = {0};
+	char filename[MAX_PATH] = {0};
+	DWORD dwResult = GetLogicalDriveStrings(dwSize,szLogicalDrives);
+	BOOL exists;
+
+	if (dwResult > 0 && dwResult <= MAX_PATH)
+	{
+		char* szSingleDrive = szLogicalDrives;
+		while(*szSingleDrive)
+		{
+			snprintf(filename, MAX_PATH, "%ssample.exe",szSingleDrive);
+			exists = pafish_exists_file(filename);
+			if (exists)
+				return TRUE;
+
+			snprintf(filename, MAX_PATH, "%smalware.exe",szSingleDrive);
+			exists = pafish_exists_file(filename);
+			if (exists)
+				return TRUE;
+
+			szSingleDrive += strlen(szSingleDrive) + 1;
+		}
+	}
+	return FALSE;
+}
+

pafish/gensandbox.h

@@ -16,4 +16,6 @@ int gensandbox_sleep_patched();
 
 int gensandbox_rdtsc();
 
+int gensandbox_common_names();
+
 #endif

pafish/main.c

@@ -101,6 +101,14 @@ int main(int argc, char *argv[])
 	}
 	else print_not_traced();
 
+	printf("[*] Checking common sample names in drives root ... ");
+	if (gensandbox_common_names() == TRUE) {
+		print_traced();
+		write_log("Sandbox traced by checking common sample names in drives root");
+		write_trace("hi_sandbox_common_names");
+	}
+	else print_not_traced();
+
 	printf("[*] Checking if disk size <= 60GB via DeviceIoControl() ... ");
 	if (gensandbox_drive_size() == TRUE) {
 		print_traced();