- Added detection for sample.exe and malware.exe

pafish/gensandbox.c

@@ -2,6 +2,7 @@
 #include <windows.h>
 #include <winioctl.h>
 #include <string.h>
+#include <stdio.h>
 
 #include "types.h"
 #include "gensandbox.h"
@@ -102,3 +103,33 @@ int gensandbox_sleep_patched() {
 	if ((GetTickCount() - time1) > 450 ) return FALSE;
 	else return TRUE;
 }
+
+int gensandbox_common_names() {
+    DWORD dwSize = MAX_PATH;
+    char szLogicalDrives[MAX_PATH] = {0};
+    char filename[MAX_PATH] = {0};
+    DWORD dwResult = GetLogicalDriveStrings(dwSize,szLogicalDrives);
+    BOOL exists;
+
+    if (dwResult > 0 && dwResult <= MAX_PATH)
+    {
+        char* szSingleDrive = szLogicalDrives;
+        while(*szSingleDrive)
+        {
+            snprintf(filename, MAX_PATH, "%ssample.exe",szSingleDrive);
+            exists = pafish_exists_file(filename);
+            if (exists)
+                return TRUE;
+
+            snprintf(filename, MAX_PATH, "%smalware.exe",szSingleDrive);
+            exists = pafish_exists_file(filename);
+            if (exists)
+                return TRUE;
+
+            szSingleDrive += strlen(szSingleDrive) + 1;
+        }
+    }
+
+    return FALSE;
+}
+

pafish/gensandbox.h

@@ -14,4 +14,6 @@ int gensandbox_drive_size2();
 
 int gensandbox_sleep_patched();
 
+int gensandbox_common_names();
+
 #endif

pafish/main.c

@@ -124,6 +124,14 @@ int main(int argc, char *argv[])
 	}
 	else print_not_traced();
 
+    printf("[*] Checking common sample names ... ");
+    if (gensandbox_common_names() == TRUE) {
+        print_traced();
+        write_log("Sandbox traced by checking common sample names");
+        write_trace("hi_sandbox_common_names");
+    }
+    else print_not_traced();
+
 	/* Hooks detection tricks */
 	printf("\n[-] Hooks detection\n");
 	printf("[*] Checking function DeleteFileW method 1 ... ");