- Added detection for sample.exe and malware.exe
This commit is contained in:
parent
9fb472d7da
commit
d28c9a1fcd
@ -2,6 +2,7 @@
|
|||||||
#include <windows.h>
|
#include <windows.h>
|
||||||
#include <winioctl.h>
|
#include <winioctl.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
#include "types.h"
|
#include "types.h"
|
||||||
#include "gensandbox.h"
|
#include "gensandbox.h"
|
||||||
@ -102,3 +103,33 @@ int gensandbox_sleep_patched() {
|
|||||||
if ((GetTickCount() - time1) > 450 ) return FALSE;
|
if ((GetTickCount() - time1) > 450 ) return FALSE;
|
||||||
else return TRUE;
|
else return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int gensandbox_common_names() {
|
||||||
|
DWORD dwSize = MAX_PATH;
|
||||||
|
char szLogicalDrives[MAX_PATH] = {0};
|
||||||
|
char filename[MAX_PATH] = {0};
|
||||||
|
DWORD dwResult = GetLogicalDriveStrings(dwSize,szLogicalDrives);
|
||||||
|
BOOL exists;
|
||||||
|
|
||||||
|
if (dwResult > 0 && dwResult <= MAX_PATH)
|
||||||
|
{
|
||||||
|
char* szSingleDrive = szLogicalDrives;
|
||||||
|
while(*szSingleDrive)
|
||||||
|
{
|
||||||
|
snprintf(filename, MAX_PATH, "%ssample.exe",szSingleDrive);
|
||||||
|
exists = pafish_exists_file(filename);
|
||||||
|
if (exists)
|
||||||
|
return TRUE;
|
||||||
|
|
||||||
|
snprintf(filename, MAX_PATH, "%smalware.exe",szSingleDrive);
|
||||||
|
exists = pafish_exists_file(filename);
|
||||||
|
if (exists)
|
||||||
|
return TRUE;
|
||||||
|
|
||||||
|
szSingleDrive += strlen(szSingleDrive) + 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
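Review bot: gensandbox_common_names() probes the root of every string GetLogicalDriveStrings returns, which includes mapped network drives and removable-media letters, and pafish_exists_file() on an unreachable share or a letter with no volume can stall for a long time or, depending on the process error mode, raise the "insert a disk" prompt; the function never filters by drive type. A cheap guard before the first snprintf is `UINT type = GetDriveType(szSingleDrive); if (type == DRIVE_REMOTE || type == DRIVE_NO_ROOT_DIR) { szSingleDrive += strlen(szSingleDrive) + 1; continue; }`. The two probe sequences for "sample.exe" and "malware.exe" are also copy-pasted; a small name table keeps the loop to one snprintf/exists pair and makes adding further names a one-line change, as sketched below. The function is entirely within the hunk, so the rewrite replaces its while loop only.
```c
/* Filenames sandboxes commonly give the submitted sample. */
static const char *const common_sample_names[] = { "sample.exe", "malware.exe" };
/* … unchanged: buffer setup, GetLogicalDriveStrings and its size check … */
        while (*szSingleDrive)
        {
            UINT type = GetDriveType(szSingleDrive);
            /* Skip unreachable shares and letters with no volume: probing
               them can stall, and they say nothing about a sandbox. */
            if (type != DRIVE_REMOTE && type != DRIVE_NO_ROOT_DIR)
            {
                size_t i;
                for (i = 0; i < sizeof(common_sample_names) / sizeof(common_sample_names[0]); i++)
                {
                    snprintf(filename, MAX_PATH, "%s%s", szSingleDrive, common_sample_names[i]);
                    if (pafish_exists_file(filename))
                        return TRUE;
                }
            }
            szSingleDrive += strlen(szSingleDrive) + 1;
        }
```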
@ -14,4 +14,6 @@ int gensandbox_drive_size2();
|
|||||||
|
|
||||||
int gensandbox_sleep_patched();
|
int gensandbox_sleep_patched();
|
||||||
|
|
||||||
|
int gensandbox_common_names();
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
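Review bot: The new prototype `int gensandbox_common_names();` uses empty parentheses, which in C declares a function with unspecified arguments rather than none, so a call that passes stray arguments compiles silently; `int gensandbox_common_names(void);` is the form that lets the compiler check the call. This matches the existing declaration on the context line (`int gensandbox_sleep_patched();`), so it may be deliberate house style, in which case leave it. The declaration sits inside an include guard whose opening is outside the hunk.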
@ -124,6 +124,14 @@ int main(int argc, char *argv[])
|
|||||||
}
|
}
|
||||||
else print_not_traced();
|
else print_not_traced();
|
||||||
|
|
||||||
|
printf("[*] Checking common sample names ... ");
|
||||||
|
if (gensandbox_common_names() == TRUE) {
|
||||||
|
print_traced();
|
||||||
|
write_log("Sandbox traced by checking common sample names");
|
||||||
|
write_trace("hi_sandbox_common_names");
|
||||||
|
}
|
||||||
|
else print_not_traced();
|
||||||
|
|
||||||
/* Hooks detection tricks */
|
/* Hooks detection tricks */
|
||||||
printf("\n[-] Hooks detection\n");
|
printf("\n[-] Hooks detection\n");
|
||||||
printf("[*] Checking function DeleteFileW method 1 ... ");
|
printf("[*] Checking function DeleteFileW method 1 ... ");
|
||||||
|