Common Sandbox Programs Detection

AntiDebug/ProcessDetection/ProcessDetection.go

@@ -2,7 +2,6 @@ package BadProcesses
 
 import (
 	"bytes"
-	"log"
 	"os/exec"
 	"strings"
 )

AntiVirtualization/AnyRunDetection/anyruncheck.go

@@ -0,0 +1,27 @@
+package AnyRunDetection
+
+import (
+	"log"
+	"net"
+	"strings"
+)
+
+// AnyRunDetection checks for the "52-54-00" MAC address prefix and returns true if found.
+func AnyRunDetection() (bool, error) {
+	// Retrieve all network interfaces
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		log.Printf("Error getting network interfaces: %v", err)
+		return false, err
+	}
+
+	// Loop through each interface and check the MAC address
+	for _, iface := range interfaces {
+		macAddress := iface.HardwareAddr.String() // Fetch the MAC address
+		if strings.HasPrefix(strings.ToUpper(strings.ReplaceAll(macAddress, "-", ":")), "52:54:00") {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}

AntiVirtualization/ComodoAntivirusDetection/comodocheck.go

@@ -0,0 +1,82 @@
+package ComodoAntivirusDetection
+
+import (
+    "fmt"
+    "os"
+    "golang.org/x/sys/windows/registry"
+    "syscall"
+    "os/exec"
+    "strings"
+)
+
+// DetectComodoAntivirus checks if Comodo Antivirus is installed or present.
+func DetectComodoAntivirus() bool {
+    // Check for the installation paths
+    comodoPaths := []string{
+        "C:\\Program Files\\COMODO\\COMODO Internet Security\\",
+        "C:\\Program Files (x86)\\COMODO\\COMODO Internet Security\\",
+    }
+
+    for _, path := range comodoPaths {
+        if pathExists(path) {
+            return true
+        }
+    }
+
+    // Check for the Comodo Antivirus driver
+    driverPath := "C:\\Windows\\System32\\drivers\\cmdguard.sys"
+    if pathExists(driverPath) {
+        return true
+    }
+
+    // Check for Comodo Antivirus registry key
+    if checkComodoRegistry() {
+        return true
+    }
+
+    // Check for Comodo Antivirus service via WMIC
+    if checkComodoService() {
+        return true
+    }
+
+    return false
+}
+
+// pathExists checks if a given path exists.
+func pathExists(path string) bool {
+    _, err := os.Stat(path)
+    return !os.IsNotExist(err)
+}
+
+// checkComodoRegistry checks for Comodo Antivirus in the registry key.
+func checkComodoRegistry() bool {
+    comodoKey := `SOFTWARE\COMODO\CIS`
+    return registryKeyExists(registry.LOCAL_MACHINE, comodoKey)
+}
+
+// checkComodoService checks for the Comodo Antivirus service via WMIC.
+func checkComodoService() bool {
+    serviceName := "cmdagent"
+    return serviceExists(serviceName)
+}
+
+// serviceExists checks if a service exists using WMIC.
+func serviceExists(serviceName string) bool {
+    cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("Name='%s'", serviceName), "get", "Name")
+
+    // Hide the console window
+    cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
+
+    output, err := cmd.Output()
+    return err == nil && strings.TrimSpace(string(output)) != ""
+}
+
+// registryKeyExists checks if a registry key exists.
+func registryKeyExists(root registry.Key, path string) bool {
+    key, err := registry.OpenKey(root, path, registry.QUERY_VALUE)
+    if err != nil {
+        return false
+    }
+    defer key.Close()
+    return true
+}

AntiVirtualization/DeepFreezeDetection/deepfreezecheck.go

@@ -0,0 +1,111 @@
+package DeepFreezeDetection
+
+import (
+    "fmt"
+    "os"
+    "golang.org/x/sys/windows/registry"
+    "syscall"
+    "os/exec"
+    "strings"
+)
+
+// DetectDeepFreeze checks if Deep Freeze is installed or present.
+func DetectDeepFreeze() bool {
+    // Check for the installation paths
+    deepFreezePaths := []string{
+        "C:\\Program Files\\Faronics\\Deep Freeze\\",
+        "C:\\Program Files (x86)\\Faronics\\Deep Freeze\\",
+    }
+
+    for _, path := range deepFreezePaths {
+        if pathExists(path) {
+            return true
+        }
+    }
+
+    // Check for the Deep Freeze driver
+    driverPath := "C:\\Persi0.sys"
+    if pathExists(driverPath) {
+        return true
+    }
+
+    // Check for Deep Freeze registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
+    if checkHelpDirRegistry() {
+        return true
+    }
+
+    // Check for Autorecover MOFs containing "Faronics" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
+    if checkAutoRecoverMOFs() {
+        return true
+    }
+
+    // Check for Deep Freeze service via WMIC
+    if checkDeepFreezeService() {
+        return true
+    }
+
+    return false
+}
+
+// pathExists checks if a given path exists.
+func pathExists(path string) bool {
+    _, err := os.Stat(path)
+    return !os.IsNotExist(err)
+}
+
+// checkHelpDirRegistry checks for Deep Freeze in the HELPDIR registry key.
+func checkHelpDirRegistry() bool {
+    helpDirKey := `SOFTWARE\Classes\TypeLib\{C5D763D9-2422-4B2D-A425-02D5BD016239}\1.0\HELPDIR`
+    return registryKeyExists(registry.LOCAL_MACHINE, helpDirKey)
+}
+
+// checkAutoRecoverMOFs checks for Autorecover MOFs containing "Faronics".
+func checkAutoRecoverMOFs() bool {
+    cimomKey := `SOFTWARE\Microsoft\Wbem\CIMOM`
+    key, err := registry.OpenKey(registry.LOCAL_MACHINE, cimomKey, registry.QUERY_VALUE)
+    if err != nil {
+        return false
+    }
+    defer key.Close()
+
+    // Get the "Autorecover MOFs" value
+    mofs, _, err := key.GetStringsValue("Autorecover MOFs")
+    if err != nil {
+        return false
+    }
+
+    // Check if any of the MOF paths contain the "Faronics" keyword
+    for _, mof := range mofs {
+        if strings.Contains(strings.ToLower(mof), "faronics") {
+            return true
+        }
+    }
+    return false
+}
+
+// checkDeepFreezeService checks for the Deep Freeze service via WMIC.
+func checkDeepFreezeService() bool {
+    serviceName := "DFServ"
+    return serviceExists(serviceName)
+}
+
+// serviceExists checks if a service exists using WMIC.
+func serviceExists(serviceName string) bool {
+    cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("Name='%s'", serviceName), "get", "Name")
+
+    // Hide the console window
+    cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
+
+    output, err := cmd.Output()
+    return err == nil && strings.TrimSpace(string(output)) != ""
+}
+
+// registryKeyExists checks if a registry key exists.
+func registryKeyExists(root registry.Key, path string) bool {
+    key, err := registry.OpenKey(root, path, registry.QUERY_VALUE)
+    if err != nil {
+        return false
+    }
+    defer key.Close()
+    return true
+}

AntiVirtualization/HyperVDetection/hypervdetection.go

@@ -0,0 +1,60 @@
+package HyperVCheck
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+	"syscall"
+	"golang.org/x/sys/windows/registry"
+)
+
+// DetectHyperV checks if Hyper-V is installed using registry, service, and process checks.
+func DetectHyperV() (bool, error) {
+	// 1. Check Registry for Hyper-V
+	key, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization`, registry.QUERY_VALUE)
+	if err == nil {
+		defer key.Close()
+		enabled, _, err := key.GetIntegerValue("Enabled")
+		if err == nil && enabled == 1 {
+			return true, nil
+		}
+	}
+
+	// 2. Check if Hyper-V services are running (vmms and vmbus)
+	if isServiceExisting("vmms") || isServiceExisting("vmbus") {
+		return true, nil
+	}
+
+	// 3. Check if Hyper-V processes are running (vmms.exe and vmbus.sys)
+	if isProcessRunning("vmms.exe") || isProcessRunning("vmbus.sys") {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+// isServiceExisting checks if a specific service exists and is running
+func isServiceExisting(serviceName string) bool {
+	cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("name='%s'", serviceName), "get", "name")
+	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
+
+	output, err := cmd.Output()
+	if err != nil {
+		return false
+	}
+
+	return strings.Contains(strings.ToLower(string(output)), strings.ToLower(serviceName))
+}
+
+// isProcessRunning checks if a specific process is running
+func isProcessRunning(processName string) bool {
+	cmd := exec.Command("tasklist")
+	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
+
+	output, err := cmd.Output()
+	if err != nil {
+		return false
+	}
+
+	return strings.Contains(strings.ToLower(string(output)), strings.ToLower(processName))
+}