I used the same methods in my other post for the Anubis and Sandboxie. I just added more detections for other similar sandboxes. One method uses the registry to retrieve the Product ID and check for Anubis, CWSandbox, and JoeBox. The other checks the loaded modules for files loaded with Sandboxie and ThreatExpert. The detection used for ThreatExpert should also detect some basic debuggers. It may be kind of sloppy because while finishing it up I was baked outta my mind.
Code:
'Detect 5 Different Sandboxes
'Coded by stoopid
'
' Detects:
' -> Sandboxie : http://www.sandboxie.com/
' -> ThreatExpert : http://www.threatexpert.com/
' -> Anubis : http://anubis.iseclab.org/
' -> CWSandbox : http://www.cwsandbox.org/
' -> JoeBox : http://www.joebox.org/
'
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As MODULEENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function RegOpenKeyEx Lib "advapi32" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, ByRef phkResult As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, ByRef lpType As Long, ByVal lpData As String, ByRef lpcbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32" (ByVal hKey As Long) As Long

Private Type MODULEENTRY32
    dwSize As Long
    th32ModuleID As Long
    th32ProcessID As Long
    GlblcntUsage As Long
    ProccntUsage As Long
    modBaseAddr As Byte
    modBaseSize As Long
    hModule As Long
    szModule As String * 256
    szExePath As String * 1024
End Type

Const HKEY_LOCAL_MACHINE = &H80000002
Const REG_SZ = 1&
Const KEY_ALL_ACCESS = &H3F
Const TH32CS_SNAPMODULE = &H8

Public Function IsInSandbox() As Boolean
    Dim hKey As Long, hOpen As Long, hQuery As Long, hSnapShot As Long
    Dim me32 As MODULEENTRY32
    Dim szBuffer As String * 128

    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId)
    me32.dwSize = Len(me32)
    Module32First hSnapShot, me32
    Do While Module32Next(hSnapShot, me32) <> 0
        If InStr(1, LCase(me32.szModule), "sbiedll.dll") > 0 Then 'Sandboxie
            IsInSandbox = True
        ElseIf InStr(1, LCase(me32.szModule), "dbghelp.dll") > 0 Then 'ThreatExpert
            IsInSandbox = True
        End If
    Loop
    CloseHandle (hSnapShot)

    If IsInSandbox = False Then
        hOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion", 0, KEY_ALL_ACCESS, hKey)
        If hOpen = 0 Then
            hQuery = RegQueryValueEx(hKey, "ProductId", 0, REG_SZ, szBuffer, 128)
            If hQuery = 0 Then
                If InStr(1, szBuffer, "76487-337-8429955-22614") > 0 Then 'Anubis
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "76487-644-3177037-23510") > 0 Then 'CWSandbox
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "55274-640-2673064-23950") > 0 Then 'JoeBox
                    IsInSandbox = True
                End If
            End If
        End If
        RegCloseKey (hKey)
    End If
End Function

Sub Main()
    If IsInSandbox = True Then
        MsgBox "Is in Sandbox"
    Else
        MsgBox "Not in Sandbox"
    End If
End Sub


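The routine above works because each sandbox leaves a fixed artifact (an injected DLL name or a known ProductId value), and those same constants have to be carried inside any binary that uses this check. From the analyst's side that makes them a cheap triage signal. The following Python helper is an added example, not code from the post: it scans a file image for exactly the five strings the VB6 routine hard-codes, in both ASCII and UTF-16LE (VB6 stores string literals as wide characters), and weights dbghelp.dll lower because it is a stock Windows DLL loaded by many legitimate programs. The sample buffers at the bottom are constructed stand-ins for real file contents.

```python
"""
Triage helper for the sandbox fingerprints hard-coded in the post's IsInSandbox() routine.
Added example, not code from the original post. Assumes the indicator strings are exactly
those on the page; the sample buffers below are constructed, not real files.
"""
from typing import Dict, List, Tuple

# Indicators copied from the VB6 routine, each with a weight for how specific it is.
# The ProductId values fingerprint one sandbox image each; dbghelp.dll ships with
# Windows and is loaded by many legitimate programs, so alone it is a weak signal.
INDICATORS: Dict[str, Tuple[str, int]] = {
    "sbiedll.dll": ("Sandboxie injected DLL", 3),
    "dbghelp.dll": ("ThreatExpert / debugger helper DLL", 1),
    "76487-337-8429955-22614": ("Anubis ProductId", 3),
    "76487-644-3177037-23510": ("CWSandbox ProductId", 3),
    "55274-640-2673064-23950": ("JoeBox ProductId", 3),
}

STRONG = 3  # minimum combined weight before a sample is called sandbox-aware


def _encoded_forms(text: str) -> List[bytes]:
    """VB6 stores string literals as UTF-16LE; C/C++ builds usually keep ASCII. Check both."""
    return [text.encode("ascii"), text.encode("utf-16-le")]


def scan_sandbox_fingerprints(blob: bytes) -> Dict[str, str]:
    """Return {indicator: description} for each fingerprint present in blob.

    Matching is case-insensitive: bytes.lower() folds the ASCII letter bytes and leaves
    the 0x00 high bytes of UTF-16LE untouched, so one lowered copy serves both encodings.
    """
    lowered = blob.lower()
    hits: Dict[str, str] = {}
    for needle, (description, _weight) in INDICATORS.items():
        if any(form in lowered for form in _encoded_forms(needle.lower())):
            hits[needle] = description
    return hits


def classify(blob: bytes) -> Tuple[str, Dict[str, str]]:
    """Summarise a sample as 'sandbox-aware', 'weak' or 'none' plus the matched indicators."""
    hits = scan_sandbox_fingerprints(blob)
    total = sum(INDICATORS[name][1] for name in hits)
    if total >= STRONG:
        return "sandbox-aware", hits
    if hits:
        return "weak", hits
    return "none", hits


# Constructed sample buffers standing in for file contents read with open(path, "rb").
SANDBOX_AWARE_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "SbieDll.dll".encode("utf-16-le")   # VB6-style wide literal, mixed case
    + b"\x00" * 8
    + b"76487-337-8429955-22614"          # Anubis ProductId as plain ASCII
)
DEBUGHELP_ONLY_SAMPLE = b"MZ" + b"\x00" * 32 + b"DBGHELP.DLL" + b"\x00" * 8
BENIGN_SAMPLE = b"MZ" + b"\x00" * 32 + b"kernel32.dll\x00user32.dll\x00"


if __name__ == "__main__":
    for label, data in [("aware", SANDBOX_AWARE_SAMPLE),
                        ("dbghelp", DEBUGHELP_ONLY_SAMPLE),
                        ("benign", BENIGN_SAMPLE)]:
        verdict, found = classify(data)
        print(f"{label}: {verdict} {sorted(found)}")
```

A hit on a ProductId string is a stronger indicator than a DLL name: nothing but a sandbox-fingerprinting check has a reason to embed another machine's Windows ProductId, whereas a reference to dbghelp.dll is routine in anything that walks stack traces or symbols, so the weak verdict should be read as "look closer", not as a finding.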
Good work.

