反虚拟机/沙盒
C# WMI 检测内存:
using System;
using System.Management;
using System.Threading;
namespace Program
{
class Anti_Analysis
{
/// <summary>
/// Entry point of the anti-analysis check: when <see cref="isVM"/> reports a virtual
/// machine the process is terminated on the spot; otherwise execution pauses for one
/// second and returns to the caller.
/// </summary>
/// <remarks>
/// Analyst notes: <c>Environment.FailFast</c> skips finally blocks and unhandled-exception
/// handlers and records the failure in the Windows Application event log (a crash dump may
/// be produced as well), so an abrupt exit immediately after a WMI query is itself an
/// artifact a sandbox can observe. The one-second sleep is independent of the verdict;
/// the page gives no rationale for it.
/// </remarks>
public static void RunAntiAnalysis()
{
if (isVM())
{
// null message: nothing beyond the fail-fast itself is written to the error report.
Environment.FailFast(null);
}
Thread.Sleep(1000);
}
/// <summary>
/// Heuristic VM check via WMI: returns <c>true</c> when the query
/// <c>Select * from Win32_CacheMemory</c> enumerates no instances at all.
/// </summary>
/// <returns><c>true</c> if zero Win32_CacheMemory instances were returned; otherwise <c>false</c>.</returns>
/// <remarks>
/// The premise the page relies on is that some hypervisors leave the CPU-cache class
/// unpopulated for the guest. A bare-metal host where the class is empty, or a VM that
/// does populate it, yields the opposite verdict, so this is a weak signal on its own.
/// For detection: the query is executed by the WMI service and can be recorded by
/// WMI-Activity tracing when that log is enabled. Two things are left as in the original:
/// the <c>ManagementObjectSearcher</c> is disposable but never disposed, and any failure
/// inside the WMI stack propagates as an exception out of <c>searcher.Get()</c> instead of
/// being mapped to a verdict.
/// </remarks>
public static bool isVM()
{
SelectQuery selectQuery = new SelectQuery("Select * from Win32_CacheMemory");
// alternative class the author considered (not used): CIM_Memory
//SelectQuery selectQuery = new SelectQuery("Select * from CIM_Memory");
ManagementObjectSearcher searcher = new ManagementObjectSearcher(selectQuery);
int i = 0;
// only the instance count matters; the loop variable is never read
foreach (ManagementObject DeviceID in searcher.Get())
i++;
return (i == 0);
}
}
}
C++ 即插即用设备:
{% embed url="https://github.com/LordNoteworthy/al-khaser" caption="" %}
#include <Windows.h>
#include <iostream>
#include <string>
// Enumerates display adapters and, for each adapter, the monitors attached to it,
// printing a verdict per monitor that depends only on the length of that monitor's
// DeviceString.
//
// Analyst notes:
//  - The heuristic treats a monitor with a "long enough" description as evidence of a
//    VM and a short/empty one as bare metal. The page states no rationale, and the
//    verdict is printed once per monitor rather than aggregated into one result.
//  - dd.DeviceString is a TCHAR array. Assigning dd.DeviceName to a std::wstring below
//    only compiles on a UNICODE build, so DeviceString is a WCHAR buffer here; strlen
//    over a (const char*) cast of it stops at the first zero byte, which for ASCII text
//    is the high byte of the first character. The threshold therefore does not measure
//    the description's length — treat the printed output as unreliable.
//  - The single DISPLAY_DEVICE struct is reused by the inner enumeration; the outer loop
//    keeps working only because deviceName was copied out beforehand.
int main()
{
DISPLAY_DEVICE dd;
dd.cb = sizeof(dd); // EnumDisplayDevices requires cb to be set before the first call
int deviceIndex = 0;
// outer loop: display adapters (lpDevice == NULL)
while (EnumDisplayDevices(0, deviceIndex, &dd, 0))
{
std::wstring deviceName = dd.DeviceName;
int monitorIndex = 0;
// inner loop: monitors attached to the adapter named deviceName
while (EnumDisplayDevices(deviceName.c_str(), monitorIndex, &dd, 0))
{
// see the note above: strlen over a wide buffer, not a character count
int flag = strlen((const char*)dd.DeviceString);
if (flag > 2) {
std::wcout << "this is vm";
}
else
{
std::wcout << "this is not vm";
}
++monitorIndex;
}
++deviceIndex;
}
return 0;
}
{% embed url="https://github.com/a0rtega/pafish" caption="" %}
测试工具:
{% embed url="https://github.com/LordNoteworthy/al-khaser" caption="" %}
{% embed url="https://github.com/a0rtega/pafish" caption="" %}