一、判断CPU核心数 dwNumberOfProcessors
#include <iostream>
#include <windows.h>
int GetCPUCoreCount() {
SYSTEM_INFO sysInfo;
GetNativeSystemInfo(&sysInfo);
return sysInfo.dwNumberOfProcessors;
}
bool IsCPUCoreCountLessThanTwo() {
int coreCount = GetCPUCoreCount();
return coreCount < 2;
}
int main() {
if (IsCPUCoreCountLessThanTwo()) {
std::cerr << "CPU核心数小于2,程序退出。" << std::endl;
return 1; // CPU核心数小于2,退出程序
}
std::cout << "CPU核心数足够: " << GetCPUCoreCount() << std::endl;
// 其他Code
return 0; // 正常退出
}
二、检测进程数CreateToolhelp32Snapshot、Process32Next
检测当前环境的进程有没有超过60个,如果没有就退出
void BypassSimulation()
{ HANDLE snapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (INVALID_HANDLE_VALUE == snapShot)
{
return;
}
PROCESSENTRY32 pe = { sizeof(pe) }; int num = 0;
for (BOOL ret = Process32First(snapShot, &pe); ret; ret = Process32Next(snapShot, &pe))
{
// 其他Code
}
if (num <= 60)
{
exit(1);
}}
三、检测微信(钓鱼)CreateToolhelp32Snapshot、Process32Next、Process32First
#include <iostream>
#include <windows.h>
#include <tlhelp32.h>
#include <string>
bool IsProcessExists(const wchar_t* processName) {
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) return false;
PROCESSENTRY32 processEntry;
processEntry.dwSize = sizeof(PROCESSENTRY32);
if (!Process32First(hSnapshot, &processEntry)) {
CloseHandle(hSnapshot);
return false;
}
do {
if (_wcsicmp(processEntry.szExeFile, processName) == 0) {
CloseHandle(hSnapshot);
return true;
}
} while (Process32Next(hSnapshot, &processEntry));
CloseHandle(hSnapshot);
return false;
}
int main() {
// 检查进程是否存在
if (!IsProcessExists(L"WeChatAppEx.exe")) {
std::wcerr << L"进程 svchostex.exe 不存在,程序退出。" << std::endl;
return 1; // 进程不存在,退出程序
}
std::wcout << L"进程 svchostex.exe 存在,程序继续运行。" << std::endl;
//MessageBox(NULL,L"1",L"1",MB_OK);
// 其他Code
return 0; // 正常退出
}
四、检测文件夹
检测程序运ji行的当前用户桌面是否存在文件夹或文件,如果存在,并其中之一大于3个则运行后续功能代码;如果没有满足条件,则程序
bool IsDesktopNotEmpty() {
wchar_t desktopPath[MAX_PATH];
if (SHGetSpecialFolderPathW(NULL, desktopPath, CSIDL_DESKTOPDIRECTORY, FALSE)) {
WIN32_FIND_DATA findFileData;
HANDLE hFind = FindFirstFileW((std::wstring(desktopPath) + L"\\*").c_str(), &findFileData);
if (hFind != INVALID_HANDLE_VALUE) {
int fileCount = 0;
do {
if (findFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
// Skip directories (including "." and "..")
if (wcscmp(findFileData.cFileName, L".") != 0 && wcscmp(findFileData.cFileName, L"..") != 0) {
fileCount++;
}
}
else {
fileCount++;
}
} while (FindNextFileW(hFind, &findFileData) != 0);
FindClose(hFind);
return fileCount > 3;
}
}
return false;
}
int main() {
// 检查当前用户桌面是否存在文件夹或文件
if (IsDesktopNotEmpty()) {
// 如果满足条件,继续执行后续功能
//MessageBox(NULL,L"1",L"1",MB_OK);
// 其他Code
}
else {
// 如果不满足条件,程序退出
exit(0);
}
return 0; // 正常退出
}
五、引用API大量读写操作延时
(ApiHamme.c)实现了一个名为ApiHammering的函数,首先是创建临时文件并写入随机数据,然后是获取临时文件夹路径,然后是循环创建临时文件并写入随机数据,清理数据,使用时反复操作2000次,运行程序时,磁盘疯狂读写,蓝队看了都流泪。
#include <Windows.h>
#include <iostream>
#include <ctime>
#include <cstdlib>
#include <crtdbg.h> // 引入用于调试内存分配
#define TMPFILE L"delays.tmp"
BOOL ApiHammering(DWORD Stress) {
WCHAR szPath[MAX_PATH * 2];
WCHAR szTmpPath[MAX_PATH];
HANDLE hFile = INVALID_HANDLE_VALUE;
PBYTE pRandBuffer = NULL;
SIZE_T sBufferSize = 0xFFFFF; // 定义缓冲区大小,注意这可能对于32位系统太大
DWORD dwError = ERROR_SUCCESS; // 定义错误代码变量,默认为无错误
// 获取临时文件夹路径
if (!GetTempPathW(MAX_PATH, szTmpPath)) {
dwError = GetLastError();
goto Cleanup;
}
// 构建完整文件路径
wsprintfW(szPath, L"%s%s", szTmpPath, TMPFILE);
for (DWORD i = 0; i < Stress; i++) {
// 分配缓冲区内存
pRandBuffer = static_cast<PBYTE>(HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sBufferSize));
if (pRandBuffer == NULL) {
dwError = GetLastError();
goto Cleanup;
}
// 初始化随机数种子
srand(static_cast<unsigned int>(time(NULL)));
INT Random = rand() % 0xFF;
// 使用随机数填充缓冲区
for (SIZE_T j = 0; j < sBufferSize; j++) {
pRandBuffer[j] = static_cast<BYTE>(Random);
}
// 以写入模式创建文件
hFile = CreateFileW(szPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_TEMPORARY, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
dwError = GetLastError();
goto Cleanup;
}
// 向文件写入随机数据
if (!WriteFile(hFile, pRandBuffer, static_cast<DWORD>(sBufferSize), NULL, NULL) ||
!FlushFileBuffers(hFile)) { // 确保数据写入磁盘
dwError = GetLastError();
CloseHandle(hFile);
goto Cleanup;
}
CloseHandle(hFile); // 关闭文件句柄
// 以读取模式打开文件,并设置关闭时删除文件
hFile = CreateFileW(szPath, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
dwError = GetLastError();
goto Cleanup;
}
// 读取之前写入的随机数据
if (!ReadFile(hFile, pRandBuffer, static_cast<DWORD>(sBufferSize), NULL, NULL)) {
dwError = GetLastError();
CloseHandle(hFile);
goto Cleanup;
}
CloseHandle(hFile); // 关闭文件句柄
}
Cleanup:
if (pRandBuffer) {
HeapFree(GetProcessHeap(), 0, pRandBuffer);
}
if (hFile != INVALID_HANDLE_VALUE) {
CloseHandle(hFile);
}
return (dwError == ERROR_SUCCESS); // 如果没有错误发生,返回 TRUE
}
int main() {
_CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF); // 启用调试内存分配
if (ApiHammering(2000)) {
std::wcout << L"API Hammering completed successfully." << std::endl;
}
else {
DWORD dwError = GetLastError(); // 获取错误代码
std::wcerr << L"API Hammering failed with error code: " << dwError << std::endl;
}
return 0;
}
六、检测内存页数量
#include <Windows.h>
#include <iostream>
using namespace std;
int GetNumPages() {
// 获取系统页面文件大小信息
MEMORYSTATUSEX statex;
statex.dwLength = sizeof(statex);
if (!GlobalMemoryStatusEx(&statex)) {
cerr << "Failed to get system memory status." << endl;
return 1;
}
SYSTEM_INFO systemInfo;
GetSystemInfo(&systemInfo);
return statex.ullTotalPageFile / systemInfo.dwPageSize;
}
int main() {
int numPages = GetNumPages();
cout << numPages << endl;
if (numPages < 4000000) {
cout << "内存页小于正常值,可能处于虚拟机环境" << endl;
return 1;
}
return 0;
}
七、检测硬盘数量
#include <Windows.h>
#include <iostream>
using namespace std;
int GetNumDrives() {
DWORD drives = GetLogicalDrives();
int numDrives = 0;
for (char i = 0; i < 26; i++) {
if (drives & (1 << i)) {
char path\[4\];
sprintf_s(path, "%c:\\\", 'A' + i);
UINT type = GetDriveTypeA(path);
if (type == DRIVE\_FIXED || type == DRIVE\_REMOVABLE) {
numDrives++;
}
}
}
return numDrives;
}
int main() {
int numDrives = GetNumDrives();
cout << numDrives << endl;
if (numDrives < 2) {
cout << "硬盘数量小于正常值,可能处于虚拟机环境" << endl;
return 1;
}
return 0;
}
八、 检测网络适配器数量
#include <iostream>
#include <Winsock2.h>
#include <iphlpapi.h>
#include <windows.h>
using namespace std;
#pragma comment(lib, "iphlpapi.lib")
int GetNumAdapters() {
DWORD dwSize = 0;
GetAdaptersAddresses(AF\_UNSPEC, GAA\_FLAG\_INCLUDE\_PREFIX, NULL, NULL, &dwSize);
PIP\_ADAPTER\_ADDRESSES pAddresses = (PIP\_ADAPTER\_ADDRESSES)new BYTE\[dwSize\];
GetAdaptersAddresses(AF\_UNSPEC, GAA\_FLAG\_INCLUDE\_PREFIX, NULL, pAddresses, &dwSize);
int numAdapters = 0;
PIP\_ADAPTER\_ADDRESSES pCurrAddresses = pAddresses;
while (pCurrAddresses) {
if (pCurrAddresses->OperStatus == IfOperStatusUp) {
numAdapters++;
}
pCurrAddresses = pCurrAddresses->Next;
}
return numAdapters;
}
int main() {
int numAdapters = GetNumAdapters();
cout << numAdapters << endl;
if (numAdapters < 2) {
cout << "网络适配器数量小于正常值,可能处于虚拟机环境" << endl;
return 1;
}
return 0;
}
九、检测时间流速
沙箱一个都有时间加速,通过这段代码判断时间是否被加速来判断是否在沙箱。
#include <iostream>
#include <chrono>
#include <thread>
using namespace std;
bool detect_sandbox() {
bool is_sandbox = false;
auto start\_time = chrono::high\_resolution_clock::now();
this\_thread::sleep\_for(chrono::milliseconds(100));
auto end\_time = chrono::high\_resolution_clock::now();
auto elapsed\_time = chrono::duration\_cast<chrono::milliseconds>(end\_time - start\_time);
if (elapsed_time.count() < 100) {
is_sandbox = true;
}
return is_sandbox;
}
int main() {
if (detect_sandbox()) {
cout << "This program may be running in a sandbox!" << endl;
} else {
cout << "This program is not running in a sandbox." << endl;
}
return 0;
}
等等等等,有很多,具体还是看实战环境。
标签:NULL,return,int,代码,demo1,沙箱,HANDLE,include,hFile From: https://www.cnblogs.com/o-O-oO/p/18382658