diff --git a/AntiDebug/ProcessDetection/ProcessDetection.go b/AntiDebug/ProcessDetection/ProcessDetection.go index c177726..305642b 100644 --- a/AntiDebug/ProcessDetection/ProcessDetection.go +++ b/AntiDebug/ProcessDetection/ProcessDetection.go @@ -2,7 +2,6 @@ package BadProcesses import ( "bytes" - "log" "os/exec" "strings" ) diff --git a/AntiVirtualization/AnyRunDetection/anyruncheck.go b/AntiVirtualization/AnyRunDetection/anyruncheck.go new file mode 100644 index 0000000..b11959d --- /dev/null +++ b/AntiVirtualization/AnyRunDetection/anyruncheck.go @@ -0,0 +1,27 @@ +package AnyRunDetection + +import ( + "log" + "net" + "strings" +) + +// AnyRunDetection checks for the "52-54-00" MAC address prefix and returns true if found. +func AnyRunDetection() (bool, error) { + // Retrieve all network interfaces + interfaces, err := net.Interfaces() + if err != nil { + log.Printf("Error getting network interfaces: %v", err) + return false, err + } + + // Loop through each interface and check the MAC address + for _, iface := range interfaces { + macAddress := iface.HardwareAddr.String() // Fetch the MAC address + if strings.HasPrefix(strings.ToUpper(strings.ReplaceAll(macAddress, "-", ":")), "52:54:00") { + return true, nil + } + } + + return false, nil +} diff --git a/AntiVirtualization/ComodoAntivirusDetection/comodocheck.go b/AntiVirtualization/ComodoAntivirusDetection/comodocheck.go new file mode 100644 index 0000000..909450a --- /dev/null +++ b/AntiVirtualization/ComodoAntivirusDetection/comodocheck.go @@ -0,0 +1,82 @@ +package ComodoAntivirusDetection + +import ( + "fmt" + "os" + "golang.org/x/sys/windows/registry" + "syscall" + "os/exec" + "strings" +) + +// DetectComodoAntivirus checks if Comodo Antivirus is installed or present. +func DetectComodoAntivirus() bool { + // Check for the installation paths + comodoPaths := []string{ + "C:\\Program Files\\COMODO\\COMODO Internet Security\\", + "C:\\Program Files (x86)\\COMODO\\COMODO Internet Security\\", + } + + for _, path := range comodoPaths { + if pathExists(path) { + return true + } + } + + // Check for the Comodo Antivirus driver + driverPath := "C:\\Windows\\System32\\drivers\\cmdguard.sys" + if pathExists(driverPath) { + return true + } + + // Check for Comodo Antivirus registry key + if checkComodoRegistry() { + return true + } + + // Check for Comodo Antivirus service via WMIC + if checkComodoService() { + return true + } + + return false +} + +// pathExists checks if a given path exists. +func pathExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +// checkComodoRegistry checks for Comodo Antivirus in the registry key. +func checkComodoRegistry() bool { + comodoKey := `SOFTWARE\COMODO\CIS` + return registryKeyExists(registry.LOCAL_MACHINE, comodoKey) +} + +// checkComodoService checks for the Comodo Antivirus service via WMIC. +func checkComodoService() bool { + serviceName := "cmdagent" + return serviceExists(serviceName) +} + +// serviceExists checks if a service exists using WMIC. +func serviceExists(serviceName string) bool { + cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("Name='%s'", serviceName), "get", "Name") + + // Hide the console window + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + return err == nil && strings.TrimSpace(string(output)) != "" +} + +// registryKeyExists checks if a registry key exists. +func registryKeyExists(root registry.Key, path string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + return true +} diff --git a/AntiVirtualization/DeepFreezeDetection/deepfreezecheck.go b/AntiVirtualization/DeepFreezeDetection/deepfreezecheck.go new file mode 100644 index 0000000..47ef6ba --- /dev/null +++ b/AntiVirtualization/DeepFreezeDetection/deepfreezecheck.go @@ -0,0 +1,111 @@ +package DeepFreezeDetection + +import ( + "fmt" + "os" + "golang.org/x/sys/windows/registry" + "syscall" + "os/exec" + "strings" +) + +// DetectDeepFreeze checks if Deep Freeze is installed or present. +func DetectDeepFreeze() bool { + // Check for the installation paths + deepFreezePaths := []string{ + "C:\\Program Files\\Faronics\\Deep Freeze\\", + "C:\\Program Files (x86)\\Faronics\\Deep Freeze\\", + } + + for _, path := range deepFreezePaths { + if pathExists(path) { + return true + } + } + + // Check for the Deep Freeze driver + driverPath := "C:\\Persi0.sys" + if pathExists(driverPath) { + return true + } + + // Check for Deep Freeze registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib + if checkHelpDirRegistry() { + return true + } + + // Check for Autorecover MOFs containing "Faronics" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM + if checkAutoRecoverMOFs() { + return true + } + + // Check for Deep Freeze service via WMIC + if checkDeepFreezeService() { + return true + } + + return false +} + +// pathExists checks if a given path exists. +func pathExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +// checkHelpDirRegistry checks for Deep Freeze in the HELPDIR registry key. +func checkHelpDirRegistry() bool { + helpDirKey := `SOFTWARE\Classes\TypeLib\{C5D763D9-2422-4B2D-A425-02D5BD016239}\1.0\HELPDIR` + return registryKeyExists(registry.LOCAL_MACHINE, helpDirKey) +} + +// checkAutoRecoverMOFs checks for Autorecover MOFs containing "Faronics". +func checkAutoRecoverMOFs() bool { + cimomKey := `SOFTWARE\Microsoft\Wbem\CIMOM` + key, err := registry.OpenKey(registry.LOCAL_MACHINE, cimomKey, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + + // Get the "Autorecover MOFs" value + mofs, _, err := key.GetStringsValue("Autorecover MOFs") + if err != nil { + return false + } + + // Check if any of the MOF paths contain the "Faronics" keyword + for _, mof := range mofs { + if strings.Contains(strings.ToLower(mof), "faronics") { + return true + } + } + return false +} + +// checkDeepFreezeService checks for the Deep Freeze service via WMIC. +func checkDeepFreezeService() bool { + serviceName := "DFServ" + return serviceExists(serviceName) +} + +// serviceExists checks if a service exists using WMIC. +func serviceExists(serviceName string) bool { + cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("Name='%s'", serviceName), "get", "Name") + + // Hide the console window + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + return err == nil && strings.TrimSpace(string(output)) != "" +} + +// registryKeyExists checks if a registry key exists. +func registryKeyExists(root registry.Key, path string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + return true +} diff --git a/AntiVirtualization/HyperVDetection/hypervdetection.go b/AntiVirtualization/HyperVDetection/hypervdetection.go new file mode 100644 index 0000000..c0b2436 --- /dev/null +++ b/AntiVirtualization/HyperVDetection/hypervdetection.go @@ -0,0 +1,60 @@ +package HyperVCheck + +import ( + "fmt" + "os/exec" + "strings" + "syscall" + "golang.org/x/sys/windows/registry" +) + +// DetectHyperV checks if Hyper-V is installed using registry, service, and process checks. +func DetectHyperV() (bool, error) { + // 1. Check Registry for Hyper-V + key, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization`, registry.QUERY_VALUE) + if err == nil { + defer key.Close() + enabled, _, err := key.GetIntegerValue("Enabled") + if err == nil && enabled == 1 { + return true, nil + } + } + + // 2. Check if Hyper-V services are running (vmms and vmbus) + if isServiceExisting("vmms") || isServiceExisting("vmbus") { + return true, nil + } + + // 3. Check if Hyper-V processes are running (vmms.exe and vmbus.sys) + if isProcessRunning("vmms.exe") || isProcessRunning("vmbus.sys") { + return true, nil + } + + return false, nil +} + +// isServiceExisting checks if a specific service exists and is running +func isServiceExisting(serviceName string) bool { + cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("name='%s'", serviceName), "get", "name") + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + if err != nil { + return false + } + + return strings.Contains(strings.ToLower(string(output)), strings.ToLower(serviceName)) +} + +// isProcessRunning checks if a specific process is running +func isProcessRunning(processName string) bool { + cmd := exec.Command("tasklist") + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + if err != nil { + return false + } + + return strings.Contains(strings.ToLower(string(output)), strings.ToLower(processName)) +} diff --git a/AntiVirtualization/SandboxieDetection/sandboxiecheck.go b/AntiVirtualization/SandboxieDetection/sandboxiecheck.go new file mode 100644 index 0000000..2a8d8f7 --- /dev/null +++ b/AntiVirtualization/SandboxieDetection/sandboxiecheck.go @@ -0,0 +1,113 @@ +package SandboxieDetection + +import ( + "log" + "fmt" + "os" + "os/exec" + "strings" + "syscall" + "golang.org/x/sys/windows/registry" +) + +// DetectSandboxie checks if Sandboxie is installed or present. +func DetectSandboxie() bool { + // Check for the installation paths + sandboxiePaths := []string{ + "C:\\Program Files\\Sandboxie\\", + "C:\\Program Files (x86)\\Sandboxie\\", + } + + for _, path := range sandboxiePaths { + if pathExists(path) { + return true + } + } + + // Check for the existence of the Sandboxie service + serviceName := "SbieSvc" // Sandboxie service name + if isServiceExisting(serviceName) { + return true + } + + // Check for Sandboxie registry keys + if checkSandboxieRegistry() { + return true + } + + return false +} + +// pathExists checks if a given path exists. +func pathExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +// isServiceExisting checks if a service exists using WMIC. +func isServiceExisting(serviceName string) bool { + // Use WMIC to check if the service exists + cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("name='%s'", serviceName), "get", "name") + + // Set to hide the command window + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + if err != nil { + log.Printf("Error executing WMIC command: %v\n", err) + // Continue execution without returning false + } + + // Check if the output contains the service name + return strings.Contains(strings.ToLower(string(output)), strings.ToLower(serviceName)) +} + +// checkSandboxieRegistry checks for the presence of various Sandboxie-related registry keys. +func checkSandboxieRegistry() bool { + // Check if Sandboxie is listed in the uninstall registry key + uninstallKey := `SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie` + if registryKeyExists(registry.LOCAL_MACHINE, uninstallKey) { + return true + } + + // Check for the auto-run Sandman entry in HKCU + autorunKey := `Software\Microsoft\Windows\CurrentVersion\Run` + if registryValueExists(registry.CURRENT_USER, autorunKey, "SandboxiePlus_AutoRun") { + return true + } + + // Check for the shell integration for running files/folders sandboxed + sandboxedKey := `Software\Classes\*\shell\sandbox` + if registryKeyExists(registry.CURRENT_USER, sandboxedKey) { + return true + } + + folderSandboxedKey := `Software\Classes\Folder\shell\sandbox` + if registryKeyExists(registry.CURRENT_USER, folderSandboxedKey) { + return true + } + + return false +} + +// registryKeyExists checks if a registry key exists. +func registryKeyExists(root registry.Key, path string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + return true +} + +// registryValueExists checks if a registry key has a specific value. +func registryValueExists(root registry.Key, path, valueName string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + + _, _, err = key.GetStringValue(valueName) + return err == nil +} diff --git a/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go b/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go new file mode 100644 index 0000000..7998d8f --- /dev/null +++ b/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go @@ -0,0 +1,156 @@ +package ShadowDefenderDetection + +import ( + "bufio" + "fmt" + "os" + "os/exec" + "path/filepath" + "strings" + "syscall" + "golang.org/x/sys/windows/registry" +) + +// DetectShadowDefender checks if Shadow Defender is installed or present. +func DetectShadowDefender() bool { + // Check for the installation paths + shadowDefenderPaths := []string{ + "C:\\Program Files\\Shadow Defender\\", + "C:\\Program Files (x86)\\Shadow Defender\\", + } + + for _, path := range shadowDefenderPaths { + if pathExists(path) { + return true + } + } + + // Check for Shadow Defender registry keys + if checkShadowDefenderRegistry() || checkCLSIDRegistry() || checkTypeLibRegistry() || + checkUninstallRegistry() || checkSoftwareRegistry() || checkServicesRegistry() || + checkDiskptRegistry() || checkUserDatFiles() || checkShadowDefenderService() { + return true + } + + return false +} + +// pathExists checks if a given path exists. +func pathExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +// checkShadowDefenderRegistry checks for the presence of the Shadow Defender-related registry key. +func checkShadowDefenderRegistry() bool { + runKey := `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` + return registryValueExists(registry.LOCAL_MACHINE, runKey, "Shadow Defender") +} + +// checkCLSIDRegistry checks for the CLSID key associated with Shadow Defender. +func checkCLSIDRegistry() bool { + clsidKey := `CLSID\{78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9}` + return registryKeyExists(registry.CLASSES_ROOT, clsidKey) +} + +// checkTypeLibRegistry checks for the specific TypeLib entry associated with Shadow Defender. +func checkTypeLibRegistry() bool { + typeLibKey := `TypeLib\{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1}\1.0\0\win64` + return registryKeyExists(registry.CLASSES_ROOT, typeLibKey) +} + +// checkUninstallRegistry checks for the specific Uninstall entry associated with Shadow Defender. +func checkUninstallRegistry() bool { + uninstallKey := `SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{93A07A0D-454E-43d1-86A9-5DE9C5F4411A}` + return registryKeyExists(registry.LOCAL_MACHINE, uninstallKey) +} + +// checkSoftwareRegistry checks for the presence of the Shadow Defender software registry key. +func checkSoftwareRegistry() bool { + softwareKey := `SOFTWARE\Shadow Defender` + return registryKeyExists(registry.LOCAL_MACHINE, softwareKey) +} + +// checkServicesRegistry checks for the specific services key associated with Shadow Defender. +func checkServicesRegistry() bool { + servicesKey := `SYSTEM\ControlSet001\Services\{0CBD4F48-3751-475D-BE88-4F271385B672}` + return registryKeyExists(registry.LOCAL_MACHINE, servicesKey) +} + +// checkDiskptRegistry checks for the specific diskpt service key associated with Shadow Defender. +func checkDiskptRegistry() bool { + diskptKey := `SYSTEM\ControlSet001\Services\diskpt` + return registryKeyExists(registry.LOCAL_MACHINE, diskptKey) +} + +// checkUserDatFiles checks if the user.dat files contain the keyword "Shadow Defender". +func checkUserDatFiles() bool { + userDir := os.Getenv("USERPROFILE") + shadowDefenderUserDataPaths := []string{ + filepath.Join(userDir, "Shadow Defender", "user.dat"), + filepath.Join("C:\\Users\\*", "Shadow Defender", "user.dat"), + } + + for _, userDataPath := range shadowDefenderUserDataPaths { + if fileContainsKeyword(userDataPath, "Shadow Defender") { + return true + } + } + return false +} + +// checkShadowDefenderService checks for the existence of the Shadow Defender Service using WMIC. +func checkShadowDefenderService() bool { + serviceDisplayName := "Shadow Defender Service" + return serviceExists(serviceDisplayName) +} + +// serviceExists checks if a service exists using WMIC. +func serviceExists(displayName string) bool { + cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("DisplayName='%s'", displayName), "get", "Name") + + // Hide the console window + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + return err == nil && strings.TrimSpace(string(output)) != "" +} + +// fileContainsKeyword checks if a file contains a specific keyword. +func fileContainsKeyword(filePath, keyword string) bool { + file, err := os.Open(filePath) + if err != nil { + return false + } + defer file.Close() + + scanner := bufio.NewScanner(file) + for scanner.Scan() { + if strings.Contains(scanner.Text(), keyword) { + return true + } + } + return false +} + +// registryValueExists checks if a registry key has a specific value. +func registryValueExists(root registry.Key, path, valueName string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + + _, _, err = key.GetStringValue(valueName) + return err == nil +} + +// registryKeyExists checks if a registry key exists. +func registryKeyExists(root registry.Key, path string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + return true +} diff --git a/AntiVirtualization/USBCheck/USBCheck.go b/AntiVirtualization/USBCheck/USBCheck.go index 07861eb..cc39585 100644 --- a/AntiVirtualization/USBCheck/USBCheck.go +++ b/AntiVirtualization/USBCheck/USBCheck.go @@ -6,6 +6,7 @@ import ( "strings" "syscall" ) + // yes this detects https://tria.ge lol // PluggedIn checks if USB devices were ever plugged in and returns true if found. func PluggedIn() (bool, error) { @@ -13,18 +14,19 @@ func PluggedIn() (bool, error) { usbcheckcmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} outputusb, err1 := usbcheckcmd.CombinedOutput() - if err != nil { - log.Printf("Debug Check: Error running reg query command: %v", err) - usbcheckcmd := exec.Command("reg", "query", "HKLM\\SYSTEM\\ControlSet001\\Enum\\USBSTOR") + if err1 != nil { + log.Printf("Debug Check: Error running reg query command: %v", err1) + usbcheckcmd = exec.Command("reg", "query", "HKLM\\SYSTEM\\ControlSet001\\Enum\\USBSTOR") usbcheckcmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} - outputusb, err2 := usbcheckcmd.CombinedOutput() - if err2 != nil { - log.Printf("Debug Check: Error running reg query command: %v", err) - return false, err + outputusb, err1 = usbcheckcmd.CombinedOutput() // Reuse outputusb to avoid redeclaring it + if err1 != nil { + log.Printf("Debug Check: Error running reg query command: %v", err1) + return false, err1 } } + // Use outputusb to check if any USB devices were found usblines := strings.Split(string(outputusb), "\n") pluggedusb := 0 for _, line := range usblines { diff --git a/AntiVirtualization/VMPlatformDetection/vmplatformcheck.go b/AntiVirtualization/VMPlatformDetection/vmplatformcheck.go new file mode 100644 index 0000000..2d0b043 --- /dev/null +++ b/AntiVirtualization/VMPlatformDetection/vmplatformcheck.go @@ -0,0 +1,54 @@ +package VMPlatformCheck + +import ( + "os/exec" + "strings" + "syscall" +) + +// DetectVMPlatform checks if the system is running on a VMware, Hyper-V, or other virtualization platform. +func DetectVMPlatform() (bool, error) { + // Check the hardware serial number + serialCmd := exec.Command("wmic", "bios", "get", "serialnumber") + serialCmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + serialOutput, err := serialCmd.Output() + if err != nil { + return false, err + } + + // Check the model + modelCmd := exec.Command("wmic", "computersystem", "get", "model") + modelCmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + modelOutput, err := modelCmd.Output() + if err != nil { + return false, err + } + + // Check the manufacturer + manufacturerCmd := exec.Command("wmic", "computersystem", "get", "manufacturer") + manufacturerCmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + manufacturerOutput, err := manufacturerCmd.Output() + if err != nil { + return false, err + } + + // Convert outputs to lowercase for easy comparison + serialLower := strings.ToLower(strings.TrimSpace(string(serialOutput))) + modelLower := strings.ToLower(strings.TrimSpace(string(modelOutput))) + manufacturerLower := strings.ToLower(strings.TrimSpace(string(manufacturerOutput))) + + // Check if the serial number is "0" + if serialLower == "0" { + return true, nil + } + + // Detect if any of the values indicate a virtual machine (e.g., VMware, VirtualBox, Hyper-V, etc.) + if strings.Contains(modelLower, "vmware") || strings.Contains(modelLower, "virtual") || + strings.Contains(manufacturerLower, "vmware") || strings.Contains(manufacturerLower, "microsoft") || + strings.Contains(serialLower, "vmware") || strings.Contains(manufacturerLower, "innotek") || + strings.Contains(modelLower, "virtualbox") { + return true, nil + } + + return false, nil +} diff --git a/Install.bat b/Install.bat index 3d1597b..3912bc4 100644 --- a/Install.bat +++ b/Install.bat @@ -1,4 +1,4 @@ -@Echo off +@echo off title DOWNLOADING MODULES go mod init GoDefender go get github.com/EvilBytecode/GoDefender diff --git a/main.go b/main.go index cdb0493..97674e2 100644 --- a/main.go +++ b/main.go @@ -3,6 +3,7 @@ package AntiDebugVMAnalysis import ( "log" "os" + // AntiDebug "github.com/EvilBytecode/GoDefender/AntiDebug/CheckBlacklistedWindowsNames" "github.com/EvilBytecode/GoDefender/AntiDebug/InternetCheck" @@ -10,19 +11,27 @@ import ( "github.com/EvilBytecode/GoDefender/AntiDebug/ParentAntiDebug" "github.com/EvilBytecode/GoDefender/AntiDebug/RemoteDebugger" "github.com/EvilBytecode/GoDefender/AntiDebug/RunningProcesses" - "github.com/EvilBytecode/GoDefender/AntiDebug/UserAntiAntiDebug" + HooksDetection "github.com/EvilBytecode/GoDefender/AntiDebug/UserAntiAntiDebug" "github.com/EvilBytecode/GoDefender/AntiDebug/pcuptime" + // AntiVirtualization + "github.com/EvilBytecode/GoDefender/AntiVirtualization/AnyRunDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/ComodoAntivirusDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/DeepFreezeDetection" + HyperVCheck "github.com/EvilBytecode/GoDefender/AntiVirtualization/HyperVDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/KVMCheck" "github.com/EvilBytecode/GoDefender/AntiVirtualization/MonitorMetrics" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/ParallelsCheck" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/RepetitiveProcess" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/SandboxieDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/ShadowDefenderDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/TriageDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/USBCheck" "github.com/EvilBytecode/GoDefender/AntiVirtualization/UsernameCheck" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMArtifacts" + VMPlatformCheck "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMPlatformDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMWareDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/VirtualboxDetection" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMArtifacts" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/RepetitiveProcess" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/ParallelsCheck" ) func ThunderKitty() { @@ -64,6 +73,12 @@ func ThunderKitty() { os.Exit(-1) } + // Check if the AnyRun environment is detected + if anyRunDetected, _ := AnyRunDetection.AnyRunDetection(); anyRunDetected { + log.Println("[DEBUG] AnyRun detected") + os.Exit(-1) // Exit the program with an error code + } + if isScreenSmall, _ := MonitorMetrics.IsScreenSmall(); isScreenSmall { log.Println("[DEBUG] Screen size is small") os.Exit(-1) @@ -83,6 +98,42 @@ func ThunderKitty() { os.Exit(-1) } + // Hyper-V detection + if hypervDetected, _ := HyperVCheck.DetectHyperV(); hypervDetected { + log.Println("[DEBUG] Hyper-V detected") + os.Exit(-1) + } + + // VMPlatform detection + if vmPlatformDetected, _ := VMPlatformCheck.DetectVMPlatform(); vmPlatformDetected { + log.Println("[DEBUG] VM Platform detected") + os.Exit(-1) + } + + // Comodo Antivirus detection + if comodoDetected := ComodoAntivirusDetection.DetectComodoAntivirus(); comodoDetected { + log.Println("[DEBUG] Comodo Antivirus detected") + os.Exit(-1) + } + + // Shadow Defender detection + if shadowDefenderDetected := ShadowDefenderDetection.DetectShadowDefender(); shadowDefenderDetected { + log.Println("[DEBUG] Shadow Defender detected") + os.Exit(-1) + } + + // Sandboxie detection + if sandboxieDetected := SandboxieDetection.DetectSandboxie(); sandboxieDetected { + log.Println("[DEBUG] Sandboxie detected") + os.Exit(-1) + } + + // Deep Freeze detection + if deepFreezeDetected := DeepFreezeDetection.DetectDeepFreeze(); deepFreezeDetected { + log.Println("[DEBUG] Deep Freeze detected") + os.Exit(-1) + } + CheckBlacklistedWindowsNames.CheckBlacklistedWindows() // Other AntiDebug checks