From c2e31ff01b6e088cf1ffe61f1d0bc2ecc89c4a65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emirhan=20U=C3=A7an?= <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Fri, 11 Oct 2024 16:21:29 +0300 Subject: [PATCH 01/14] Common Sandbox Programs Detection --- .../ComodoDetection/comodocheck.go | 82 +++++++++ .../DeepFreezeDetection/deepfreezecheck.go | 111 +++++++++++++ .../SandboxieDetection/sandboxiecheck.go | 112 +++++++++++++ .../shadowdefendercheck.go | 157 ++++++++++++++++++ main.go | 29 ++++ 5 files changed, 491 insertions(+) create mode 100644 AntiVirtualization/ComodoDetection/comodocheck.go create mode 100644 AntiVirtualization/DeepFreezeDetection/deepfreezecheck.go create mode 100644 AntiVirtualization/SandboxieDetection/sandboxiecheck.go create mode 100644 AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go diff --git a/AntiVirtualization/ComodoDetection/comodocheck.go b/AntiVirtualization/ComodoDetection/comodocheck.go new file mode 100644 index 0000000..909450a --- /dev/null +++ b/AntiVirtualization/ComodoDetection/comodocheck.go @@ -0,0 +1,82 @@ +package ComodoAntivirusDetection + +import ( + "fmt" + "os" + "golang.org/x/sys/windows/registry" + "syscall" + "os/exec" + "strings" +) + +// DetectComodoAntivirus checks if Comodo Antivirus is installed or present. +func DetectComodoAntivirus() bool { + // Check for the installation paths + comodoPaths := []string{ + "C:\\Program Files\\COMODO\\COMODO Internet Security\\", + "C:\\Program Files (x86)\\COMODO\\COMODO Internet Security\\", + } + + for _, path := range comodoPaths { + if pathExists(path) { + return true + } + } + + // Check for the Comodo Antivirus driver + driverPath := "C:\\Windows\\System32\\drivers\\cmdguard.sys" + if pathExists(driverPath) { + return true + } + + // Check for Comodo Antivirus registry key + if checkComodoRegistry() { + return true + } + + // Check for Comodo Antivirus service via WMIC + if checkComodoService() { + return true + } + + return false +} + +// pathExists checks if a given path exists. +func pathExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +// checkComodoRegistry checks for Comodo Antivirus in the registry key. +func checkComodoRegistry() bool { + comodoKey := `SOFTWARE\COMODO\CIS` + return registryKeyExists(registry.LOCAL_MACHINE, comodoKey) +} + +// checkComodoService checks for the Comodo Antivirus service via WMIC. +func checkComodoService() bool { + serviceName := "cmdagent" + return serviceExists(serviceName) +} + +// serviceExists checks if a service exists using WMIC. +func serviceExists(serviceName string) bool { + cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("Name='%s'", serviceName), "get", "Name") + + // Hide the console window + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + return err == nil && strings.TrimSpace(string(output)) != "" +} + +// registryKeyExists checks if a registry key exists. +func registryKeyExists(root registry.Key, path string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + return true +} diff --git a/AntiVirtualization/DeepFreezeDetection/deepfreezecheck.go b/AntiVirtualization/DeepFreezeDetection/deepfreezecheck.go new file mode 100644 index 0000000..47ef6ba --- /dev/null +++ b/AntiVirtualization/DeepFreezeDetection/deepfreezecheck.go @@ -0,0 +1,111 @@ +package DeepFreezeDetection + +import ( + "fmt" + "os" + "golang.org/x/sys/windows/registry" + "syscall" + "os/exec" + "strings" +) + +// DetectDeepFreeze checks if Deep Freeze is installed or present. +func DetectDeepFreeze() bool { + // Check for the installation paths + deepFreezePaths := []string{ + "C:\\Program Files\\Faronics\\Deep Freeze\\", + "C:\\Program Files (x86)\\Faronics\\Deep Freeze\\", + } + + for _, path := range deepFreezePaths { + if pathExists(path) { + return true + } + } + + // Check for the Deep Freeze driver + driverPath := "C:\\Persi0.sys" + if pathExists(driverPath) { + return true + } + + // Check for Deep Freeze registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib + if checkHelpDirRegistry() { + return true + } + + // Check for Autorecover MOFs containing "Faronics" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM + if checkAutoRecoverMOFs() { + return true + } + + // Check for Deep Freeze service via WMIC + if checkDeepFreezeService() { + return true + } + + return false +} + +// pathExists checks if a given path exists. +func pathExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +// checkHelpDirRegistry checks for Deep Freeze in the HELPDIR registry key. +func checkHelpDirRegistry() bool { + helpDirKey := `SOFTWARE\Classes\TypeLib\{C5D763D9-2422-4B2D-A425-02D5BD016239}\1.0\HELPDIR` + return registryKeyExists(registry.LOCAL_MACHINE, helpDirKey) +} + +// checkAutoRecoverMOFs checks for Autorecover MOFs containing "Faronics". +func checkAutoRecoverMOFs() bool { + cimomKey := `SOFTWARE\Microsoft\Wbem\CIMOM` + key, err := registry.OpenKey(registry.LOCAL_MACHINE, cimomKey, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + + // Get the "Autorecover MOFs" value + mofs, _, err := key.GetStringsValue("Autorecover MOFs") + if err != nil { + return false + } + + // Check if any of the MOF paths contain the "Faronics" keyword + for _, mof := range mofs { + if strings.Contains(strings.ToLower(mof), "faronics") { + return true + } + } + return false +} + +// checkDeepFreezeService checks for the Deep Freeze service via WMIC. +func checkDeepFreezeService() bool { + serviceName := "DFServ" + return serviceExists(serviceName) +} + +// serviceExists checks if a service exists using WMIC. +func serviceExists(serviceName string) bool { + cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("Name='%s'", serviceName), "get", "Name") + + // Hide the console window + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + return err == nil && strings.TrimSpace(string(output)) != "" +} + +// registryKeyExists checks if a registry key exists. +func registryKeyExists(root registry.Key, path string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + return true +} diff --git a/AntiVirtualization/SandboxieDetection/sandboxiecheck.go b/AntiVirtualization/SandboxieDetection/sandboxiecheck.go new file mode 100644 index 0000000..874bb2b --- /dev/null +++ b/AntiVirtualization/SandboxieDetection/sandboxiecheck.go @@ -0,0 +1,112 @@ +package SandboxieDetection + +import ( + "log" + "os" + "os/exec" + "strings" + "syscall" + "golang.org/x/sys/windows/registry" +) + +// DetectSandboxie checks if Sandboxie is installed or present. +func DetectSandboxie() bool { + // Check for the installation paths + sandboxiePaths := []string{ + "C:\\Program Files\\Sandboxie\\", + "C:\\Program Files (x86)\\Sandboxie\\", + } + + for _, path := range sandboxiePaths { + if pathExists(path) { + return true + } + } + + // Check for the existence of the Sandboxie service + serviceName := "SbieSvc" // Sandboxie service name + if isServiceExisting(serviceName) { + return true + } + + // Check for Sandboxie registry keys + if checkSandboxieRegistry() { + return true + } + + return false +} + +// pathExists checks if a given path exists. +func pathExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +// isServiceExisting checks if a service exists using WMIC. +func isServiceExisting(serviceName string) bool { + // Use WMIC to check if the service exists + cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("name='%s'", serviceName), "get", "name") + + // Set to hide the command window + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + if err != nil { + log.Printf("Error executing WMIC command: %v\n", err) + return false + } + + // Check if the output contains the service name + return strings.Contains(strings.ToLower(string(output)), strings.ToLower(serviceName)) +} + +// checkSandboxieRegistry checks for the presence of various Sandboxie-related registry keys. +func checkSandboxieRegistry() bool { + // Check if Sandboxie is listed in the uninstall registry key + uninstallKey := `SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie` + if registryKeyExists(registry.LOCAL_MACHINE, uninstallKey) { + return true + } + + // Check for the auto-run Sandman entry in HKCU + autorunKey := `Software\Microsoft\Windows\CurrentVersion\Run` + if registryValueExists(registry.CURRENT_USER, autorunKey, "SandboxiePlus_AutoRun") { + return true + } + + // Check for the shell integration for running files/folders sandboxed + sandboxedKey := `Software\Classes\*\shell\sandbox` + if registryKeyExists(registry.CURRENT_USER, sandboxedKey) { + return true + } + + folderSandboxedKey := `Software\Classes\Folder\shell\sandbox` + if registryKeyExists(registry.CURRENT_USER, folderSandboxedKey) { + return true + } + + return false +} + +// registryKeyExists checks if a registry key exists. +func registryKeyExists(root registry.Key, path string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + return true +} + +// registryValueExists checks if a registry key has a specific value. +func registryValueExists(root registry.Key, path, valueName string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + + _, _, err = key.GetStringValue(valueName) + return err == nil +} diff --git a/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go b/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go new file mode 100644 index 0000000..eb266f2 --- /dev/null +++ b/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go @@ -0,0 +1,157 @@ +package ShadowDefenderDetection + +import ( + "bufio" + "fmt" + "log" + "os" + "os/exec" + "path/filepath" + "strings" + "syscall" + "golang.org/x/sys/windows/registry" +) + +// DetectShadowDefender checks if Shadow Defender is installed or present. +func DetectShadowDefender() bool { + // Check for the installation paths + shadowDefenderPaths := []string{ + "C:\\Program Files\\Shadow Defender\\", + "C:\\Program Files (x86)\\Shadow Defender\\", + } + + for _, path := range shadowDefenderPaths { + if pathExists(path) { + return true + } + } + + // Check for Shadow Defender registry keys + if checkShadowDefenderRegistry() || checkCLSIDRegistry() || checkTypeLibRegistry() || + checkUninstallRegistry() || checkSoftwareRegistry() || checkServicesRegistry() || + checkDiskptRegistry() || checkUserDatFiles() || checkShadowDefenderService() { + return true + } + + return false +} + +// pathExists checks if a given path exists. +func pathExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +// checkShadowDefenderRegistry checks for the presence of the Shadow Defender-related registry key. +func checkShadowDefenderRegistry() bool { + runKey := `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` + return registryValueExists(registry.LOCAL_MACHINE, runKey, "Shadow Defender") +} + +// checkCLSIDRegistry checks for the CLSID key associated with Shadow Defender. +func checkCLSIDRegistry() bool { + clsidKey := `CLSID\{78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9}` + return registryKeyExists(registry.CLASSES_ROOT, clsidKey) +} + +// checkTypeLibRegistry checks for the specific TypeLib entry associated with Shadow Defender. +func checkTypeLibRegistry() bool { + typeLibKey := `TypeLib\{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1}\1.0\0\win64` + return registryKeyExists(registry.CLASSES_ROOT, typeLibKey) +} + +// checkUninstallRegistry checks for the specific Uninstall entry associated with Shadow Defender. +func checkUninstallRegistry() bool { + uninstallKey := `SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{93A07A0D-454E-43d1-86A9-5DE9C5F4411A}` + return registryKeyExists(registry.LOCAL_MACHINE, uninstallKey) +} + +// checkSoftwareRegistry checks for the presence of the Shadow Defender software registry key. +func checkSoftwareRegistry() bool { + softwareKey := `SOFTWARE\Shadow Defender` + return registryKeyExists(registry.LOCAL_MACHINE, softwareKey) +} + +// checkServicesRegistry checks for the specific services key associated with Shadow Defender. +func checkServicesRegistry() bool { + servicesKey := `SYSTEM\ControlSet001\Services\{0CBD4F48-3751-475D-BE88-4F271385B672}` + return registryKeyExists(registry.LOCAL_MACHINE, servicesKey) +} + +// checkDiskptRegistry checks for the specific diskpt service key associated with Shadow Defender. +func checkDiskptRegistry() bool { + diskptKey := `SYSTEM\ControlSet001\Services\diskpt` + return registryKeyExists(registry.LOCAL_MACHINE, diskptKey) +} + +// checkUserDatFiles checks if the user.dat files contain the keyword "Shadow Defender". +func checkUserDatFiles() bool { + userDir := os.Getenv("USERPROFILE") + shadowDefenderUserDataPaths := []string{ + filepath.Join(userDir, "Shadow Defender", "user.dat"), + filepath.Join("C:\\Users\\*", "Shadow Defender", "user.dat"), + } + + for _, userDataPath := range shadowDefenderUserDataPaths { + if fileContainsKeyword(userDataPath, "Shadow Defender") { + return true + } + } + return false +} + +// checkShadowDefenderService checks for the existence of the Shadow Defender Service using WMIC. +func checkShadowDefenderService() bool { + serviceDisplayName := "Shadow Defender Service" + return serviceExists(serviceDisplayName) +} + +// serviceExists checks if a service exists using WMIC. +func serviceExists(displayName string) bool { + cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("DisplayName='%s'", displayName), "get", "Name") + + // Hide the console window + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + return err == nil && strings.TrimSpace(string(output)) != "" +} + +// fileContainsKeyword checks if a file contains a specific keyword. +func fileContainsKeyword(filePath, keyword string) bool { + file, err := os.Open(filePath) + if err != nil { + return false + } + defer file.Close() + + scanner := bufio.NewScanner(file) + for scanner.Scan() { + if strings.Contains(scanner.Text(), keyword) { + return true + } + } + return false +} + +// registryValueExists checks if a registry key has a specific value. +func registryValueExists(root registry.Key, path, valueName string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + + _, _, err = key.GetStringValue(valueName) + return err == nil +} + +// registryKeyExists checks if a registry key exists. +func registryKeyExists(root registry.Key, path string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + return true +} diff --git a/main.go b/main.go index cdb0493..49c67c7 100644 --- a/main.go +++ b/main.go @@ -23,6 +23,10 @@ import ( "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMArtifacts" "github.com/EvilBytecode/GoDefender/AntiVirtualization/RepetitiveProcess" "github.com/EvilBytecode/GoDefender/AntiVirtualization/ParallelsCheck" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/ComodoDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/ShadowDefenderDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/SandboxieDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/DeepFreezeDetection" ) func ThunderKitty() { @@ -83,6 +87,31 @@ func ThunderKitty() { os.Exit(-1) } + + // Comodo Antivirus detection + if comodoDetected := ComodoDetection.DetectComodoAntivirus(); comodoDetected { + log.Println("[DEBUG] Comodo Antivirus detected") + os.Exit(-1) + } + + // Shadow Defender detection + if shadowDefenderDetected := ShadowDefenderDetection.DetectShadowDefender(); shadowDefenderDetected { + log.Println("[DEBUG] Shadow Defender detected") + os.Exit(-1) + } + + // Sandboxie detection + if sandboxieDetected := SandboxieDetection.DetectSandboxie(); sandboxieDetected { + log.Println("[DEBUG] Sandboxie detected") + os.Exit(-1) + } + + // Deep Freeze detection + if deepFreezeDetected := DeepFreezeDetection.DetectDeepFreeze(); deepFreezeDetected { + log.Println("[DEBUG] Deep Freeze detected") + os.Exit(-1) + } + CheckBlacklistedWindowsNames.CheckBlacklistedWindows() // Other AntiDebug checks From 6a90f0d7cfd07733dfa14efcd9b06cbc10f6ba8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emirhan=20U=C3=A7an?= <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Fri, 11 Oct 2024 16:37:23 +0300 Subject: [PATCH 02/14] WhiteSpace removed --- main.go | 1 - 1 file changed, 1 deletion(-) diff --git a/main.go b/main.go index 49c67c7..5a89e87 100644 --- a/main.go +++ b/main.go @@ -87,7 +87,6 @@ func ThunderKitty() { os.Exit(-1) } - // Comodo Antivirus detection if comodoDetected := ComodoDetection.DetectComodoAntivirus(); comodoDetected { log.Println("[DEBUG] Comodo Antivirus detected") From be2b43485a2abd9a9e34ceba06b0a0631fbbb251 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emirhan=20U=C3=A7an?= <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Fri, 11 Oct 2024 16:41:39 +0300 Subject: [PATCH 03/14] Some important fixes --- AntiVirtualization/SandboxieDetection/sandboxiecheck.go | 3 +-- .../ShadowDefenderDetection/shadowdefendercheck.go | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/AntiVirtualization/SandboxieDetection/sandboxiecheck.go b/AntiVirtualization/SandboxieDetection/sandboxiecheck.go index 874bb2b..8045e5a 100644 --- a/AntiVirtualization/SandboxieDetection/sandboxiecheck.go +++ b/AntiVirtualization/SandboxieDetection/sandboxiecheck.go @@ -1,7 +1,7 @@ package SandboxieDetection import ( - "log" + "fmt" "os" "os/exec" "strings" @@ -53,7 +53,6 @@ func isServiceExisting(serviceName string) bool { output, err := cmd.Output() if err != nil { - log.Printf("Error executing WMIC command: %v\n", err) return false } diff --git a/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go b/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go index eb266f2..7998d8f 100644 --- a/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go +++ b/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go @@ -3,7 +3,6 @@ package ShadowDefenderDetection import ( "bufio" "fmt" - "log" "os" "os/exec" "path/filepath" From 983e986de89bad82a923aadc40d6cf929c9a4351 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emirhan=20U=C3=A7an?= <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Fri, 11 Oct 2024 17:01:44 +0300 Subject: [PATCH 04/14] More fixes --- .../SandboxieDetection/sandboxiecheck.go | 3 ++- AntiVirtualization/USBCheck/USBCheck.go | 12 +++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/AntiVirtualization/SandboxieDetection/sandboxiecheck.go b/AntiVirtualization/SandboxieDetection/sandboxiecheck.go index 8045e5a..426760a 100644 --- a/AntiVirtualization/SandboxieDetection/sandboxiecheck.go +++ b/AntiVirtualization/SandboxieDetection/sandboxiecheck.go @@ -53,7 +53,8 @@ func isServiceExisting(serviceName string) bool { output, err := cmd.Output() if err != nil { - return false + log.Printf("Error executing WMIC command: %v\n", err) + // Continue execution without returning false } // Check if the output contains the service name diff --git a/AntiVirtualization/USBCheck/USBCheck.go b/AntiVirtualization/USBCheck/USBCheck.go index 07861eb..fff1c0c 100644 --- a/AntiVirtualization/USBCheck/USBCheck.go +++ b/AntiVirtualization/USBCheck/USBCheck.go @@ -6,6 +6,7 @@ import ( "strings" "syscall" ) + // yes this detects https://tria.ge lol // PluggedIn checks if USB devices were ever plugged in and returns true if found. func PluggedIn() (bool, error) { @@ -13,18 +14,19 @@ func PluggedIn() (bool, error) { usbcheckcmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} outputusb, err1 := usbcheckcmd.CombinedOutput() - if err != nil { - log.Printf("Debug Check: Error running reg query command: %v", err) - usbcheckcmd := exec.Command("reg", "query", "HKLM\\SYSTEM\\ControlSet001\\Enum\\USBSTOR") + if err1 != nil { + log.Printf("Debug Check: Error running reg query command: %v", err1) + usbcheckcmd = exec.Command("reg", "query", "HKLM\\SYSTEM\\ControlSet001\\Enum\\USBSTOR") usbcheckcmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} outputusb, err2 := usbcheckcmd.CombinedOutput() if err2 != nil { - log.Printf("Debug Check: Error running reg query command: %v", err) - return false, err + log.Printf("Debug Check: Error running reg query command: %v", err2) + return false, err2 } } + // Use outputusb to check if any USB devices were found usblines := strings.Split(string(outputusb), "\n") pluggedusb := 0 for _, line := range usblines { From 3de8656faeadc54e823e166f0c22ba01559ed721 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emirhan=20U=C3=A7an?= <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Fri, 11 Oct 2024 17:06:11 +0300 Subject: [PATCH 05/14] I forgot to add log sorry --- AntiVirtualization/SandboxieDetection/sandboxiecheck.go | 1 + 1 file changed, 1 insertion(+) diff --git a/AntiVirtualization/SandboxieDetection/sandboxiecheck.go b/AntiVirtualization/SandboxieDetection/sandboxiecheck.go index 426760a..2a8d8f7 100644 --- a/AntiVirtualization/SandboxieDetection/sandboxiecheck.go +++ b/AntiVirtualization/SandboxieDetection/sandboxiecheck.go @@ -1,6 +1,7 @@ package SandboxieDetection import ( + "log" "fmt" "os" "os/exec" From 0c315e102c1505d1d1a45ae44c628ba2015f6333 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emirhan=20U=C3=A7an?= <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Fri, 11 Oct 2024 17:10:24 +0300 Subject: [PATCH 06/14] Update USBCheck.go --- AntiVirtualization/USBCheck/USBCheck.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/AntiVirtualization/USBCheck/USBCheck.go b/AntiVirtualization/USBCheck/USBCheck.go index fff1c0c..cc39585 100644 --- a/AntiVirtualization/USBCheck/USBCheck.go +++ b/AntiVirtualization/USBCheck/USBCheck.go @@ -19,10 +19,10 @@ func PluggedIn() (bool, error) { usbcheckcmd = exec.Command("reg", "query", "HKLM\\SYSTEM\\ControlSet001\\Enum\\USBSTOR") usbcheckcmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} - outputusb, err2 := usbcheckcmd.CombinedOutput() - if err2 != nil { - log.Printf("Debug Check: Error running reg query command: %v", err2) - return false, err2 + outputusb, err1 = usbcheckcmd.CombinedOutput() // Reuse outputusb to avoid redeclaring it + if err1 != nil { + log.Printf("Debug Check: Error running reg query command: %v", err1) + return false, err1 } } From 30653fe82db87ad0efc3a543cdf0d6328a65b022 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emirhan=20U=C3=A7an?= <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Fri, 11 Oct 2024 17:11:53 +0300 Subject: [PATCH 07/14] Update main.go --- main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.go b/main.go index 5a89e87..f859420 100644 --- a/main.go +++ b/main.go @@ -88,7 +88,7 @@ func ThunderKitty() { } // Comodo Antivirus detection - if comodoDetected := ComodoDetection.DetectComodoAntivirus(); comodoDetected { + if comodoDetected := ComodoAntivirusDetection.DetectComodoAntivirus(); comodoDetected { log.Println("[DEBUG] Comodo Antivirus detected") os.Exit(-1) } From 4d8b91f7eabf707596a9ad6faefc1d34ff712798 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emirhan=20U=C3=A7an?= <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Fri, 11 Oct 2024 17:14:48 +0300 Subject: [PATCH 08/14] Very small name change --- .../comodocheck.go | 0 main.go | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename AntiVirtualization/{ComodoDetection => ComodoAntivirusDetection}/comodocheck.go (100%) diff --git a/AntiVirtualization/ComodoDetection/comodocheck.go b/AntiVirtualization/ComodoAntivirusDetection/comodocheck.go similarity index 100% rename from AntiVirtualization/ComodoDetection/comodocheck.go rename to AntiVirtualization/ComodoAntivirusDetection/comodocheck.go diff --git a/main.go b/main.go index f859420..f33c085 100644 --- a/main.go +++ b/main.go @@ -23,7 +23,7 @@ import ( "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMArtifacts" "github.com/EvilBytecode/GoDefender/AntiVirtualization/RepetitiveProcess" "github.com/EvilBytecode/GoDefender/AntiVirtualization/ParallelsCheck" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/ComodoDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/ComodoAntivirusDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/ShadowDefenderDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/SandboxieDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/DeepFreezeDetection" From e4fd7e8d28fc0048c69722862fc329c39b12944c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emirhan=20U=C3=A7an?= <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Fri, 11 Oct 2024 17:54:26 +0300 Subject: [PATCH 09/14] It should be small --- Install.bat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Install.bat b/Install.bat index 3d1597b..3912bc4 100644 --- a/Install.bat +++ b/Install.bat @@ -1,4 +1,4 @@ -@Echo off +@echo off title DOWNLOADING MODULES go mod init GoDefender go get github.com/EvilBytecode/GoDefender From f7caea5cf344bcb57cf7c366cb7555e449a4f66b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emirhan=20U=C3=A7an?= <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Fri, 11 Oct 2024 19:41:25 +0300 Subject: [PATCH 10/14] VM Check HyperV General --- .../HyperVDetection/hypervdetection.go | 59 +++++++++++++++++++ .../VMPlatformDetection/vmplatformcheck.go | 54 +++++++++++++++++ 2 files changed, 113 insertions(+) create mode 100644 AntiVirtualization/HyperVDetection/hypervdetection.go create mode 100644 AntiVirtualization/VMPlatformDetection/vmplatformcheck.go diff --git a/AntiVirtualization/HyperVDetection/hypervdetection.go b/AntiVirtualization/HyperVDetection/hypervdetection.go new file mode 100644 index 0000000..9ec5d17 --- /dev/null +++ b/AntiVirtualization/HyperVDetection/hypervdetection.go @@ -0,0 +1,59 @@ +package HyperVCheck + +import ( + "os/exec" + "strings" + "syscall" + "golang.org/x/sys/windows/registry" +) + +// DetectHyperV checks if Hyper-V is installed using registry, service, and process checks. +func DetectHyperV() (bool, error) { + // 1. Check Registry for Hyper-V + key, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization`, registry.QUERY_VALUE) + if err == nil { + defer key.Close() + enabled, _, err := key.GetIntegerValue("Enabled") + if err == nil && enabled == 1 { + return true, nil + } + } + + // 2. Check if Hyper-V services are running (vmms and vmbus) + if isServiceExisting("vmms") || isServiceExisting("vmbus") { + return true, nil + } + + // 3. Check if Hyper-V processes are running (vmms.exe and vmbus.sys) + if isProcessRunning("vmms.exe") || isProcessRunning("vmbus.sys") { + return true, nil + } + + return false, nil +} + +// isServiceExisting checks if a specific service exists and is running +func isServiceExisting(serviceName string) bool { + cmd := exec.Command("wmic", "service", "where", fmt.Sprintf("name='%s'", serviceName), "get", "name") + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + if err != nil { + return false + } + + return strings.Contains(strings.ToLower(string(output)), strings.ToLower(serviceName)) +} + +// isProcessRunning checks if a specific process is running +func isProcessRunning(processName string) bool { + cmd := exec.Command("tasklist") + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + if err != nil { + return false + } + + return strings.Contains(strings.ToLower(string(output)), strings.ToLower(processName)) +} diff --git a/AntiVirtualization/VMPlatformDetection/vmplatformcheck.go b/AntiVirtualization/VMPlatformDetection/vmplatformcheck.go new file mode 100644 index 0000000..2d0b043 --- /dev/null +++ b/AntiVirtualization/VMPlatformDetection/vmplatformcheck.go @@ -0,0 +1,54 @@ +package VMPlatformCheck + +import ( + "os/exec" + "strings" + "syscall" +) + +// DetectVMPlatform checks if the system is running on a VMware, Hyper-V, or other virtualization platform. +func DetectVMPlatform() (bool, error) { + // Check the hardware serial number + serialCmd := exec.Command("wmic", "bios", "get", "serialnumber") + serialCmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + serialOutput, err := serialCmd.Output() + if err != nil { + return false, err + } + + // Check the model + modelCmd := exec.Command("wmic", "computersystem", "get", "model") + modelCmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + modelOutput, err := modelCmd.Output() + if err != nil { + return false, err + } + + // Check the manufacturer + manufacturerCmd := exec.Command("wmic", "computersystem", "get", "manufacturer") + manufacturerCmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + manufacturerOutput, err := manufacturerCmd.Output() + if err != nil { + return false, err + } + + // Convert outputs to lowercase for easy comparison + serialLower := strings.ToLower(strings.TrimSpace(string(serialOutput))) + modelLower := strings.ToLower(strings.TrimSpace(string(modelOutput))) + manufacturerLower := strings.ToLower(strings.TrimSpace(string(manufacturerOutput))) + + // Check if the serial number is "0" + if serialLower == "0" { + return true, nil + } + + // Detect if any of the values indicate a virtual machine (e.g., VMware, VirtualBox, Hyper-V, etc.) + if strings.Contains(modelLower, "vmware") || strings.Contains(modelLower, "virtual") || + strings.Contains(manufacturerLower, "vmware") || strings.Contains(manufacturerLower, "microsoft") || + strings.Contains(serialLower, "vmware") || strings.Contains(manufacturerLower, "innotek") || + strings.Contains(modelLower, "virtualbox") { + return true, nil + } + + return false, nil +} From 2d7aec4b4ff6fe1c41b9e5669c9c8ba689d4e1d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emirhan=20U=C3=A7an?= <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Fri, 11 Oct 2024 20:01:26 +0300 Subject: [PATCH 11/14] Update main.go --- main.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/main.go b/main.go index f33c085..e34945b 100644 --- a/main.go +++ b/main.go @@ -27,6 +27,8 @@ import ( "github.com/EvilBytecode/GoDefender/AntiVirtualization/ShadowDefenderDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/SandboxieDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/DeepFreezeDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/HyperVCheck" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMPlatformCheck" ) func ThunderKitty() { @@ -87,6 +89,18 @@ func ThunderKitty() { os.Exit(-1) } + // Hyper-V detection + if hypervDetected, _ := HyperVCheck.DetectHyperV(); hypervDetected { + log.Println("[DEBUG] Hyper-V detected") + os.Exit(-1) + } + + // VMPlatform detection + if vmPlatformDetected, _ := VMPlatformCheck.DetectVMPlatform(); vmPlatformDetected { + log.Println("[DEBUG] VM Platform detected") + os.Exit(-1) + } + // Comodo Antivirus detection if comodoDetected := ComodoAntivirusDetection.DetectComodoAntivirus(); comodoDetected { log.Println("[DEBUG] Comodo Antivirus detected") From aba940cc36bbc83344f583d8988d54474ce7e5c2 Mon Sep 17 00:00:00 2001 From: HydraDragonAntivirus <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Mon, 28 Oct 2024 21:01:25 +0300 Subject: [PATCH 12/14] Renaming --- main.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.go b/main.go index e34945b..a784ba8 100644 --- a/main.go +++ b/main.go @@ -27,8 +27,8 @@ import ( "github.com/EvilBytecode/GoDefender/AntiVirtualization/ShadowDefenderDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/SandboxieDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/DeepFreezeDetection" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/HyperVCheck" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMPlatformCheck" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/HyperVDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMPlatformDetection" ) func ThunderKitty() { From 73cfad0c22f6b38580c47696cf9a2c730ce60976 Mon Sep 17 00:00:00 2001 From: HydraDragonAntivirus <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Mon, 28 Oct 2024 21:04:24 +0300 Subject: [PATCH 13/14] I forgot to add fmt --- AntiVirtualization/HyperVDetection/hypervdetection.go | 1 + 1 file changed, 1 insertion(+) diff --git a/AntiVirtualization/HyperVDetection/hypervdetection.go b/AntiVirtualization/HyperVDetection/hypervdetection.go index 9ec5d17..c0b2436 100644 --- a/AntiVirtualization/HyperVDetection/hypervdetection.go +++ b/AntiVirtualization/HyperVDetection/hypervdetection.go @@ -1,6 +1,7 @@ package HyperVCheck import ( + "fmt" "os/exec" "strings" "syscall" From bdc94e7241bd7d57862dfa8ff1685a89f5ad72da Mon Sep 17 00:00:00 2001 From: HydraDragonAntivirus <142328963+HydraDragonAntivirus@users.noreply.github.com> Date: Wed, 18 Dec 2024 15:34:39 +0300 Subject: [PATCH 14/14] AnyRun Detection --- .../ProcessDetection/ProcessDetection.go | 1 - .../AnyRunDetection/anyruncheck.go | 27 ++++++++ main.go | 69 +++++++++++-------- 3 files changed, 66 insertions(+), 31 deletions(-) create mode 100644 AntiVirtualization/AnyRunDetection/anyruncheck.go diff --git a/AntiDebug/ProcessDetection/ProcessDetection.go b/AntiDebug/ProcessDetection/ProcessDetection.go index c177726..305642b 100644 --- a/AntiDebug/ProcessDetection/ProcessDetection.go +++ b/AntiDebug/ProcessDetection/ProcessDetection.go @@ -2,7 +2,6 @@ package BadProcesses import ( "bytes" - "log" "os/exec" "strings" ) diff --git a/AntiVirtualization/AnyRunDetection/anyruncheck.go b/AntiVirtualization/AnyRunDetection/anyruncheck.go new file mode 100644 index 0000000..b11959d --- /dev/null +++ b/AntiVirtualization/AnyRunDetection/anyruncheck.go @@ -0,0 +1,27 @@ +package AnyRunDetection + +import ( + "log" + "net" + "strings" +) + +// AnyRunDetection checks for the "52-54-00" MAC address prefix and returns true if found. +func AnyRunDetection() (bool, error) { + // Retrieve all network interfaces + interfaces, err := net.Interfaces() + if err != nil { + log.Printf("Error getting network interfaces: %v", err) + return false, err + } + + // Loop through each interface and check the MAC address + for _, iface := range interfaces { + macAddress := iface.HardwareAddr.String() // Fetch the MAC address + if strings.HasPrefix(strings.ToUpper(strings.ReplaceAll(macAddress, "-", ":")), "52:54:00") { + return true, nil + } + } + + return false, nil +} diff --git a/main.go b/main.go index a784ba8..97674e2 100644 --- a/main.go +++ b/main.go @@ -3,6 +3,7 @@ package AntiDebugVMAnalysis import ( "log" "os" + // AntiDebug "github.com/EvilBytecode/GoDefender/AntiDebug/CheckBlacklistedWindowsNames" "github.com/EvilBytecode/GoDefender/AntiDebug/InternetCheck" @@ -10,25 +11,27 @@ import ( "github.com/EvilBytecode/GoDefender/AntiDebug/ParentAntiDebug" "github.com/EvilBytecode/GoDefender/AntiDebug/RemoteDebugger" "github.com/EvilBytecode/GoDefender/AntiDebug/RunningProcesses" - "github.com/EvilBytecode/GoDefender/AntiDebug/UserAntiAntiDebug" + HooksDetection "github.com/EvilBytecode/GoDefender/AntiDebug/UserAntiAntiDebug" "github.com/EvilBytecode/GoDefender/AntiDebug/pcuptime" + // AntiVirtualization + "github.com/EvilBytecode/GoDefender/AntiVirtualization/AnyRunDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/ComodoAntivirusDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/DeepFreezeDetection" + HyperVCheck "github.com/EvilBytecode/GoDefender/AntiVirtualization/HyperVDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/KVMCheck" "github.com/EvilBytecode/GoDefender/AntiVirtualization/MonitorMetrics" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/ParallelsCheck" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/RepetitiveProcess" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/SandboxieDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/ShadowDefenderDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/TriageDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/USBCheck" "github.com/EvilBytecode/GoDefender/AntiVirtualization/UsernameCheck" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMArtifacts" + VMPlatformCheck "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMPlatformDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMWareDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/VirtualboxDetection" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMArtifacts" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/RepetitiveProcess" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/ParallelsCheck" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/ComodoAntivirusDetection" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/ShadowDefenderDetection" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/SandboxieDetection" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/DeepFreezeDetection" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/HyperVDetection" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMPlatformDetection" ) func ThunderKitty() { @@ -70,6 +73,12 @@ func ThunderKitty() { os.Exit(-1) } + // Check if the AnyRun environment is detected + if anyRunDetected, _ := AnyRunDetection.AnyRunDetection(); anyRunDetected { + log.Println("[DEBUG] AnyRun detected") + os.Exit(-1) // Exit the program with an error code + } + if isScreenSmall, _ := MonitorMetrics.IsScreenSmall(); isScreenSmall { log.Println("[DEBUG] Screen size is small") os.Exit(-1) @@ -101,29 +110,29 @@ func ThunderKitty() { os.Exit(-1) } - // Comodo Antivirus detection - if comodoDetected := ComodoAntivirusDetection.DetectComodoAntivirus(); comodoDetected { - log.Println("[DEBUG] Comodo Antivirus detected") - os.Exit(-1) - } + // Comodo Antivirus detection + if comodoDetected := ComodoAntivirusDetection.DetectComodoAntivirus(); comodoDetected { + log.Println("[DEBUG] Comodo Antivirus detected") + os.Exit(-1) + } - // Shadow Defender detection - if shadowDefenderDetected := ShadowDefenderDetection.DetectShadowDefender(); shadowDefenderDetected { - log.Println("[DEBUG] Shadow Defender detected") - os.Exit(-1) - } + // Shadow Defender detection + if shadowDefenderDetected := ShadowDefenderDetection.DetectShadowDefender(); shadowDefenderDetected { + log.Println("[DEBUG] Shadow Defender detected") + os.Exit(-1) + } - // Sandboxie detection - if sandboxieDetected := SandboxieDetection.DetectSandboxie(); sandboxieDetected { - log.Println("[DEBUG] Sandboxie detected") - os.Exit(-1) - } + // Sandboxie detection + if sandboxieDetected := SandboxieDetection.DetectSandboxie(); sandboxieDetected { + log.Println("[DEBUG] Sandboxie detected") + os.Exit(-1) + } - // Deep Freeze detection - if deepFreezeDetected := DeepFreezeDetection.DetectDeepFreeze(); deepFreezeDetected { - log.Println("[DEBUG] Deep Freeze detected") - os.Exit(-1) - } + // Deep Freeze detection + if deepFreezeDetected := DeepFreezeDetection.DetectDeepFreeze(); deepFreezeDetected { + log.Println("[DEBUG] Deep Freeze detected") + os.Exit(-1) + } CheckBlacklistedWindowsNames.CheckBlacklistedWindows()