(Golang) Virtualization/Sandbox Evasion: User Activity Based Checks by Edode
Created the Wednesday 26 April 2023. Updated 5 months, 3 weeks ago.
Description:
The provided code is designed to differentiate between a sandbox environment and a genuine user workspace by monitoring user clicks and idle time. It achieves this by incrementing a click count variable upon detecting a left or right click, and comparing the elapsed idle time to a predefined maximum threshold. If the total number of clicks is below a specified minimum or the idle time surpasses the maximum limit, the code identifies the environment as a sandbox. Otherwise, it recognizes the presence of a legitimate user.
Code
package main
import (
"fmt"
"syscall"
"time"
)
var (
user32 = syscall.NewLazyDLL("user32.dll")
getAsyncKeyState = user32.NewProc("GetAsyncKeyState")
)
func evadeClicksCount() {
// Increment variable when a click is detected
var clickCount int
// Set the minimal number of clicks to be detected
var minimalClickCount = 10
// Set the maximum idle time in seconds
var maxIdleTime = 120
var t time.Time = time.Now()
for clickCount <= minimalClickCount {
leftClick, _, _ := getAsyncKeyState.Call(uintptr(0x1))
rightClick, _, _ := getAsyncKeyState.Call(uintptr(0x2))
// Check if a click is detected
if leftClick%2 == 1 || rightClick%2 == 1 {
clickCount += 1
t = time.Now()
}
if int(time.Since(t).Seconds()) > maxIdleTime {
fmt.Println("Sandbox Detected !")
}
}
fmt.Println("Legitimate user detected !")
}
func main() {
evadeClicksCount()
}