
Checking Installed Software
By enumerating the software installed on the host (here via the registry's Uninstall key), a sample can infer that it is running in a sandbox or analysis environment: the presence of a Python interpreter, tracers, debugging tools, VMware Tools and similar packages is a strong hint that the machine is not an ordinary victim.
Code Snippets
#include <iostream>
#include <windows.h>
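/*
 * Print the DisplayName of every product registered under
 * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
 *
 * Returns false when the Uninstall key itself cannot be opened, true once the
 * enumeration has run to its end (ERROR_NO_MORE_ITEMS) or stopped on another
 * enumeration error.  A per-product subkey that cannot be opened or has no
 * readable DisplayName is skipped rather than aborting the walk.
 *
 * Caveat for both offense and detection: a 32-bit process on 64-bit Windows is
 * redirected to the WOW6432Node view of this key.  Pass KEY_WOW64_64KEY (and
 * repeat with KEY_WOW64_32KEY) in the access mask to see both views.
 */
bool EnumInstalledSoftware(void)
{
    const WCHAR *sRoot = L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
    HKEY hUninstKey = NULL;

    if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, sRoot, 0, KEY_READ, &hUninstKey) != ERROR_SUCCESS)
    {
        return false;
    }

    LONG lResult = ERROR_SUCCESS;
    for (DWORD dwIndex = 0; lResult == ERROR_SUCCESS; dwIndex++)
    {
        WCHAR sAppKeyName[1024];
        // RegEnumKeyExW takes the buffer size in *characters*; the original
        // passed sizeof() (bytes), which over-reports the buffer by 2x.
        DWORD cchName = sizeof(sAppKeyName) / sizeof(sAppKeyName[0]);

        lResult = RegEnumKeyExW(hUninstKey, dwIndex, sAppKeyName, &cchName,
                                NULL, NULL, NULL, NULL);
        if (lResult != ERROR_SUCCESS)
        {
            // ERROR_NO_MORE_ITEMS is the normal end of the walk; any other
            // error also ends it (the loop condition would do the same).
            break;
        }

        // Open the product subkey relative to the already-open Uninstall key.
        // The original built "sRoot\\sAppKeyName" into a second buffer with a
        // call that was commented out, so it opened an uninitialised path.
        HKEY hAppKey = NULL;
        if (RegOpenKeyExW(hUninstKey, sAppKeyName, 0, KEY_READ, &hAppKey) != ERROR_SUCCESS)
        {
            // One unreadable entry (e.g. an ACL'd per-product key) should not
            // abort the whole enumeration; nothing to close on failure.
            continue;
        }

        WCHAR sDisplayName[1024];
        DWORD dwType = REG_NONE;
        // RegQueryValueExW takes the size in *bytes*.  Reserve one WCHAR so the
        // value can always be NUL-terminated: the registry does not guarantee
        // that REG_SZ data carries a terminator.  ERROR_MORE_DATA (value larger
        // than the buffer) simply means the entry is not printed.
        DWORD cbData = sizeof(sDisplayName) - sizeof(WCHAR);

        if (RegQueryValueExW(hAppKey, L"DisplayName", NULL, &dwType,
                             (LPBYTE)sDisplayName, &cbData) == ERROR_SUCCESS
            && (dwType == REG_SZ || dwType == REG_EXPAND_SZ))
        {
            // cbData <= sizeof(sDisplayName) - sizeof(WCHAR), so the index is
            // always inside the buffer.
            sDisplayName[cbData / sizeof(WCHAR)] = L'\0';
            // %ls is the portable conversion for a wchar_t string; %s under
            // wprintf means a narrow string outside MSVC.
            wprintf(L"%ls\n", sDisplayName);
        }

        RegCloseKey(hAppKey);
    }

    RegCloseKey(hUninstKey);
    return true;
}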
Detection Rules
import "pe"
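rule check_installed_software {
    meta:
        description = "Detect check installed software through registry"
        author = "Thomas Roccia | @fr0gger_"
    strings:
        // Path of the per-machine Uninstall key.  'ascii wide' covers both the
        // RegOpenKeyExA and RegOpenKeyExW spellings of the same literal.
        $s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" ascii wide
    condition:
        // 'and' binds tighter than 'or' in YARA, so the original
        // "uint16(0) == 0x5A4D and $s1 or pe.imports(...)" parsed as
        // "(MZ and $s1) or pe.imports(...)", i.e. the import clause alone
        // was meant to be sufficient.  The imported symbol is the decorated
        // A/W name, never the bare "RegQueryValueEx", so that clause could
        // not match and the rule silently degraded to the string check.
        // Require the string and corroborate it with the real import names.
        // Drop the import conjunct if samples that resolve the API at runtime
        // (GetProcAddress, .NET) must also be caught, at the cost of more hits
        // on legitimate installers/updaters that reference this key.
        uint16(0) == 0x5A4D and $s1 and
        (
            pe.imports("advapi32.dll", "RegQueryValueExW") or
            pe.imports("advapi32.dll", "RegQueryValueExA")
        )
}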