GetForegroundWindow

Created the Thursday 01 October 2020. Updated 2 years ago.

This technique uses the GetForegroundWindow and Sleep APIs to attempt to evade sandboxes. Many sandboxes do not alter the foreground window like a user would in a normal desktop environment.

It accomplishes this by making a call to GetForegroundWindow, which returns a handle to the current window. Then the malware sample will sleep for a short time, followed by another call to GetForegroundWindow. If the foreground window has not changed, the malware assumes it is in a sandbox or analysis virtual machine and will continue this loop until the foreground window changes. If there is no change, the program will loop indefinitely or may make a call to ExitProcess.

Description

This technique is using the API GetForegroundWindow.

#include <winuser.h> // Required import for GetForegroundWindow API
 
int main()
{
 
    //Get a handle to user's current foreground window.
    int foregroundWindowHandle1 = GetForegroundWindow(); 
 
    do {
 
        //Sleep for .1 second.
        Sleep(100); 
 
        //Get a handle to user's current foreground window again.
        int foregroundWindowHandle2 = GetForegroundWindow(); 
 
        }
 
    //While the handles to the current foreground windows are equal, continue to loop.
    while (foregroundWindowHandle1 == foregroundWindowHandle2);
 
    return 0;
};

Open Snippet

Additional Resources

External Links

News from the Lab Archive : January 2004 to September 2015