
 #27442  by felony
 Thu Dec 17, 2015 8:00 am
Simple way to detect the Comodo & Qihoo 360 Total Security sandbox ;)
#include "stdafx.h"
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <psapi.h>
#include <iostream>

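int IsSandboxed(DWORD processID)
{
	// Looks through the modules loaded in process `processID` for either of the
	// two DLL file names the post associates with the Comodo and Qihoo 360
	// sandboxes (the two TEXT() literals below). The only positive signal is the
	// printed line: the return value is 1 when the process could not be opened
	// and 0 in every other case, including the "found" one. main() ignores it,
	// so that (odd) contract is kept unchanged here.
	//
	// Fixes relative to the original: the process handle was leaked on the
	// "found" path and when EnumProcessModules failed; and the module loop
	// trusted cbNeeded even when it exceeded sizeof(hMods) — EnumProcessModules
	// reports the size required, not the size filled — so a process with more
	// than 1024 modules made the loop read past the array.
	HMODULE hMods[1024];
	DWORD cbNeeded = 0;
	int found = 0;

	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processID);
	if (hProcess == nullptr)
		return 1;

	if (EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
	{
		// Clamp to what the buffer can hold; cbNeeded may be larger than sizeof(hMods).
		if (cbNeeded > sizeof(hMods))
			cbNeeded = sizeof(hMods);

		for (DWORD i = 0; i < cbNeeded / sizeof(HMODULE) && !found; i++)
		{
			TCHAR szModName[MAX_PATH];

			// A module whose name cannot be read is simply skipped, as before.
			if (!GetModuleFileNameEx(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR)))
				continue;

			// _tcsstr/TEXT keep the comparison consistent with the TCHAR buffer;
			// the original mixed wcsstr/L"" with TCHAR, which only builds with UNICODE.
			if (_tcsstr(szModName, TEXT("cmdvrt32.dll")) != nullptr ||
			    _tcsstr(szModName, TEXT("sxin.dll")) != nullptr)
			{
				_tprintf(TEXT("Sandboxed ;)"));
				found = 1;
			}
		}
	}

	// Every path that opened the handle now releases it.
	CloseHandle(hProcess);
	return 0;
}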

int main(void)
{
	// Checks the current process only. IsSandboxed's return value is ignored,
	// so the printed "Sandboxed ;)" line is the program's sole output.
	const DWORD currentPid = GetCurrentProcessId();
	(void)IsSandboxed(currentPid);

	// Keep the console window open until a key is pressed.
	(void)getchar();
	return 0;
}