• Welcome to Test Foro de elhacker.net SMF 2.1.
 

[ANTI] AmISandboxied() - Know whether we are being run inside Sandboxie

Started by Karcrack, 13 March 2011, 20:42 PM


Karcrack

Code (vb):
Option Explicit
'NTDLL: returns the address of the current process's PEB
Private Declare Function RtlGetCurrentPeb Lib "NTDLL" () As Long
'MSVBVM60: copies 4 bytes from Addr into RetVal (raw memory read)
Private Declare Sub GetMem4 Lib "MSVBVM60" (ByVal Addr As Long, ByRef RetVal As Long)

'---------------------------------------------------------------------------------------
' Procedure : AmISandboxied
' Author    : Karcrack
' Date      : 13/03/2011
' Purpose   : Know if we are running under Sandboxie
'---------------------------------------------------------------------------------------
'
Public Function AmISandboxied() As Boolean
    Dim lUPP        As Long         '&RTL_USER_PROCESS_PARAMETERS
    Dim lFlags      As Long         'RTL_USER_PROCESS_PARAMETERS.Flags

    'PEB+&H10 holds the ProcessParameters pointer on 32-bit Windows
    Call GetMem4(RtlGetCurrentPeb() + &H10, lUPP)
    'RTL_USER_PROCESS_PARAMETERS+&H8 is the Flags field
    Call GetMem4(lUPP + &H8, lFlags)
    'Outside Sandboxie the observed value is 1
    AmISandboxied = (lFlags <> 1)
End Function

Pretty simple: for some unknown reason, PEB.RTL_USER_PROCESS_PARAMETERS.Flags is different when running inside Sandboxie ;)

Karcrack

In case anyone is interested, the ASM code I used in the tests:
Code (asm):
Main:
        cdq                             ; edx = 0 (eax assumed non-negative)
        mov     edx, [FS:edx+$30]       ; FS:[$30] -> PEB (32-bit)
        mov     edx, [edx+$10]          ; PEB.ProcessParameters
        mov     edx, [edx+$08]          ; RTL_USER_PROCESS_PARAMETERS.Flags
        dec     edx                     ; ZF set if Flags == 1
        jnz     Sandboxie
        ;Code
Sandboxie:
        ret
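As an added, defender-side example (not code from the thread): a small Python scanner that looks for the 32-bit byte encoding of the PEB walk above (mov edx, fs:[edx+$30]; mov edx,[edx+$10]; mov edx,[edx+$08]; dec edx; jnz), with the jnz displacement wildcarded so any branch target matches. The encodings are my own hand assembly of those instructions, and the sample buffer is constructed.

```python
import re

# Hand-assembled 32-bit x86 encoding of the PEB.ProcessParameters.Flags check
# from the ASM post (the preceding cdq / register zeroing is deliberately left
# out of the pattern so the match does not depend on how edx was cleared):
#   64 8B 52 30     mov edx, fs:[edx+0x30]   ; TEB -> PEB
#   8B 52 10        mov edx, [edx+0x10]      ; PEB.ProcessParameters
#   8B 52 08        mov edx, [edx+0x08]      ; RTL_USER_PROCESS_PARAMETERS.Flags
#   4A              dec edx
#   75 ??           jnz rel8 (displacement wildcarded)
PEB_FLAGS_CHECK = re.compile(
    rb"\x64\x8B\x52\x30\x8B\x52\x10\x8B\x52\x08\x4A\x75.",
    re.DOTALL,
)
PATTERN_LEN = 13  # bytes covered by the pattern, including the jnz displacement


def find_peb_flags_checks(data: bytes) -> list[int]:
    """Return every offset at which the Flags-check sequence occurs."""
    return [m.start() for m in PEB_FLAGS_CHECK.finditer(data)]


def describe(data: bytes, offset: int) -> dict:
    """Decode a match into triage fields: where it is and where the jnz goes."""
    disp = data[offset + PATTERN_LEN - 1]
    rel = disp - 256 if disp >= 128 else disp          # rel8 is signed
    return {
        "offset": offset,
        "jnz_disp": rel,
        "jnz_target": offset + PATTERN_LEN + rel,        # target = next insn + rel8
    }


def scan(data: bytes) -> list[dict]:
    """Scan a buffer (e.g. a code section) and describe each hit."""
    return [describe(data, off) for off in find_peb_flags_checks(data)]


# Constructed sample: 16 NOPs, cdq, the check branching +5 over 5 NOPs to a RET.
SAMPLE = (
    b"\x90" * 16
    + b"\x99"
    + b"\x64\x8B\x52\x30\x8B\x52\x10\x8B\x52\x08\x4A\x75\x05"
    + b"\x90" * 5
    + b"\xC3"
    + b"\x00" * 8
)
```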


Karcrack


philipjfry99

Hi Karcrack, love your work :), this one works except on 7 64-bit, do you know why?

Karcrack

@philipjfry99: Maybe in 64 bits the PEB structure differs. I can't reproduce the error now, so I'll try to fix it later.