//! # Antilysis
//!
//! Library to detect analysis environments on Windows so your program can react to them.
//! Anti-VM, anti-sandbox, anti-analyzing.
use sysinfo::System;
/// Returns whether or not any sign of an analysis environment is present.
///
/// This is the aggregate check: it is `true` as soon as either
/// [`processes`] or [`sandbox`] reports `true` (`||` short-circuits, so
/// `sandbox()` is only consulted when no suspicious process was found).
/// Both underlying checks are heuristics and can produce false positives
/// on ordinary machines (e.g. a developer running Wireshark, or a
/// legitimate VM-hosted deployment).
///
/// Use:
/// ```
/// use std::process;
///
/// if antilysis::detected(){
/// process::exit(0);
/// }
/// ```
pub fn detected() -> bool {
    processes() || sandbox()
}
/// Returns whether or not suspicious processes have been found. Includes analyzers (wireshark, process explorer, etc...) and VM guest processes.
///
/// The check is an exact, case-sensitive comparison of each running
/// process's name against two fixed lists; it returns `true` on the first
/// match and `false` if the full process table is scanned without one.
/// Any of the listed tools running for a legitimate reason (an analyst's
/// or developer's workstation, a VM-hosted server) will therefore trip it.
///
/// Use:
/// ```
/// use std::process;
///
/// if antilysis::processes(){
/// process::exit(0);
/// }
/// ```
pub fn processes() -> bool{
// Image names of well-known analysis tools (network/process monitors,
// PE inspectors, memory scanners). Compared verbatim, so a renamed
// binary or a different capitalisation is not matched.
let analyzers = vec![
"Wireshark.exe",
"procexp64.exe",
"procexp.exe",
"Procmon.exe",
"Procmon64.exe",
"pestudio.exe",
"KsDumper.exe",
"prl_cc.exe",
"prl_tools.exe",
"pe-sieve64.exe",
"hollows_hunter32.exe",
"Moneta64.exe",
"fakenet.exe"
];
// Guest-integration services shipped by hypervisors; their presence
// indicates the program is running inside a VM guest, not necessarily
// inside a sandbox.
let vms = vec![
"VBoxTray.exe",
"VBoxService.exe",
"VMwareUser.exe",
"vmtoolsd.exe",
"VMwareTray.exe",
"vmsrvc.exe",
"VGAuthService.exe"
];
// Snapshot of the whole system (all processes); only the process table
// is used here. NOTE(review): `process.name()` is compared as `&str` —
// newer sysinfo releases changed the return type, so confirm against the
// pinned crate version.
let s = System::new_all();
for (_pid, process) in s.processes() {
if analyzers.contains(&process.name()) || vms.contains(&process.name()) {
return true;
}
}
return false;
}
/// Returns whether or not any common sandbox artifact is present.
///
/// Two artifacts are examined: the first character of the reported OS
/// version string, and the (lower-cased) host name. Either matching its
/// expected sandbox value yields `true`; otherwise `false`.
///
/// # Panics
///
/// Panics if `System::os_version()` or `System::host_name()` returns
/// `None`, or if the version string is empty, because each value is
/// `unwrap()`ed without a fallback.
///
/// Use:
/// ```
/// use std::process;
///
/// if antilysis::sandbox(){
/// process::exit(0);
/// }
/// ```
pub fn sandbox() -> bool{
// Only the leading character of the version string is inspected.
// NOTE(review): the intent behind treating a leading '0' as a sandbox
// marker is not documented here — presumably an environment that reports
// a placeholder/zero OS version; confirm with the author.
let windows_version = System::os_version().unwrap().chars().next().unwrap();
if windows_version == '0' {
return true;
}
// Host name is normalised to lower case before the exact comparison, so
// the match is case-insensitive but otherwise literal.
let host = System::host_name().unwrap().to_lowercase();
if host == "john-pc"{
return true;
}
return false;
}