
@stypr
Created February 7, 2015 06:11
Detect software-based Virtual Machine in VB6
' Reports whether the current process appears to run inside one of a few
' specific sandbox / automated-analysis products.
'
' Returns True when either check matches, otherwise the Boolean default (False):
'   1. a loaded module whose name contains "sbiedll.dll" or "dbghelp.dll";
'   2. the ProductId value under HKLM\Software\Microsoft\Windows\CurrentVersion
'      contains one of three hard-coded product IDs.
'
' Despite the name, nothing here tests for a hypervisor; both checks are
' fingerprints of particular analysis environments, as the inline product
' names indicate.
'
' Analyst notes: a module walk of the own process followed by a read of
' ProductId is a recognisable environment-fingerprinting pattern. Analysis
' environments that do not expose a fixed ProductId give check 2 nothing to match.
'
' NOTE(review): the API Declares, the MODULEENTRY32 type and the constants
' (TH32CS_SNAPMODULE, HKEY_LOCAL_MACHINE, KEY_ALL_ACCESS, REG_SZ) are defined
' outside this snippet; argument passing conventions cannot be confirmed here.
Public Function VirtualMachineProtect() As Boolean
'VMs are easily detectable by registry and library checkup
' Every runtime error below is silently skipped, so a failing API call
' simply leaves the result at its current value.
On Error Resume Next
Dim hKey As Long, hOpen As Long, hQuery As Long, hSnapShot As Long
Dim me32 As MODULEENTRY32
' Fixed-length 128-character buffer that receives the ProductId string.
Dim szBuffer As String * 128
' Snapshot of the modules loaded in this process. The returned handle is
' not checked for failure before it is used.
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId)
' The Toolhelp API expects dwSize to be filled in before the first call.
me32.dwSize = Len(me32)
' NOTE(review): the entry returned by Module32First is never compared,
' because the loop condition calls Module32Next before the first test.
Module32First hSnapShot, me32
Do While Module32Next(hSnapShot, me32) <> 0
' Case-insensitive substring match on the module name. The loop keeps
' iterating after a match; the flag is only ever set, never cleared.
If InStr(1, LCase(me32.szModule), "sbiedll.dll") > 0 Then 'Sandboxie
VirtualMachineProtect = true
' NOTE(review): dbghelp.dll is the Windows Debug Help Library and is loaded
' by many ordinary programs, so this match is not specific to the product
' named in the comment and is likely to produce false positives.
ElseIf InStr(1, LCase(me32.szModule), "dbghelp.dll") > 0 Then 'ThreatExpert
VirtualMachineProtect = true
End If
Loop
CloseHandle (hSnapShot)
' The registry check runs only when the module scan found nothing.
If VirtualMachineProtect = False Then
' NOTE(review): KEY_ALL_ACCESS is requested although the key is only read.
' A full-access open of this HKLM key is normally refused for a
' non-elevated process, in which case hOpen is non-zero and the whole
' branch is skipped. A full-access request on this key is also an unusual
' event for monitoring to record.
hOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion", 0, KEY_ALL_ACCESS, hKey)
' 0 is the success return code for the registry API.
If hOpen = 0 Then
hQuery = RegQueryValueEx(hKey, "ProductId", 0, REG_SZ, szBuffer, 128)
If hQuery = 0 Then
' Substring comparison against product IDs the author attributes to
' three public analysis services.
If InStr(1, szBuffer, "76487-337-8429955-22614") > 0 Then 'Anubis
VirtualMachineProtect = true
ElseIf InStr(1, szBuffer, "76487-644-3177037-23510") > 0 Then 'CWSandbox
VirtualMachineProtect = true
ElseIf InStr(1, szBuffer, "55274-640-2673064-23950") > 0 Then 'JoeBox
VirtualMachineProtect = true
End If
End If
End If
' Called even when RegOpenKeyEx failed and hKey was never assigned.
RegCloseKey (hKey)
End If
End Function