GET /api/techniques/151/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "GetForegroundWindow",
    "category": [
        "https://search.unprotect.it/api/categories/1/"
    ],
    "description": "This technique uses the GetForegroundWindow and Sleep APIs to attempt to evade sandboxes. Many sandboxes do not alter the foreground window like a user would in a normal desktop environment.\r\n\r\nIt accomplishes this by making a call to GetForegroundWindow, which returns a handle to the current window. Then the malware sample will sleep for a short time, followed by another call to GetForegroundWindow. If the foreground window has not changed, the malware assumes it is in a sandbox or analysis virtual machine and will continue this loop until the foreground window changes. If there is no change, the program will loop indefinitely or may make a call to ExitProcess.",
    "resources": "https://archive.f-secure.com/weblog/archives/00002810.html",
    "tags": "GetForegroundWindow",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/8/",
            "technique": "https://search.unprotect.it/api/techniques/151/",
            "description": "This technique uses the `GetForegroundWindow` API.",
            "plain_code": "#include <winuser.h> // Required import for GetForegroundWindow API\r\n \r\nint main()\r\n{\r\n \r\n    //Get a handle to user's current foreground window.\r\n    int foregroundWindowHandle1 = GetForegroundWindow(); \r\n \r\n    do {\r\n \r\n        //Sleep for .1 second.\r\n        Sleep(100); \r\n \r\n        //Get a handle to user's current foreground window again.\r\n        int foregroundWindowHandle2 = GetForegroundWindow(); \r\n \r\n        }\r\n \r\n    //While the handles to the current foreground windows are equal, continue to loop.\r\n    while (foregroundWindowHandle1 == foregroundWindowHandle2);\r\n \r\n    return 0;\r\n};"
        }
    ],
    "detection_rules": [
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "UNPROTECT_Detect_Possible_GetForegroundWindow_Evasion",
            "rule": "import \"pe\"\r\n \r\nrule UNPROTECT_Possible_GetForegroundWindow_Evasion\r\n{\r\n    meta:\r\n        description = \"Attempts to detect possible usage of sandbox evasion techniques using GetForegroundWindow API, based on module imports.\"\r\n        author = \"Kyle Cucci\"\r\n        date = \"2020-09-30\"\r\n \r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        pe.imports(\"user32.dll\", \"GetForegroundWindow\") and\r\n        pe.imports(\"kernel32.dll\", \"Sleep\")\r\n}"
        }
    ]
}