GET /api/techniques/32/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "Checking Installed Software",
    "category": [
        "https://search.unprotect.it/api/categories/1/"
    ],
    "description": "By determining which software is installed, the sandbox can be detected (e.g. Python, tracers, debugging tools, VMware Tools...).",
    "resources": "https://www.theguardian.com/technology/blog/2011/nov/08/sandboxing-malware-failure",
    "tags": "",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/3/",
            "technique": "https://search.unprotect.it/api/techniques/32/",
            "description": "This code snippet walks the registry's Uninstall key to enumerate the installed software.",
            "plain_code": "#include <iostream>\r\n#include <windows.h>\r\n\r\nbool EnumInstalledSoftware(void)\r\n{\r\n    HKEY hUninstKey = NULL;\r\n    HKEY hAppKey = NULL;\r\n    WCHAR sAppKeyName[1024];\r\n    WCHAR sSubKey[1024];\r\n    WCHAR sDisplayName[1024];\r\n    WCHAR *sRoot = L\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\";\r\n    long lResult = ERROR_SUCCESS;\r\n    DWORD dwType = KEY_ALL_ACCESS;\r\n    DWORD dwBufferSize = 0;\r\n\r\n    if(RegOpenKeyExW(HKEY_LOCAL_MACHINE, sRoot, 0, KEY_READ, &hUninstKey) != ERROR_SUCCESS)\r\n    {\r\n        return false;\r\n    }\r\n\r\n    for(DWORD dwIndex = 0; lResult == ERROR_SUCCESS; dwIndex++)\r\n    {\r\n        dwBufferSize = sizeof(sAppKeyName);\r\n        if((lResult = RegEnumKeyExW(hUninstKey, dwIndex, sAppKeyName,\r\n            &dwBufferSize, NULL, NULL, NULL, NULL)) == ERROR_SUCCESS)\r\n        {\r\n            //printf(sSubKey, L\"%s\\\\%s\", sRoot, sAppKeyName);\r\n            if(RegOpenKeyExW(HKEY_LOCAL_MACHINE, sSubKey, 0, KEY_READ, &hAppKey) != ERROR_SUCCESS)\r\n            {\r\n                RegCloseKey(hAppKey);\r\n                RegCloseKey(hUninstKey);\r\n                return false;\r\n            }\r\n\r\n            dwBufferSize = sizeof(sDisplayName);\r\n            if(RegQueryValueExW(hAppKey, L\"DisplayName\", NULL,\r\n                &dwType, (unsigned char*)sDisplayName, &dwBufferSize) == ERROR_SUCCESS)\r\n            {\r\n                wprintf(L\"%s\\n\", sDisplayName);\r\n            }\r\n\r\n            RegCloseKey(hAppKey);\r\n        }\r\n    }\r\n\r\n    RegCloseKey(hUninstKey);\r\n\r\n    return true;\r\n}"
        }
    ],
    "detection_rules": [
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "UNPROTECT_Check_installed_software",
            "rule": "import \"pe\"\r\n\r\nrule check_installed_software {\r\n    meta:\r\n        description = \"Detect check installed software through registry\"\r\n        author = \"Thomas Roccia | @fr0gger_\"\r\n    strings:\r\n        $s1 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\" wide\r\n\r\n    condition:\r\n       uint16(0) == 0x5A4D and $s1 or\r\n       pe.imports(\"Advapi32.dll\", \"RegQueryValueEx\")\r\n}"
        }
    ]
}