Installed software

By enumerating which software is installed, malware can recognise a sandbox or analysis environment (e.g. Python, tracers, debugging tools, VMware Tools…) and change its behaviour accordingly.

Code Snippets

Unprotect

Description

This code snippet enumerates the subkeys of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (the registry view of installed software) and prints each entry's DisplayName value.

#include <iostream>
#include <windows.h>

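// Enumerates HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and prints
// the DisplayName of every entry to stdout, one per line.
//
// Returns false only when the Uninstall key itself cannot be opened. Entries
// whose subkey cannot be opened (e.g. access denied) or that carry no readable
// string DisplayName are skipped rather than aborting the whole enumeration.
//
// NOTE(review): this reads HKLM only and is subject to WOW64 registry
// redirection (a 32-bit process sees the WOW6432Node view); per-user installs
// under HKCU are not covered. Confirm that matches what callers expect.
bool EnumInstalledSoftware(void)
{
    HKEY hUninstKey = NULL;
    const WCHAR *sRoot = L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall";

    if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, sRoot, 0, KEY_READ, &hUninstKey) != ERROR_SUCCESS)
    {
        return false;
    }

    LONG lResult = ERROR_SUCCESS;
    for (DWORD dwIndex = 0; lResult == ERROR_SUCCESS; dwIndex++)
    {
        WCHAR sAppKeyName[1024];
        // RegEnumKeyExW takes the buffer size in CHARACTERS, not bytes;
        // sizeof() would overstate the capacity by a factor of two.
        DWORD cchName = ARRAYSIZE(sAppKeyName);
        lResult = RegEnumKeyExW(hUninstKey, dwIndex, sAppKeyName, &cchName,
                                NULL, NULL, NULL, NULL);
        if (lResult != ERROR_SUCCESS)
        {
            // ERROR_NO_MORE_ITEMS ends the enumeration; any other error ends it too.
            break;
        }

        // Open the per-application subkey relative to the parent handle. This
        // avoids building the full path in a scratch buffer (the original
        // snippet left that buffer uninitialised because the printf was
        // commented out). A subkey we cannot open is skipped, not fatal.
        HKEY hAppKey = NULL;
        if (RegOpenKeyExW(hUninstKey, sAppKeyName, 0, KEY_READ, &hAppKey) != ERROR_SUCCESS)
        {
            continue;
        }

        WCHAR sDisplayName[1024];
        DWORD dwType = 0;
        // RegQueryValueExW takes and returns the data size in BYTES. Keep one
        // WCHAR spare so a value stored without a terminating NUL can be
        // terminated safely below.
        DWORD cbData = sizeof(sDisplayName) - sizeof(WCHAR);
        if (RegQueryValueExW(hAppKey, L"DisplayName", NULL, &dwType,
                             (LPBYTE)sDisplayName, &cbData) == ERROR_SUCCESS
            && (dwType == REG_SZ || dwType == REG_EXPAND_SZ))
        {
            // Registry string data is not guaranteed to be NUL-terminated.
            sDisplayName[cbData / sizeof(WCHAR)] = L'\0';
            // %ls is the portable wide-string conversion (plain %s in wprintf
            // means char* outside MSVC).
            wprintf(L"%ls\n", sDisplayName);
        }

        RegCloseKey(hAppKey);
    }

    RegCloseKey(hUninstKey);

    return true;
}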

YARA Rules

import "pe"

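rule check_installed_software {
    meta:
        description = "Detect check installed software through registry"
        author = "Thomas Roccia | @fr0gger_"
    strings:
        // The Uninstall key browsed by the snippet. Match both the ANSI and the
        // UTF-16 encodings; registry paths are case-insensitive.
        $s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" ascii wide nocase

    condition:
        // 'and' binds tighter than 'or' in YARA, so the original condition
        // fired on any PE importing the second clause. That clause was also
        // dead: "RegQueryValueEx" is a header macro, the real advapi32 exports
        // are RegQueryValueExA/W. Require the MZ header, the path string AND
        // a registry-query import. Samples that resolve the API dynamically
        // (GetProcAddress) will not satisfy the import check; legitimate
        // installers/uninstallers that reference this key still may.
        uint16(0) == 0x5A4D and $s1 and
        (pe.imports("advapi32.dll", "RegQueryValueExW") or
         pe.imports("advapi32.dll", "RegQueryValueExA"))
}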

Additional Resources
