Option Explicit
' NTDLL imports. Every pointer and handle is declared As Long (32 bits wide),
' so these declarations are only usable from a 32-bit process.
' Analyst note: direct imports of native NTDLL routines are uncommon in ordinary
' VB6 applications, so their presence in a VB6 binary is worth noting during triage.
'
' RtlGetCurrentPeb: returns the address of the calling process's Process Environment Block (PEB).
Private Declare Function RtlGetCurrentPeb Lib "NTDLL" () As Long
' NtWriteVirtualMemory: copies NumberOfBytesToWrite bytes from pBuffer (source) to
' BaseAddress (destination) inside the process identified by ProcessHandle.
' In this module it is only called on the current process, as a raw memory copy (see GetMemLng).
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal ProcessHandle As Long, ByVal BaseAddress As Long, ByVal pBuffer As Long, ByVal NumberOfBytesToWrite As Long, ByRef NumberOfBytesWritten As Long) As Long
'---------------------------------------------------------------------------------------
' Procedure : ImSandBoxed
' Author : Karcrack
' Date : 23/09/2009
' Purpose : Detect whether the process is running inside a sandbox (Anubis or Sandboxie)
' Credits : Cobein, He made the 1st version...
'---------------------------------------------------------------------------------------
'
' Returns True when RTL_USER_PROCESS_PARAMETERS.WindowFlags of the current process
' is 1 or lower; the author associates 0 with Anubis and 1 with Sandboxie.
' Both offsets below are for the 32-bit structure layouts only.
' Analyst note: this is a single-field heuristic. Any process started with that
' field at 0 or 1 also returns True, and because Long is signed a value with the
' high bit set does too. A read that fails and leaves 0 behind gives the same result.
' WindowFlags presumably mirrors the start-up flags supplied by the parent process
' (confirm against the loader), so an analysis environment that launches samples
' with a non-trivial flags value would not match this check.
Public Function ImSandBoxed() As Boolean
    Const PEB_PROCESS_PARAMETERS As Long = &H10 'same value as &H4 * 4
    Const UPP_WINDOW_FLAGS As Long = &H68       'same value as &H4 * 26
    Dim pParams As Long 'address of RTL_USER_PROCESS_PARAMETERS
    Dim lFlags As Long  'RTL_USER_PROCESS_PARAMETERS.WindowFlags

    'Follow PEB -> ProcessParameters, then read the WindowFlags field.
    pParams = GetMemLng(RtlGetCurrentPeb() + PEB_PROCESS_PARAMETERS)
    lFlags = GetMemLng(pParams + UPP_WINDOW_FLAGS)

    If lFlags <= 1 Then
        ImSandBoxed = True  'WindowFlags: 0 Anubis, 1 Sandboxie
    Else
        ImSandBoxed = False
    End If
End Function
' Reads the 4-byte value stored at lAddr in the current process and returns it.
' NtWriteVirtualMemory is used here as a plain in-process memory copy:
'   -1                 process handle argument (the current-process pseudo-handle)
'   VarPtr(GetMemLng)  destination: the function's own return variable
'   lAddr              source address to read from
'   &H4                number of bytes copied
' The status code returned by the call is discarded, so a failed copy is not
' reported; the return variable then keeps its initial value of 0.
' lAddr is not validated before the call.
Private Function GetMemLng(ByVal lAddr As Long) As Long
Call NtWriteVirtualMemory(-1, VarPtr(GetMemLng), lAddr, &H4, ByVal 0&) 'ByVal 0& passes a null pointer for NumberOfBytesWritten
End Function