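/*
 * Sandbox-detection proof of concept: reports whether CWSandbox's in-process
 * monitoring module is loaded in the current process.
 *
 * NOTE(review): the six #include lines had their file names stripped in the
 * copy this was reviewed from; the headers below are reconstructed from the
 * identifiers the code uses (Win32 API, PSAPI, StringCch*, _T/_tcsstr,
 * printf) and must be checked against the original source.
 */
#include "stdafx.h"
#include <windows.h>
#include <psapi.h>
#include <strsafe.h>
#include <tchar.h>
#include <stdio.h>
#include <string.h>

/* Signature of kernel32!GetProcAddress, resolved from a private copy of the DLL. */
typedef FARPROC (CALLBACK *GETPROC)(HMODULE, LPCSTR);
/* Signature of psapi!EnumProcessModules, resolved through the GETPROC above. */
typedef BOOL (CALLBACK *ENUMPM)(HANDLE, HMODULE *, DWORD, LPDWORD);

/*
 * Load a private copy of a system DLL.
 *
 * Copies <system dir>\<module> to <cwd>\b0rked-<module> and loads that copy by
 * its full path, so the returned handle refers to the freshly mapped file and
 * not to the instance already loaded from the system directory. The copied
 * file is never removed: a "b0rked-*.dll" appearing in the working directory
 * is the on-disk artifact of this call, and a LoadLibrary of a system DLL from
 * a non-system path is its observable runtime behaviour.
 *
 * module: bare file name of a DLL that lives in the system directory.
 * Returns the module handle, or NULL when any step (directory lookup, path
 * formatting, copy, load) fails; GetLastError() describes the failure. The
 * original ignored every intermediate failure and passed garbage to LoadLibrary.
 */
HMODULE LoadDLL(LPCTSTR module)
{
    TCHAR sys[MAX_PATH], cwd[MAX_PATH], dll[MAX_PATH], src[MAX_PATH], dst[MAX_PATH];

    /* Both calls return 0 on failure and the required size when the buffer is too small. */
    UINT syslen = GetSystemDirectory(sys, MAX_PATH);
    if (syslen == 0 || syslen >= MAX_PATH) {
        return NULL;
    }
    DWORD cwdlen = GetCurrentDirectory(MAX_PATH, cwd);
    if (cwdlen == 0 || cwdlen >= MAX_PATH) {
        return NULL;
    }

    /* StringCchPrintf reports STRSAFE_E_INSUFFICIENT_BUFFER instead of silently
     * producing a truncated path; treat any failure as fatal for this load. */
    if (FAILED(StringCchPrintf(dll, MAX_PATH, TEXT("b0rked-%s"), module)) ||
        FAILED(StringCchPrintf(src, MAX_PATH, TEXT("%s\\%s"), sys, module)) ||
        FAILED(StringCchPrintf(dst, MAX_PATH, TEXT("%s\\%s"), cwd, dll))) {
        return NULL;
    }

    /* FALSE: overwrite an existing copy, as the original did. */
    if (!CopyFile(src, dst, FALSE)) {
        return NULL;
    }

    /* Load by full path. The original loaded the bare name "b0rked-<module>",
     * which goes through the DLL search order, where a same-named file in the
     * application directory is found before the current directory. */
    return LoadLibrary(dst);
}

/*
 * Entry point. Looks for CWSandbox's monitor among the modules loaded in this
 * process and prints the verdict on stdout.
 *
 * Returns 1 when the monitor module is found, 0 when it is not found or when
 * the module list could not be obtained (the "not detected" message is printed
 * in both of the latter cases, as in the original).
 */
int main(void)
{
    HMODULE mods[1024];
    TCHAR name[MAX_PATH];
    DWORD needed = 0;
    int detected = 0;

    /* EnumProcessModules is resolved through private copies of kernel32 and
     * psapi (see LoadDLL) rather than through the import table. The original
     * did not check these handles and would have dereferenced a NULL
     * _GetProcAddress on any load failure; each step is now guarded and a
     * failure falls through to the "not detected" verdict. */
    HMODULE kernel32 = LoadDLL(_T("kernel32.dll"));
    GETPROC _GetProcAddress = kernel32 ? (GETPROC) GetProcAddress(kernel32, "GetProcAddress") : NULL;
    HMODULE psapi = _GetProcAddress ? LoadDLL(_T("psapi.dll")) : NULL;
    ENUMPM _EnumProcessModules = psapi ? (ENUMPM) _GetProcAddress(psapi, "EnumProcessModules") : NULL;

    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, GetCurrentProcessId());

    if (h != NULL && _EnumProcessModules != NULL &&
        _EnumProcessModules(h, mods, sizeof(mods), &needed)) {
        /* `needed` is the byte count for ALL loaded modules and may exceed
         * sizeof(mods). The original iterated up to needed/sizeof(HMODULE) and
         * so read past mods[] when more than 1024 modules were loaded; clamp
         * the count to what the buffer actually received. */
        DWORD bytes = needed < (DWORD) sizeof(mods) ? needed : (DWORD) sizeof(mods);
        DWORD count = (DWORD) (bytes / sizeof(HMODULE));

        for (DWORD i = 0; i < count && !detected; ++i) {
            if (GetModuleFileNameEx(h, mods[i], name, sizeof(name) / sizeof(TCHAR)) == 0) {
                continue;
            }
            /* _tcsstr keeps the comparison consistent with the TCHAR buffer in
             * both character-set builds; the original called wcsstr directly.
             * The match is a case-sensitive substring test on the full path.
             * NOTE(review): the original comment named "CWSMonitor.dll" while
             * the literal is "CWMonitor.dll" -- confirm which name is intended. */
            if (_tcsstr(name, _T("CWMonitor.dll")) != NULL) {
                detected = 1;
            }
        }
    }

    /* The original returned from inside the loop without closing h. */
    if (h != NULL) {
        CloseHandle(h);
    }

    if (detected) {
        printf("CWSandbox detected!\n");
        return 1;
    }
    printf("CWSandbox not detected!\n");
    return 0;
}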