反微步动态沙箱 - 桌面壁纸路径

特让他也让

玛卡巴卡，阿卡哇卡，米卡玛卡，呣

统计加载中...

公告

Welcome to my blog!

Learn More

634 字

3 分钟

反微步动态沙箱 - 桌面壁纸路径

2025-10-17

网络安全

Windows

/

反沙箱

/

Rust

统计加载中...

对比壁纸 Hash 值 (失败)#

最开始是想要通过对比壁纸 Hash 值来绕过微步沙箱的。主要用的是 SystemParametersInfoW 这个 API。

那么我们怎么显示数据呢？

网络请求
弹窗，看截图
保存本地文件为 <md5值>.txt

这里使用的是本地文件保存和弹窗，具体的代码如下

1
#![windows_subsystem = "windows"]
2
use std::fs;
3
use windows::core::PCWSTR;
4
use windows::Win32::UI::WindowsAndMessaging::{MessageBoxW, SPI_GETDESKWALLPAPER};
5
use windows::Win32::UI::WindowsAndMessaging::{
6
    SystemParametersInfoW, MESSAGEBOX_STYLE, SYSTEM_PARAMETERS_INFO_UPDATE_FLAGS,
7
};
8
const MAX_PATH: usize = 260;
9

10
fn get_wallpaper_path(length: u32, buffer: &mut Vec<u16>) -> String {
11
    println!("Getting wallpaper…");
12
    let get_utf16 = unsafe {
13
        SystemParametersInfoW(
14
            SPI_GETDESKWALLPAPER,
15
            length,
16
            Some(buffer.as_mut_ptr().cast()),
17
            SYSTEM_PARAMETERS_INFO_UPDATE_FLAGS(0),
18
        )
19
    };
20

21
    let wallpaper_path: String = match get_utf16 {
22
        Ok(T) => {
23
            let buffer = String::from_utf16_lossy(&buffer);
24
            buffer.replace("\0", "")
25
        }
26
        Err(E) => E.to_string(),
27
    };
28

29
    println!("Wallpaper: {}", wallpaper_path);
30
    wallpaper_path
31
}
32

33
fn create_wide_string(s: &str) -> Vec<u16> {
34
    s.encode_utf16().chain(std::iter::once(0)).collect()
35
}
36

37
fn show_message_box(text: &str, caption: &str) {
38
    let text_wide = create_wide_string(text);
39
    let caption_wide = create_wide_string(caption);
40

41
    unsafe {
42
        MessageBoxW(
43
            None,
44
            PCWSTR::from_raw(text_wide.as_ptr()),
45
            PCWSTR::from_raw(caption_wide.as_ptr()),
46
            MESSAGEBOX_STYLE(0),
47
        );
48
    }
49
}
50

51
fn get_md5(path: &str) -> String {
52
    let bytes = fs::read(path).unwrap();
53
    let md5_digest = md5::compute(bytes);
54
    let md5_str = format!("{:x}", md5_digest);
55
    println!("Get MD5: {}", md5_str);
56
    md5_str.to_string()
57
}
58

59
fn save_file(md5: &str) {
60
    let name = format!("{}.txt", md5);
61
    fs::write(&name, md5.as_bytes()).unwrap();
62
    println!("Saving md5 to {}", name);
63
}
64

65
fn main() {
66
    let mut buffer: Vec<u16> = vec![0; MAX_PATH];
67
    let buffer_length = buffer.len() as u32;
68
    let result = get_wallpaper_path(buffer_length, &mut buffer);
69
    let caption = "Wallpaper_Path";
70
    let path_md5 = get_md5(&result);
71
    save_file(path_md5.as_str());
72
    show_message_box(path_md5.as_str(), caption);
73
}

本地效果如下

上传到微步，效果如下

可以看到，“系统找不到指定的文件”，怀疑可能是 hook 住了 SystemParametersInfoW，不过我们也得到了它显示的路径：C:\Users\Administrator\Pictures\Saved Pictures\Desktop.jpg

直接检测路径 (可用)#

可以看到，这个路径不是默认的桌面壁纸路径，所以我们可以直接检测壁纸的路径，如果 SystemParametersInfoW 返回的路径为 C:\Users\Administrator\Pictures\Saved Pictures\Desktop.jpg，那么说明就进了微步沙箱。

如果不是这个路径，我们直接返回 panic!，或者弹一个窗口。

1
#![windows_subsystem = "windows"]
2
use windows::Win32::UI::WindowsAndMessaging::SystemParametersInfoW;
3
use windows::Win32::UI::WindowsAndMessaging::{
4
    MESSAGEBOX_STYLE, MessageBoxW, SPI_GETDESKWALLPAPER, SYSTEM_PARAMETERS_INFO_UPDATE_FLAGS,
5
};
6
use windows::core::PCWSTR;
7

8
fn get_wallpaper_path() -> String {
9
    let mut buffer: Vec<u16> = vec![0; 260];
10
    let result = unsafe {
11
        SystemParametersInfoW(
12
            SPI_GETDESKWALLPAPER,
13
            buffer.len() as u32,
14
            Some(buffer.as_mut_ptr().cast()),
15
            SYSTEM_PARAMETERS_INFO_UPDATE_FLAGS(0),
16
        )
17
    };
18

19
    let wallpaper_path: String = match result {
20
        Ok(()) => {
21
            let wallpaper_path = String::from_utf16(&buffer).unwrap();
22
            wallpaper_path
23
        }
24
        Err(e) => {
25
            let result = e.to_string();
26
            result
27
        }
28
    };
29

30
    let wallpaper_path = wallpaper_path.replace("\0", "");
31

32
    println!("Wallpaper: {}", wallpaper_path);
33
    wallpaper_path
34
}
35

36
fn compare_path(path: String) -> bool {
37
    if path == r"C:\Users\Administrator\Pictures\Saved Pictures\Desktop.jpg" {
38
        true
39
    } else {
40
        false
41
    }
42
}
43

44
struct MessageBox {
45
    title: String,
46
    message: String,
47
}
48

49
impl MessageBox {
50
    fn get_wide_string(str: &str) -> Vec<u16> {
51
        str.encode_utf16().chain(std::iter::once(0)).collect()
52
    }
53

54
    fn make_box(self) {
55
        let wide_title = Self::get_wide_string(self.title.as_str());
56
        let wide_message = Self::get_wide_string(self.message.as_str());
57

58
        let title = PCWSTR::from_raw(wide_title.as_ptr());
59
        let message = PCWSTR::from_raw(wide_message.as_ptr());
60

61
        unsafe { MessageBoxW(None, message, title, MESSAGEBOX_STYLE(0)) };
62
    }
63
}
64

65
fn make_request(url: &str) -> String {
66
    let res = reqwest::blocking::get(url).unwrap();
67
    let status = res.status();
68
    status.to_string()
69
}
70

71
fn main() {
72
    if compare_path(get_wallpaper_path()) {
73
        panic!()
74
    } else {
75
        let url = Box::new("https://x.threatbook.com/");
76

77
        let message_box = MessageBox {
78
            title: String::from("Success!"),
79
            message: make_request(url.as_ref()),
80
        };
81

82
        message_box.make_box();
83
    }
84
}