memory space check

README.md

@@ -83,6 +83,7 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 
 ### Human Interaction [Anti-Sandbox]
 - Mouse movement
+- Total Physical memory (GlobalMemoryStatusEx)
 - Mouse (Single click / Double click) (todo)
 - DialogBox (todo)
 - Scrolling (todo)

al-khaser/Al-khaser.cpp

@@ -52,6 +52,7 @@ int main(void)
 	exec_check(&disk_size_wmi, TEXT("Checking hard disk size using WMI: "));
 	exec_check(&setupdi_diskdrive, TEXT("Checking SetupDi_diskdrive: "));
 	exec_check(&mouse_movement, TEXT("Checking mouse movement: "));
+	exec_check(&memory_space, TEXT("Checking memory space using GlobalMemoryStatusEx: "));
 
 	///* VirtualBox Detection */
 	print_category(TEXT("VirtualBox Detection"));

al-khaser/Anti VM/Generic.cpp

@@ -340,4 +340,20 @@ BOOL mouse_movement() {
 
 	else 
 		return FALSE;
+}
+
+/*
+Check if the machine have enough memory space, usually VM get a small ammount,
+one reason if because several VMs are running on the same servers so they can run
+more tasks at the same time.
+*/
+BOOL memory_space()
+{
+	DWORDLONG ullMinRam = (1024LL * (1024LL * (1024LL * 1LL))); // 1GB
+	MEMORYSTATUSEX statex = {0};
+
+	statex.dwLength = sizeof(statex);
+	GlobalMemoryStatusEx(&statex);
+
+	return (statex.ullTotalPhys < ullMinRam) ? TRUE : FALSE;
 }

al-khaser/Anti VM/Generic.h

@@ -16,4 +16,5 @@ BOOL str_trick();
 BOOL number_cores_wmi();
 BOOL disk_size_wmi();
 BOOL setupdi_diskdrive();
-BOOL mouse_movement();
+BOOL mouse_movement();
+BOOL memory_space();