While thinking about anti-VM and anti-sandbox tricks I had the idea of implementing a simple check for a valid windows license. The goal is basically check if we are running on a legit Windows operating system and if not, abort the execution.
Use case for this? Well, evade automated analysis systems that use unlicensed images of Windows.
Google-fu pointed me to this api: SLIsGenuineLocal().
So it takes three arguments… The first argument is a pointer to an SLID structure that specifies the application to check.
The second argument is a pointer to an SL_GENUINE_STATE enum that specifies the state of the installation.
The third argument is used to show a dialog box so I’ll leave it NULL.
The Proof-of-Concept program is really simple as it only checks if the current status is SL_GEN_STATE_IS_GENUINE and opens a message box with a message.