Introduction

While thinking about anti-VM and anti-sandbox tricks I had the idea of implementing a simple check for a valid windows license. The goal is basically check if we are running on a legit Windows operating system and if not, abort the execution.

Use case for this? Well, evade automated analysis systems that use unlicensed images of Windows.

Google-fu pointed me to this api: SLIsGenuineLocal().

The first argument is a pointer to an SLID structure that specifies the application to check, the second argument is a pointer to an SL_GENUINE_STATE enum that specifies the state of the installation, and the third can be NULL.

The proof-of-concept code is really simple as it only checks if the current status is SL_GEN_STATE_IS_GENUINE and opens a message box with a message.

Licensed Windows

Unlicensed Windows