While thinking about anti-VM and anti-sandbox tricks I had the idea of implementing a simple check for a valid windows license. The goal is basically check if we are running on a legit Windows operating system and if not, abort the execution.
Use case for this? Well, evade automated analysis systems that use unlicensed images of Windows.
Google-fu pointed me to this api: SLIsGenuineLocal().
The first argument is a pointer to an SLID structure that specifies the application to check, the second argument is a pointer to an SL_GENUINE_STATE enum that specifies the state of the installation, and the third can be NULL.
The proof-of-concept code is really simple as it only checks if the current status is SL_GEN_STATE_IS_GENUINE and opens a message box with a message.