Detect 5 different sandboxes
I used the same methods as in my other post for Anubis and Sandboxie; I just added more detections for other similar sandboxes. One method uses the registry to retrieve the product ID and checks for Anubis, CWSandbox and JoeBox. The other checks the loaded modules for files loaded with Sandboxie and ThreatExpert. The detection used for ThreatExpert should also detect some basic debuggers. It may be kind of sloppy because while finishing it up I was baked outta my mind.
' Detect 5 Different Sandboxes
' Coded by stoopid
'
' Detects:
'  -> Sandboxie    : http://www.sandboxie.com/
'  -> ThreatExpert : http://www.threatexpert.com/
'  -> Anubis       : http://anubis.iseclab.org/
'  -> CWSandbox    : http://www.cwsandbox.org/
'  -> JoeBox       : http://www.joebox.org/

' Win32 MODULEENTRY32 (x86). modBaseAddr is a BYTE* pointer, so it must be a
' 32-bit Long; the original declared it As Byte, which shifts every field after it.
Private Type MODULEENTRY32
    dwSize As Long
    th32ModuleID As Long
    th32ProcessID As Long
    GlblcntUsage As Long
    ProccntUsage As Long
    modBaseAddr As Long
    modBaseSize As Long
    hModule As Long
    szModule As String * 256
    szExePath As String * 1024
End Type

Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As MODULEENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function RegOpenKeyEx Lib "advapi32" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, ByRef phkResult As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, ByRef lpType As Long, ByVal lpData As String, ByRef lpcbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32" (ByVal hKey As Long) As Long

Const HKEY_LOCAL_MACHINE = &H80000002
Const REG_SZ = 1&
' Querying ProductId only needs read access. The original used &H3F (a write mask),
' which makes RegOpenKeyEx fail on HKLM for non-administrator users.
Const KEY_READ = &H20019
Const TH32CS_SNAPMODULE = &H8
Const INVALID_HANDLE_VALUE = -1

Public Function IsInSandbox() As Boolean
    Dim hKey As Long, hOpen As Long, hQuery As Long, hSnapShot As Long
    Dim me32 As MODULEENTRY32
    Dim szBuffer As String * 128

    ' Check 1: walk the modules loaded into our own process and look for
    ' the DLLs that Sandboxie and ThreatExpert inject.
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId)
    If hSnapShot <> INVALID_HANDLE_VALUE Then
        me32.dwSize = Len(me32)
        Module32First hSnapShot, me32          ' first entry is the EXE itself
        Do While Module32Next(hSnapShot, me32) <> 0
            If InStr(1, LCase(me32.szModule), "sbiedll.dll") > 0 Then        ' Sandboxie
                IsInSandbox = True
            ElseIf InStr(1, LCase(me32.szModule), "dbghelp.dll") > 0 Then    ' ThreatExpert
                IsInSandbox = True
            End If
        Loop
        CloseHandle hSnapShot
    End If

    ' Check 2: compare the Windows ProductId with the values known for the
    ' public Anubis, CWSandbox and JoeBox images.
    If IsInSandbox = False Then
        hOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion", 0, KEY_READ, hKey)
        If hOpen = 0 Then
            hQuery = RegQueryValueEx(hKey, "ProductId", 0, REG_SZ, szBuffer, 128)
            If hQuery = 0 Then
                If InStr(1, szBuffer, "76487-337-8429955-22614") > 0 Then        ' Anubis
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "76487-644-3177037-23510") > 0 Then    ' CWSandbox
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "55274-640-2673064-23950") > 0 Then    ' JoeBox
                    IsInSandbox = True
                End If
            End If
            RegCloseKey hKey       ' only close a key that was actually opened
        End If
    End If
End Function

Sub Main()
    If IsInSandbox = True Then
        MsgBox "Is in Sandbox"
    Else
        MsgBox "Not in Sandbox"
    End If
End Sub
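From the analyst's side, the same five indicators are exactly what a triage script can look for in a suspicious binary before it is ever run. The following Python is an added example, not part of the original post: it scans a byte blob for the DLL names and ProductId strings the VB6 code above uses, in both ASCII and UTF-16LE form (compiled VB6 stores string literals as UTF-16LE, so an ASCII-only string search misses them), and turns the hits into a verdict. The sample bytes are constructed here for the demonstration; the function names are this example's own.

```python
import re

# Indicators taken from the posted VB6 code: DLL names it looks for in its own
# process, and the Windows ProductId values it compares against.
SANDBOX_DLLS = {
    b"sbiedll.dll": "Sandboxie",
    b"dbghelp.dll": "ThreatExpert",
}
SANDBOX_PRODUCT_IDS = {
    b"76487-337-8429955-22614": "Anubis",
    b"76487-644-3177037-23510": "CWSandbox",
    b"55274-640-2673064-23950": "JoeBox",
}


def _encodings(needle: bytes):
    """Yield the ASCII and UTF-16LE forms of an indicator string."""
    yield needle
    yield needle.decode("ascii").encode("utf-16-le")


def scan_for_sandbox_checks(data: bytes) -> dict:
    """Return {indicator: sandbox_name} for every indicator present in data.

    DLL names are matched case-insensitively, mirroring the LCase() the VB6
    code applies to the module name; ProductId values are matched exactly.
    """
    hits = {}
    for needle, name in SANDBOX_DLLS.items():
        for enc in _encodings(needle):
            if re.search(re.escape(enc), data, re.IGNORECASE):
                hits["dll:" + needle.decode()] = name
                break
    for needle, name in SANDBOX_PRODUCT_IDS.items():
        for enc in _encodings(needle):
            if enc in data:
                hits["productid:" + needle.decode()] = name
                break
    return hits


def assess(hits: dict) -> str:
    """Turn raw hits into a triage verdict.

    dbghelp.dll alone is weak evidence: it is a stock Windows DLL that
    debuggers and crash reporters load, and the post itself notes that this
    check also fires on basic debuggers.
    """
    strong = [k for k in hits if k.startswith("productid:") or k == "dll:sbiedll.dll"]
    if strong:
        return "anti-sandbox indicators present"
    if hits:
        return "weak indicator only (dbghelp.dll); review manually"
    return "no known sandbox-detection indicators"


# Constructed sample standing in for a compiled VB6 binary: a DLL name with
# mixed case and one ProductId literal, both stored as UTF-16LE, plus filler.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "SbieDll.dll".encode("utf-16-le")
    + b"\x00" * 8
    + "76487-337-8429955-22614".encode("utf-16-le")
    + b"\x00" * 8
    + b"Not in Sandbox\x00"
)

if __name__ == "__main__":
    found = scan_for_sandbox_checks(SAMPLE)
    for indicator, name in sorted(found.items()):
        print(f"{indicator:40s} -> {name}")
    print(assess(found))
```

Run against the constructed sample it reports the Sandboxie DLL and the Anubis ProductId and returns the strong verdict; a blob containing only dbghelp.dll gets the weak verdict so an analyst is not misled by a DLL that legitimate software loads too.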