{"id":13539529,"url":"https://github.com/arvanaghi/checkplease","last_synced_at":"2025-10-10T09:01:46.009Z","repository":{"id":37451265,"uuid":"84882112","full_name":"Arvanaghi/CheckPlease","owner":"Arvanaghi","description":"Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust.","archived":false,"fork":false,"pushed_at":"2021-06-01T15:06:44.000Z","size":230,"stargazers_count":918,"open_issues_count":0,"forks_count":159,"subscribers_count":30,"default_branch":"master","last_synced_at":"2025-04-10T20:12:21.950Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://twitter.com/arvanaghi","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Arvanaghi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-03-13T22:51:30.000Z","updated_at":"2025-04-03T07:01:41.000Z","dependencies_parsed_at":"2022-07-09T09:30:22.241Z","dependency_job_id":null,"html_url":"https://github.com/Arvanaghi/CheckPlease","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Arvanaghi%2FCheckPlease","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Arvanaghi%2FCheckPlease/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Arvanaghi%2FCheckPlease/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Arvanaghi%2FCheckPlease/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Arvanaghi","download_url":"https://codeload.github.com/Arvanaghi/CheckPlease/tar.gz/refs/heads/mas
ter","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248618218,"owners_count":21134199,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:27.275Z","updated_at":"2025-10-10T09:01:46.001Z","avatar_url":"https://github.com/Arvanaghi.png","language":"Go","readme":"# CheckPlease\n**Implant-Security Modules in PowerShell, Python, Go, Ruby, Perl, C, C#, VBS, and Rust.**\n\nWritten by Brandon Arvanaghi ([@arvanaghi](https://twitter.com/arvanaghi)) and Chris Truncer ([@christruncer](https://twitter.com/christruncer))\n\n[Slides](https://www.slideshare.net/BrandonArvanaghi/checkplease-payloadagnostic-implant-security) from BSides Las Vegas 2017.\n\nCheckPlease is the go-to repository for the newest implant security modules. Every module functions as a standalone \"check.\" All checks can be run with command-line arguments, like so:\n\n```\n\u003cmodule\u003e \u003coptional arguments\u003e\n```\n\nThis repository is for defenders to harden their sandboxes and AV tools, malware researchers to discover new techniques, and red teamers to get serious about their payloads. 
\n\nFor an explanation of every check in this repository, see the [CheckPlease wiki](https://github.com/Arvanaghi/CheckPlease/wiki).\n\n## Examples \n\n**PowerShell**: Ensure user activity by making the user click a pop-up prompt before executing your payload:\n```\n.\\user_prompt.ps1 \"Security Update\" \"Your system has been updated successfully.\"\n```\n\u003cimg src=\"https://arvanaghi.com/hostedimages/userprompt.gif\" width=\"450\"\u003e\n\n**PowerShell**: Confirm that the parent process of your payload was WinWord.exe:\n\n```\nPS arvanaghi: .\\parent_process.ps1 WinWord\n```\n\u003cimg src=\"https://arvanaghi.com/hostedimages/parentprocess_ps.png\" width=\"450\"\u003e\n\n**Python**: Make the user click 6 times before executing your payload to ensure it is not being run in an automated environment:\n\n```\narvanaghi: python click_tracker.py 6\n```\n\n**Go**: Ensure the Registry on the target system is at least 60 MB in size:\n\n```\narvanaghi: go run registry_size.go 60 \n```\n\n**Ruby**: Only execute the payload if running as a specific user:\n\n```\narvanaghi: ruby username.rb \"Chris Truncer\"\n```\n\u003cimg src=\"https://arvanaghi.com/hostedimages/usernamerb.png\" width=\"450\"\u003e\n\n**Perl**: Make your payload execute on a certain date.\n\n```\narvanaghi: perl date_trigger.pl 09/20/2017\n```\n\nYou know how to run **C** and **C#** code.\n\n## Adding to your code\n\nTake the checks in the repository and add them to your own custom code. Add the checks you want into nested `if` statements. You can, and should, chain more than one together. If the system passes all your checks, your payload will execute. 
\n\n**Example:** ensuring the username is as expected, and the time zone is not UTC:\n\n```\nimport getpass\nimport sys\nimport time\n\nexpectedUserName = \" \".join(sys.argv[1:]).lower()\n\nif getpass.getuser().lower() == expectedUserName:\n  if time.tzname[0] != \"Coordinated Universal Time\" and time.tzname[1] != \"Coordinated Universal Time\":\n    # Your code goes here. If it passed all checks, it will run!\n    pass\n```\n\n## Why every language?\n\nPayloads are more commonly being delivered in languages that are not C. By implementing the checks in every language, we give sandbox and antivirus vendors a broader scope from which to detect. In your red teams, any payload you deliver can now be more targeted. \n\n## Contribute\n\nWe encourage contributions to this repository. To make it truly comprehensive, we want the newest techniques added to this repository as soon as possible. If you submit a merge request, I will get it tested within a week.  \n","funding_links":[],"categories":["\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"5dd93fbc2f2ebc8d98672b2d95782af3\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"b1161d6c4cb520d0cd574347cd18342e\"\u003e\u003c/a\u003e免杀\u0026\u0026躲避AV检测"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farvanaghi%2Fcheckplease","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farvanaghi%2Fcheckplease","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farvanaghi%2Fcheckplease/lists"}