program Project1;

uses
  Windows;

// Returns True when the process appears to run inside one of the sandboxes
// fingerprinted below (injected DLL names and the Windows ProductId value).
function IsInSandbox: Boolean;
var
  hOpen: HKEY;
  sBuff: array[0..256] of Char;
  BuffSize: DWORD;
  hMod: THandle;
begin
  Result := False;
  hMod := GetModuleHandle('SbieDll.dll'); // Sandboxie injects this DLL into sandboxed processes
  if hMod <> 0 then Result := True;
  hMod := GetModuleHandle('dbghelp.dll'); // ThreatExpert
  if hMod <> 0 then Result := True;
  // Compare the machine's ProductId against values published for known analysis sandboxes
  if RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar('Software\Microsoft\Windows\CurrentVersion'), 0, KEY_QUERY_VALUE, hOpen) = ERROR_SUCCESS then
  begin
    FillChar(sBuff, SizeOf(sBuff), 0);
    BuffSize := SizeOf(sBuff);
    if RegQueryValueEx(hOpen, PChar('ProductId'), nil, nil, @sBuff, @BuffSize) = ERROR_SUCCESS then
    begin
      if sBuff = '55274-640-2673064-23950' then // Joe Box
        Result := True
      else if sBuff = '76487-644-3177037-23510' then // CW Sandbox
        Result := True
      else if sBuff = '76487-337-8429955-22614' then // Anubis
        Result := True;
      // No else branch: a hit from the module checks above must not be reset to False
    end;
    RegCloseKey(hOpen);
  end;
end;

begin
  if IsInSandbox then
    MessageBox(0, PChar('Inside Sandbox'), nil, 0)
  else
    MessageBox(0, PChar('NOT Inside Sandbox'), nil, 0);
end.
----------------------------------
https://reverseengineering.stackexchange.com/questions/1686/how-to-detect-a-virtualized-environment
https://www.cyberbit.com/blog/endpoint-security/anti-vm-and-anti-sandbox-explained/
"Use GetForegroundWindow API to check for the user activity of changing windows at least three times before it executes further. If it does not see the change of windows, it puts itself into an infinite sleep," said the researchers.
To confirm user activity, a second variant of the packer checks for mouse cursor movement using GetCursorPos and Sleep APIs, while a third variant checks for system idle state using GetLastInputInfo and GetTickCount APIs.
----------------------------------
https://reverseengineering.stackexchange.com/questions/1686/how-to-detect-a-virtualized-environment
Here are some tricks for detecting VMs:
VirtualBox
- http://pastebin.com/RU6A2UuB (9 different methods, registry, dropped VBOX dlls, pipe names etc)
- http://pastebin.com/xhFABpPL (Machine provider name)
- http://pastebin.com/v8LnMiZs (Innotek trick)
- http://pastebin.com/fPY4MiYq (Bios Brand and Bios Version)
- http://pastebin.com/Geggzp4G (Bios Brand and Bios Version)
- http://pastebin.com/T0s5gVGW (Parsing SMBiosData searching for newly-introduced or bizarre type)
- http://pastebin.com/AjHWApes (Cadmus Mac Address Trick)
- http://pastebin.com/wh4NAP26 (VBoxSharedFolderFS Trick)
- http://pastebin.com/Nsv5B1yk (Resume Flag Trick)
VirtualPc
- http://pastebin.com/exAK5XQx (Reset Trick)
- http://pastebin.com/HVActZMC (CPUID Trick)
Hypervisor detection
https://www.cyberbit.com/blog/endpoint-security/anti-vm-and-anti-sandbox-explained/
5. Checking for Existence of Files Indicating a VM
When these files are found to exist in the file system, this may indicate the existence of virtualization software. They can be checked in multiple ways, e.g. WMIC, Win API and CMD.
- VMware
C:\windows\System32\Drivers\Vmmouse.sys
C:\windows\System32\Drivers\vm3dgl.dll
C:\windows\System32\Drivers\vmdum.dll
C:\windows\System32\Drivers\vm3dver.dll
C:\windows\System32\Drivers\vmtray.dll
C:\windows\System32\Drivers\VMToolsHook.dll
C:\windows\System32\Drivers\vmmousever.dll
C:\windows\System32\Drivers\vmhgfs.dll
C:\windows\System32\Drivers\vmGuestLib.dll
C:\windows\System32\Drivers\VmGuestLibJava.dll
- VirtualBox
C:\windows\System32\Drivers\VBoxMouse.sys
C:\windows\System32\Drivers\VBoxGuest.sys
C:\windows\System32\Drivers\VBoxSF.sys
C:\windows\System32\Drivers\VBoxVideo.sys
C:\windows\System32\vboxdisp.dll
C:\windows\System32\vboxhook.dll
C:\windows\System32\vboxmrxnp.dll
C:\windows\System32\vboxogl.dll
C:\windows\System32\vboxoglarrayspu.dll
C:\windows\System32\vboxoglcrutil.dll
C:\windows\System32\vboxoglerrorspu.dll
C:\windows\System32\vboxoglfeedbackspu.dll
C:\windows\System32\vboxoglpackspu.dll
C:\windows\System32\vboxoglpassthroughspu.dll
C:\windows\System32\vboxservice.exe
C:\windows\System32\vboxtray.exe
C:\windows\System32\VBoxControl.exe
6. Checking for Running Services
Identifying whether one of the following processes is running indicates a virtual environment.
These can also be retrieved in multiple ways: WMIC, Win API and CMD
(wmic -> Service list, sc.exe /query)
- VMTools
- Vmhgfs
- VMMEMCTL
- Vmmouse
- Vmrawdsk
- Vmusbmouse
- Vmvss
- Vmscsi
- Vmxnet
- vmx_svga
- Vmware Tools
- Vmware Physical Disk Helper Service
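Putting the checks collected on this page to defensive use, as an added example that is not code from the original post or from the sources it quotes: a PowerShell script an analyst runs inside the analysis VM to report which of the listed fingerprints a sample would see (the ProductId values from the Delphi program, a subset of the section 5 driver files, the section 6 service names, and the GetLastInputInfo/GetTickCount idle check from the packer quoted above). The file subset and the 60-second idle threshold are assumptions.

```powershell
# Added example (not from the original post): report which of the page's
# VM/sandbox fingerprints are visible inside this analysis VM.
# Run in the guest; assumed subset of the listed files and a 60 s idle threshold.
$knownSandboxIds = @{           # ProductId values from the Delphi program above
    '55274-640-2673064-23950' = 'Joe Box'
    '76487-644-3177037-23510' = 'CW Sandbox'
    '76487-337-8429955-22614' = 'Anubis'
}
$vmFiles = @(                   # section 5 (subset of the listed paths)
    "$env:SystemRoot\System32\Drivers\Vmmouse.sys",
    "$env:SystemRoot\System32\Drivers\vmhgfs.dll",
    "$env:SystemRoot\System32\Drivers\VBoxMouse.sys",
    "$env:SystemRoot\System32\Drivers\VBoxGuest.sys",
    "$env:SystemRoot\System32\vboxservice.exe",
    "$env:SystemRoot\System32\vboxtray.exe"
)
$vmServices = @('VMTools','Vmhgfs','VMMEMCTL','Vmmouse','Vmrawdsk',   # section 6
                'Vmusbmouse','Vmvss','Vmscsi','Vmxnet','vmx_svga')
$findings = @()
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' -Name ProductId -ErrorAction SilentlyContinue
$productId = $cv.ProductId
if ($productId -and $knownSandboxIds.ContainsKey($productId)) {
    $findings += "ProductId $productId is the published $($knownSandboxIds[$productId]) value"
}
foreach ($f in $vmFiles)    { if (Test-Path $f) { $findings += "file present: $f" } }
foreach ($s in $vmServices) {
    if (Get-Service -Name $s -ErrorAction SilentlyContinue) { $findings += "service present: $s" }
}
# Idle check: the same GetLastInputInfo/GetTickCount pair the quoted packer variant uses
Add-Type @"
using System; using System.Runtime.InteropServices;
public static class LastInput {
  [StructLayout(LayoutKind.Sequential)] public struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
  [DllImport("user32.dll")] public static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
  [DllImport("kernel32.dll")] public static extern uint GetTickCount();
}
"@
$lii = New-Object LastInput+LASTINPUTINFO
$lii.cbSize = [System.Runtime.InteropServices.Marshal]::SizeOf($lii)
if ([LastInput]::GetLastInputInfo([ref]$lii)) {
    $idleSec = [math]::Round(([LastInput]::GetTickCount() - $lii.dwTime) / 1000)
    if ($idleSec -gt 60) { $findings += "no user input for $idleSec s; a sample would see an idle desktop" }
}
if ($findings) { $findings | ForEach-Object { "[!] $_" } } else { 'None of the listed fingerprints found' }
```

Each "[!]" line is an artifact to rename, hide or emulate (for the idle check, by scripting input) before the VM is used for detonation.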
Conclusion
Malware authors eventually find virtual machine and sandbox evasion techniques that will work.
Organizations should:
- Be aware of the evasion tactics so they can harden their environments
- Use this knowledge to identify VM evasion tactics and improve malware detection
- Look for advanced security approaches that are harder to identify and evade. IDS systems, for example, often use sandboxes to run and test suspicious code; advanced endpoint protection, however, does not use sandboxes, which are easy to identify, so these evasion tactics are not feasible.
As further reading, we recommend this SANS white paper detailing sandbox evasion tactics.