# Time accelerated checks

## Overview

> "Time accelerated checks" refer to a technique used in sandbox evasion where the malware program detects if it is being executed in a virtual environment, such as an antivirus sandbox, by analyzing the time interval between certain system events.
>
> In a typical sandbox environment, the execution of the malware program is isolated from the host system, which means that some system events may take longer to occur than they would on a real system. By analyzing the time interval between specific events, the malware can detect if it is running in a sandbox and evade detection.
>
> For example, a malware program may use a timer to measure the time interval between two specific system events, such as the creation of a file and its subsequent modification. If the time interval is shorter than a certain threshold, the malware assumes that it is running in a sandbox environment and terminates its malicious behavior to avoid detection.

## Code example

```csharp
using System;
using System.Runtime.InteropServices;

class Program
{
    // Returns the current system time as a 64-bit FILETIME value (100 ns ticks since 1601).
    [DllImport("ntdll.dll", SetLastError = true)]
    public static extern uint NtQuerySystemTime(out long SystemTime);

    [DllImport("kernel32.dll")]
    static extern void Sleep(uint dwMilliseconds);

    static void Main(string[] args)
    {
        long systemTimeThen = 0;
        long systemTimeNow = 0;
        NtQuerySystemTime(out systemTimeThen);
        Sleep(2000);
        NtQuerySystemTime(out systemTimeNow);
        // A 2-second sleep that measures under 1.5 seconds means the delay was fast-forwarded.
        TimeSpan difference = DateTime.FromFileTime(systemTimeNow) - DateTime.FromFileTime(systemTimeThen);
        if (difference.TotalSeconds < 1.5)
        {
            Console.WriteLine("Abandon ship !!");
            return;
        }
    }
}
```
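
From the analysis side, the check above shows up in a sandbox API trace as a clock read, a long delay, and a second clock read. The following detection sketch is an added example, not code from the original page: the `pid api [delay_ms]` trace format, the sample trace, and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Real Windows API names; the trace format itself is constructed for this example.
TIME_APIS = {"NtQuerySystemTime", "GetSystemTimeAsFileTime", "GetTickCount", "GetTickCount64"}
DELAY_APIS = {"Sleep", "SleepEx"}
EXIT_APIS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess"}

# Constructed sample trace: one "pid api [delay_ms]" record per line.
CONSTRUCTED_TRACE = """\
4120 NtQuerySystemTime
4120 Sleep 2000
4120 NtQuerySystemTime
4120 WriteConsoleW
4120 NtTerminateProcess
5200 GetTickCount
5200 CreateFileW
5200 Sleep 50
5200 GetTickCount
5200 Sleep 3000
5200 WriteFile
"""

def parse_trace(text):
    """Yield (pid, api, arg) tuples, skipping lines that do not match the format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        arg = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else None
        yield int(parts[0]), parts[1], arg

def find_timing_checks(events, min_delay_ms=1000, exit_window=3):
    """Per process, flag: clock read -> delay >= min_delay_ms -> clock read."""
    state = defaultdict(lambda: {"stage": 0, "delay": 0, "since": None})
    findings = {}
    for pid, api, arg in events:
        s = state[pid]
        if s["since"] is not None:          # calls seen since the completed check
            s["since"] += 1
            if api in EXIT_APIS and s["since"] <= exit_window:
                findings[pid]["exits_after_check"] = True
        if api in TIME_APIS:
            if s["stage"] == 2:             # second clock read closes the pattern
                findings[pid] = {"delay_ms": s["delay"], "exits_after_check": False}
                s["since"] = 0
            s["stage"] = 1                  # any clock read can start a new pattern
        elif api in DELAY_APIS and s["stage"] >= 1 and (arg or 0) >= min_delay_ms:
            s["stage"], s["delay"] = 2, arg
    return findings
```

`exits_after_check` marks processes that terminated within a few calls of the second clock read, which is the behaviour the page's sample shows when the measured interval is too short.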

