A C# Project which Contains some Anti-Cracking, anti memory injection techniques, etc. (also feel free to open an issue for adding additional anti-debugging features, etc)
-
GetForegroundWindow (looks for bad active window names to check if it's a known debugger)
-
Debugger.IsAttached
-
Hide Threads From Debugger
-
IsDebuggerPresent
-
NtSetDebugFilterState
-
Page Guard Breakpoints Detection
-
NtQueryInformationProcess: ProcessDebugFlags, ProcessDebugPort, ProcessDebugObjectHandle
-
NtClose: Invalid Handle, Protected Handle
-
Parent Process Checking (Checks if parent are explorer.exe or cmd.exe)
-
Detection of Hardware Breakpoints
-
FindWindow (looks for bad window names)
-
GetTickCount
-
OutputDebugString
-
Crashing Non-Managed Debuggers with a Debugger Breakpoint
-
OllyDbg Format String Exploit
-
Patching DbgUiRemoteBreakin and DbgBreakPoint (Anti-Debugger Attaching)
-
Detecting Any.run
-
Detecting Triage
-
Detecting Qemu.
-
Detecting Parallels.
-
Detecting Sandboxie
-
Detecting Comodo Container
-
Detecting Qihoo360 Sandbox
-
Detecting Cuckoo Sandbox
-
Detecting VirtualBox and VMware
-
Detecting HyperV
-
Detecting Emulation
-
Checking For Blacklisted Usernames
-
Detecting KVM
-
Detecting Wine
-
Checking For Known Bad VM File Locations
-
Checking For Known Bad Process Names
-
Checking For Ports on the system (useful if the VM or the sandbox have no ports connected)
-
Making Sandboxie Crash Your Application (no longer works)
-
Checking for devices created by VMs or Sandboxes
-
Patching LoadLibraryA
-
Patching LoadLibraryW
-
Taking Advantage of Binary Image Signature Mitigation Policy to prevent injecting Non-Microsoft Binaries.
-
Checking if any injected libraries are present (simple dlls path whitelist check)
-
Detecting if Unsigned Drivers are Allowed to Load
-
Detecting if Test-Signed Drivers are Allowed to Load
-
Detecting if Kernel Debugging are Enabled on the System
-
Detecting if Secure Boot are Enabled on the System
-
Detecting if Virtualization-Based Security is Enabled.
-
Detecting if Memory Integrity Protection is Enabled.
-
Detecting if the current assembly has been invoked.
-
Detecting Most Anti Anti-Debugging Hooking Methods on Common Anti-Debugging Functions by checking for Bad Instructions on Functions Addresses and it detects user-mode anti anti-debuggers like scyllahide, and it can also detect some sandboxes which uses hooking to monitor application behaviour/activity (like Sandboxie/Sandboxie Plus, Hybrid Analysis, Cuckoo Sandbox, and a lot of other online malware analysis websites/applications).
-
Detecting CLR Functions Hooking (like harmony hooks).
This Project are created for educational purposes only, also this project are licensed under MIT License.