New feature + comments
Added any.run detection by detecting the machine GUID. Check here https://app.any.run/tasks/a143d613-4e75-4cde-991a-6e096348bfec
Added comments for almost every method.
LimerBoy authored Aug 8, 2024
1 parent 185be8e commit 03d9df1
Showing 9 changed files with 326 additions and 63 deletions.
9 changes: 1 addition & 8 deletions AntiCrack-DotNet/AntiCrack-DotNet.csproj
Expand Up @@ -54,17 +54,10 @@
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Management" />
<Reference Include="System.Security" />
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.ServiceProcess" />
<Reference Include="System.Windows.Forms" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.Data" />
<Reference Include="System.Net.Http" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="AntiDebug.cs" />
103 changes: 93 additions & 10 deletions AntiCrack-DotNet/AntiDebug.cs
@@ -1,19 +1,16 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Threading;
using System.Windows.Forms;
using System.ServiceProcess;
using System.Runtime.CompilerServices;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace AntiCrack_DotNet
{
class AntiDebug
internal sealed class AntiDebug
{
#region WinApi

[DllImport("kernelbase.dll", SetLastError = true)]
private static extern bool SetHandleInformation(IntPtr hObject, uint dwMask, uint dwFlags);

Expand Down Expand Up @@ -92,6 +89,12 @@ class AntiDebug
[DllImport("kernelbase.dll", SetLastError = true)]
private static extern bool VirtualFree(IntPtr lpAddress, uint dwSize, uint dwFreeType);

#endregion

/// <summary>
/// Attempts to close an invalid handle to detect debugger presence.
/// </summary>
/// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
public static bool NtCloseAntiDebug_InvalidHandle()
{
try
Expand All @@ -105,6 +108,10 @@ public static bool NtCloseAntiDebug_InvalidHandle()
}
}

/// <summary>
/// Attempts to close a protected handle to detect debugger presence.
/// </summary>
/// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
public static bool NtCloseAntiDebug_ProtectedHandle()
{
IntPtr hMutex = CreateMutexA(IntPtr.Zero, false, new Random().Next(0, 9999999).ToString());
Expand All @@ -125,18 +132,30 @@ public static bool NtCloseAntiDebug_ProtectedHandle()
return Result;
}

/// <summary>
/// Checks if a debugger is attached to the process.
/// </summary>
/// <returns>Returns true if a debugger is attached, otherwise false.</returns>
public static bool DebuggerIsAttached()
{
return Debugger.IsAttached;
}

/// <summary>
/// Checks if a debugger is present using the IsDebuggerPresent API.
/// </summary>
/// <returns>Returns true if a debugger is present, otherwise false.</returns>
public static bool IsDebuggerPresentCheck()
{
if (IsDebuggerPresent())
return true;
return false;
}

/// <summary>
/// Checks if the process has debug flags set using NtQueryInformationProcess.
/// </summary>
/// <returns>Returns true if debug flags are set, otherwise false.</returns>
public static bool NtQueryInformationProcessCheck_ProcessDebugFlags()
{
uint ProcessDebugFlags = 0;
Expand All @@ -146,6 +165,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugFlags()
return false;
}

/// <summary>
/// Checks if the process has a debug port using NtQueryInformationProcess.
/// </summary>
/// <returns>Returns true if a debug port is detected, otherwise false.</returns>
public static bool NtQueryInformationProcessCheck_ProcessDebugPort()
{
uint DebuggerPresent = 0;
Expand All @@ -158,6 +181,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugPort()
return false;
}

/// <summary>
/// Checks if the process has a debug object handle using NtQueryInformationProcess.
/// </summary>
/// <returns>Returns true if a debug object handle is detected, otherwise false.</returns>
public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle()
{
IntPtr hDebugObject = IntPtr.Zero;
Expand All @@ -170,6 +197,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle()
return false;
}

/// <summary>
/// Patches the DbgUiRemoteBreakin and DbgBreakPoint functions to prevent debugger attachment.
/// </summary>
/// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
public static string AntiDebugAttach()
{
IntPtr NtdllModule = GetModuleHandle("ntdll.dll");
Expand All @@ -184,6 +215,10 @@ public static string AntiDebugAttach()
return "Failed";
}

/// <summary>
/// Checks for the presence of known debugger windows.
/// </summary>
/// <returns>Returns true if a known debugger window is detected, otherwise false.</returns>
public static bool FindWindowAntiDebug()
{
Process[] GetProcesses = Process.GetProcesses();
Expand All @@ -202,6 +237,10 @@ public static bool FindWindowAntiDebug()
return false;
}

/// <summary>
/// Checks if the foreground window belongs to a known debugger.
/// </summary>
/// <returns>Returns true if a known debugger window is detected, otherwise false.</returns>
public static bool GetForegroundWindowAntiDebug()
{
string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "debug", "debugger", "cheat engine", "cheatengine", "ida" };
Expand All @@ -225,6 +264,10 @@ public static bool GetForegroundWindowAntiDebug()
return false;
}

/// <summary>
/// Hides threads from the debugger by setting the NtSetInformationThread.
/// </summary>
/// <returns>Returns "Success" if the threads were hidden successfully, otherwise "Failed".</returns>
public static string HideThreadsAntiDebug()
{
try
Expand Down Expand Up @@ -252,12 +295,21 @@ public static string HideThreadsAntiDebug()
}
}

/// <summary>
/// Uses GetTickCount to detect debugger presence.
/// </summary>
/// <returns>Returns true if debugger presence is detected, otherwise false.</returns>
public static bool GetTickCountAntiDebug()
{
uint Start = GetTickCount();
Thread.Sleep(0x10);
return (GetTickCount() - Start) > 0x10;
}

/// <summary>
/// Uses OutputDebugString to detect debugger presence.
/// </summary>
/// <returns>Returns true if debugger presence is detected, otherwise false.</returns>
public static bool OutputDebugStringAntiDebug()
{
Debugger.Log(0, null, "just testing some stuff...");
Expand All @@ -266,11 +318,18 @@ public static bool OutputDebugStringAntiDebug()
return false;
}

/// <summary>
/// Exploits a format string vulnerability in OllyDbg.
/// </summary>
public static void OllyDbgFormatStringExploit()
{
Debugger.Log(0, null, "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");
}

/// <summary>
/// Triggers a debug break to detect debugger presence.
/// </summary>
/// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
public static bool DebugBreakAntiDebug()
{
try
Expand All @@ -286,6 +345,10 @@ public static bool DebugBreakAntiDebug()

private static long CONTEXT_DEBUG_REGISTERS = 0x00010000L | 0x00000010L;

/// <summary>
/// Detects hardware breakpoints by checking debug registers.
/// </summary>
/// <returns>Returns true if hardware breakpoints are detected, otherwise false.</returns>
public static bool HardwareRegistersBreakpointsDetection()
{
Structs.CONTEXT Context = new Structs.CONTEXT();
Expand All @@ -302,6 +365,12 @@ public static bool HardwareRegistersBreakpointsDetection()
NtClose(CurrentThread);
return false;
}

/// <summary>
/// Cleans the specified path by removing null characters.
/// </summary>
/// <param name="Path">The path to clean.</param>
/// <returns>The cleaned path.</returns>
private static string CleanPath(string Path)
{
string CleanedPath = null;
Expand All @@ -315,6 +384,10 @@ private static string CleanPath(string Path)
return CleanedPath;
}

/// <summary>
/// Checks if the parent process is a debugger by querying process information.
/// </summary>
/// <returns>Returns true if the parent process is a debugger, otherwise false.</returns>
public static bool ParentProcessAntiDebug()
{
try
Expand Down Expand Up @@ -348,6 +421,10 @@ public static bool ParentProcessAntiDebug()
return false;
}

/// <summary>
/// Uses NtSetDebugFilterState to prevent debugging.
/// </summary>
/// <returns>Returns true if the filter state was set successfully, otherwise false.</returns>
public static bool NtSetDebugFilterStateAntiDebug()
{
if (NtSetDebugFilterState(0, 0, true) != 0)
Expand All @@ -356,6 +433,11 @@ public static bool NtSetDebugFilterStateAntiDebug()
}

delegate int ExecutionDelegate();

/// <summary>
/// Uses page guard to detect debugger presence by executing a function pointer.
/// </summary>
/// <returns>Returns true if debugger presence is detected, otherwise false.</returns>
public static bool PageGuardAntiDebug()
{
Structs.SYSTEM_INFO SysInfo = new Structs.SYSTEM_INFO();
Expand Down Expand Up @@ -389,4 +471,5 @@ public static bool PageGuardAntiDebug()
return false;
}
}
}

}
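Review bot: The new `<returns>` lines on `NtCloseAntiDebug_InvalidHandle` and `DebugBreakAntiDebug` contradict the rest of the file: both say "true if an exception is caught, indicating no debugger", while every sibling check documents true as "debugger detected", so a caller reading only the XML docs would invert the result. Both method bodies are collapsed outside the hunk, so confirm which way each actually returns and make the contract line match the sibling wording, e.g. `/// <returns>Returns true if a debugger is detected, otherwise false.</returns>`. Two smaller consistency points in the same file: `CONTEXT_DEBUG_REGISTERS` is a compile-time value and should be `private const long` rather than a mutable `private static long`, and `delegate int ExecutionDelegate();` is the only member in the class without an explicit access modifier (`private delegate int ExecutionDelegate();`).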
37 changes: 29 additions & 8 deletions AntiCrack-DotNet/AntiDllInjection.cs
@@ -1,17 +1,14 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
using System.Windows.Forms;
using static AntiCrack_DotNet.Structs;
using System.Runtime.InteropServices;

namespace AntiCrack_DotNet
{
class AntiDllInjection
internal sealed class AntiDllInjection
{

#region WinApi

[DllImport("kernelbase.dll", SetLastError = true)]
private static extern IntPtr GetModuleHandle(string lib);

Expand All @@ -24,6 +21,13 @@ class AntiDllInjection
[DllImport("kernelbase.dll", SetLastError = true)]
public static extern bool SetProcessMitigationPolicy(int policy, ref Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY lpBuffer, int size);

#endregion


/// <summary>
/// Patches the LoadLibraryA function to prevent DLL injection.
/// </summary>
/// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
public static string PatchLoadLibraryA()
{
IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
Expand All @@ -35,6 +39,10 @@ public static string PatchLoadLibraryA()
return "Failed";
}

/// <summary>
/// Patches the LoadLibraryW function to prevent DLL injection.
/// </summary>
/// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
public static string PatchLoadLibraryW()
{
IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
Expand All @@ -46,6 +54,10 @@ public static string PatchLoadLibraryW()
return "Failed";
}

/// <summary>
/// Enables the binary image signature mitigation policy to only allow Microsoft-signed binaries.
/// </summary>
/// <returns>Returns "Success" if the policy was set successfully, otherwise "Failed".</returns>
public static string BinaryImageSignatureMitigationAntiDllInjection()
{
Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY OnlyMicrosoftBinaries = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY();
Expand All @@ -55,6 +67,10 @@ public static string BinaryImageSignatureMitigationAntiDllInjection()
return "Failed";
}

/// <summary>
/// Checks if there are any injected libraries in the current process.
/// </summary>
/// <returns>Returns true if an injected library is detected, otherwise false.</returns>
public static bool IsInjectedLibrary()
{
bool IsMalicious = false;
Expand All @@ -71,6 +87,11 @@ public static bool IsInjectedLibrary()
}
return IsMalicious;
}

/// <summary>
/// Sets the DLL load policy to only allow Microsoft-signed DLLs to be loaded.
/// </summary>
/// <returns>Returns "Success" if the policy was set successfully, otherwise "Failed".</returns>
public static string SetDllLoadPolicy()
{
Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY policy = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY
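Review bot: The new summaries on `BinaryImageSignatureMitigationAntiDllInjection` and `SetDllLoadPolicy` describe the same effect — enabling `PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY` so only Microsoft-signed images load — so the docs give a reader no way to tell why both methods exist or which one to call. Both bodies are partly collapsed here; if they genuinely differ, state the difference in each `<summary>`, otherwise mark one `[Obsolete("Use SetDllLoadPolicy instead")]`. Either summary should also say that the policy is process-wide and applies to every later image load, since a host that later loads a non-Microsoft plugin or mixed-mode assembly will fail in a way the method name does not suggest; a `<remarks>` line such as `/// <remarks>Process-wide: every subsequent image load in this process is subject to the policy.</remarks>` covers it. Separately, the `SetProcessMitigationPolicy` P/Invoke is declared `public` while the other imports in the `WinApi` region are `private`; unless something outside the class calls it, `private` keeps the native surface consistent.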
