diff --git a/AntiCrack-DotNet/AntiDebug.cs b/AntiCrack-DotNet/AntiDebug.cs index b6314cb..eb1109e 100644 --- a/AntiCrack-DotNet/AntiDebug.cs +++ b/AntiCrack-DotNet/AntiDebug.cs 
@@ -5,51 +5,53 @@ using System.Runtime.InteropServices; using System.Diagnostics; using System.IO; +using System.Threading; +using static System.Net.WebRequestMethods; +using System.Windows.Forms; +using System.ServiceProcess; +using System.Runtime.CompilerServices; namespace AntiCrack_DotNet { class AntiDebug { - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern bool SetHandleInformation(IntPtr hObject, uint dwMask, uint dwFlags); [DllImport("ntdll.dll", SetLastError = true)] private static extern bool NtClose(IntPtr Handle); - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern IntPtr CreateMutexA(IntPtr lpMutexAttributes, bool bInitialOwner, string lpName); - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern bool IsDebuggerPresent(); - [DllImport("kernel32.dll", SetLastError = true)] - private static extern bool CheckRemoteDebuggerPresent(IntPtr Handle, ref bool CheckBool); - - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern IntPtr GetModuleHandle(string lib); - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern IntPtr GetProcAddress(IntPtr ModuleHandle, string Function); - [DllImport("kernel32.dll", SetLastError = true)] - private static extern bool WriteProcessMemory(SafeHandle ProcHandle, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes); + [DllImport("kernelbase.dll", SetLastError = true)] + private static extern bool WriteProcessMemory(SafeHandle hProcess, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes); + + [DllImport("kernelbase.dll", SetLastError = true)] + private static extern bool ReadProcessMemory(SafeHandle hProcess, IntPtr BaseAddress, out byte[] Buffer, uint 
size, out int NumOfBytes); [DllImport("ntdll.dll", SetLastError = true)] private static extern uint NtSetInformationThread(IntPtr ThreadHandle, uint ThreadInformationClass, IntPtr ThreadInformation, int ThreadInformationLength); - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern IntPtr OpenThread(uint DesiredAccess, bool InheritHandle, int ThreadId); - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern uint GetTickCount(); - [DllImport("kernel32.dll", SetLastError = true)] - private static extern void OutputDebugStringA(string Text); - - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern IntPtr GetCurrentThread(); - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern bool GetThreadContext(IntPtr hThread, ref Structs.CONTEXT Context); [DllImport("ntdll.dll", SetLastError = true)] @@ -61,7 +63,7 @@ class AntiDebug [DllImport("ntdll.dll", SetLastError = true)] private static extern uint NtQueryInformationProcess(SafeHandle hProcess, uint ProcessInfoClass, ref Structs.PROCESS_BASIC_INFORMATION ProcessInfo, uint nSize, uint ReturnLength); - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern int QueryFullProcessImageNameA(SafeHandle hProcess, uint Flags, byte[] lpExeName, Int32[] lpdwSize); [DllImport("user32.dll", SetLastError = true)] 
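Review bot: The new `ReadProcessMemory` declaration takes `out byte[] Buffer` and `out int NumOfBytes`, which does not match the native contract: `out byte[]` marshals a pointer to a pointer-sized slot rather than the array's storage, so the kernel would write `size` bytes over that slot, and `lpNumberOfBytesRead` is a `SIZE_T*` that is 8 bytes wide on x64. A declaration such as `private static extern bool ReadProcessMemory(SafeHandle hProcess, IntPtr BaseAddress, [Out] byte[] Buffer, UIntPtr size, out UIntPtr NumOfBytes);` matches the native signature; none of the visible hunks call it yet, so this is the time to fix it. Separately, `using static System.Net.WebRequestMethods;` looks like an accidental auto-import; it brings a nested `File` type into scope next to `System.IO`, which makes any `File.` reference in this file ambiguous. Retargeting every import from kernel32.dll to kernelbase.dll (here and in the other files of this commit) depends on kernelbase's export table, which is not the documented home of these APIs; a comment on why, and a run on the oldest Windows the project supports, would make that choice defensible.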
@@ -73,6 +75,24 @@ class AntiDebug [DllImport("user32.dll", SetLastError = true)] private static extern int GetWindowTextA(IntPtr HWND, StringBuilder WindowText, int nMaxCount); + [DllImport("ntdll.dll", SetLastError = true)] + private static extern uint NtSetDebugFilterState(ulong ComponentId, uint Level, bool State); + + [DllImport("kernelbase.dll", SetLastError = true)] + private static extern void GetSystemInfo(out Structs.SYSTEM_INFO lpSystemInfo); + + [DllImport("kernelbase.dll", SetLastError = true)] + private static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); + + [DllImport("ntdll.dll", SetLastError = true)] + private static extern IntPtr memset(IntPtr Dst, int val, uint size); + + [DllImport("kernelbase.dll", SetLastError = true)] + private static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect); + + [DllImport("kernelbase.dll", SetLastError = true)] + private static extern bool VirtualFree(IntPtr lpAddress, uint dwSize,uint dwFreeType); + public static bool NtCloseAntiDebug_InvalidHandle() { try @@ -91,15 +111,19 @@ public static bool NtCloseAntiDebug_ProtectedHandle() IntPtr hMutex = CreateMutexA(IntPtr.Zero, false, new Random().Next(0, 9999999).ToString()); uint HANDLE_FLAG_PROTECT_FROM_CLOSE = 0x00000002; SetHandleInformation(hMutex, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE); + bool Result = false; try { NtClose(hMutex); - return false; + Result = false; } catch { - return true; + Result = true; } + SetHandleInformation(hMutex, HANDLE_FLAG_PROTECT_FROM_CLOSE, 0); + NtClose(hMutex); + return Result; } public static bool DebuggerIsAttached() @@ -170,7 +194,10 @@ public static bool FindWindowAntiDebug() foreach (string BadWindows in BadWindowNames) { if (GetWindow.MainWindowTitle.ToLower().Contains(BadWindows)) + { + GetWindow.Close(); return true; + } } } return false; 
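Review bot: `NtSetDebugFilterState(ulong ComponentId, ...)` declares a 64-bit first parameter for a native `ULONG`, so on x86 the call pushes eight bytes where the stdcall callee pops four and the stack is left unbalanced; it should be `uint ComponentId`. The same `ulong`-for-`ULONG` pattern appears in the `Flags` parameters of the new `LdrGetDllHandleEx` and `LdrGetProcedureAddressForCaller` imports in HooksDetection.cs. `memset` imported from ntdll.dll is a cdecl C-runtime export, but `DllImport` defaults to stdcall, which again corrupts the x86 stack: add `CallingConvention = CallingConvention.Cdecl` to that attribute, and likewise to the `fopen`/`fclose` imports added in AntiVirtualization.cs. The `dwSize` parameters of `VirtualAlloc`, `VirtualProtect` and `VirtualFree` are `SIZE_T` and would be more faithfully declared as `UIntPtr`, although `uint` is adequate for page-sized values.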
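Review bot: `GetWindow.Close()` on the matched process releases the managed `Process` component only; it does not touch the other process or its window, so if the intent was anything beyond freeing the handle this line is a no-op, and if it was cleanup, every other `Process` object produced by the enumeration (which presumably starts outside the hunk) is still left undisposed. A short comment stating the intent, e.g. `// release this Process component before returning; the other process itself is untouched`, would stop the next reader from assuming more. Note also that `MainWindowTitle.ToLower().Contains(...)` on the context line is culture-sensitive; `IndexOf(BadWindows, StringComparison.OrdinalIgnoreCase) >= 0` is the usual idiom.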
@@ -180,15 +207,20 @@ public static bool GetForegroundWindowAntiDebug() { string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "debug", "debugger", "cheat engine", "cheatengine", "ida" }; IntPtr HWND = GetForegroundWindow(); - int WindowLength = GetWindowTextLengthA(HWND); - if (WindowLength != 0) + if (HWND != IntPtr.Zero) { - StringBuilder WindowName = new StringBuilder(WindowLength + 1); - GetWindowTextA(HWND, WindowName, WindowLength + 1); - foreach (string BadWindows in BadWindowNames) + int WindowLength = GetWindowTextLengthA(HWND); + if (WindowLength != 0) { - if (WindowName.ToString().ToLower().Contains(BadWindows)) - return true; + StringBuilder WindowName = new StringBuilder(WindowLength + 1); + GetWindowTextA(HWND, WindowName, WindowLength + 1); + foreach (string BadWindows in BadWindowNames) + { + if (WindowName.ToString().ToLower().Contains(BadWindows)) + { + return true; + } + } } } return false; @@ -224,12 +256,12 @@ public static string HideThreadsAntiDebug() public static bool GetTickCountAntiDebug() { uint Start = GetTickCount(); + Thread.Sleep(0x10); return (GetTickCount() - Start) > 0x10; } - public static bool OutputDebugStringAntiDebug() { - OutputDebugStringA("just testing some stuff..."); + Debugger.Log(0, null, "just testing some stuff..."); if (Marshal.GetLastWin32Error() == 0) return true; return false; @@ -237,7 +269,7 @@ public static bool OutputDebugStringAntiDebug() public static void OllyDbgFormatStringExploit() { - OutputDebugStringA("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"); + Debugger.Log(0, null, "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"); } public static bool DebugBreakAntiDebug() 
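Review bot: The rewritten `GetForegroundWindowAntiDebug` now nests four levels deep; guard clauses keep the same behaviour and flatten it: `if (HWND == IntPtr.Zero) return false;` followed by `int WindowLength = GetWindowTextLengthA(HWND); if (WindowLength == 0) return false;`, with the foreach at the method's top level. `WindowName.ToString().ToLower()` is also recomputed on every inner iteration and is culture-sensitive; hoisting `string Title = WindowName.ToString();` and testing `Title.IndexOf(BadWindows, StringComparison.OrdinalIgnoreCase) >= 0` fixes both. Generic entries such as `"debug"` in the unchanged list will match ordinary windows (an editor tab or browser page with that word in its title), which is a false-positive source worth a comment for anyone reading the result as a verdict.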
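Review bot: `GetTickCountAntiDebug` now sleeps `0x10` ms and then reports a debugger when the elapsed ticks exceed `0x10`, but `GetTickCount` has roughly 10–16 ms resolution and `Thread.Sleep(16)` routinely wakes after one or two timer ticks, so the elapsed value will often be 16 or 31 on an idle machine and the check trips with no debugger present. The threshold needs real headroom over the sleep, or the measurement should use `Stopwatch`; whichever is chosen, a comment should state the expected jitter the value was chosen against. In `OutputDebugStringAntiDebug`, replacing `OutputDebugStringA` with `Debugger.Log` makes the following `Marshal.GetLastWin32Error() == 0` test meaningless: `Debugger.Log` is a managed call, so the last-error value now belongs to whichever `SetLastError = true` P/Invoke ran previously, and `Debugger.Log` is documented as posting to an attached managed debugger rather than reproducing OutputDebugString's last-error side effect. Either keep a `SetLastError = true` import for this check or drop the last-error comparison.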
@@ -259,16 +291,18 @@ public static bool HardwareRegistersBreakpointsDetection() { Structs.CONTEXT Context = new Structs.CONTEXT(); Context.ContextFlags = CONTEXT_DEBUG_REGISTERS; - if (GetThreadContext(GetCurrentThread(), ref Context)) + IntPtr CurrentThread = GetCurrentThread(); + if (GetThreadContext(CurrentThread, ref Context)) { if ((Context.Dr1 != 0x00 || Context.Dr2 != 0x00 || Context.Dr3 != 0x00 || Context.Dr4 != 0x00 || Context.Dr5 != 0x00 || Context.Dr6 != 0x00 || Context.Dr7 != 0x00)) { + NtClose(CurrentThread); return true; } } + NtClose(CurrentThread); return false; } - private static string CleanPath(string Path) { string CleanedPath = null; @@ -314,5 +348,46 @@ public static bool ParentProcessAntiDebug() catch{}; return false; } + + public static bool NtSetDebugFilterStateAntiDebug() + { + if (NtSetDebugFilterState(0, 0, true) != 0) + return false; + return true; + } + + delegate int ExecutionDelegate(); + public static bool PageGuardAntiDebug() + { + Structs.SYSTEM_INFO SysInfo = new Structs.SYSTEM_INFO(); + GetSystemInfo(out SysInfo); + uint MEM_COMMIT = 0x00001000; + uint MEM_RESERVE = 0x00002000; + uint PAGE_EXECUTE_READWRITE = 0x40; + uint PAGE_GUARD = 0x100; + uint MEM_RELEASE = 0x00008000; + IntPtr AllocatedSpace = VirtualAlloc(IntPtr.Zero, SysInfo.PageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (AllocatedSpace != IntPtr.Zero) + { + memset(AllocatedSpace, 1, 0xC3); + uint OldProtect = 0; + if(VirtualProtect(AllocatedSpace, SysInfo.PageSize, PAGE_EXECUTE_READWRITE | PAGE_GUARD, out OldProtect)) + { + try + { + ExecutionDelegate IsDebugged = Marshal.GetDelegateForFunctionPointer(AllocatedSpace); + int Result = IsDebugged(); + } + catch + { + VirtualFree(AllocatedSpace, SysInfo.PageSize, MEM_RELEASE); + return false; + } + VirtualFree(AllocatedSpace, SysInfo.PageSize, MEM_RELEASE); + return true; + } + } + return false; + } } -} +} \ No newline at end of file 
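Review bot: `GetCurrentThread()` returns a pseudo-handle that Windows documents as not needing to be closed, so the two added `NtClose(CurrentThread)` calls are at best no-ops and at worst return an error status that is silently ignored; remove them or replace them with a comment explaining why no close is required. While here, the condition on the new side tests `Dr1` through `Dr7` but not `Dr0`, the first hardware-breakpoint slot; if `Structs.CONTEXT` defines it, `Context.Dr0 != 0x00 ||` belongs at the front of that expression, and `Dr4`/`Dr5` are not part of the standard CONTEXT debug-register set, so those two terms should be checked against the struct definition. `HardwareRegistersBreakpointsDetection` begins outside the hunk.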
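Review bot: `PageGuardAntiDebug` frees the page with `VirtualFree(AllocatedSpace, SysInfo.PageSize, MEM_RELEASE)`, but `MEM_RELEASE` requires `dwSize == 0` (Windows rejects a non-zero size with ERROR_INVALID_PARAMETER), so both calls fail and the page leaks on every invocation. `memset(AllocatedSpace, 1, 0xC3)` also has the C `memset(dst, value, count)` arguments in the wrong order: it writes 195 bytes of `0x01` instead of filling the page with `0xC3`, so the delegate does not execute the plain `ret` the method appears to intend. `Marshal.GetDelegateForFunctionPointer(AllocatedSpace)` without a type argument does not appear to compile, since C# cannot infer `TDelegate` from the assignment target; the generic overload needs `<ExecutionDelegate>` (or the `(IntPtr, Type)` overload plus a cast on frameworks before 4.5.1). The `catch` is a catch-all, and if the guard fault surfaces as an `AccessViolationException` .NET 4+ will not deliver it to a plain `catch`, so that path deserves a comment naming the exception that is expected. `NtSetDebugFilterStateAntiDebug` presumably keys on the call succeeding, which it also does for any process holding SeDebugPrivilege (an elevated administrator), so its result should be documented as 'debugger or debug privilege present' rather than a debugger verdict.
```csharp
// … unchanged: GetSystemInfo and the MEM_* / PAGE_* constants …
if (AllocatedSpace != IntPtr.Zero)
{
    // memset(dst, value, count): fill the page with 0xC3 (ret), not 0xC3 bytes of 0x01
    memset(AllocatedSpace, 0xC3, SysInfo.PageSize);
    // … unchanged: VirtualProtect with PAGE_EXECUTE_READWRITE | PAGE_GUARD …
    try
    {
        ExecutionDelegate IsDebugged = Marshal.GetDelegateForFunctionPointer<ExecutionDelegate>(AllocatedSpace);
        IsDebugged();
    }
    catch
    {
        VirtualFree(AllocatedSpace, 0, MEM_RELEASE); // MEM_RELEASE requires dwSize == 0
        return false;
    }
    VirtualFree(AllocatedSpace, 0, MEM_RELEASE); // MEM_RELEASE requires dwSize == 0
    return true;
```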
diff --git a/AntiCrack-DotNet/AntiDllInjection.cs b/AntiCrack-DotNet/AntiDllInjection.cs index f401f4c..1b9eea1 100644 --- a/AntiCrack-DotNet/AntiDllInjection.cs +++ b/AntiCrack-DotNet/AntiDllInjection.cs @@ -4,21 +4,24 @@ using System.Text; using System.Runtime.InteropServices; using System.Diagnostics; +using System.IO; +using System.Windows.Forms; +using static AntiCrack_DotNet.Structs; namespace AntiCrack_DotNet { class AntiDllInjection { - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern IntPtr GetModuleHandle(string lib); - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern IntPtr GetProcAddress(IntPtr ModuleHandle, string Function); - [DllImport("kernel32.dll", SetLastError = true)] - private static extern bool WriteProcessMemory(IntPtr ProcHandle, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes); + [DllImport("kernelbase.dll", SetLastError = true)] + private static extern bool WriteProcessMemory(SafeHandle hProcess, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes); - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] public static extern bool SetProcessMitigationPolicy(int policy, ref Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY lpBuffer, int size); public static string PatchLoadLibraryA() @@ -26,7 +29,7 @@ public static string PatchLoadLibraryA() IntPtr KernelModule = GetModuleHandle("kernelbase.dll"); IntPtr LoadLibraryA = GetProcAddress(KernelModule, "LoadLibraryA"); byte[] HookedCode = { 0xC2, 0x04, 0x00 }; - bool Status = WriteProcessMemory(Process.GetCurrentProcess().Handle, LoadLibraryA, HookedCode, 3, 0); + bool Status = WriteProcessMemory(Process.GetCurrentProcess().SafeHandle, LoadLibraryA, HookedCode, 3, 0); if (Status) return "Success"; return "Failed"; 
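Review bot: The three usings added to AntiDllInjection.cs (`System.IO`, `System.Windows.Forms`, `using static AntiCrack_DotNet.Structs;`) are not referenced by anything visible in this file's hunks, and the existing code still spells out `Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY`, so the static using is redundant at best. `System.Windows.Forms` in particular pulls a WinForms assembly reference into what Program.cs shows to be a console application; if these were IDE auto-imports they should be dropped, and if one is needed a comment on what uses it would help.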
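Review bot: `Process.GetCurrentProcess()` is created only to read `.SafeHandle` and is never disposed, in `PatchLoadLibraryA` here and in the identical `PatchLoadLibraryW` and `PortConnectionAntiVM` hunks; `using (Process Current = Process.GetCurrentProcess()) { Status = WriteProcessMemory(Current.SafeHandle, LoadLibraryA, HookedCode, 3, 0); }` keeps the handle alive for exactly the call and releases it afterwards. The Program.cs label for this check now says "Changing LoadLibraryA Page Protection", but nothing in this hunk changes page protection; either the label or this method needs to match. On the unchanged stub, `C2 04 00` (`ret 4`) is the correct stdcall return for a one-argument x86 function, but on x64 LoadLibraryA takes its argument in a register with no stack slot, so a `ret 4` there pops four extra bytes from every caller's stack; the stub presumably needs to depend on `IntPtr.Size`.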
@@ -37,7 +40,7 @@ public static string PatchLoadLibraryW() IntPtr KernelModule = GetModuleHandle("kernelbase.dll"); IntPtr LoadLibraryW = GetProcAddress(KernelModule, "LoadLibraryW"); byte[] HookedCode = { 0xC2, 0x04, 0x00 }; - bool Status = WriteProcessMemory(Process.GetCurrentProcess().Handle, LoadLibraryW, HookedCode, 3, 0); + bool Status = WriteProcessMemory(Process.GetCurrentProcess().SafeHandle, LoadLibraryW, HookedCode, 3, 0); if (Status) return "Success"; return "Failed"; @@ -51,5 +54,22 @@ public static string BinaryImageSignatureMitigationAntiDllInjection() return "Success"; return "Failed"; } + + public static bool IsInjectedLibrary() + { + bool IsMalicious = false; + string Windows = Environment.GetFolderPath(Environment.SpecialFolder.Windows).ToLower(); + string ProgramData = Windows.Replace(@"\windows", @"\programdata"); + foreach (ProcessModule Module in Process.GetCurrentProcess().Modules) + { + string FileName = Module.FileName.ToLower(); + if (!FileName.StartsWith(Windows) && !FileName.StartsWith(ProgramData)) + IsMalicious = true; + + if (FileName.StartsWith(Environment.CurrentDirectory.ToLower())) //for compatibility + IsMalicious = false; + } + return IsMalicious; + } } } \ No newline at end of file diff --git a/AntiCrack-DotNet/AntiVirtualization.cs b/AntiCrack-DotNet/AntiVirtualization.cs index e0d0890..732f472 100644 --- a/AntiCrack-DotNet/AntiVirtualization.cs +++ b/AntiCrack-DotNet/AntiVirtualization.cs 
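Review bot: `IsInjectedLibrary` lets a later module reset `IsMalicious` to false: the `CurrentDirectory` branch runs for every module, so a suspicious module seen early is forgotten as soon as any module under the current directory is enumerated afterwards; each module should be judged on its own and the method should return as soon as one fails the whitelist. `ProgramData` is derived by string-replacing `\windows` in the Windows folder path, which breaks on non-default installs; `Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData)` returns it directly. The prefix checks use culture-sensitive `StartsWith` on `ToLower()` output and accept `c:\windows2\...` as readily as `c:\windows\...`; compare with `StringComparison.OrdinalIgnoreCase` against the folder path plus a trailing separator. `Environment.CurrentDirectory` is simply the directory the process was started from and can change at runtime, so as a whitelist root it is far weaker than `AppDomain.CurrentDomain.BaseDirectory`; the compatibility exemption deserves a comment saying what it is for.
```csharp
string Windows = Environment.GetFolderPath(Environment.SpecialFolder.Windows) + Path.DirectorySeparatorChar;
string ProgramData = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData) + Path.DirectorySeparatorChar;
string AppDirectory = AppDomain.CurrentDomain.BaseDirectory; // for compatibility: modules shipped next to the executable
foreach (ProcessModule Module in Process.GetCurrentProcess().Modules)
{
    string FileName = Module.FileName;
    if (FileName.StartsWith(Windows, StringComparison.OrdinalIgnoreCase)
        || FileName.StartsWith(ProgramData, StringComparison.OrdinalIgnoreCase)
        || FileName.StartsWith(AppDirectory, StringComparison.OrdinalIgnoreCase))
        continue;
    return true; // first module outside the whitelist decides; later modules cannot undo it
}
return false;
```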
@@ -8,22 +8,30 @@ using System.ServiceProcess; using System.Text; using System.Threading; +using System.Windows.Forms; +using Microsoft.Win32.SafeHandles; namespace AntiCrack_DotNet { class AntiVirtualization { - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern IntPtr GetModuleHandle(string lib); - [DllImport("kernel32.dll", SetLastError = true)] + [DllImport("kernelbase.dll", SetLastError = true)] private static extern IntPtr GetProcAddress(IntPtr ModuleHandle, string Function); - [DllImport("kernel32.dll", SetLastError = true)] - private static extern bool WriteProcessMemory(IntPtr ProcHandle, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes); + [DllImport("kernelbase.dll", SetLastError = true)] + private static extern bool WriteProcessMemory(SafeHandle hProcess, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes); - [DllImport("kernel32.dll", SetLastError = true)] - private static extern bool IsProcessCritical(IntPtr Handle, ref bool BoolToCheck); + [DllImport("kernelbase.dll", SetLastError = true)] + private static extern bool IsProcessCritical(SafeHandle hProcess, ref bool BoolToCheck); + + [DllImport("ucrtbase.dll", SetLastError = true)] + private static extern IntPtr fopen(string filename, string mode); + + [DllImport("ucrtbase.dll", SetLastError = true)] + private static extern int fclose(IntPtr filestream); public static bool IsSandboxiePresent() { @@ -124,7 +132,7 @@ public static bool CheckForHyperV() } return false; } - + public static bool CheckForBlacklistedNames() { string[] BadNames = { "Johnson", "Miller", "malware", "maltest", "CurrentUser", "Sandbox", "virus", "John Doe", "test user", "sand box", "WDAGUtilityAccount" }; @@ -151,7 +159,6 @@ public static bool BadVMFilesDetection() { foreach (string BadFileName in BadFileNames) { - if (File.Exists(System32File) && Path.GetFileName(System32File).ToLower() == BadFileName.ToLower()) { return true; 
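Review bot: `fopen`/`fclose` are imported from `ucrtbase.dll`, which is only guaranteed on Windows 10 and later or where the Universal CRT redistributable is installed; elsewhere the first call throws `DllNotFoundException`. Since the only visible consumer (`CheckDevices`) opens a fixed list of device paths read-only, `CreateFileW` from the kernelbase.dll this file already imports from would avoid the extra runtime dependency; failing that, the attribute should carry a comment naming the requirement, e.g. `// requires the Universal CRT (Windows 10+ or the VC redistributable)`.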
@@ -195,7 +202,7 @@ public static bool BadVMProcessNames() } } } - catch{} + catch { } return false; } @@ -213,7 +220,7 @@ public static bool PortConnectionAntiVM() byte[] UnHookedCode = { 0xB8, 0x26, 0x00, 0x00, 0x00 }; IntPtr NtdllModule = GetModuleHandle("ntdll.dll"); IntPtr NtOpenProcess = GetProcAddress(NtdllModule, "NtOpenProcess"); - WriteProcessMemory(Process.GetCurrentProcess().Handle, NtOpenProcess, UnHookedCode, 5, 0); + WriteProcessMemory(Process.GetCurrentProcess().SafeHandle, NtOpenProcess, UnHookedCode, 5, 0); try { Process[] GetProcesses = Process.GetProcesses(); @@ -222,7 +229,7 @@ public static bool PortConnectionAntiVM() bool DoingSomethingWithHandle = false; try { - IsProcessCritical(ProcessesHandle.Handle, ref DoingSomethingWithHandle); + IsProcessCritical(ProcessesHandle.SafeHandle, ref DoingSomethingWithHandle); } catch { @@ -236,5 +243,27 @@ public static bool PortConnectionAntiVM() } } } + + public static bool CheckDevices() + { + string[] Devices = { "\\\\.\\pipe\\cuckoo", "\\\\.\\HGFS", "\\\\.\\vmci", "\\\\.\\VBoxMiniRdrDN", "\\\\.\\VBoxGuest", "\\\\.\\pipe\\VBoxMiniRdDN", "\\\\.\\VBoxTrayIPC", "\\\\.\\pipe\\VBoxTrayIPC" }; + foreach (string Device in Devices) + { + try + { + IntPtr File = fopen(Device, "r"); + if (File != IntPtr.Zero) + { + fclose(File); + return true; + } + } + catch + { + continue; + } + } + return false; + } } } \ No newline at end of file diff --git a/AntiCrack-DotNet/HooksDetection.cs b/AntiCrack-DotNet/HooksDetection.cs index 31189ce..ac14a6d 100644 --- a/AntiCrack-DotNet/HooksDetection.cs +++ b/AntiCrack-DotNet/HooksDetection.cs @@ -3,6 +3,7 @@ using System.Linq; using System.Text; using System.Runtime.InteropServices; +using System.Diagnostics; namespace AntiCrack_DotNet { 
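Review bot: In `CheckDevices` the `catch { continue; }` around `fopen` will also swallow a `DllNotFoundException` or `EntryPointNotFoundException` from the ucrtbase import, so on a machine without the Universal CRT every iteration fails silently and the method reports "no devices found" rather than "check unavailable"; a failed `fopen` itself returns `IntPtr.Zero` without throwing, so the try/catch only ever hides loader errors. Catch those two types explicitly and return (or rethrow) instead of continuing, and document that a `false` result means 'none of the listed device names could be opened'. The local named `File` also shadows `System.IO.File`, which this file uses elsewhere (`File.Exists` in `BadVMFilesDetection`); `IntPtr Stream = fopen(Device, "r");` avoids the confusion.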
@@ -15,38 +16,48 @@ public class HooksDetection private static extern void RtlUnicodeStringToAnsiString(out Structs.ANSI_STRING DestinationString, Structs.UNICODE_STRING UnicodeString, bool AllocateDestinationString); [DllImport("ntdll.dll", SetLastError = true)] - private static extern uint LdrGetDllHandle([MarshalAs(UnmanagedType.LPWStr)] string DllPath, [MarshalAs(UnmanagedType.LPWStr)] string DllCharacteristics, Structs.UNICODE_STRING LibraryName, ref IntPtr DllHandle); + private static extern uint LdrGetDllHandleEx(ulong Flags, [MarshalAs(UnmanagedType.LPWStr)] string DllPath, [MarshalAs(UnmanagedType.LPWStr)] string DllCharacteristics, Structs.UNICODE_STRING LibraryName, ref IntPtr DllHandle); + + [DllImport("kernelbase.dll", SetLastError = true)] + private static extern IntPtr GetModuleHandleA(string Library); + + [DllImport("kernelbase.dll", SetLastError = true)] + private static extern IntPtr GetProcAddress(IntPtr hModule, string Function); [DllImport("ntdll.dll", SetLastError = true, CharSet = CharSet.Ansi)] - private static extern uint LdrGetProcedureAddress(IntPtr Module, Structs.ANSI_STRING ProcedureName, ushort ProcedureNumber, out IntPtr FunctionHandle); + private static extern uint LdrGetProcedureAddressForCaller(IntPtr Module, Structs.ANSI_STRING ProcedureName, ushort ProcedureNumber, out IntPtr FunctionHandle, ulong Flags, IntPtr CallBack); private static IntPtr LowLevelGetModuleHandle(string Library) { + if (IntPtr.Size == 4) + return GetModuleHandleA(Library); IntPtr hModule = IntPtr.Zero; Structs.UNICODE_STRING UnicodeString = new Structs.UNICODE_STRING(); RtlInitUnicodeString(out UnicodeString, Library); - LdrGetDllHandle(null, null, UnicodeString, ref hModule); + LdrGetDllHandleEx(0, null, null, UnicodeString, ref hModule); return hModule; } private static IntPtr LowLevelGetProcAddress(IntPtr hModule, string Function) { + if (IntPtr.Size == 4) + return GetProcAddress(hModule, Function); IntPtr FunctionHandle = IntPtr.Zero; 
Structs.UNICODE_STRING UnicodeString = new Structs.UNICODE_STRING(); Structs.ANSI_STRING AnsiString = new Structs.ANSI_STRING(); RtlInitUnicodeString(out UnicodeString, Function); RtlUnicodeStringToAnsiString(out AnsiString, UnicodeString, true); - LdrGetProcedureAddress(hModule, AnsiString, 0, out FunctionHandle); + LdrGetProcedureAddressForCaller(hModule, AnsiString, 0, out FunctionHandle, 0, IntPtr.Zero); return FunctionHandle; } - public static bool DetectBadInstructionsOnCommonAntiDebuggingFunctions() + public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[] Functions) { string[] Libraries = { "kernel32.dll", "kernelbase.dll", "ntdll.dll", "user32.dll", "win32u.dll" }; - string[] KernelLibAntiDebugFunctions = { "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetThreadContext", "CloseHandle", "OutputDebugStringA", "GetTickCount", "SetHandleInformation" }; - string[] NtdllAntiDebugFunctions = { "NtQueryInformationProcess", "NtSetInformationThread", "NtClose", "NtGetContextThread", "NtQuerySystemInformation" }; - string[] User32AntiDebugFunctions = { "FindWindowW", "FindWindowA", "FindWindowExW", "FindWindowExA", "GetForegroundWindow", "GetWindowTextLengthA", "GetWindowTextA", "BlockInput" }; - string[] Win32uAntiDebugFunctions = { "NtUserBlockInput", "NtUserFindWindowEx", "NtUserQueryWindow", "NtUserGetForegroundWindow" }; + string[] CommonKernelLibFunctions = { "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetThreadContext", "CloseHandle", "OutputDebugStringA", "GetTickCount", "SetHandleInformation" }; + string[] CommonNtdllFunctions = { "NtQueryInformationProcess", "NtSetInformationThread", "NtClose", "NtGetContextThread", "NtQuerySystemInformation", "NtCreateFile", "NtCreateProcess", "NtCreateSection", "NtCreateThread", "NtYieldExecution", "NtCreateUserProcess" }; + string[] CommonUser32Functions = { "FindWindowW", "FindWindowA", "FindWindowExW", "FindWindowExA", "GetForegroundWindow", "GetWindowTextLengthA", 
"GetWindowTextA", "BlockInput", "CreateWindowExW", "CreateWindowExA" }; + string[] CommonWin32uFunctions = { "NtUserBlockInput", "NtUserFindWindowEx", "NtUserQueryWindow", "NtUserGetForegroundWindow" }; foreach (string Library in Libraries) { IntPtr hModule = LowLevelGetModuleHandle(Library); @@ -58,9 +69,9 @@ public static bool DetectBadInstructionsOnCommonAntiDebuggingFunctions() { try { - foreach (string AntiDebugFunction in KernelLibAntiDebugFunctions) + foreach (string WinAPIFunction in CommonKernelLibFunctions) { - IntPtr Function = LowLevelGetProcAddress(hModule, AntiDebugFunction); + IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction); byte[] FunctionBytes = new byte[1]; Marshal.Copy(Function, FunctionBytes, 0, 1); if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9) @@ -79,9 +90,9 @@ public static bool DetectBadInstructionsOnCommonAntiDebuggingFunctions() { try { - foreach (string AntiDebugFunction in KernelLibAntiDebugFunctions) + foreach (string WinAPIFunction in CommonKernelLibFunctions) { - IntPtr Function = LowLevelGetProcAddress(hModule, AntiDebugFunction); + IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction); byte[] FunctionBytes = new byte[1]; Marshal.Copy(Function, FunctionBytes, 0, 1); if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9) @@ -100,9 +111,9 @@ public static bool DetectBadInstructionsOnCommonAntiDebuggingFunctions() { try { - foreach (string AntiDebugFunction in NtdllAntiDebugFunctions) + foreach (string WinAPIFunction in CommonNtdllFunctions) { - IntPtr Function = LowLevelGetProcAddress(hModule, AntiDebugFunction); + IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction); byte[] FunctionBytes = new byte[1]; Marshal.Copy(Function, FunctionBytes, 0, 1); if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9) 
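Review bot: The new `if (IntPtr.Size == 4)` fallbacks in `LowLevelGetModuleHandle` and `LowLevelGetProcAddress` route x86 through `GetModuleHandleA`/`GetProcAddress` from kernelbase.dll, which are exactly the high-level exports a hook would patch, so on 32-bit the "low level" resolution no longer bypasses anything. The x86 breakage that motivated the fallback is likely the marshalling rather than the Ldr APIs: `UNICODE_STRING`/`ANSI_STRING` are structs (Structs.cs shows `public struct ANSI_STRING`) passed by value to `LdrGetDllHandleEx` and `LdrGetProcedureAddressForCaller`, whose native parameters are pointers, and a 16-byte struct happens to be passed by hidden reference on x64 but is copied onto the stack on x86. Declaring those parameters as `ref Structs.UNICODE_STRING LibraryName` / `ref Structs.ANSI_STRING ProcedureName` and passing `ref UnicodeString` / `ref AnsiString` should make the Ldr path work on both bitnesses and let the fallback go. `RtlUnicodeStringToAnsiString(..., true)` allocates the ANSI buffer and nothing visible releases it with `RtlFreeAnsiString`, so each lookup leaks a small allocation; a comment or a matching free is needed.
```csharp
[DllImport("ntdll.dll", SetLastError = true)]
private static extern uint LdrGetDllHandleEx(uint Flags, [MarshalAs(UnmanagedType.LPWStr)] string DllPath, [MarshalAs(UnmanagedType.LPWStr)] string DllCharacteristics, ref Structs.UNICODE_STRING LibraryName, ref IntPtr DllHandle);

[DllImport("ntdll.dll", SetLastError = true, CharSet = CharSet.Ansi)]
private static extern uint LdrGetProcedureAddressForCaller(IntPtr Module, ref Structs.ANSI_STRING ProcedureName, ushort ProcedureNumber, out IntPtr FunctionHandle, uint Flags, IntPtr CallBack);

// … unchanged: RtlInitUnicodeString / RtlUnicodeStringToAnsiString setup …
LdrGetDllHandleEx(0, null, null, ref UnicodeString, ref hModule);
LdrGetProcedureAddressForCaller(hModule, ref AnsiString, 0, out FunctionHandle, 0, IntPtr.Zero);
```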
@@ -121,9 +132,9 @@ public static bool DetectBadInstructionsOnCommonAntiDebuggingFunctions() { try { - foreach (string AntiDebugFunction in User32AntiDebugFunctions) + foreach (string WinAPIFunction in CommonUser32Functions) { - IntPtr Function = LowLevelGetProcAddress(hModule, AntiDebugFunction); + IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction); byte[] FunctionBytes = new byte[1]; Marshal.Copy(Function, FunctionBytes, 0, 1); if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9) @@ -142,9 +153,9 @@ public static bool DetectBadInstructionsOnCommonAntiDebuggingFunctions() { try { - foreach (string AntiDebugFunction in Win32uAntiDebugFunctions) + foreach (string WinAPIFunction in CommonWin32uFunctions) { - IntPtr Function = LowLevelGetProcAddress(hModule, AntiDebugFunction); + IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction); byte[] FunctionBytes = new byte[1]; Marshal.Copy(Function, FunctionBytes, 0, 1); if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9) @@ -162,6 +173,26 @@ public static bool DetectBadInstructionsOnCommonAntiDebuggingFunctions() } } } + if (ModuleName != null && Functions != null) + { + try + { + foreach (string WinAPIFunction in Functions) + { + IntPtr hModule = LowLevelGetModuleHandle(ModuleName); + IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction); + byte[] FunctionBytes = new byte[1]; + Marshal.Copy(Function, FunctionBytes, 0, 1); + if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9) + { + return true; + } + } + } + catch + { + } + } return false; } } diff --git a/AntiCrack-DotNet/OtherChecks.cs b/AntiCrack-DotNet/OtherChecks.cs index 8f92e6d..4d2411d 100644 --- a/AntiCrack-DotNet/OtherChecks.cs +++ b/AntiCrack-DotNet/OtherChecks.cs 
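Review bot: The caller-supplied branch at the end of `DetectHooksOnCommonWinAPIFunctions` resolves `LowLevelGetModuleHandle(ModuleName)` inside the loop, once per function name, and never checks the handle for `IntPtr.Zero`; the built-in branches above hoist the lookup and guard it, and this one should too. When the module is not loaded, `LowLevelGetProcAddress` returns zero and `Marshal.Copy` throws, which the empty `catch` then hides, so a misspelled module name reports "no hooks" instead of "could not check"; at minimum skip zero function pointers and leave a comment in the catch about what is being ignored. The new `(string ModuleName, string[] Functions)` parameters would read better as `string ModuleName = null, string[] Functions = null`, so the default caller in Program.cs does not have to pass `(null, null)`.
```csharp
if (ModuleName != null && Functions != null)
{
    IntPtr hModule = LowLevelGetModuleHandle(ModuleName); // resolve once, not per function
    if (hModule != IntPtr.Zero)
    {
        try
        {
            foreach (string WinAPIFunction in Functions)
            {
                IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
                if (Function == IntPtr.Zero)
                    continue; // export not found: nothing to inspect
                // … unchanged: read the first byte and test for 0xFF / 0x90 / 0xE9 …
            }
        }
        catch
        {
            // swallowed on purpose: a failed read must not abort the remaining checks
        }
    }
}
```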
@@ -15,6 +15,9 @@ public class OtherChecks [DllImport("ntdll.dll", SetLastError = true)] private static extern uint NtQuerySystemInformation(uint SystemInformationClass, ref Structs.SYSTEM_KERNEL_DEBUGGER_INFORMATION SystemInformation, uint SystemInformationLength, out uint ReturnLength); + [DllImport("ntdll.dll", SetLastError = true)] + private static extern uint NtQuerySystemInformation(uint SystemInformationClass, ref Structs.SYSTEM_SECUREBOOT_INFORMATION SystemInformation, uint SystemInformationLength, out uint ReturnLength); + private static uint SystemCodeIntegrityInformation = 0x67; public static bool IsUnsignedDriversAllowed() @@ -65,5 +68,22 @@ public static bool IsKernelDebuggingEnabled() } return false; } + + public static bool IsSecureBootEnabled() + { + uint SystemSecureBootInformation = 0x91; + Structs.SYSTEM_SECUREBOOT_INFORMATION SecureBoot = new Structs.SYSTEM_SECUREBOOT_INFORMATION(); + SecureBoot.SecureBootCapable = false; + SecureBoot.SecureBootEnabled = false; + uint ReturnLength = 0; + if (NtQuerySystemInformation(SystemSecureBootInformation, ref SecureBoot, (uint)Marshal.SizeOf(SecureBoot), out ReturnLength) >= 0) + { + if (!SecureBoot.SecureBootCapable) + return false; + if (!SecureBoot.SecureBootEnabled) + return true; + } + return false; + } } } \ No newline at end of file diff --git a/AntiCrack-DotNet/Program.cs b/AntiCrack-DotNet/Program.cs index ad24a7c..a0bb413 100644 --- a/AntiCrack-DotNet/Program.cs +++ b/AntiCrack-DotNet/Program.cs @@ -14,14 +14,14 @@ public static void DisplayCheckResult(string Text, bool Result) { Console.Write(Text); Console.ForegroundColor = ConsoleColor.DarkRed; - Console.Write("[Bad]" + "\n\n"); + Console.Write("[Bad]\n\n"); Console.ForegroundColor = ConsoleColor.White; } else { Console.Write(Text); Console.ForegroundColor = ConsoleColor.DarkGreen; - Console.Write("[Good]" + "\n\n"); + Console.Write("[Good]\n\n"); Console.ForegroundColor = ConsoleColor.White; } } 
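Review bot: `NtQuerySystemInformation(...) >= 0` is always true because the declared return type is `uint`, so NTSTATUS failures such as STATUS_INFO_LENGTH_MISMATCH are treated as success and the method then reads a struct the kernel never filled in; the test should be `== 0`. That masking matters here because `SYSTEM_SECUREBOOT_INFORMATION` in the Structs.cs hunk declares its two fields as `bool`, which marshal as 4-byte `BOOL`, while the native structure holds two 1-byte `BOOLEAN`s, so `Marshal.SizeOf` hands the kernel the wrong length and the call is expected to fail. The method also returns `true` when Secure Boot is capable but disabled, the opposite of what the name `IsSecureBootEnabled` promises; either rename it (`IsSecureBootDisabled`) or invert the result and adjust the caller. `ReturnLength` is declared but never read, and the explicit `SecureBoot.SecureBootCapable = false;` assignments are redundant after `new`.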
@@ -32,21 +32,21 @@ public static void DisplayCheckResult(string Text, string Result)
 {
 Console.Write(Text);
 Console.ForegroundColor = ConsoleColor.DarkRed;
- Console.Write(Result + "\n\n");
+ Console.Write($"{Result}\n\n");
 Console.ForegroundColor = ConsoleColor.White;
 }
 else if (Result == "Skipped")
 {
 Console.Write(Text);
 Console.ForegroundColor = ConsoleColor.DarkYellow;
- Console.Write($"[{Result}]" + "\n\n");
+ Console.Write($"[{Result}]\n\n");
 Console.ForegroundColor = ConsoleColor.White;
 }
 else
 {
 Console.Write(Text);
 Console.ForegroundColor = ConsoleColor.DarkGreen;
- Console.Write(Result + "\n\n");
+ Console.Write($"{Result}\n\n");
 Console.ForegroundColor = ConsoleColor.White;
 }
 }
@@ -58,6 +58,8 @@ private static void ExecuteAntiDebuggingTricks()
 DisplayCheckResult("Debugger.IsAttached: ", AntiDebug.DebuggerIsAttached());
 DisplayCheckResult("Hide Threads From Debugger..... ", AntiDebug.HideThreadsAntiDebug());
 DisplayCheckResult("IsDebuggerPresent: ", AntiDebug.IsDebuggerPresentCheck());
+ DisplayCheckResult("NtSetDebugFilterState Check: ", AntiDebug.NtSetDebugFilterStateAntiDebug());
+ DisplayCheckResult("Page Guard Breakpoints Detection Check: ", AntiDebug.PageGuardAntiDebug());
 DisplayCheckResult("NtQueryInformationProcess ProcessDebugFlags: ", AntiDebug.NtQueryInformationProcessCheck_ProcessDebugFlags());
 DisplayCheckResult("NtQueryInformationProcess ProcessDebugPort: ", AntiDebug.NtQueryInformationProcessCheck_ProcessDebugPort());
 DisplayCheckResult("NtQueryInformationProcess ProcessDebugObjectHandle: ", AntiDebug.NtQueryInformationProcessCheck_ProcessDebugObjectHandle());
@@ -93,6 +95,7 @@ private static void ExecuteAntiVirtualizationTricks() DisplayCheckResult("Checking For Known Bad Process Names: ", AntiVirtualization.BadVMProcessNames()); DisplayCheckResult("Checking For Ports (useful to detect VMs which have no ports connected): ", AntiVirtualization.PortConnectionAntiVM()); Console.Write("Trying To Crash Sandboxie if Present......\n\n"); + DisplayCheckResult("Checking for devices created by VMs or Sandboxes: ", AntiVirtualization.CheckDevices()); AntiVirtualization.CrashingSandboxie(); Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n"); } @@ -100,9 +103,10 @@ private static void ExecuteAntiVirtualizationTricks() private static void ExecuteAntiDllInjectionTricks() { Console.WriteLine("----------------------------------Executing Anti Dll Injection Tricks---------------------------------------------------"); - DisplayCheckResult("Patching LoadLibraryA To Prevent Dll Injection..... ", AntiDllInjection.PatchLoadLibraryA()); - DisplayCheckResult("Patching LoadLibraryW To Prevent Dll Injection..... ", AntiDllInjection.PatchLoadLibraryW()); + DisplayCheckResult("Patching and Changing LoadLibraryA Page Protection To Prevent Dll Injection..... ", AntiDllInjection.PatchLoadLibraryA()); + DisplayCheckResult("Patching and Changing LoadLibraryW Page Protection Prevent Dll Injection..... ", AntiDllInjection.PatchLoadLibraryW()); DisplayCheckResult("Taking Advantage of Binary Image Signature Mitigation Policy to Prevent Non-Microsoft Binaries From Being Injected..... ", AntiDllInjection.BinaryImageSignatureMitigationAntiDllInjection()); + DisplayCheckResult("Checking if any injected libraries are present (simple dlls path whitelist check): ", AntiDllInjection.IsInjectedLibrary()); Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n"); } 
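Review bot: The new `CheckDevices` result line is inserted between `Console.Write("Trying To Crash Sandboxie if Present......\n\n");` and the `AntiVirtualization.CrashingSandboxie();` call it announces, so the console shows the "trying to crash" banner, then the device-check verdict, then the crash attempt; move `DisplayCheckResult("Checking for devices created by VMs or Sandboxes: ", AntiVirtualization.CheckDevices());` above that `Console.Write`. `ExecuteAntiVirtualizationTricks` starts outside the hunk.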
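Review bot: The new `PatchLoadLibraryW` label drops a word: `"Patching and Changing LoadLibraryW Page Protection Prevent Dll Injection..... "` should read `"... Page Protection To Prevent Dll Injection..... "` to match the `LoadLibraryA` line above it. Both labels also claim a page-protection change that the `PatchLoadLibraryA`/`PatchLoadLibraryW` hunks in this commit do not show; if the protection change lives outside the diff a comment there would help, otherwise the labels overstate what runs.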
@@ -112,19 +116,21 @@ private static void ExecuteOtherDetectionTricks() DisplayCheckResult("Detecting if Unsigned Drivers are Allowed to Load: ", OtherChecks.IsUnsignedDriversAllowed()); DisplayCheckResult("Detecting if Test-Signed Drivers are Allowed to Load: ", OtherChecks.IsTestSignedDriversAllowed()); DisplayCheckResult("Detecting if Kernel Debugging are Enabled on the System: ", OtherChecks.IsKernelDebuggingEnabled()); + DisplayCheckResult("Detecting if Secure Boot are Enabled on the System: ", OtherChecks.IsSecureBootEnabled()); Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n"); } private static void ExecuteHooksDetectionTricks() { Console.WriteLine("----------------------------------Executing Hooks Detection Tricks------------------------------------------------------"); - DisplayCheckResult("Detecting Most Anti Anti-Debugging Hooking Methods on Common Anti-Debugging Functions by checking for Bad Instructions on Functions Addresses (Most Effective on x64): ", HooksDetection.DetectBadInstructionsOnCommonAntiDebuggingFunctions()); + DisplayCheckResult("Detecting Hooks on Common WinAPI Functions by checking for Bad Instructions on Functions Addresses (Most Effective on x64): ", HooksDetection.DetectHooksOnCommonWinAPIFunctions(null, null)); Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n"); } static void Main(string[] args) { Console.Title = "AntiCrack DotNet"; + Console.ForegroundColor = ConsoleColor.White; for (;;) { ExecuteAntiDebuggingTricks(); diff --git a/AntiCrack-DotNet/Structs.cs b/AntiCrack-DotNet/Structs.cs index f1abb6f..339b4a3 100644 --- a/AntiCrack-DotNet/Structs.cs +++ b/AntiCrack-DotNet/Structs.cs 
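Review bot: The new label `"Detecting if Secure Boot are Enabled on the System: "` is paired with `OtherChecks.IsSecureBootEnabled()`, which returns `true` when Secure Boot is capable but switched off, so a `[Bad]` verdict appears precisely when Secure Boot is disabled; the label should say what `true` means (e.g. `"Detecting if Secure Boot is Disabled on the System: "`) or the method should be renamed to match. In `Main`, `Console.ForegroundColor = ConsoleColor.White;` is set once and never restored; the `for (;;)` loop means it rarely matters, but `Console.ResetColor()` is the conventional counterpart on any exit path.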
@@ -78,5 +78,28 @@ public struct ANSI_STRING public short MaximumLength; public string Buffer; } + + [StructLayout(LayoutKind.Sequential)] + public struct SYSTEM_SECUREBOOT_INFORMATION + { + public bool SecureBootEnabled; + public bool SecureBootCapable; + } + + [StructLayout(LayoutKind.Sequential)] + public struct SYSTEM_INFO + { + public ushort ProcessorArchitecture; + ushort Reserved; + public uint PageSize; + public IntPtr MinimumApplicationAddress; + public IntPtr MaximumApplicationAddress; + public IntPtr ActiveProcessorMask; + public uint AumberOfProcessors; + public uint ProcessorType; + public uint AllocationGranularity; + public ushort ProcessorLevel; + public ushort ProcessorRevision; + } } } \ No newline at end of file
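Review bot: `SYSTEM_SECUREBOOT_INFORMATION` declares `SecureBootEnabled`/`SecureBootCapable` as plain `bool`, which the marshaller lays out as 4-byte `BOOL`, giving an 8-byte struct where the native one is two 1-byte `BOOLEAN`s; annotate both as `[MarshalAs(UnmanagedType.U1)] public bool SecureBootEnabled;` so `Marshal.SizeOf` reports 2 and `NtQuerySystemInformation` accepts the buffer. In `SYSTEM_INFO`, `AumberOfProcessors` is a typo for `NumberOfProcessors`, and `ushort Reserved` is the only field without `public`; it still participates in the sequential layout, which is what the native struct needs, so a comment such as `// reserved/padding: kept for layout only` would stop a reader from "fixing" it away.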