Merge pull request #6 from LimerBoy/main

Detect any.run
AdvDebug · Aug 8, 2024 · 38ef1a1 · 38ef1a1
2 parents 185be8e + 03d9df1
commit 38ef1a1
Show file tree

Hide file tree

Showing 9 changed files with 326 additions and 63 deletions.
diff --git a/AntiCrack-DotNet/AntiCrack-DotNet.csproj b/AntiCrack-DotNet/AntiCrack-DotNet.csproj
@@ -54,17 +54,10 @@
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="System" />
-    <Reference Include="System.Core" />
     <Reference Include="System.Management" />
-    <Reference Include="System.Security" />
+    <Reference Include="Microsoft.CSharp" />
     <Reference Include="System.ServiceProcess" />
     <Reference Include="System.Windows.Forms" />
-    <Reference Include="System.Xml.Linq" />
-    <Reference Include="System.Data.DataSetExtensions" />
-    <Reference Include="Microsoft.CSharp" />
-    <Reference Include="System.Data" />
-    <Reference Include="System.Net.Http" />
-    <Reference Include="System.Xml" />
   </ItemGroup>
   <ItemGroup>
     <Compile Include="AntiDebug.cs" />

diff --git a/AntiCrack-DotNet/AntiDebug.cs b/AntiCrack-DotNet/AntiDebug.cs
@@ -1,19 +1,16 @@
 using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Runtime.InteropServices;
-using System.Diagnostics;
 using System.IO;
+using System.Text;
 using System.Threading;
-using System.Windows.Forms;
-using System.ServiceProcess;
-using System.Runtime.CompilerServices;
+using System.Diagnostics;
+using System.Runtime.InteropServices;
 
 namespace AntiCrack_DotNet
 {
-    class AntiDebug
+    internal sealed class AntiDebug
     {
+        #region WinApi
+
         [DllImport("kernelbase.dll", SetLastError = true)]
         private static extern bool SetHandleInformation(IntPtr hObject, uint dwMask, uint dwFlags);
 
@@ -92,6 +89,12 @@ class AntiDebug
         [DllImport("kernelbase.dll", SetLastError = true)]
         private static extern bool VirtualFree(IntPtr lpAddress, uint dwSize, uint dwFreeType);
 
+        #endregion
+
+        /// <summary>
+        /// Attempts to close an invalid handle to detect debugger presence.
+        /// </summary>
+        /// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
         public static bool NtCloseAntiDebug_InvalidHandle()
         {
             try
@@ -105,6 +108,10 @@ public static bool NtCloseAntiDebug_InvalidHandle()
             }
         }
 
+        /// <summary>
+        /// Attempts to close a protected handle to detect debugger presence.
+        /// </summary>
+        /// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
         public static bool NtCloseAntiDebug_ProtectedHandle()
         {
             IntPtr hMutex = CreateMutexA(IntPtr.Zero, false, new Random().Next(0, 9999999).ToString());
@@ -125,18 +132,30 @@ public static bool NtCloseAntiDebug_ProtectedHandle()
             return Result;
         }
 
+        /// <summary>
+        /// Checks if a debugger is attached to the process.
+        /// </summary>
+        /// <returns>Returns true if a debugger is attached, otherwise false.</returns>
         public static bool DebuggerIsAttached()
         {
             return Debugger.IsAttached;
         }
 
+        /// <summary>
+        /// Checks if a debugger is present using the IsDebuggerPresent API.
+        /// </summary>
+        /// <returns>Returns true if a debugger is present, otherwise false.</returns>
         public static bool IsDebuggerPresentCheck()
         {
             if (IsDebuggerPresent())
                 return true;
             return false;
         }
 
+        /// <summary>
+        /// Checks if the process has debug flags set using NtQueryInformationProcess.
+        /// </summary>
+        /// <returns>Returns true if debug flags are set, otherwise false.</returns>
         public static bool NtQueryInformationProcessCheck_ProcessDebugFlags()
         {
             uint ProcessDebugFlags = 0;
@@ -146,6 +165,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugFlags()
             return false;
         }
 
+        /// <summary>
+        /// Checks if the process has a debug port using NtQueryInformationProcess.
+        /// </summary>
+        /// <returns>Returns true if a debug port is detected, otherwise false.</returns>
         public static bool NtQueryInformationProcessCheck_ProcessDebugPort()
         {
             uint DebuggerPresent = 0;
@@ -158,6 +181,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugPort()
             return false;
         }
 
+        /// <summary>
+        /// Checks if the process has a debug object handle using NtQueryInformationProcess.
+        /// </summary>
+        /// <returns>Returns true if a debug object handle is detected, otherwise false.</returns>
         public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle()
         {
             IntPtr hDebugObject = IntPtr.Zero;
@@ -170,6 +197,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle()
             return false;
         }
 
+        /// <summary>
+        /// Patches the DbgUiRemoteBreakin and DbgBreakPoint functions to prevent debugger attachment.
+        /// </summary>
+        /// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
         public static string AntiDebugAttach()
         {
             IntPtr NtdllModule = GetModuleHandle("ntdll.dll");
@@ -184,6 +215,10 @@ public static string AntiDebugAttach()
             return "Failed";
         }
 
+        /// <summary>
+        /// Checks for the presence of known debugger windows.
+        /// </summary>
+        /// <returns>Returns true if a known debugger window is detected, otherwise false.</returns>
         public static bool FindWindowAntiDebug()
         {
             Process[] GetProcesses = Process.GetProcesses();
@@ -202,6 +237,10 @@ public static bool FindWindowAntiDebug()
             return false;
         }
 
+        /// <summary>
+        /// Checks if the foreground window belongs to a known debugger.
+        /// </summary>
+        /// <returns>Returns true if a known debugger window is detected, otherwise false.</returns>
         public static bool GetForegroundWindowAntiDebug()
         {
             string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "debug", "debugger", "cheat engine", "cheatengine", "ida" };
@@ -225,6 +264,10 @@ public static bool GetForegroundWindowAntiDebug()
             return false;
         }
 
+        /// <summary>
+        /// Hides threads from the debugger by setting the NtSetInformationThread.
+        /// </summary>
+        /// <returns>Returns "Success" if the threads were hidden successfully, otherwise "Failed".</returns>
         public static string HideThreadsAntiDebug()
         {
             try
@@ -252,12 +295,21 @@ public static string HideThreadsAntiDebug()
             }
         }
 
+        /// <summary>
+        /// Uses GetTickCount to detect debugger presence.
+        /// </summary>
+        /// <returns>Returns true if debugger presence is detected, otherwise false.</returns>
         public static bool GetTickCountAntiDebug()
         {
             uint Start = GetTickCount();
             Thread.Sleep(0x10);
             return (GetTickCount() - Start) > 0x10;
         }
+
+        /// <summary>
+        /// Uses OutputDebugString to detect debugger presence.
+        /// </summary>
+        /// <returns>Returns true if debugger presence is detected, otherwise false.</returns>
         public static bool OutputDebugStringAntiDebug()
         {
             Debugger.Log(0, null, "just testing some stuff...");
@@ -266,11 +318,18 @@ public static bool OutputDebugStringAntiDebug()
             return false;
         }
 
+        /// <summary>
+        /// Exploits a format string vulnerability in OllyDbg.
+        /// </summary>
         public static void OllyDbgFormatStringExploit()
         {
             Debugger.Log(0, null, "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");
         }
 
+        /// <summary>
+        /// Triggers a debug break to detect debugger presence.
+        /// </summary>
+        /// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
         public static bool DebugBreakAntiDebug()
         {
             try
@@ -286,6 +345,10 @@ public static bool DebugBreakAntiDebug()
 
         private static long CONTEXT_DEBUG_REGISTERS = 0x00010000L | 0x00000010L;
 
+        /// <summary>
+        /// Detects hardware breakpoints by checking debug registers.
+        /// </summary>
+        /// <returns>Returns true if hardware breakpoints are detected, otherwise false.</returns>
         public static bool HardwareRegistersBreakpointsDetection()
         {
             Structs.CONTEXT Context = new Structs.CONTEXT();
@@ -302,6 +365,12 @@ public static bool HardwareRegistersBreakpointsDetection()
             NtClose(CurrentThread);
             return false;
         }
+
+        /// <summary>
+        /// Cleans the specified path by removing null characters.
+        /// </summary>
+        /// <param name="Path">The path to clean.</param>
+        /// <returns>The cleaned path.</returns>
         private static string CleanPath(string Path)
         {
             string CleanedPath = null;
@@ -315,6 +384,10 @@ private static string CleanPath(string Path)
             return CleanedPath;
         }
 
+        /// <summary>
+        /// Checks if the parent process is a debugger by querying process information.
+        /// </summary>
+        /// <returns>Returns true if the parent process is a debugger, otherwise false.</returns>
         public static bool ParentProcessAntiDebug()
         {
             try
@@ -348,6 +421,10 @@ public static bool ParentProcessAntiDebug()
             return false;
         }
 
+        /// <summary>
+        /// Uses NtSetDebugFilterState to prevent debugging.
+        /// </summary>
+        /// <returns>Returns true if the filter state was set successfully, otherwise false.</returns>
         public static bool NtSetDebugFilterStateAntiDebug()
         {
             if (NtSetDebugFilterState(0, 0, true) != 0)
@@ -356,6 +433,11 @@ public static bool NtSetDebugFilterStateAntiDebug()
         }
 
         delegate int ExecutionDelegate();
+
+        /// <summary>
+        /// Uses page guard to detect debugger presence by executing a function pointer.
+        /// </summary>
+        /// <returns>Returns true if debugger presence is detected, otherwise false.</returns>
         public static bool PageGuardAntiDebug()
         {
             Structs.SYSTEM_INFO SysInfo = new Structs.SYSTEM_INFO();
@@ -389,4 +471,5 @@ public static bool PageGuardAntiDebug()
             return false;
         }
     }
-}
+
+}
diff --git a/AntiCrack-DotNet/AntiDllInjection.cs b/AntiCrack-DotNet/AntiDllInjection.cs
@@ -1,17 +1,14 @@
 using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Runtime.InteropServices;
 using System.Diagnostics;
-using System.IO;
-using System.Windows.Forms;
-using static AntiCrack_DotNet.Structs;
+using System.Runtime.InteropServices;
 
 namespace AntiCrack_DotNet
 {
-    class AntiDllInjection
+    internal sealed class AntiDllInjection
     {
+
+        #region WinApi
+
         [DllImport("kernelbase.dll", SetLastError = true)]
         private static extern IntPtr GetModuleHandle(string lib);
 
@@ -24,6 +21,13 @@ class AntiDllInjection
         [DllImport("kernelbase.dll", SetLastError = true)]
         public static extern bool SetProcessMitigationPolicy(int policy, ref Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY lpBuffer, int size);
 
+        #endregion
+
+
+        /// <summary>
+        /// Patches the LoadLibraryA function to prevent DLL injection.
+        /// </summary>
+        /// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
         public static string PatchLoadLibraryA()
         {
             IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
@@ -35,6 +39,10 @@ public static string PatchLoadLibraryA()
             return "Failed";
         }
 
+        /// <summary>
+        /// Patches the LoadLibraryW function to prevent DLL injection.
+        /// </summary>
+        /// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
         public static string PatchLoadLibraryW()
         {
             IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
@@ -46,6 +54,10 @@ public static string PatchLoadLibraryW()
             return "Failed";
         }
 
+        /// <summary>
+        /// Enables the binary image signature mitigation policy to only allow Microsoft-signed binaries.
+        /// </summary>
+        /// <returns>Returns "Success" if the policy was set successfully, otherwise "Failed".</returns>
         public static string BinaryImageSignatureMitigationAntiDllInjection()
         {
             Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY OnlyMicrosoftBinaries = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY();
@@ -55,6 +67,10 @@ public static string BinaryImageSignatureMitigationAntiDllInjection()
             return "Failed";
         }
 
+        /// <summary>
+        /// Checks if there are any injected libraries in the current process.
+        /// </summary>
+        /// <returns>Returns true if an injected library is detected, otherwise false.</returns>
         public static bool IsInjectedLibrary()
         {
             bool IsMalicious = false;
@@ -71,6 +87,11 @@ public static bool IsInjectedLibrary()
             }
             return IsMalicious;
         }
+
+        /// <summary>
+        /// Sets the DLL load policy to only allow Microsoft-signed DLLs to be loaded.
+        /// </summary>
+        /// <returns>Returns "Success" if the policy was set successfully, otherwise "Failed".</returns>
         public static string SetDllLoadPolicy()
         {
             Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY policy = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY