
Commit 32bcb2e

authoredJul 24, 2022
Add files via upload
1 parent c538a85 commit 32bcb2e


2 files changed

+259
-0
lines changed

 

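--- a/AntiCrack-DotNet/HooksDetection.cs
+++ b/AntiCrack-DotNet/HooksDetection.cs
@@ -0,0 +1,121 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Runtime.InteropServices;
+
+namespace AntiCrack_DotNet
+{
+public class HooksDetection
+{
+[DllImport("kernel32.dll", SetLastError = true)]
+private static extern IntPtr GetModuleHandle(string LibraryName);
+
+[DllImport("kernel32.dll", SetLastError = true)]
+private static extern IntPtr GetProcAddress(IntPtr Module, string Function);
+
+public static bool DetectBadInstructionsOnCommonAntiDebuggingFunctions()
+{
+string[] Libraries = { "kernel32.dll", "ntdll.dll", "user32.dll", "win32u.dll" };
+string[] Kernel32AntiDebugFunctions = { "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetThreadContext", "CloseHandle", "OutputDebugStringA", "GetTickCount", "SetHandleInformation" };
+string[] NtdllAntiDebugFunctions = { "NtQueryInformationProcess", "NtSetInformationThread", "NtClose", "NtGetContextThread", "NtQuerySystemInformation" };
+string[] User32AntiDebugFunctions = { "FindWindowW", "FindWindowA", "FindWindowExW", "FindWindowExA", "GetForegroundWindow", "GetWindowTextLengthA", "GetWindowTextA", "BlockInput" };
+string[] Win32uAntiDebugFunctions = { "NtUserBlockInput", "NtUserFindWindowEx", "NtUserQueryWindow", "NtUserGetForegroundWindow" };
+foreach (string Library in Libraries)
+{
+IntPtr hModule = GetModuleHandle(Library);
+if (hModule != IntPtr.Zero)
+{
+switch (Library)
+{
+case "kernel32.dll":
+{
+try
+{
+foreach (string AntiDebugFunction in Kernel32AntiDebugFunctions)
+{
+IntPtr Function = GetProcAddress(hModule, AntiDebugFunction);
+byte[] FunctionBytes = new byte[1];
+Marshal.Copy(Function, FunctionBytes, 0, 1);
+if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+{
+return true;
+}
+}
+}
+catch
+{
+continue;
+}
+}
+break;
+case "ntdll.dll":
+{
+try
+{
+foreach (string AntiDebugFunction in NtdllAntiDebugFunctions)
+{
+IntPtr Function = GetProcAddress(hModule, AntiDebugFunction);
+byte[] FunctionBytes = new byte[1];
+Marshal.Copy(Function, FunctionBytes, 0, 1);
+if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+{
+return true;
+}
+}
+}
+catch
+{
+continue;
+}
+}
+break;
+case "user32.dll":
+{
+try
+{
+foreach (string AntiDebugFunction in User32AntiDebugFunctions)
+{
+IntPtr Function = GetProcAddress(hModule, AntiDebugFunction);
+byte[] FunctionBytes = new byte[1];
+Marshal.Copy(Function, FunctionBytes, 0, 1);
+if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+{
+return true;
+}
+}
+}
+catch
+{
+continue;
+}
+}
+break;
+case "win32u.dll":
+{
+try
+{
+foreach (string AntiDebugFunction in Win32uAntiDebugFunctions)
+{
+IntPtr Function = GetProcAddress(hModule, AntiDebugFunction);
+byte[] FunctionBytes = new byte[1];
+Marshal.Copy(Function, FunctionBytes, 0, 1);
+if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+{
+return true;
+}
+}
+}
+catch
+{
+continue;
+}
+}
+break;
+}
+}
+}
+return false;
+}
+}
+}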
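Review bot: In each of the four inner `foreach` loops the result of `GetProcAddress` is passed straight to `Marshal.Copy`, so an export that is missing on the running Windows build yields `IntPtr.Zero`, the copy throws, and the bare `catch { continue; }` skips every remaining function of that library without any trace. Add `if (Function == IntPtr.Zero) continue;` before the copy and narrow the catch to the exception types actually expected, so that one absent export does not silently disable the rest of the check. The first-byte test (`0x90`, `0xE9`, and `255` for ntdll/win32u) is also only a heuristic: inline hooks installed by endpoint-security products presumably begin with a jump as well, so the method should carry a doc comment stating that `true` means "the prologue starts with a jump or NOP opcode", not "a debugger plugin is present". The four `case` bodies differ only in the function list and the `255` comparison; a single loop over a library-to-functions map would keep them from drifting apart.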

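--- a/AntiCrack-DotNet/Program.cs
+++ b/AntiCrack-DotNet/Program.cs
@@ -0,0 +1,138 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Diagnostics;
+
+namespace AntiCrack_DotNet
+{
+class Program
+{
+public static void DisplayCheckResult(string Text, bool Result)
+{
+if (Result == true)
+{
+Console.Write(Text);
+Console.ForegroundColor = ConsoleColor.DarkRed;
+Console.Write("[Bad]" + "\n\n");
+Console.ForegroundColor = ConsoleColor.White;
+}
+else
+{
+Console.Write(Text);
+Console.ForegroundColor = ConsoleColor.DarkGreen;
+Console.Write("[Good]" + "\n\n");
+Console.ForegroundColor = ConsoleColor.White;
+}
+}
+
+public static void DisplayCheckResult(string Text, string Result)
+{
+if (Result == "[Bad]" || Result == "Failed")
+{
+Console.Write(Text);
+Console.ForegroundColor = ConsoleColor.DarkRed;
+Console.Write(Result + "\n\n");
+Console.ForegroundColor = ConsoleColor.White;
+}
+else if (Result == "Skipped")
+{
+Console.Write(Text);
+Console.ForegroundColor = ConsoleColor.DarkYellow;
+Console.Write($"[{Result}]" + "\n\n");
+Console.ForegroundColor = ConsoleColor.White;
+}
+else
+{
+Console.Write(Text);
+Console.ForegroundColor = ConsoleColor.DarkGreen;
+Console.Write(Result + "\n\n");
+Console.ForegroundColor = ConsoleColor.White;
+}
+}
+
+private static void ExecuteAntiDebuggingTricks()
+{
+Console.WriteLine("----------------------------------Executing Anti Debugging Tricks-------------------------------------------------------");
+DisplayCheckResult("GetForegroundWindow (Looking For Bad Active Debugger Windows): ", AntiDebug.GetForegroundWindowAntiDebug());
+DisplayCheckResult("Debugger.IsAttached: ", AntiDebug.DebuggerIsAttached());
+DisplayCheckResult("Hide Threads From Debugger..... ", AntiDebug.HideThreadsAntiDebug());
+DisplayCheckResult("IsDebuggerPresent: ", AntiDebug.IsDebuggerPresentCheck());
+DisplayCheckResult("NtQueryInformationProcess ProcessDebugFlags: ", AntiDebug.NtQueryInformationProcessCheck_ProcessDebugFlags());
+DisplayCheckResult("NtQueryInformationProcess ProcessDebugPort: ", AntiDebug.NtQueryInformationProcessCheck_ProcessDebugPort());
+DisplayCheckResult("NtQueryInformationProcess ProcessDebugObjectHandle: ", AntiDebug.NtQueryInformationProcessCheck_ProcessDebugObjectHandle());
+DisplayCheckResult("NtClose (Invalid Handle): ", AntiDebug.NtCloseAntiDebug_InvalidHandle());
+DisplayCheckResult("NtClose (Protected Handle): ", AntiDebug.NtCloseAntiDebug_ProtectedHandle());
+DisplayCheckResult("Parent Process (Checking if the parent process are cmd.exe or explorer.exe): ", AntiDebug.ParentProcessAntiDebug());
+DisplayCheckResult("Hardware Registers Breakpoints Detection: ", AntiDebug.HardwareRegistersBreakpointsDetection());
+DisplayCheckResult("FindWindow (Looking For Bad Debugger Windows): ", AntiDebug.FindWindowAntiDebug());
+DisplayCheckResult("GetTickCount Anti Debug: ", "Skipped"); //it's unreliable for real anti-debug use
+DisplayCheckResult("OutputDebugString Anti Debug: ", "Skipped"); //it's unreliable for real anti-debug use
+DisplayCheckResult("Trying To Crash Non-Managed Debuggers with a Debugger Breakpoint..... ", "Skipped");
+//AntiDebug.DebugBreakAntiDebug(); //Not that useful, easily bypassable, and delays execution.
+Console.Write("Executing OllyDbg Format String Exploit.....\n\n");
+AntiDebug.OllyDbgFormatStringExploit();
+DisplayCheckResult("Patching DbgUiRemoteBreakin and DbgBreakPoint To Prevent Debugger Attaching..... ", AntiDebug.AntiDebugAttach());
+Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n");
+}
+
+private static void ExecuteAntiVirtualizationTricks()
+{
+Console.WriteLine("----------------------------------Executing Anti Virtualization Tricks--------------------------------------------------");
+DisplayCheckResult("Checking For Sandboxie Module in Current Process: ", AntiVirtualization.IsSandboxiePresent());
+DisplayCheckResult("Checking For Comodo Sandbox Module in Current Process: ", AntiVirtualization.IsComodoSandboxPresent());
+DisplayCheckResult("Checking For Cuckoo Sandbox Module in Current Process: ", AntiVirtualization.IsCuckooSandboxPresent());
+DisplayCheckResult("Checking For Qihoo360 Sandbox Module in Current Process: ", AntiVirtualization.IsQihoo360SandboxPresent());
+DisplayCheckResult("Checking If The Program are Emulated: ", AntiVirtualization.IsEmulationPresent());
+DisplayCheckResult("Checking For Blacklisted Usernames: ", AntiVirtualization.CheckForBlacklistedNames());
+DisplayCheckResult("Checking if the Program are running under wine using dll exports detection: ", AntiVirtualization.IsWinePresent());
+DisplayCheckResult("Checking For VirtualBox and VMware: ", AntiVirtualization.CheckForVMwareAndVirtualBox());
+DisplayCheckResult("Checking For KVM: ", AntiVirtualization.CheckForKVM());
+DisplayCheckResult("Checking For HyperV: ", AntiVirtualization.CheckForHyperV());
+DisplayCheckResult("Checking For Known Bad VM File Locations: ", AntiVirtualization.BadVMFilesDetection());
+DisplayCheckResult("Checking For Known Bad Process Names: ", AntiVirtualization.BadVMProcessNames());
+DisplayCheckResult("Checking For Ports (useful to detect VMs which have no ports connected): ", AntiVirtualization.PortConnectionAntiVM());
+Console.Write("Trying To Crash Sandboxie if Present......\n\n");
+AntiVirtualization.CrashingSandboxie();
+Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n");
+}
+
+private static void ExecuteAntiDllInjectionTricks()
+{
+Console.WriteLine("----------------------------------Executing Anti Dll Injection Tricks---------------------------------------------------");
+DisplayCheckResult("Patching LoadLibraryA To Prevent Dll Injection..... ", AntiDllInjection.PatchLoadLibraryA());
+DisplayCheckResult("Patching LoadLibraryW To Prevent Dll Injection..... ", AntiDllInjection.PatchLoadLibraryW());
+DisplayCheckResult("Taking Advantage of Binary Image Signature Mitigation Policy to Prevent Non-Microsoft Binaries From Being Injected..... ", AntiDllInjection.BinaryImageSignatureMitigationAntiDllInjection());
+Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n");
+}
+
+private static void ExecuteOtherDetectionTricks()
+{
+Console.WriteLine("----------------------------------Executing Other Detection Tricks-----------------------------------------------------\n");
+DisplayCheckResult("Detecting if Unsigned Drivers are allowed to load: ", OtherChecks.IsUnsignedDriversAllowed());
+DisplayCheckResult("Detecting if Test-Signed Drivers are allowed to load: ", OtherChecks.IsTestSignedDriversAllowed());
+Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n");
+}
+
+private static void ExecuteHooksDetectionTricks()
+{
+Console.WriteLine("----------------------------------Executing Hooks Detection Tricks------------------------------------------------------");
+DisplayCheckResult("Detecting Most Anti Anti-Debugging Hooking Methods on Common Anti-Debugging Functions by checking for Bad Instructions on Functions Addresses (Most Effective on x64): ", HooksDetection.DetectBadInstructionsOnCommonAntiDebuggingFunctions());
+Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n");
+}
+
+static void Main(string[] args)
+{
+Console.Title = "AntiCrack DotNet";
+for (;;)
+{
+ExecuteAntiDebuggingTricks();
+ExecuteAntiVirtualizationTricks();
+ExecuteAntiDllInjectionTricks();
+ExecuteOtherDetectionTricks();
+ExecuteHooksDetectionTricks();
+Console.ReadLine();
+}
+}
+}
+}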
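Review bot: The `DisplayCheckResult(string Text, string Result)` overload prints every value other than `"[Bad]"`, `"Failed"` and `"Skipped"` in green, so an unexpected or misspelled status string from a helper is shown as a pass. The final `else` should match the known success values explicitly and print anything unrecognised in a neutral or warning colour. Both overloads also force `ConsoleColor.White` afterwards, where `Console.ResetColor();` would restore the user's own console colour. Separately, the `for (;;)` loop in `Main` repeats every step on each Enter, including the calls that patch functions or set a process mitigation policy (`AntiDebugAttach`, `PatchLoadLibraryA`/`PatchLoadLibraryW`, `BinaryImageSignatureMitigationAntiDllInjection`). Those helpers are not part of this commit, so it is worth confirming they are safe to re-apply, or moving the one-time steps ahead of the loop.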
