From 370824303f4fac07fcbe517524e1c4e0279c0404 Mon Sep 17 00:00:00 2001 From: AdvDebug <90452585+AdvDebug@users.noreply.github.com> Date: Sat, 23 Jul 2022 00:46:30 +0200 Subject: [PATCH] Add files via upload --- AntiCrack-DotNet/AntiDebug.cs | 322 +++++++++++++++++++++++++ AntiCrack-DotNet/AntiDllInjection.cs | 5 +- AntiCrack-DotNet/AntiVirtualization.cs | 240 ++++++++++++++++++ AntiCrack-DotNet/HooksDetection.cs | 121 ++++++++++ AntiCrack-DotNet/OtherChecks.cs | 47 ++++ AntiCrack-DotNet/Program.cs | 138 +++++++++++ AntiCrack-DotNet/Structs.cs | 56 +++++ 7 files changed, 926 insertions(+), 3 deletions(-) create mode 100644 AntiCrack-DotNet/AntiDebug.cs create mode 100644 AntiCrack-DotNet/AntiVirtualization.cs create mode 100644 AntiCrack-DotNet/HooksDetection.cs create mode 100644 AntiCrack-DotNet/OtherChecks.cs create mode 100644 AntiCrack-DotNet/Program.cs create mode 100644 AntiCrack-DotNet/Structs.cs diff --git a/AntiCrack-DotNet/AntiDebug.cs b/AntiCrack-DotNet/AntiDebug.cs new file mode 100644 index 0000000..e71d91b --- /dev/null +++ b/AntiCrack-DotNet/AntiDebug.cs @@ -0,0 +1,322 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text; +using System.Runtime.InteropServices; +using System.Diagnostics; +using System.IO; + +namespace AntiCrack_DotNet +{ + class AntiDebug + { + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool SetHandleInformation(IntPtr hObject, uint dwMask, uint dwFlags); + + [DllImport("ntdll.dll", SetLastError = true)] + private static extern bool NtClose(IntPtr Handle); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr CreateMutexA(IntPtr lpMutexAttributes, bool bInitialOwner, string lpName); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool IsDebuggerPresent(); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool CheckRemoteDebuggerPresent(IntPtr Handle, ref bool CheckBool); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr GetModuleHandle(string lib); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr GetProcAddress(IntPtr ModuleHandle, string Function); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool WriteProcessMemory(SafeHandle ProcHandle, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes); + + [DllImport("ntdll.dll", SetLastError = true)] + private static extern uint NtSetInformationThread(IntPtr ThreadHandle, uint ThreadInformationClass, IntPtr ThreadInformation, int ThreadInformationLength); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr OpenThread(uint DesiredAccess, bool InheritHandle, int ThreadId); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern uint GetTickCount(); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern void OutputDebugStringA(string Text); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr GetCurrentThread(); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool GetThreadContext(IntPtr hThread, ref Structs.CONTEXT Context); + + [DllImport("ntdll.dll", SetLastError = true)] + private static extern uint NtQueryInformationProcess(SafeHandle hProcess, uint ProcessInfoClass, out uint ProcessInfo, uint nSize, uint ReturnLength); + + [DllImport("ntdll.dll", SetLastError = true)] + private static extern uint NtQueryInformationProcess(SafeHandle hProcess, uint ProcessInfoClass, out IntPtr ProcessInfo, uint nSize, uint ReturnLength); + + [DllImport("ntdll.dll", SetLastError = true)] + private static extern uint NtQueryInformationProcess(SafeHandle hProcess, uint ProcessInfoClass, ref Structs.PROCESS_BASIC_INFORMATION ProcessInfo, uint nSize, uint ReturnLength); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern int QueryFullProcessImageNameA(SafeHandle hProcess, uint Flags, byte[] lpExeName, Int32[] lpdwSize); + + [DllImport("user32.dll", SetLastError = true)] + private static extern IntPtr GetForegroundWindow(); + + [DllImport("user32.dll", SetLastError = true)] + private static extern int GetWindowTextLengthA(IntPtr HWND); + + [DllImport("user32.dll", SetLastError = true)] + private static extern int GetWindowTextA(IntPtr HWND, StringBuilder WindowText, int nMaxCount); + + public static bool NtCloseAntiDebug_InvalidHandle() + { + try + { + NtClose((IntPtr)0x1231222L); + return false; + } + catch + { + return true; + } + } + + public static bool NtCloseAntiDebug_ProtectedHandle() + { + IntPtr hMutex = CreateMutexA(IntPtr.Zero, false, new Random().Next(0, 9999999).ToString()); + uint HANDLE_FLAG_PROTECT_FROM_CLOSE = 0x00000002; + SetHandleInformation(hMutex, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE); + try + { + NtClose(hMutex); + return false; + } + catch + { + return true; + } + } + + public static bool DebuggerIsAttached() + { + return Debugger.IsAttached; + } + + public static bool IsDebuggerPresentCheck() + { + if (IsDebuggerPresent()) + return true; + return false; + } + + public static bool NtQueryInformationProcessCheck_ProcessDebugFlags() + { + uint ProcessDebugFlags = 0; + NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 0x1F, out ProcessDebugFlags, sizeof(uint), 0); + if (ProcessDebugFlags == 0) + return true; + return false; + } + + public static bool NtQueryInformationProcessCheck_ProcessDebugPort() + { + uint DebuggerPresent = 0; + uint Size = sizeof(uint); + if (Environment.Is64BitProcess) + Size = sizeof(uint) * 2; + NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 7, out DebuggerPresent, Size, 0); + if (DebuggerPresent != 0) + return true; + return false; + } + + public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle() + { + IntPtr hDebugObject = IntPtr.Zero; + uint Size = sizeof(uint); + if (Environment.Is64BitProcess) + Size = sizeof(uint) * 2; + NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 0x1E, out hDebugObject, Size, 0); + if (hDebugObject != IntPtr.Zero) + return true; + return false; + } + + public static string AntiDebugAttach() + { + IntPtr NtdllModule = GetModuleHandle("ntdll.dll"); + IntPtr DbgUiRemoteBreakinAddress = GetProcAddress(NtdllModule, "DbgUiRemoteBreakin"); + IntPtr DbgBreakPointAddress = GetProcAddress(NtdllModule, "DbgBreakPoint"); + byte[] Int3InvaildCode = { 0xCC }; + byte[] RetCode = { 0xC3 }; + bool Status = WriteProcessMemory(Process.GetCurrentProcess().SafeHandle, DbgUiRemoteBreakinAddress, Int3InvaildCode, 1, 0); + bool Status2 = WriteProcessMemory(Process.GetCurrentProcess().SafeHandle, DbgBreakPointAddress, RetCode, 1, 0); + if (Status && Status2) + return "Success"; + return "Failed"; + } + + public static bool FindWindowAntiDebug() + { + Process[] GetProcesses = Process.GetProcesses(); + foreach (Process GetWindow in GetProcesses) + { + string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "cheat engine", "cheatengine", "ida" }; + foreach (string BadWindows in BadWindowNames) + { + if (GetWindow.MainWindowTitle.ToLower().Contains(BadWindows)) + return true; + } + } + return false; + } + + public static bool GetForegroundWindowAntiDebug() + { + string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "debug", "debugger", "cheat engine", "cheatengine", "ida" }; + IntPtr HWND = GetForegroundWindow(); + int WindowLength = GetWindowTextLengthA(HWND); + if (WindowLength != 0) + { + StringBuilder WindowName = new StringBuilder(WindowLength + 1); + GetWindowTextA(HWND, WindowName, WindowLength + 1); + foreach (string BadWindows in BadWindowNames) + { + if (WindowName.ToString().ToLower().Contains(BadWindows)) + return true; + } + } + return false; + } + + public static string HideThreadsAntiDebug() + { + try + { + bool AnyThreadFailed = false; + ProcessThreadCollection GetCurrentProcessThreads = Process.GetCurrentProcess().Threads; + foreach (ProcessThread Threads in GetCurrentProcessThreads) + { + IntPtr ThreadHandle = OpenThread(0x0020, false, Threads.Id); + if (ThreadHandle != IntPtr.Zero) + { + uint Status = NtSetInformationThread(ThreadHandle, 0x11, IntPtr.Zero, 0); + NtClose(ThreadHandle); + if (Status != 0x00000000) + AnyThreadFailed = true; + } + } + if (!AnyThreadFailed) + return "Success"; + return "Failed"; + } + catch + { + return "Failed"; + } + } + + public static bool GetTickCountAntiDebug() + { + uint Start = GetTickCount(); + return (GetTickCount() - Start) > 0x10; + } + + public static bool OutputDebugStringAntiDebug() + { + OutputDebugStringA("just testing some stuff..."); + if (Marshal.GetLastWin32Error() == 0) + return true; + return false; + } + + public static void OllyDbgFormatStringExploit() + { + OutputDebugStringA("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"); + } + + public static bool DebugBreakAntiDebug() + { + try + { + Debugger.Break(); + return false; + } + catch + { + return true; + } + } + + private static long CONTEXT_DEBUG_REGISTERS = 0x00010000L | 0x00000010L; + + public static bool HardwareRegistersBreakpointsDetection() + { + Structs.CONTEXT Context = new Structs.CONTEXT(); + Context.ContextFlags = CONTEXT_DEBUG_REGISTERS; + if (GetThreadContext(GetCurrentThread(), ref Context)) + { + if ((Context.Dr1 != 0x00 || Context.Dr2 != 0x00 || Context.Dr3 != 0x00 || Context.Dr4 != 0x00 || Context.Dr5 != 0x00 || Context.Dr6 != 0x00 || Context.Dr7 != 0x00)) + { + return true; + } + } + return false; + } + + private static string CleanPath(string Path) + { + string CleanedPath = null; + foreach (char Null in Path) + { + if (Null != '\0') + { + CleanedPath += Null; + } + } + return CleanedPath; + } + + public static bool ParentProcessAntiDebug() + { + try + { + Structs.PROCESS_BASIC_INFORMATION PBI = new Structs.PROCESS_BASIC_INFORMATION(); + uint ProcessBasicInformation = 0; + if (NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, ProcessBasicInformation, ref PBI, (uint)Marshal.SizeOf(typeof(Structs.PROCESS_BASIC_INFORMATION)), 0) == 0) + { + int ParentPID = PBI.InheritedFromUniqueProcessId.ToInt32(); + if (ParentPID != 0) + { + byte[] FileNameBuffer = new byte[256]; + Int32[] Size = new Int32[256]; + Size[0] = 256; + QueryFullProcessImageNameA(Process.GetProcessById(ParentPID).SafeHandle, 0, FileNameBuffer, Size); + string ParentFilePath = CleanPath(Encoding.UTF8.GetString(FileNameBuffer)); + string ParentFileName = Path.GetFileName(ParentFilePath); + string[] Whitelisted = { "explorer.exe", "cmd.exe" }; + foreach (string WhitelistedFileName in Whitelisted) + { + if (ParentFileName.Equals(WhitelistedFileName)) + { + return false; + } + } + return true; + } + else + { + System.Windows.Forms.MessageBox.Show("1"); + } + } + } + catch{}; + return false; + } + } +} \ No newline at end of file diff --git a/AntiCrack-DotNet/AntiDllInjection.cs b/AntiCrack-DotNet/AntiDllInjection.cs index 03dffa3..f401f4c 100644 --- a/AntiCrack-DotNet/AntiDllInjection.cs +++ b/AntiCrack-DotNet/AntiDllInjection.cs @@ -2,7 +2,6 @@ using System.Collections.Generic; using System.Linq; using System.Text; -using System.Threading.Tasks; using System.Runtime.InteropServices; using System.Diagnostics; @@ -44,7 +43,7 @@ public static string PatchLoadLibraryW() return "Failed"; } - public static string BinarySignatureMitigationAntiDllInjection() + public static string BinaryImageSignatureMitigationAntiDllInjection() { Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY OnlyMicrosoftBinaries = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY(); OnlyMicrosoftBinaries.MicrosoftSignedOnly = 1; @@ -53,4 +52,4 @@ public static string BinarySignatureMitigationAntiDllInjection() return "Failed"; } } -} +} \ No newline at end of file diff --git a/AntiCrack-DotNet/AntiVirtualization.cs b/AntiCrack-DotNet/AntiVirtualization.cs new file mode 100644 index 0000000..e0d0890 --- /dev/null +++ b/AntiCrack-DotNet/AntiVirtualization.cs @@ -0,0 +1,240 @@ +using System; +using System.Collections.Generic; +using System.Diagnostics; +using System.IO; +using System.Linq; +using System.Management; +using System.Runtime.InteropServices; +using System.ServiceProcess; +using System.Text; +using System.Threading; + +namespace AntiCrack_DotNet +{ + class AntiVirtualization + { + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr GetModuleHandle(string lib); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr GetProcAddress(IntPtr ModuleHandle, string Function); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool WriteProcessMemory(IntPtr ProcHandle, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool IsProcessCritical(IntPtr Handle, ref bool BoolToCheck); + + public static bool IsSandboxiePresent() + { + if (GetModuleHandle("SbieDll.dll").ToInt32() != 0) + return true; + return false; + } + + public static bool IsComodoSandboxPresent() + { + if (GetModuleHandle("cmdvrt32.dll").ToInt32() != 0 || GetModuleHandle("cmdvrt64.dll").ToInt32() != 0) + return true; + return false; + } + + public static bool IsQihoo360SandboxPresent() + { + if (GetModuleHandle("SxIn.dll").ToInt32() != 0) + return true; + return false; + } + + public static bool IsCuckooSandboxPresent() + { + if (GetModuleHandle("cuckoomon.dll").ToInt32() != 0) + return true; + return false; + } + + public static bool IsEmulationPresent() + { + long Tick = Environment.TickCount; + Thread.Sleep(500); + long Tick2 = Environment.TickCount; + if (((Tick2 - Tick) < 500L)) + { + return true; + } + return false; + } + + public static bool IsWinePresent() + { + IntPtr ModuleHandle = GetModuleHandle("kernel32.dll"); + if (GetProcAddress(ModuleHandle, "wine_get_unix_file_name").ToInt32() != 0) + return true; + return false; + } + + public static bool CheckForVMwareAndVirtualBox() + { + using (ManagementObjectSearcher ObjectSearcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem")) + { + using (ManagementObjectCollection ObjectItems = ObjectSearcher.Get()) + { + foreach (ManagementBaseObject Item in ObjectItems) + { + string ManufacturerString = Item["Manufacturer"].ToString().ToLower(); + string ModelName = Item["Model"].ToString(); + if ((ManufacturerString == "microsoft corporation" && ModelName.ToUpperInvariant().Contains("VIRTUAL") || ManufacturerString.Contains("vmware"))) + { + return true; + } + } + } + } + return false; + } + + public static bool CheckForKVM() + { + string[] BadDriversList = { "balloon.sys", "netkvm.sys", "vioinput", "viofs.sys", "vioser.sys" }; + foreach (string Drivers in Directory.GetFiles(Environment.GetFolderPath(Environment.SpecialFolder.System), "*")) + { + foreach (string BadDrivers in BadDriversList) + { + if (Drivers.Contains(BadDrivers)) + { + return true; + } + } + } + + return false; + } + + public static bool CheckForHyperV() + { + ServiceController[] GetServicesOnSystem = ServiceController.GetServices(); + foreach (ServiceController CompareServicesNames in GetServicesOnSystem) + { + string[] Services = { "vmbus", "VMBusHID", "hyperkbd" }; + foreach (string ServicesToCheck in Services) + { + if (CompareServicesNames.ServiceName.Contains(ServicesToCheck)) + return true; + } + } + return false; + } + + public static bool CheckForBlacklistedNames() + { + string[] BadNames = { "Johnson", "Miller", "malware", "maltest", "CurrentUser", "Sandbox", "virus", "John Doe", "test user", "sand box", "WDAGUtilityAccount" }; + string Username = Environment.UserName.ToLower(); + foreach (string BadUsernames in BadNames) + { + if (Username == BadUsernames.ToLower()) + { + return true; + } + } + return false; + } + + public static bool BadVMFilesDetection() + { + try + { + string[] BadFileNames = { "VBoxMouse.sys", "VBoxGuest.sys", "VBoxSF.sys", "VBoxVideo.sys", "vmmouse.sys", "vboxogl.dll" }; + string[] BadDirs = { @"C:\Program Files\VMware", @"C:\Program Files\oracle\virtualbox guest additions" }; + foreach (string System32File in Directory.GetFiles(Environment.GetFolderPath(Environment.SpecialFolder.System))) + { + try + { + foreach (string BadFileName in BadFileNames) + { + + if (File.Exists(System32File) && Path.GetFileName(System32File).ToLower() == BadFileName.ToLower()) + { + return true; + } + } + } + catch + { + continue; + } + } + + foreach (string BadDir in BadDirs) + { + if (Directory.Exists(BadDir.ToLower())) + { + return true; + } + } + } + catch + { + + } + return false; + } + + public static bool BadVMProcessNames() + { + try + { + string[] BadProcessNames = { "vboxservice", "VGAuthService", "vmusrvc", "qemu-ga" }; + foreach (Process Processes in Process.GetProcesses()) + { + foreach (string BadProcessName in BadProcessNames) + { + if (Processes.ProcessName == BadProcessName) + { + return true; + } + } + } + } + catch{} + return false; + } + + public static bool PortConnectionAntiVM() + { + if (new ManagementObjectSearcher("SELECT * FROM Win32_PortConnector").Get().Count == 0) + return true; + return false; + } + + public static void CrashingSandboxie() //Only use if running as x86 + { + if (!Environment.Is64BitProcess) + { + byte[] UnHookedCode = { 0xB8, 0x26, 0x00, 0x00, 0x00 }; + IntPtr NtdllModule = GetModuleHandle("ntdll.dll"); + IntPtr NtOpenProcess = GetProcAddress(NtdllModule, "NtOpenProcess"); + WriteProcessMemory(Process.GetCurrentProcess().Handle, NtOpenProcess, UnHookedCode, 5, 0); + try + { + Process[] GetProcesses = Process.GetProcesses(); + foreach (Process ProcessesHandle in GetProcesses) + { + bool DoingSomethingWithHandle = false; + try + { + IsProcessCritical(ProcessesHandle.Handle, ref DoingSomethingWithHandle); + } + catch + { + continue; + } + } + } + catch + { + + } + } + } + } +} \ No newline at end of file diff --git a/AntiCrack-DotNet/HooksDetection.cs b/AntiCrack-DotNet/HooksDetection.cs new file mode 100644 index 0000000..1591329 --- /dev/null +++ b/AntiCrack-DotNet/HooksDetection.cs @@ -0,0 +1,121 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text; +using System.Runtime.InteropServices; + +namespace AntiCrack_DotNet +{ + public class HooksDetection + { + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr GetModuleHandle(string LibraryName); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr GetProcAddress(IntPtr Module, string Function); + + public static bool DetectBadInstructionsOnCommonAntiDebuggingFunctions() + { + string[] Libraries = { "kernel32.dll", "ntdll.dll", "user32.dll", "win32u.dll" }; + string[] Kernel32AntiDebugFunctions = { "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetThreadContext", "CloseHandle", "OutputDebugStringA", "GetTickCount", "SetHandleInformation" }; + string[] NtdllAntiDebugFunctions = { "NtQueryInformationProcess", "NtSetInformationThread", "NtClose", "NtGetContextThread", "NtQuerySystemInformation" }; + string[] User32AntiDebugFunctions = { "FindWindowW", "FindWindowA", "FindWindowExW", "FindWindowExA", "GetForegroundWindow", "GetWindowTextLengthA", "GetWindowTextA", "BlockInput" }; + string[] Win32uAntiDebugFunctions = { "NtUserBlockInput", "NtUserFindWindowEx", "NtUserQueryWindow", "NtUserGetForegroundWindow" }; + foreach (string Library in Libraries) + { + IntPtr hModule = GetModuleHandle(Library); + if (hModule != IntPtr.Zero) + { + switch (Library) + { + case "kernel32.dll": + { + try + { + foreach (string AntiDebugFunction in Kernel32AntiDebugFunctions) + { + IntPtr Function = GetProcAddress(hModule, AntiDebugFunction); + byte[] FunctionBytes = new byte[1]; + Marshal.Copy(Function, FunctionBytes, 0, 1); + if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9) + { + return true; + } + } + } + catch + { + continue; + } + } + break; + case "ntdll.dll": + { + try + { + foreach (string AntiDebugFunction in NtdllAntiDebugFunctions) + { + IntPtr Function = GetProcAddress(hModule, AntiDebugFunction); + byte[] FunctionBytes = new byte[1]; + Marshal.Copy(Function, FunctionBytes, 0, 1); + if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9) + { + return true; + } + } + } + catch + { + continue; + } + } + break; + case "user32.dll": + { + try + { + foreach (string AntiDebugFunction in User32AntiDebugFunctions) + { + IntPtr Function = GetProcAddress(hModule, AntiDebugFunction); + byte[] FunctionBytes = new byte[1]; + Marshal.Copy(Function, FunctionBytes, 0, 1); + if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9) + { + return true; + } + } + } + catch + { + continue; + } + } + break; + case "win32u.dll": + { + try + { + foreach (string AntiDebugFunction in Win32uAntiDebugFunctions) + { + IntPtr Function = GetProcAddress(hModule, AntiDebugFunction); + byte[] FunctionBytes = new byte[1]; + Marshal.Copy(Function, FunctionBytes, 0, 1); + if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9) + { + return true; + } + } + } + catch + { + continue; + } + } + break; + } + } + } + return false; + } + } +} \ No newline at end of file diff --git a/AntiCrack-DotNet/OtherChecks.cs b/AntiCrack-DotNet/OtherChecks.cs new file mode 100644 index 0000000..d8a61e4 --- /dev/null +++ b/AntiCrack-DotNet/OtherChecks.cs @@ -0,0 +1,47 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text; +using System.Threading.Tasks; +using System.Runtime.InteropServices; + +namespace AntiCrack_DotNet +{ + public class OtherChecks + { + [DllImport("ntdll.dll", SetLastError = true)] + private static extern uint NtQuerySystemInformation(uint SystemInformationClass, ref Structs.SYSTEM_CODEINTEGRITY_INFORMATION SystemInformation, uint SystemInformationLength, out uint ReturnLength); + + public static bool IsUnsignedDriversAllowed() + { + Structs.SYSTEM_CODEINTEGRITY_INFORMATION CodeIntegrity = new Structs.SYSTEM_CODEINTEGRITY_INFORMATION(); + CodeIntegrity.Length = (uint)Marshal.SizeOf(typeof(Structs.SYSTEM_CODEINTEGRITY_INFORMATION)); + uint ReturnLength = 0; + if (NtQuerySystemInformation(0x67, ref CodeIntegrity, (uint)Marshal.SizeOf(CodeIntegrity), out ReturnLength) >= 0 && ReturnLength == (uint)Marshal.SizeOf(CodeIntegrity)) + { + uint CODEINTEGRITY_OPTION_ENABLED = 0x01; + if ((CodeIntegrity.CodeIntegrityOptions & CODEINTEGRITY_OPTION_ENABLED) == CODEINTEGRITY_OPTION_ENABLED) + { + return false; + } + } + return true; + } + + public static bool IsTestSignedDriversAllowed() + { + Structs.SYSTEM_CODEINTEGRITY_INFORMATION CodeIntegrity = new Structs.SYSTEM_CODEINTEGRITY_INFORMATION(); + CodeIntegrity.Length = (uint)Marshal.SizeOf(typeof(Structs.SYSTEM_CODEINTEGRITY_INFORMATION)); + uint ReturnLength = 0; + if(NtQuerySystemInformation(0x67, ref CodeIntegrity, (uint)Marshal.SizeOf(CodeIntegrity), out ReturnLength) >= 0 && ReturnLength == (uint)Marshal.SizeOf(CodeIntegrity)) + { + uint CODEINTEGRITY_OPTION_TESTSIGN = 0x02; + if ((CodeIntegrity.CodeIntegrityOptions & CODEINTEGRITY_OPTION_TESTSIGN) == CODEINTEGRITY_OPTION_TESTSIGN) + { + return true; + } + } + return false; + } + } +} \ No newline at end of file diff --git a/AntiCrack-DotNet/Program.cs b/AntiCrack-DotNet/Program.cs new file mode 100644 index 0000000..7d9c376 --- /dev/null +++ b/AntiCrack-DotNet/Program.cs @@ -0,0 +1,138 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text; +using System.Diagnostics; + +namespace AntiCrack_DotNet +{ + class Program + { + public static void DisplayCheckResult(string Text, bool Result) + { + if (Result == true) + { + Console.Write(Text); + Console.ForegroundColor = ConsoleColor.DarkRed; + Console.Write("[Bad]" + "\n\n"); + Console.ForegroundColor = ConsoleColor.White; + } + else + { + Console.Write(Text); + Console.ForegroundColor = ConsoleColor.DarkGreen; + Console.Write("[Good]" + "\n\n"); + Console.ForegroundColor = ConsoleColor.White; + } + } + + public static void DisplayCheckResult(string Text, string Result) + { + if (Result == "[Bad]" || Result == "Failed") + { + Console.Write(Text); + Console.ForegroundColor = ConsoleColor.DarkRed; + Console.Write(Result + "\n\n"); + Console.ForegroundColor = ConsoleColor.White; + } + else if (Result == "Skipped") + { + Console.Write(Text); + Console.ForegroundColor = ConsoleColor.DarkYellow; + Console.Write($"[{Result}]" + "\n\n"); + Console.ForegroundColor = ConsoleColor.White; + } + else + { + Console.Write(Text); + Console.ForegroundColor = ConsoleColor.DarkGreen; + Console.Write(Result + "\n\n"); + Console.ForegroundColor = ConsoleColor.White; + } + } + + private static void ExecuteAntiDebuggingTricks() + { + Console.WriteLine("----------------------------------Executing Anti Debugging Tricks-------------------------------------------------------"); + DisplayCheckResult("GetForegroundWindow (Looking For Bad Active Debugger Windows): ", AntiDebug.GetForegroundWindowAntiDebug()); + DisplayCheckResult("Debugger.IsAttached: ", AntiDebug.DebuggerIsAttached()); + DisplayCheckResult("Hide Threads From Debugger..... ", AntiDebug.HideThreadsAntiDebug()); + DisplayCheckResult("IsDebuggerPresent: ", AntiDebug.IsDebuggerPresentCheck()); + DisplayCheckResult("NtQueryInformationProcess ProcessDebugFlags: ", AntiDebug.NtQueryInformationProcessCheck_ProcessDebugFlags()); + DisplayCheckResult("NtQueryInformationProcess ProcessDebugPort: ", AntiDebug.NtQueryInformationProcessCheck_ProcessDebugPort()); + DisplayCheckResult("NtQueryInformationProcess ProcessDebugObjectHandle: ", AntiDebug.NtQueryInformationProcessCheck_ProcessDebugObjectHandle()); + DisplayCheckResult("NtClose (Invalid Handle): ", AntiDebug.NtCloseAntiDebug_InvalidHandle()); + DisplayCheckResult("NtClose (Protected Handle): ", AntiDebug.NtCloseAntiDebug_ProtectedHandle()); + DisplayCheckResult("Parent Process (Checking if the parent process are cmd.exe or explorer.exe): ", AntiDebug.ParentProcessAntiDebug()); + DisplayCheckResult("Hardware Registers Breakpoints Detection: ", AntiDebug.HardwareRegistersBreakpointsDetection()); + DisplayCheckResult("FindWindow (Looking For Bad Debugger Windows): ", AntiDebug.FindWindowAntiDebug()); + DisplayCheckResult("GetTickCount Anti Debug: ", "Skipped"); //it's unreliable for real anti-debug use + DisplayCheckResult("OutputDebugString Anti Debug: ", "Skipped"); //it's unreliable for real anti-debug use + DisplayCheckResult("Trying To Crash Non-Managed Debuggers with a Debugger Breakpoint..... ", "Skipped"); + //AntiDebug.DebugBreakAntiDebug(); //Not that useful, easily bypassable, and delays execution. + Console.Write("Executing OllyDbg Format String Exploit.....\n\n"); + AntiDebug.OllyDbgFormatStringExploit(); + DisplayCheckResult("Patching DbgUiRemoteBreakin and DbgBreakPoint To Prevent Debugger Attaching..... ", AntiDebug.AntiDebugAttach()); + Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n"); + } + + private static void ExecuteAntiVirtualizationTricks() + { + Console.WriteLine("----------------------------------Executing Anti Virtualization Tricks--------------------------------------------------"); + DisplayCheckResult("Checking For Sandboxie Module in Current Process: ", AntiVirtualization.IsSandboxiePresent()); + DisplayCheckResult("Checking For Comodo Sandbox Module in Current Process: ", AntiVirtualization.IsComodoSandboxPresent()); + DisplayCheckResult("Checking For Cuckoo Sandbox Module in Current Process: ", AntiVirtualization.IsCuckooSandboxPresent()); + DisplayCheckResult("Checking For Qihoo360 Sandbox Module in Current Process: ", AntiVirtualization.IsQihoo360SandboxPresent()); + DisplayCheckResult("Checking If The Program are Emulated: ", AntiVirtualization.IsEmulationPresent()); + DisplayCheckResult("Checking For Blacklisted Usernames: ", AntiVirtualization.CheckForBlacklistedNames()); + DisplayCheckResult("Checking if the Program are running under wine using dll exports detection: ", AntiVirtualization.IsWinePresent()); + DisplayCheckResult("Checking For VirtualBox and VMware: ", AntiVirtualization.CheckForVMwareAndVirtualBox()); + DisplayCheckResult("Checking For KVM: ", AntiVirtualization.CheckForKVM()); + DisplayCheckResult("Checking For HyperV: ", AntiVirtualization.CheckForHyperV()); + DisplayCheckResult("Checking For Known Bad VM File Locations: ", AntiVirtualization.BadVMFilesDetection()); + DisplayCheckResult("Checking For Known Bad Process Names: ", AntiVirtualization.BadVMProcessNames()); + DisplayCheckResult("Checking For Ports (useful to detect VMs which have no ports connected): ", AntiVirtualization.PortConnectionAntiVM()); + Console.Write("Trying To Crash Sandboxie if Present......\n\n"); + AntiVirtualization.CrashingSandboxie(); + Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n"); + } + + private static void ExecuteAntiDllInjectionTricks() + { + Console.WriteLine("----------------------------------Executing Anti Dll Injection Tricks---------------------------------------------------"); + DisplayCheckResult("Patching LoadLibraryA To Prevent Dll Injection..... ", AntiDllInjection.PatchLoadLibraryA()); + DisplayCheckResult("Patching LoadLibraryW To Prevent Dll Injection..... ", AntiDllInjection.PatchLoadLibraryW()); + DisplayCheckResult("Taking Advantage of Binary Image Signature Mitigation Policy to Prevent Non-Microsoft Binaries From Being Injected..... ", AntiDllInjection.BinaryImageSignatureMitigationAntiDllInjection()); + Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n"); + } + + private static void ExecuteOtherDetectionTricks() + { + Console.WriteLine("----------------------------------Executing Other Detection Tricks-----------------------------------------------------\n"); + DisplayCheckResult("Detecting if Unsigned Drivers are allowed to load: ", OtherChecks.IsUnsignedDriversAllowed()); + DisplayCheckResult("Detecting if Test-Signed Drivers are allowed to load: ", OtherChecks.IsTestSignedDriversAllowed()); + Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n"); + } + + private static void ExecuteHooksDetectionTricks() + { + Console.WriteLine("----------------------------------Executing Hooks Detection Tricks------------------------------------------------------"); + DisplayCheckResult("Detecting Most Anti Anti-Debugging Hooking Methods on Common Anti-Debugging Functions by checking for JMP and NOP Instructions on Functions Addresses (Most Effective on x64): ", HooksDetection.DetectBadInstructionsOnCommonAntiDebuggingFunctions()); + Console.WriteLine("------------------------------------------------------------------------------------------------------------------------\n\n"); + } + + static void Main(string[] args) + { + Console.Title = "AntiCrack DotNet"; + for (;;) + { + ExecuteAntiDebuggingTricks(); + ExecuteAntiVirtualizationTricks(); + ExecuteAntiDllInjectionTricks(); + ExecuteOtherDetectionTricks(); + ExecuteHooksDetectionTricks(); + Console.ReadLine(); + } + } + } +} \ No newline at end of file diff --git a/AntiCrack-DotNet/Structs.cs b/AntiCrack-DotNet/Structs.cs new file mode 100644 index 0000000..99c4902 --- /dev/null +++ b/AntiCrack-DotNet/Structs.cs @@ -0,0 +1,56 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Runtime.InteropServices; +using System.Text; + +namespace AntiCrack_DotNet +{ + class Structs + { + [StructLayout(LayoutKind.Sequential)] + public struct CONTEXT + { + public uint P1Home; + public uint P2Home; + public uint P3Home; + public uint P4Home; + public uint P5Home; + public uint P6Home; + public long ContextFlags; + public uint Dr0; + public uint Dr1; + public uint Dr2; + public uint Dr3; + public uint Dr4; + public uint Dr5; + public uint Dr6; + public uint Dr7; + } + + public struct PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY + { + public uint MicrosoftSignedOnly; + } + + [StructLayout(LayoutKind.Explicit)] + public struct SYSTEM_CODEINTEGRITY_INFORMATION + { + [FieldOffset(0)] + public ulong Length; + [FieldOffset(4)] + public uint CodeIntegrityOptions; + } + + [StructLayout(LayoutKind.Sequential)] + public struct PROCESS_BASIC_INFORMATION + { + internal IntPtr Reserved1; + internal IntPtr PebBaseAddress; + internal IntPtr Reserved2_0; + internal IntPtr Reserved2_1; + internal IntPtr UniqueProcessId; + internal IntPtr InheritedFromUniqueProcessId; + } + } +} \ No newline at end of file