Add files via upload
AdvDebug authored Dec 3, 2024
1 parent 4a3b93a commit 8978e84
Showing 12 changed files with 950 additions and 244 deletions.
12 changes: 11 additions & 1 deletion AntiCrack-DotNet/AntiCrack-DotNet.csproj
Expand Up @@ -30,7 +30,7 @@
<BootstrapperEnabled>true</BootstrapperEnabled>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>x64</PlatformTarget>
<PlatformTarget>x86</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
Expand All @@ -52,6 +52,14 @@
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<PropertyGroup>
<TargetZone>LocalIntranet</TargetZone>
</PropertyGroup>
<PropertyGroup>
<GenerateManifests>false</GenerateManifests>
</PropertyGroup>
<PropertyGroup />
<PropertyGroup />
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Management" />
Expand All @@ -68,6 +76,8 @@
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
<Compile Include="Structs.cs" />
<Compile Include="Syscalls.cs" />
<Compile Include="Utils.cs" />
</ItemGroup>
<ItemGroup>
<None Include="App.config" />
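Review bot: The `<TargetZone>LocalIntranet</TargetZone>` and `<GenerateManifests>false</GenerateManifests>` groups and the two empty `<PropertyGroup />` elements in the second hunk look like residue from the Visual Studio Security/Publish property pages rather than intended build settings. TargetZone describes a ClickOnce partial-trust zone, which sits oddly with a project that sets `AllowUnsafeBlocks` and, judging by the other files in this commit, relies on P/Invoke; with manifest generation turned off it likely has no effect. I would drop these four groups, or keep only what is needed with a comment such as `<!-- ClickOnce manifests are not used -->`. Separately, the Debug|AnyCPU group pins `PlatformTarget` to a single architecture, which deserves a one-line comment if the newly added Syscalls.cs is architecture-specific (not visible here).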
16 changes: 16 additions & 0 deletions AntiCrack-DotNet/AntiCrack-DotNet.csproj.user
@@ -0,0 +1,16 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
<EnableUnmanagedDebugging>true</EnableUnmanagedDebugging>
</PropertyGroup>
<PropertyGroup>
<PublishUrlHistory>publish\</PublishUrlHistory>
<InstallUrlHistory />
<SupportUrlHistory />
<UpdateUrlHistory />
<BootstrapperUrlHistory />
<ErrorReportUrlHistory />
<FallbackCulture>en-US</FallbackCulture>
<VerifyUploadedFiles>false</VerifyUploadedFiles>
</PropertyGroup>
</Project>
117 changes: 84 additions & 33 deletions AntiCrack-DotNet/AntiDebug.cs
Expand Up @@ -4,6 +4,9 @@
using System.Threading;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;
using System.Net;
using System.Security.Cryptography;

namespace AntiCrack_DotNet
{
Expand Down Expand Up @@ -62,8 +65,8 @@ internal sealed class AntiDebug
[DllImport("kernelbase.dll", SetLastError = true)]
private static extern int QueryFullProcessImageNameA(SafeHandle hProcess, uint Flags, byte[] lpExeName, Int32[] lpdwSize);

[DllImport("user32.dll", SetLastError = true)]
private static extern IntPtr GetForegroundWindow();
[DllImport("win32u.dll", SetLastError = true)]
private static extern IntPtr NtUserGetForegroundWindow();

[DllImport("user32.dll", SetLastError = true)]
private static extern int GetWindowTextLengthA(IntPtr HWND);
Expand Down Expand Up @@ -93,13 +96,19 @@ internal sealed class AntiDebug

/// <summary>
/// Attempts to close an invalid handle to detect debugger presence.
/// <param name="Syscall">specifies if we should use syscall to call the WinAPI functions.</param>
/// </summary>
/// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
public static bool NtCloseAntiDebug_InvalidHandle()
public static bool NtCloseAntiDebug_InvalidHandle(bool Syscall)
{
try
{
NtClose((IntPtr)0x1231222L);
int RandomInt = new Random().Next(int.MinValue, int.MaxValue);
IntPtr RandomIntPtr = new IntPtr(RandomInt);
if (Syscall)
Syscalls.SyscallNtClose(RandomIntPtr);
else
NtClose(RandomIntPtr);
return false;
}
catch
Expand All @@ -110,17 +119,22 @@ public static bool NtCloseAntiDebug_InvalidHandle()

/// <summary>
/// Attempts to close a protected handle to detect debugger presence.
/// <param name="Syscall">specifies if we should use syscall to call the WinAPI functions.</param>
/// </summary>
/// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
public static bool NtCloseAntiDebug_ProtectedHandle()
public static bool NtCloseAntiDebug_ProtectedHandle(bool Syscall)
{
IntPtr hMutex = CreateMutexA(IntPtr.Zero, false, new Random().Next(0, 9999999).ToString());
string RandomMutexName = new Random().Next(int.MinValue, int.MaxValue).ToString();
IntPtr hMutex = CreateMutexA(IntPtr.Zero, false, RandomMutexName);
uint HANDLE_FLAG_PROTECT_FROM_CLOSE = 0x00000002;
SetHandleInformation(hMutex, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);
bool Result = false;
try
{
NtClose(hMutex);
if (Syscall)
Syscalls.SyscallNtClose(hMutex);
else
NtClose(hMutex);
Result = false;
}
catch
Expand Down Expand Up @@ -153,45 +167,62 @@ public static bool IsDebuggerPresentCheck()
}

/// <summary>
/// Checks if the process has debug flags set using NtQueryInformationProcess.
/// Checks if the process has debug flags set using NtQueryInformationProcess
/// <param name="Syscall">specifies if we should use syscall to call the WinAPI functions.</param>
/// </summary>
/// <returns>Returns true if debug flags are set, otherwise false.</returns>
public static bool NtQueryInformationProcessCheck_ProcessDebugFlags()
public static bool NtQueryInformationProcessCheck_ProcessDebugFlags(bool Syscall)
{
uint ProcessDebugFlags = 0;
NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 0x1F, out ProcessDebugFlags, sizeof(uint), 0);
uint Class = 0x1F;
uint Size = sizeof(uint);
uint Result = 0;
if (Syscall)
Syscalls.SyscallNtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, Class, out ProcessDebugFlags, Size, out Result);
else
NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 0x1F, out ProcessDebugFlags, sizeof(uint), 0);
if (ProcessDebugFlags == 0)
return true;
return false;
}

/// <summary>
/// Checks if the process has a debug port using NtQueryInformationProcess.
/// <param name="Syscall">specifies if we should use syscalls to call the WinAPI functions.</param>.
/// </summary>
/// <returns>Returns true if a debug port is detected, otherwise false.</returns>
public static bool NtQueryInformationProcessCheck_ProcessDebugPort()
public static bool NtQueryInformationProcessCheck_ProcessDebugPort(bool Syscall)
{
uint DebuggerPresent = 0;
uint Size = sizeof(uint);
if (Environment.Is64BitProcess)
Size = sizeof(uint) * 2;
NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 7, out DebuggerPresent, Size, 0);
uint Result = 0;
if(Syscall)
Syscalls.SyscallNtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 7, out DebuggerPresent, Size, out Result);
else
NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 7, out DebuggerPresent, Size, 0);
if (DebuggerPresent != 0)
return true;
return false;
}

/// <summary>
/// Checks if the process has a debug object handle using NtQueryInformationProcess.
/// <param name="Syscall">specifies if we should use syscall to call the WinAPI functions.</param>
/// </summary>
/// <returns>Returns true if a debug object handle is detected, otherwise false.</returns>
public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle()
public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle(bool Syscall)
{
IntPtr hDebugObject = IntPtr.Zero;
uint Size = sizeof(uint);
if (Environment.Is64BitProcess)
Size = sizeof(uint) * 2;
NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 0x1E, out hDebugObject, Size, 0);

if (Syscall)
Syscalls.SyscallNtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 0x1E, out hDebugObject, Size, 0);
else
NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 0x1E, out hDebugObject, Size, 0);
if (hDebugObject != IntPtr.Zero)
return true;
return false;
Expand Down Expand Up @@ -221,18 +252,31 @@ public static string AntiDebugAttach()
/// <returns>Returns true if a known debugger window is detected, otherwise false.</returns>
public static bool FindWindowAntiDebug()
{
string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "cheat engine", "cheatengine", "ida" };
Process[] GetProcesses = Process.GetProcesses();
foreach (Process GetWindow in GetProcesses)
{
string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "cheat engine", "cheatengine", "ida" };
foreach (string BadWindows in BadWindowNames)
try
{
if (GetWindow.MainWindowTitle.ToLower().Contains(BadWindows))
if (GetWindow.MainWindowHandle != IntPtr.Zero)
{
GetWindow.Close();
return true;
string title = GetWindow.MainWindowTitle;
if (string.IsNullOrEmpty(title)) continue;

foreach (string BadWindows in BadWindowNames)
{
if (title.IndexOf(BadWindows, StringComparison.OrdinalIgnoreCase) >= 0)
{
GetWindow.Close();
return true;
}
}
}
}
catch
{
continue;
}
}
return false;
}
Expand All @@ -241,10 +285,10 @@ public static bool FindWindowAntiDebug()
/// Checks if the foreground window belongs to a known debugger.
/// </summary>
/// <returns>Returns true if a known debugger window is detected, otherwise false.</returns>
public static bool GetForegroundWindowAntiDebug()
public static bool NtUserGetForegroundWindowAntiDebug()
{
string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "debug", "debugger", "cheat engine", "cheatengine", "ida" };
IntPtr HWND = GetForegroundWindow();
IntPtr HWND = NtUserGetForegroundWindow();
if (HWND != IntPtr.Zero)
{
int WindowLength = GetWindowTextLengthA(HWND);
Expand All @@ -254,7 +298,7 @@ public static bool GetForegroundWindowAntiDebug()
GetWindowTextA(HWND, WindowName, WindowLength + 1);
foreach (string BadWindows in BadWindowNames)
{
if (WindowName.ToString().ToLower().Contains(BadWindows))
if (Utils.Contains(WindowName.ToString().ToLower(), BadWindows))
{
return true;
}
Expand Down Expand Up @@ -353,16 +397,21 @@ public static bool HardwareRegistersBreakpointsDetection()
{
Structs.CONTEXT Context = new Structs.CONTEXT();
Context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
IntPtr CurrentThread = GetCurrentThread();
if (GetThreadContext(CurrentThread, ref Context))
foreach (ProcessThread Threads in Process.GetCurrentProcess().Threads)
{
if ((Context.Dr1 != 0x00 || Context.Dr2 != 0x00 || Context.Dr3 != 0x00 || Context.Dr4 != 0x00 || Context.Dr5 != 0x00 || Context.Dr6 != 0x00 || Context.Dr7 != 0x00))
uint THREAD_GET_CONTEXT = 0x0008;
uint THREAD_QUERY_INFORMATION = 0x0040;
IntPtr hThread = OpenThread(THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION, false, Threads.Id);
if (GetThreadContext(hThread, ref Context))
{
NtClose(CurrentThread);
return true;
if ((Context.Dr1 != 0x00 || Context.Dr2 != 0x00 || Context.Dr3 != 0x00 || Context.Dr6 != 0x00 || Context.Dr7 != 0x00))
{
NtClose(hThread);
return true;
}
}
NtClose(hThread);
}
NtClose(CurrentThread);
return false;
}

Expand All @@ -386,15 +435,17 @@ private static string CleanPath(string Path)

/// <summary>
/// Checks if the parent process is a debugger by querying process information.
/// <param name="Syscall">specifies if we should use syscall to call the WinAPI functions.</param>
/// </summary>
/// <returns>Returns true if the parent process is a debugger, otherwise false.</returns>
public static bool ParentProcessAntiDebug()
public static bool ParentProcessAntiDebug(bool Syscall)
{
try
{
Structs.PROCESS_BASIC_INFORMATION PBI = new Structs.PROCESS_BASIC_INFORMATION();
uint ProcessBasicInformation = 0;
if (NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, ProcessBasicInformation, ref PBI, (uint)Marshal.SizeOf(typeof(Structs.PROCESS_BASIC_INFORMATION)), 0) == 0)
uint Result = Syscall ? Syscalls.SyscallNtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, ProcessBasicInformation, ref PBI, (uint)Marshal.SizeOf(typeof(Structs.PROCESS_BASIC_INFORMATION)), 0) : NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, ProcessBasicInformation, ref PBI, (uint)Marshal.SizeOf(typeof(Structs.PROCESS_BASIC_INFORMATION)), 0);
if (Result == 0)
{
int ParentPID = PBI.InheritedFromUniqueProcessId.ToInt32();
if (ParentPID != 0)
Expand Down Expand Up @@ -432,7 +483,8 @@ public static bool NtSetDebugFilterStateAntiDebug()
return true;
}

delegate int ExecutionDelegate();
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
private delegate int ExecutionDelegate();

/// <summary>
/// Uses page guard to detect debugger presence by executing a function pointer.
Expand Down Expand Up @@ -471,5 +523,4 @@ public static bool PageGuardAntiDebug()
return false;
}
}

}
}
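Review bot: In NtQueryInformationProcessCheck_ProcessDebugFlags the status returned by the query is discarded on both the syscall and the P/Invoke branch, so a failed call leaves `ProcessDebugFlags` at its initial 0 and the method returns true, i.e. reports a debugger. ParentProcessAntiDebug in this same section already captures the status and tests it; the same shape would work here, e.g. `uint Status = Syscall ? Syscalls.SyscallNtQueryInformationProcess(...) : NtQueryInformationProcess(...);` followed by `if (Status != 0) return false;`. The ProcessDebugPort and ProcessDebugObjectHandle checks ignore the status as well, though there a failure falls through to false. The `Class` and `Size` locals are used only on the syscall branch while the else branch repeats the literals `0x1F` and `sizeof(uint)`; using the locals on both branches keeps the two paths from drifting apart. The new `<param name="Syscall">` tags are also nested inside `<summary>` and should follow the closing `</summary>` so the XML documentation is well-formed.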
46 changes: 1 addition & 45 deletions AntiCrack-DotNet/AntiDllInjection.cs
Expand Up @@ -23,50 +23,6 @@ internal sealed class AntiDllInjection

#endregion


/// <summary>
/// Patches the LoadLibraryA function to prevent DLL injection.
/// </summary>
/// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
public static string PatchLoadLibraryA()
{
IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
IntPtr LoadLibraryA = GetProcAddress(KernelModule, "LoadLibraryA");
byte[] HookedCode = { 0xC2, 0x04, 0x00 };
bool Status = WriteProcessMemory(Process.GetCurrentProcess().SafeHandle, LoadLibraryA, HookedCode, 3, 0);
if (Status)
return "Success";
return "Failed";
}

/// <summary>
/// Patches the LoadLibraryW function to prevent DLL injection.
/// </summary>
/// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
public static string PatchLoadLibraryW()
{
IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
IntPtr LoadLibraryW = GetProcAddress(KernelModule, "LoadLibraryW");
byte[] HookedCode = { 0xC2, 0x04, 0x00 };
bool Status = WriteProcessMemory(Process.GetCurrentProcess().SafeHandle, LoadLibraryW, HookedCode, 3, 0);
if (Status)
return "Success";
return "Failed";
}

/// <summary>
/// Enables the binary image signature mitigation policy to only allow Microsoft-signed binaries.
/// </summary>
/// <returns>Returns "Success" if the policy was set successfully, otherwise "Failed".</returns>
public static string BinaryImageSignatureMitigationAntiDllInjection()
{
Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY OnlyMicrosoftBinaries = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY();
OnlyMicrosoftBinaries.MicrosoftSignedOnly = 1;
if (SetProcessMitigationPolicy(8, ref OnlyMicrosoftBinaries, Marshal.SizeOf(typeof(Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY))))
return "Success";
return "Failed";
}

/// <summary>
/// Checks if there are any injected libraries in the current process.
/// </summary>
Expand Down Expand Up @@ -98,7 +54,7 @@ public static string SetDllLoadPolicy()
{
MicrosoftSignedOnly = 1
};
if (SetProcessMitigationPolicy(0x10, ref policy, Marshal.SizeOf(policy)))
if (SetProcessMitigationPolicy(8, ref policy, Marshal.SizeOf(policy)))
return "Success";
return "Failed";
}
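Review bot: The policy selector passed to SetProcessMitigationPolicy in the last hunk is a bare numeric literal, and the fact that this line had to change at all shows how easy a wrong value is to miss. A named constant such as `private const int ProcessSignaturePolicy = 8;` would tie the selector to the binary-signature policy struct that the `MicrosoftSignedOnly` field suggests is being passed. On failure the method returns only "Failed"; including `Marshal.GetLastWin32Error()` in a log line would tell the caller why the policy was not applied, assuming the DllImport declares `SetLastError = true`, which is not visible here. SetDllLoadPolicy begins outside the hunk, so the declaration of `policy` could not be checked.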