From ade360f89d3085621480239df6e21274b3c1a38e Mon Sep 17 00:00:00 2001 From: AdvDebug <90452585+AdvDebug@users.noreply.github.com> Date: Sat, 18 Jun 2022 18:05:30 -0700 Subject: [PATCH] Add files via upload --- AntiCrack-DotNet/AntiDebug.cs | 207 +++++++++++++++++++++++++++ AntiCrack-DotNet/AntiDllInjection.cs | 56 ++++++++ AntiCrack-DotNet/Structs.cs | 31 ++++ 3 files changed, 294 insertions(+) create mode 100644 AntiCrack-DotNet/AntiDebug.cs create mode 100644 AntiCrack-DotNet/AntiDllInjection.cs create mode 100644 AntiCrack-DotNet/Structs.cs diff --git a/AntiCrack-DotNet/AntiDebug.cs b/AntiCrack-DotNet/AntiDebug.cs new file mode 100644 index 0000000..3e7d881 --- /dev/null +++ b/AntiCrack-DotNet/AntiDebug.cs @@ -0,0 +1,207 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text; +using System.Threading.Tasks; +using System.Runtime.InteropServices; +using System.Diagnostics; + +namespace AntiCrack_DotNet +{ + class AntiDebug + { + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool CloseHandle(IntPtr Handle); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool IsDebuggerPresent(); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool CheckRemoteDebuggerPresent(IntPtr Handle, ref bool CheckBool); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr GetModuleHandle(string lib); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr GetProcAddress(IntPtr ModuleHandle, string Function); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool WriteProcessMemory(IntPtr ProcHandle, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes); + + [DllImport("ntdll.dll", SetLastError = true)] + private static extern uint NtSetInformationThread(IntPtr ThreadHandle, uint ThreadInformationClass, IntPtr ThreadInformation, int ThreadInformationLength); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr OpenThread(uint DesiredAccess, bool InheritHandle, int ThreadId); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern uint GetTickCount(); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern void OutputDebugStringA(string Text); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern uint GetLastError(); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr GetCurrentThread(); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool GetThreadContext(IntPtr hThread, ref Structs.CONTEXT Context); + + [DllImport("ntdll.dll", SetLastError = true)] + private static extern uint NtQueryInformationProcess(IntPtr hProcess, uint ProcessInfoClass, out uint ProcessInfo, uint nSize, uint ReturnLength); + + [DllImport("ntdll.dll", SetLastError = true)] + private static extern uint NtQueryInformationProcess(IntPtr hProcess, uint ProcessInfoClass, out IntPtr ProcessInfo, uint nSize, uint ReturnLength); + + public static bool CloseHandleAntiDebug() + { + try + { + CloseHandle((IntPtr)0x1231222L); + return false; + } + catch (Exception ex) + { + if (ex.Message == "External component has thrown an exception.") + { + return true; + } + } + return false; + } + + public static bool DebuggerIsAttached() + { + return Debugger.IsAttached; + } + + public static bool IsDebuggerPresentCheck() + { + if (IsDebuggerPresent()) + return true; + return false; + } + + public static bool NtQueryInformationProcessCheck_ProcessDebugFlags() + { + uint ProcessDebugFlags = 0; + NtQueryInformationProcess(Process.GetCurrentProcess().Handle, 0x1F, out ProcessDebugFlags, sizeof(uint), 0); + if (ProcessDebugFlags == 0) + return true; + return false; + } + + public static bool NtQueryInformationProcessCheck_ProcessDebugPort() + { + uint DebuggerPresent = 0; + NtQueryInformationProcess(Process.GetCurrentProcess().Handle, 7, out DebuggerPresent, sizeof(uint), 0); + if (DebuggerPresent != 0) + return true; + return false; + } + + public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle() + { + IntPtr hDebugObject = IntPtr.Zero; + NtQueryInformationProcess(Process.GetCurrentProcess().Handle, 0x1E, out hDebugObject, sizeof(uint), 0); + if (hDebugObject != IntPtr.Zero) + return true; + return false; + } + + public static string PatchingDbgUiRemoteBreakin() + { + IntPtr NtdllModule = GetModuleHandle("ntdll.dll"); + IntPtr DbgUiRemoteBreakinAddress = GetProcAddress(NtdllModule, "DbgUiRemoteBreakin"); + byte[] Int3InvaildCode = { 0xCC }; + bool Status = WriteProcessMemory(Process.GetCurrentProcess().Handle, DbgUiRemoteBreakinAddress, Int3InvaildCode, 1, 0); + if (Status) + return "Success"; + return "Failed"; + } + + public static bool FindWindowAntiDebug() + { + Process[] GetProcesses = Process.GetProcesses(); + foreach (Process GetWindow in GetProcesses) + { + string[] BadWindowNames = { "x32dbg", "x64dbg", "ollydbg" }; + foreach (string BadWindows in BadWindowNames) + { + if (GetWindow.MainWindowTitle.ToLower().Contains(BadWindows)) + return true; + } + } + return false; + } + + public static string HideThreadsAntiDebug() + { + ProcessThreadCollection GetCurrentProcessThreads = Process.GetCurrentProcess().Threads; + foreach (ProcessThread Threads in GetCurrentProcessThreads) + { + IntPtr ThreadHandle = OpenThread(0x0020, false, Threads.Id); + if (ThreadHandle != IntPtr.Zero) + { + uint Status = NtSetInformationThread(ThreadHandle, 0x11, IntPtr.Zero, 0); + CloseHandle(ThreadHandle); + if (Status == 0x00000000) + return "Success"; + } + } + return "Failed"; + } + + public static bool GetTickCountAntiDebug() + { + uint Start = GetTickCount(); + string AnyJob = Process.GetCurrentProcess().MainModule.FileName; + string AnyJob2 = Process.GetCurrentProcess().PrivateMemorySize64.ToString(); + return (GetTickCount() - Start) > 2; + } + + public static bool OutputDebugStringAntiDebug() + { + OutputDebugStringA("just testing some stuff..."); + if (Marshal.GetLastWin32Error() == 0) + return true; + return false; + } + + public static void OllyDbgFormatStringExploit() + { + OutputDebugStringA("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"); + } + + public static bool DebugBreakAntiDebug() + { + try + { + Debugger.Break(); + return false; + } + catch + { + return true; + } + } + + private static long CONTEXT_DEBUG_REGISTERS = 0x00010000L | 0x00000010L; + + public static bool HardwareRegistersBreakpointsDetection() + { + Structs.CONTEXT Context = new Structs.CONTEXT(); + Context.ContextFlags = CONTEXT_DEBUG_REGISTERS; + if(GetThreadContext(GetCurrentThread(), ref Context)) + { + if ((Context.Dr1 != 0x00 || Context.Dr2 != 0x00 || Context.Dr3 != 0x00 || Context.Dr4 != 0x00 || Context.Dr5 != 0x00 || Context.Dr6 != 0x00 || Context.Dr7 != 0x00)) + { + return true; + } + } + return false; + } + } +} \ No newline at end of file diff --git a/AntiCrack-DotNet/AntiDllInjection.cs b/AntiCrack-DotNet/AntiDllInjection.cs new file mode 100644 index 0000000..03dffa3 --- /dev/null +++ b/AntiCrack-DotNet/AntiDllInjection.cs @@ -0,0 +1,56 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text; +using System.Threading.Tasks; +using System.Runtime.InteropServices; +using System.Diagnostics; + +namespace AntiCrack_DotNet +{ + class AntiDllInjection + { + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr GetModuleHandle(string lib); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern IntPtr GetProcAddress(IntPtr ModuleHandle, string Function); + + [DllImport("kernel32.dll", SetLastError = true)] + private static extern bool WriteProcessMemory(IntPtr ProcHandle, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes); + + [DllImport("kernel32.dll", SetLastError = true)] + public static extern bool SetProcessMitigationPolicy(int policy, ref Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY lpBuffer, int size); + + public static string PatchLoadLibraryA() + { + IntPtr KernelModule = GetModuleHandle("kernelbase.dll"); + IntPtr LoadLibraryA = GetProcAddress(KernelModule, "LoadLibraryA"); + byte[] HookedCode = { 0xC2, 0x04, 0x00 }; + bool Status = WriteProcessMemory(Process.GetCurrentProcess().Handle, LoadLibraryA, HookedCode, 3, 0); + if (Status) + return "Success"; + return "Failed"; + } + + public static string PatchLoadLibraryW() + { + IntPtr KernelModule = GetModuleHandle("kernelbase.dll"); + IntPtr LoadLibraryW = GetProcAddress(KernelModule, "LoadLibraryW"); + byte[] HookedCode = { 0xC2, 0x04, 0x00 }; + bool Status = WriteProcessMemory(Process.GetCurrentProcess().Handle, LoadLibraryW, HookedCode, 3, 0); + if (Status) + return "Success"; + return "Failed"; + } + + public static string BinarySignatureMitigationAntiDllInjection() + { + Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY OnlyMicrosoftBinaries = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY(); + OnlyMicrosoftBinaries.MicrosoftSignedOnly = 1; + if (SetProcessMitigationPolicy(8, ref OnlyMicrosoftBinaries, Marshal.SizeOf(typeof(Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY)))) + return "Success"; + return "Failed"; + } + } +} diff --git a/AntiCrack-DotNet/Structs.cs b/AntiCrack-DotNet/Structs.cs new file mode 100644 index 0000000..da6ac93 --- /dev/null +++ b/AntiCrack-DotNet/Structs.cs @@ -0,0 +1,31 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Runtime.InteropServices; +using System.Text; +using System.Threading.Tasks; + +namespace AntiCrack_DotNet +{ + class Structs + { + [StructLayout(LayoutKind.Sequential)] + public struct CONTEXT + { + public long ContextFlags; + public uint Dr0; + public uint Dr1; + public uint Dr2; + public uint Dr3; + public uint Dr4; + public uint Dr5; + public uint Dr6; + public uint Dr7; + } + + public struct PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY + { + public uint MicrosoftSignedOnly; + } + } +} \ No newline at end of file