
Add files via upload
AdvDebug authored Jun 6, 2024
1 parent e3930b0 commit 1486361
Showing 7 changed files with 150 additions and 37 deletions.
2 changes: 1 addition & 1 deletion AntiCrack-DotNet/AntiDebug.cs
Expand Up @@ -389,4 +389,4 @@ public static bool PageGuardAntiDebug()
return false;
}
}
}
}
2 changes: 1 addition & 1 deletion AntiCrack-DotNet/AntiDllInjection.cs
Expand Up @@ -82,4 +82,4 @@ public static string SetDllLoadPolicy()
return "Failed";
}
}
}
}
2 changes: 1 addition & 1 deletion AntiCrack-DotNet/AntiVirtualization.cs
Expand Up @@ -315,4 +315,4 @@ public static bool CheckForQemu()
return false;
}
}
}
}
139 changes: 111 additions & 28 deletions AntiCrack-DotNet/HooksDetection.cs
@@ -1,9 +1,9 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.Reflection;
using System.IO;
using System.Net.Sockets;

namespace AntiCrack_DotNet
{
Expand Down Expand Up @@ -51,6 +51,20 @@ private static IntPtr LowLevelGetProcAddress(IntPtr hModule, string Function)
return FunctionHandle;
}

private static unsafe byte InternalReadByte(IntPtr ptr)
{
try
{
byte* ptr2 = (byte*)(void*)ptr;
return *ptr2;
}
catch
{

}
return 0;
}

public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[] Functions)
{
string[] Libraries = { "kernel32.dll", "kernelbase.dll", "ntdll.dll", "user32.dll", "win32u.dll" };
Expand All @@ -72,9 +86,8 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
foreach (string WinAPIFunction in CommonKernelLibFunctions)
{
IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
byte[] FunctionBytes = new byte[1];
Marshal.Copy(Function, FunctionBytes, 0, 1);
if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
byte FunctionByte = InternalReadByte(Function);
if (FunctionByte == 0x90 || FunctionByte == 0xE9)
{
return true;
}
Expand All @@ -93,9 +106,8 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
foreach (string WinAPIFunction in CommonKernelLibFunctions)
{
IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
byte[] FunctionBytes = new byte[1];
Marshal.Copy(Function, FunctionBytes, 0, 1);
if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
byte FunctionByte = InternalReadByte(Function);
if (FunctionByte == 255 || FunctionByte == 0x90 || FunctionByte == 0xE9)
{
return true;
}
Expand All @@ -114,9 +126,8 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
foreach (string WinAPIFunction in CommonNtdllFunctions)
{
IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
byte[] FunctionBytes = new byte[1];
Marshal.Copy(Function, FunctionBytes, 0, 1);
if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
byte FunctionByte = InternalReadByte(Function);
if (FunctionByte == 255 || FunctionByte == 0x90 || FunctionByte == 0xE9)
{
return true;
}
Expand All @@ -135,9 +146,8 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
foreach (string WinAPIFunction in CommonUser32Functions)
{
IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
byte[] FunctionBytes = new byte[1];
Marshal.Copy(Function, FunctionBytes, 0, 1);
if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
byte FunctionByte = InternalReadByte(Function);
if (FunctionByte == 0x90 || FunctionByte == 0xE9)
{
return true;
}
Expand All @@ -156,9 +166,8 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
foreach (string WinAPIFunction in CommonWin32uFunctions)
{
IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
byte[] FunctionBytes = new byte[1];
Marshal.Copy(Function, FunctionBytes, 0, 1);
if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
byte FunctionByte = InternalReadByte(Function);
if (FunctionByte == 255 || FunctionByte == 0x90 || FunctionByte == 0xE9)
{
return true;
}
Expand All @@ -181,22 +190,21 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
{
IntPtr hModule = LowLevelGetModuleHandle(ModuleName);
IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
byte[] FunctionBytes = new byte[1];
Marshal.Copy(Function, FunctionBytes, 0, 1);
if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
byte FunctionByte = InternalReadByte(Function);
if (FunctionByte == 255 || FunctionByte == 0x90 || FunctionByte == 0xE9)
{
return true;
}
}
}
catch
{

}
}
return false;
}

// Additional detection method
public static bool DetectInlineHooks(string moduleName, string[] functions)
{
if (moduleName != null && functions != null)
Expand All @@ -205,11 +213,10 @@ public static bool DetectInlineHooks(string moduleName, string[] functions)
{
foreach (string function in functions)
{
IntPtr moduleHandle = LowLevelGetModuleHandle(moduleName);
IntPtr functionHandle = LowLevelGetProcAddress(moduleHandle, function);
byte[] functionBytes = new byte[1];
Marshal.Copy(functionHandle, functionBytes, 0, 1);
if (functionBytes[0] == 0xCC || functionBytes[0] == 0xE9)
IntPtr hModule = LowLevelGetModuleHandle(moduleName);
IntPtr Function = LowLevelGetProcAddress(hModule, function);
byte FunctionByte = InternalReadByte(Function);
if (FunctionByte == 255 || FunctionByte == 0x90 || FunctionByte == 0xE9)
{
return true;
}
Expand All @@ -219,5 +226,81 @@ public static bool DetectInlineHooks(string moduleName, string[] functions)
}
return false;
}

public static bool DetectCLRHooks()
{
if (IntPtr.Size == 4)
{
try
{
MethodInfo[] ProcessMethods = typeof(Process).GetMethods();
MethodInfo[] AssemblyMethods = typeof(Assembly).GetMethods();
MethodInfo[] FileMethods = typeof(File).GetMethods();
MethodInfo[] SocketMethods = typeof(Socket).GetMethods();
MethodInfo[] MarshalMethods = typeof(Marshal).GetMethods();
MethodInfo[] StringMethods = typeof(string).GetMethods();
foreach (MethodInfo ProcessMethod in ProcessMethods)
{
byte FirstByte = InternalReadByte(ProcessMethod.MethodHandle.GetFunctionPointer());
if (FirstByte == 0xE9 || FirstByte == 255)
{
return true;
}
}

foreach (MethodInfo AssemblyMethod in AssemblyMethods)
{
byte FirstByte = InternalReadByte(AssemblyMethod.MethodHandle.GetFunctionPointer());
if (FirstByte == 0xE9 || FirstByte == 255)
return true;
}

foreach (MethodInfo FileMethod in FileMethods)
{
byte FirstByte = InternalReadByte(FileMethod.MethodHandle.GetFunctionPointer());
if (FirstByte == 0xE9 || FirstByte == 255)
return true;
}

foreach (MethodInfo SocketMethod in SocketMethods)
{
byte FirstByte = InternalReadByte(SocketMethod.MethodHandle.GetFunctionPointer());
if (FirstByte == 0xE9 || FirstByte == 255)
return true;
}

foreach (MethodInfo MarshalMethod in MarshalMethods)
{
byte FirstByte = InternalReadByte(MarshalMethod.MethodHandle.GetFunctionPointer());
if (FirstByte == 0xE9 || FirstByte == 255)
return true;
}

foreach (MethodInfo StringMethod in StringMethods)
{
byte FirstByte = InternalReadByte(StringMethod.MethodHandle.GetFunctionPointer());
if (FirstByte == 0xE9 || FirstByte == 255)
return true;
}

Type[] AllTypes = Assembly.GetExecutingAssembly().GetTypes();
foreach (Type type in AllTypes)
{
MethodInfo[] AllMethods = type.GetMethods();
foreach (MethodInfo Method in AllMethods)
{
byte FirstByte = InternalReadByte(Method.MethodHandle.GetFunctionPointer());
if (FirstByte == 0xE9 || FirstByte == 255)
return true;
}
}
}
catch
{

}
}
return false;
}
}
}
}
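Review bot: `InternalReadByte` at the top of the section dereferences `ptr` without checking for `IntPtr.Zero`, which is presumably what `LowLevelGetProcAddress` yields for a name that does not resolve, and on .NET Framework 4+ a bare `catch` does not intercept the resulting `AccessViolationException` unless the method is marked `[HandleProcessCorruptedStateExceptions]`, so the try/catch that replaces the `Marshal.Copy` calls offers little real protection. Add `if (ptr == IntPtr.Zero) return 0;` before the read, and consider a `TryReadByte(IntPtr ptr, out byte value)` shape so callers can distinguish a failed read from a genuine `0x00` first byte, which `return 0` currently conflates with "not hooked". In `DetectCLRHooks` the enclosing `catch { }` turns a single method whose `MethodHandle.GetFunctionPointer()` throws (open generic definitions returned by `GetMethods()` are a likely case) into an early `false` for the whole scan, indistinguishable from a clean result, so the per-method read should be the unit that is guarded rather than the entire scan. Also worth a comment on that method: on x86 `GetFunctionPointer()` may hand back a runtime precode/stub rather than JIT-compiled code, and such stubs can legitimately begin with `0xE9`, so `FirstByte == 0xE9 || FirstByte == 255` is liable to flag unhooked methods; the check should be documented as heuristic. `DetectHooksOnCommonWinAPIFunctions` begins outside the visible hunk.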
31 changes: 28 additions & 3 deletions AntiCrack-DotNet/OtherChecks.cs
@@ -1,5 +1,15 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Windows.Forms;
using System.Diagnostics;
using System.Runtime.CompilerServices;
using System.Threading;
using System.Security;
using Microsoft.Win32;

namespace AntiCrack_DotNet
Expand All @@ -15,10 +25,14 @@ public class OtherChecks
[DllImport("ntdll.dll", SetLastError = true)]
private static extern uint NtQuerySystemInformation(uint SystemInformationClass, ref Structs.SYSTEM_SECUREBOOT_INFORMATION SystemInformation, uint SystemInformationLength, out uint ReturnLength);

private static uint SystemCodeIntegrityInformation = 0x67;
[DllImport("QCall", CharSet = CharSet.Unicode)]
[SecurityCritical]
[SuppressUnmanagedCodeSecurity]
private static extern void GetExecutingAssembly(uint stackMark, IntPtr retAssembly);

public static bool IsUnsignedDriversAllowed()
{
uint SystemCodeIntegrityInformation = 0x67;
Structs.SYSTEM_CODEINTEGRITY_INFORMATION CodeIntegrityInfo = new Structs.SYSTEM_CODEINTEGRITY_INFORMATION();
CodeIntegrityInfo.Length = (uint)Marshal.SizeOf(typeof(Structs.SYSTEM_CODEINTEGRITY_INFORMATION));
uint ReturnLength = 0;
Expand All @@ -35,6 +49,7 @@ public static bool IsUnsignedDriversAllowed()

public static bool IsTestSignedDriversAllowed()
{
uint SystemCodeIntegrityInformation = 0x67;
Structs.SYSTEM_CODEINTEGRITY_INFORMATION CodeIntegrityInfo = new Structs.SYSTEM_CODEINTEGRITY_INFORMATION();
CodeIntegrityInfo.Length = (uint)Marshal.SizeOf(typeof(Structs.SYSTEM_CODEINTEGRITY_INFORMATION));
uint ReturnLength = 0;
Expand Down Expand Up @@ -77,11 +92,12 @@ public static bool IsSecureBootEnabled()
{
if (!SecureBoot.SecureBootCapable)
return false;
if (!SecureBoot.SecureBootEnabled)
if (SecureBoot.SecureBootEnabled)
return true;
}
return false;
}

public static bool IsVirtualizationBasedSecurityEnabled()
{
try
Expand Down Expand Up @@ -127,5 +143,14 @@ public static bool IsMemoryIntegrityEnabled()
}
return false;
}

public static bool IsInovkedAssembly()
{
MethodInfo Method = typeof(Assembly).GetMethod("GetExecutingAssembly");
Assembly GetCallingAssem = (Assembly)Method.Invoke(null, null);
if (GetCallingAssem.Location != Application.ExecutablePath)
return true;
return false;
}
}
}
}
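Review bot: `IsInovkedAssembly` compares `GetCallingAssem.Location != Application.ExecutablePath` with the default ordinal, case-sensitive `!=`, but Windows paths are case-insensitive and the two APIs need not agree on casing or normalization, so the check can report an invocation that did not happen; prefer `!string.Equals(System.IO.Path.GetFullPath(GetCallingAssem.Location), System.IO.Path.GetFullPath(Application.ExecutablePath), StringComparison.OrdinalIgnoreCase)`. Whether `Assembly.GetExecutingAssembly` invoked through `MethodInfo.Invoke` resolves to this assembly rather than to the reflection caller is not obvious from the code and deserves a comment stating the intent, and `Method` should be null-checked before `Invoke`. The added `[DllImport("QCall")] GetExecutingAssembly` extern is not referenced anywhere in this section and targets an internal runtime entry point rather than a public export, so if it is unused it should be removed, otherwise its purpose documented. The method name `IsInovkedAssembly` is a typo for `IsInvokedAssembly` and is already referenced from Program.cs, so rename both together. The duplicated `uint SystemCodeIntegrityInformation = 0x67;` in the two code-integrity methods could become one `private const uint SystemCodeIntegrityInformation = 0x67;`, and `IsMemoryIntegrityEnabled` begins outside the visible hunk.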
9 changes: 7 additions & 2 deletions AntiCrack-DotNet/Program.cs
Expand Up @@ -105,6 +105,7 @@ private static void ExecuteAntiVirtualizationTricks()
{
ConsoleConfig.DisplayHeader("Executing Anti Virtualization Tricks");
ConsoleConfig.DisplayResult("Checking For Triage: ", AntiVirtualization.TriageCheck(), "Checks if Triage is present through disk.");
ConsoleConfig.DisplayResult("Checking For Qemu: ", AntiVirtualization.CheckForQemu(), "Checks if running under Qemu.");
ConsoleConfig.DisplayResult("Checking For Sandboxie Module in Current Process: ", AntiVirtualization.IsSandboxiePresent(), "Checks if Sandboxie is present.");
ConsoleConfig.DisplayResult("Checking For Comodo Sandbox Module in Current Process: ", AntiVirtualization.IsComodoSandboxPresent(), "Checks if Comodo Sandbox is present.");
ConsoleConfig.DisplayResult("Checking For Cuckoo Sandbox Module in Current Process: ", AntiVirtualization.IsCuckooSandboxPresent(), "Checks if Cuckoo Sandbox is present.");
Expand All @@ -127,8 +128,8 @@ private static void ExecuteAntiVirtualizationTricks()
private static void ExecuteAntiDllInjectionTricks()
{
ConsoleConfig.DisplayHeader("Executing Anti DLL Injection Tricks");
ConsoleConfig.DisplayResult("Patching and Changing LoadLibraryA Page Protection To Prevent DLL Injection..... ", AntiDllInjection.PatchLoadLibraryA(), "Patches LoadLibraryA to prevent DLL injection.");
ConsoleConfig.DisplayResult("Patching and Changing LoadLibraryW Page Protection To Prevent DLL Injection..... ", AntiDllInjection.PatchLoadLibraryW(), "Patches LoadLibraryW to prevent DLL injection.");
ConsoleConfig.DisplayResult("Patching LoadLibraryA To Prevent DLL Injection..... ", AntiDllInjection.PatchLoadLibraryA(), "Patches LoadLibraryA to prevent DLL injection.");
ConsoleConfig.DisplayResult("Patching LoadLibraryW To Prevent DLL Injection..... ", AntiDllInjection.PatchLoadLibraryW(), "Patches LoadLibraryW to prevent DLL injection.");
ConsoleConfig.DisplayResult("Taking Advantage of Binary Image Signature Mitigation Policy to Prevent Non-Microsoft Binaries From Being Injected..... ", AntiDllInjection.BinaryImageSignatureMitigationAntiDllInjection(), "Enforces binary image signature mitigation policy.");
ConsoleConfig.DisplayResult("Checking if any injected libraries are present (simple DLL path whitelist check): ", AntiDllInjection.IsInjectedLibrary(), "Checks for injected libraries.");
ConsoleConfig.DisplayFooter();
Expand All @@ -141,13 +142,17 @@ private static void ExecuteOtherDetectionTricks()
ConsoleConfig.DisplayResult("Detecting if Test-Signed Drivers are Allowed to Load: ", OtherChecks.IsTestSignedDriversAllowed(), "Checks if test-signed drivers are allowed.");
ConsoleConfig.DisplayResult("Detecting if Kernel Debugging is Enabled on the System: ", OtherChecks.IsKernelDebuggingEnabled(), "Checks if kernel debugging is enabled.");
ConsoleConfig.DisplayResult("Detecting if Secure Boot is Enabled on the System: ", OtherChecks.IsSecureBootEnabled(), "Checks if secure boot is enabled.");
ConsoleConfig.DisplayResult("Detecting if Virtualization-Based Security is Enabled: ", OtherChecks.IsVirtualizationBasedSecurityEnabled(), "Checks if VBS is enabled.");
ConsoleConfig.DisplayResult("Detecting if Memory Integrity Protection is Enabled: ", OtherChecks.IsMemoryIntegrityEnabled(), "Checks if Memory Integrity is enabled.");
ConsoleConfig.DisplayResult("Detecting if the current assembly has been invoked by another one: ", OtherChecks.IsInovkedAssembly(), "Checks if assembly has been invoked.");
ConsoleConfig.DisplayFooter();
}

private static void ExecuteHooksDetectionTricks()
{
ConsoleConfig.DisplayHeader("Executing Hooks Detection Tricks");
ConsoleConfig.DisplayResult("Detecting Hooks on Common WinAPI Functions by checking for Bad Instructions on Functions Addresses (Most Effective on x64): ", HooksDetection.DetectHooksOnCommonWinAPIFunctions(null, null), "Detects hooks on common WinAPI functions.");
ConsoleConfig.DisplayResult("Detecting Hooks on CLR Functions (x86 only): ", HooksDetection.DetectCLRHooks(), "Detects hooks on CLR Functions.");
ConsoleConfig.DisplayFooter();
}

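Review bot: The new `DetectCLRHooks()` line in `ExecuteHooksDetectionTricks` reports a result on every platform, yet the method (in HooksDetection.cs in this same commit) returns `false` unconditionally when `IntPtr.Size != 4`, so a 64-bit run prints a reassuring negative for a check that never executed. Consider gating the call, `if (IntPtr.Size == 4) ConsoleConfig.DisplayResult("Detecting Hooks on CLR Functions (x86 only): ", HooksDetection.DetectCLRHooks(), "Detects hooks on CLR Functions.");`, or having the display layer show the check as skipped. The `OtherChecks.IsInovkedAssembly()` call carries the typo from its declaration; rename together with the method. `ExecuteOtherDetectionTricks` starts outside the visible hunk.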
2 changes: 1 addition & 1 deletion AntiCrack-DotNet/Structs.cs
Expand Up @@ -102,4 +102,4 @@ public struct SYSTEM_INFO
public ushort ProcessorRevision;
}
}
}
}
