From aa7751e9848d4e6798c1a52132aca60bd50f99cf Mon Sep 17 00:00:00 2001
From: AdvDebug <90452585+AdvDebug@users.noreply.github.com>
Date: Mon, 12 Aug 2024 18:33:19 +0300
Subject: [PATCH] Add files via upload
---
AntiCrack-DotNet/HooksDetection.cs | 139 +++++++++++++++++++++++------
AntiCrack-DotNet/Program.cs | 6 +-
2 files changed, 115 insertions(+), 30 deletions(-)
diff --git a/AntiCrack-DotNet/HooksDetection.cs b/AntiCrack-DotNet/HooksDetection.cs
index e3a14cd..14bdaa1 100644
--- a/AntiCrack-DotNet/HooksDetection.cs
+++ b/AntiCrack-DotNet/HooksDetection.cs
@@ -4,11 +4,13 @@
using System.Net.Sockets;
using System.Diagnostics;
using System.Runtime.InteropServices;
+using System.Net;
namespace AntiCrack_DotNet
{
public sealed class HooksDetection
{
+ public static object ProcessMethod { get; private set; }
#region WinApi
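Review bot: The added `public static object ProcessMethod { get; private set; }` is never assigned or read in any hunk of this patch, and it shares its name with the `foreach (MethodInfo ProcessMethod in ProcessMethods)` loop variable in DetectCLRHooks, so it looks like an accidental IDE quick-fix rather than intended API. The same applies to `using System.Net;`, which nothing in the visible changes uses. Both lines should probably be dropped, so the class does not expose an always-null public member. The class body continues outside this hunk.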
@@ -89,10 +91,8 @@ private static unsafe byte InternalReadByte(IntPtr ptr)
///
/// Detects hooks on common Windows API functions.
///
- /// The name of the module to check for hooks.
- /// The list of functions to check for hooks.
/// Returns true if hooks are detected, otherwise false.
- public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[] Functions)
+ public static bool DetectHooksOnCommonWinAPIFunctions()
{
string[] Libraries = { "kernel32.dll", "kernelbase.dll", "ntdll.dll", "user32.dll", "win32u.dll" };
string[] CommonKernelLibFunctions = { "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetThreadContext", "CloseHandle", "OutputDebugStringA", "GetTickCount", "SetHandleInformation" };
@@ -209,26 +209,6 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
}
}
}
- if (ModuleName != null && Functions != null)
- {
- try
- {
- foreach (string WinAPIFunction in Functions)
- {
- IntPtr hModule = LowLevelGetModuleHandle(ModuleName);
- IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
- byte FunctionByte = InternalReadByte(Function);
- if (FunctionByte == 255 || FunctionByte == 0x90 || FunctionByte == 0xE9)
- {
- return true;
- }
- }
- }
- catch
- {
-
- }
- }
return false;
}
@@ -260,15 +240,29 @@ public static bool DetectInlineHooks(string moduleName, string[] functions)
return false;
}
+ public static bool IsModule(IntPtr Address)
+ {
+ foreach (ProcessModule module in Process.GetCurrentProcess().Modules)
+ {
+ IntPtr Base = module.BaseAddress;
+ IntPtr End = IntPtr.Add(Base, module.ModuleMemorySize);
+ if (Address.ToInt64() >= Base.ToInt64() && Address.ToInt64() < End.ToInt64())
+ {
+ return true;
+ }
+ }
+ return false;
+ }
+
///
/// Detects hooks in common .NET methods.
///
/// Returns true if hooks are detected, otherwise false.
public static bool DetectCLRHooks()
{
- if (IntPtr.Size == 4)
+ try
{
- try
+ if (IntPtr.Size == 4)
{
MethodInfo[] ProcessMethods = typeof(Process).GetMethods();
MethodInfo[] AssemblyMethods = typeof(Assembly).GetMethods();
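Review bot: `IsModule` creates a new `Process` object and re-enumerates the full module list on every call, never disposes it, and is called once per candidate method from the scan loops. Snapshot the module ranges once before scanning and compare against that list, or at least scope the object with `using (Process Current = Process.GetCurrentProcess())`. The method is public and undocumented; it could be `private` with a `/// <summary>` saying it returns true when the address lies inside a loaded module image of the current process. That summary should also state the coverage limit this check implies: in the 64-bit path a jump opcode is reported only when the entry point is inside a module image, so an entry point in runtime-allocated code memory would presumably never be flagged. DetectCLRHooks continues past the end of this hunk.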
@@ -278,7 +272,8 @@ public static bool DetectCLRHooks()
MethodInfo[] StringMethods = typeof(string).GetMethods();
foreach (MethodInfo ProcessMethod in ProcessMethods)
{
- byte FirstByte = InternalReadByte(ProcessMethod.MethodHandle.GetFunctionPointer());
+ IntPtr FP = ProcessMethod.MethodHandle.GetFunctionPointer();
+ byte FirstByte = InternalReadByte(FP);
if (FirstByte == 0xE9 || FirstByte == 255)
{
return true;
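Review bot: The new `FP` local in the 32-bit branch is passed only to `InternalReadByte`, so this path still reports a hook on the first byte alone, while the 64-bit branch added later in this commit also requires `IsModule(FP)`. If the module check exists to suppress false positives from runtime stubs, it probably belongs here too, as `if ((FirstByte == 0xE9 || FirstByte == 255) && IsModule(FP))`. If the difference is deliberate, a comment such as `// x86 entry points are not stubs, so the opcode alone is enough` (once confirmed) would record why. The rest of the 32-bit loops lie outside this hunk, so whether they were changed the same way cannot be seen from here.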
@@ -332,10 +327,100 @@ public static bool DetectCLRHooks()
}
}
}
- catch
+ else if(IntPtr.Size == 8)
{
+ MethodInfo[] ProcessMethods = typeof(Process).GetMethods();
+ MethodInfo[] AssemblyMethods = typeof(Assembly).GetMethods();
+ MethodInfo[] FileMethods = typeof(File).GetMethods();
+ MethodInfo[] SocketMethods = typeof(Socket).GetMethods();
+ MethodInfo[] MarshalMethods = typeof(Marshal).GetMethods();
+ MethodInfo[] StringMethods = typeof(string).GetMethods();
+ foreach (MethodInfo ProcessMethod in ProcessMethods)
+ {
+ IntPtr FP = ProcessMethod.MethodHandle.GetFunctionPointer();
+ byte FirstByte = InternalReadByte(FP);
+ if (FirstByte == 0xE9 || FirstByte == 255)
+ {
+ if(IsModule(FP))
+ return true;
+ }
+ }
+
+ foreach (MethodInfo AssemblyMethod in AssemblyMethods)
+ {
+ IntPtr FP = AssemblyMethod.MethodHandle.GetFunctionPointer();
+ byte FirstByte = InternalReadByte(FP);
+ if (FirstByte == 0xE9 || FirstByte == 255)
+ {
+ if (IsModule(FP))
+ return true;
+ }
+ }
+ foreach (MethodInfo FileMethod in FileMethods)
+ {
+ IntPtr FP = FileMethod.MethodHandle.GetFunctionPointer();
+ byte FirstByte = InternalReadByte(FP);
+ if (FirstByte == 0xE9 || FirstByte == 255)
+ {
+ if (IsModule(FP))
+ return true;
+ }
+ }
+
+ foreach (MethodInfo SocketMethod in SocketMethods)
+ {
+ IntPtr FP = SocketMethod.MethodHandle.GetFunctionPointer();
+ byte FirstByte = InternalReadByte(FP);
+ if (FirstByte == 0xE9 || FirstByte == 255)
+ {
+ if (IsModule(FP))
+ return true;
+ }
+ }
+
+ foreach (MethodInfo MarshalMethod in MarshalMethods)
+ {
+ IntPtr FP = MarshalMethod.MethodHandle.GetFunctionPointer();
+ byte FirstByte = InternalReadByte(FP);
+ if (FirstByte == 0xE9 || FirstByte == 255)
+ {
+ if (IsModule(FP))
+ return true;
+ }
+ }
+
+ foreach (MethodInfo StringMethod in StringMethods)
+ {
+ IntPtr FP = StringMethod.MethodHandle.GetFunctionPointer();
+ byte FirstByte = InternalReadByte(FP);
+ if (FirstByte == 0xE9 || FirstByte == 255)
+ {
+ if (IsModule(FP))
+ return true;
+ }
+ }
+
+ Type[] AllTypes = Assembly.GetExecutingAssembly().GetTypes();
+ foreach (Type type in AllTypes)
+ {
+ MethodInfo[] AllMethods = type.GetMethods();
+ foreach (MethodInfo Method in AllMethods)
+ {
+ IntPtr FP = Method.MethodHandle.GetFunctionPointer();
+ byte FirstByte = InternalReadByte(FP);
+ if (FirstByte == 0xE9 || FirstByte == 255)
+ {
+ if (IsModule(FP))
+ return true;
+ }
+ }
+ }
}
+ }
+ catch
+ {
+
}
return false;
}
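Review bot: The empty `catch` at the end of the method now wraps both branches, so the first exception from any `GetFunctionPointer()` or read ends the entire scan and the method returns false, which is indistinguishable from a clean result. That can plausibly happen for methods with no native entry point (abstract or open generic ones returned by `GetTypes()` or `typeof(Marshal).GetMethods()`), so those should be skipped and failures handled per method rather than per scan. The six per-type loops and the `GetTypes()` loop repeat the same body, which one helper removes; each call site then becomes `if (HasHookedEntry(typeof(Process).GetMethods())) return true;`. DetectCLRHooks starts before this hunk.

```csharp
// helper replacing the repeated per-type loops in the 64-bit branch
private static bool HasHookedEntry(MethodInfo[] Methods)
{
    foreach (MethodInfo Method in Methods)
    {
        // these have no native entry point to inspect
        if (Method.IsAbstract || Method.ContainsGenericParameters)
            continue;
        try
        {
            IntPtr FP = Method.MethodHandle.GetFunctionPointer();
            byte FirstByte = InternalReadByte(FP);
            if ((FirstByte == 0xE9 || FirstByte == 255) && IsModule(FP))
                return true;
        }
        catch
        {
            // one uninspectable method must not end the whole scan
        }
    }
    return false;
}
```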
diff --git a/AntiCrack-DotNet/Program.cs b/AntiCrack-DotNet/Program.cs
index 55a639f..33e2dcc 100644
--- a/AntiCrack-DotNet/Program.cs
+++ b/AntiCrack-DotNet/Program.cs
@@ -149,8 +149,8 @@ private static void ExecuteOtherDetectionTricks()
private static void ExecuteHooksDetectionTricks()
{
ConsoleConfig.DisplayHeader("Executing Hooks Detection Tricks");
- ConsoleConfig.DisplayResult("Detecting Hooks on Common WinAPI Functions by checking for Bad Instructions on Functions Addresses: ", HooksDetection.DetectHooksOnCommonWinAPIFunctions(null, null), "Detects hooks on common WinAPI functions.");
- ConsoleConfig.DisplayResult("Detecting Hooks on CLR Functions (x86 only): ", HooksDetection.DetectCLRHooks(), "Detects hooks on CLR Functions.");
+ ConsoleConfig.DisplayResult("Detecting Hooks on Common WinAPI Functions by checking for Bad Instructions on Functions Addresses: ", HooksDetection.DetectHooksOnCommonWinAPIFunctions(), "Detects hooks on common WinAPI functions.");
+ ConsoleConfig.DisplayResult("Detecting Hooks on CLR Functions: ", HooksDetection.DetectCLRHooks(), "Detects hooks on CLR Functions.");
ConsoleConfig.DisplayFooter();
}
@@ -171,4 +171,4 @@ public static void Main(string[] args)
}
}
}
-}
+}
\ No newline at end of file