
Commit 06581bf

authored
Add files via upload
1 parent 91872f7 commit 06581bf


7 files changed

+282
-78
lines changed


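--- a/AntiCrack-DotNet/AntiDebug.cs
+++ b/AntiCrack-DotNet/AntiDebug.cs
@@ -5,51 +5,53 @@
 using System.Runtime.InteropServices;
 using System.Diagnostics;
 using System.IO;
+using System.Threading;
+using static System.Net.WebRequestMethods;
+using System.Windows.Forms;
+using System.ServiceProcess;
+using System.Runtime.CompilerServices;
 
 namespace AntiCrack_DotNet
 {
 class AntiDebug
 {
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 private static extern bool SetHandleInformation(IntPtr hObject, uint dwMask, uint dwFlags);
 
 [DllImport("ntdll.dll", SetLastError = true)]
 private static extern bool NtClose(IntPtr Handle);
 
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 private static extern IntPtr CreateMutexA(IntPtr lpMutexAttributes, bool bInitialOwner, string lpName);
 
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 private static extern bool IsDebuggerPresent();
 
-[DllImport("kernel32.dll", SetLastError = true)]
-private static extern bool CheckRemoteDebuggerPresent(IntPtr Handle, ref bool CheckBool);
-
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 private static extern IntPtr GetModuleHandle(string lib);
 
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 private static extern IntPtr GetProcAddress(IntPtr ModuleHandle, string Function);
 
-[DllImport("kernel32.dll", SetLastError = true)]
-private static extern bool WriteProcessMemory(SafeHandle ProcHandle, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes);
+[DllImport("kernelbase.dll", SetLastError = true)]
+private static extern bool WriteProcessMemory(SafeHandle hProcess, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes);
+
+[DllImport("kernelbase.dll", SetLastError = true)]
+private static extern bool ReadProcessMemory(SafeHandle hProcess, IntPtr BaseAddress, out byte[] Buffer, uint size, out int NumOfBytes);
 
 [DllImport("ntdll.dll", SetLastError = true)]
 private static extern uint NtSetInformationThread(IntPtr ThreadHandle, uint ThreadInformationClass, IntPtr ThreadInformation, int ThreadInformationLength);
 
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 private static extern IntPtr OpenThread(uint DesiredAccess, bool InheritHandle, int ThreadId);
 
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 private static extern uint GetTickCount();
 
-[DllImport("kernel32.dll", SetLastError = true)]
-private static extern void OutputDebugStringA(string Text);
-
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 private static extern IntPtr GetCurrentThread();
 
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 private static extern bool GetThreadContext(IntPtr hThread, ref Structs.CONTEXT Context);
 
 [DllImport("ntdll.dll", SetLastError = true)]
@@ -61,7 +63,7 @@ class AntiDebug
 [DllImport("ntdll.dll", SetLastError = true)]
 private static extern uint NtQueryInformationProcess(SafeHandle hProcess, uint ProcessInfoClass, ref Structs.PROCESS_BASIC_INFORMATION ProcessInfo, uint nSize, uint ReturnLength);
 
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 private static extern int QueryFullProcessImageNameA(SafeHandle hProcess, uint Flags, byte[] lpExeName, Int32[] lpdwSize);
 
 [DllImport("user32.dll", SetLastError = true)]
@@ -73,6 +75,24 @@ class AntiDebug
 [DllImport("user32.dll", SetLastError = true)]
 private static extern int GetWindowTextA(IntPtr HWND, StringBuilder WindowText, int nMaxCount);
 
+[DllImport("ntdll.dll", SetLastError = true)]
+private static extern uint NtSetDebugFilterState(ulong ComponentId, uint Level, bool State);
+
+[DllImport("kernelbase.dll", SetLastError = true)]
+private static extern void GetSystemInfo(out Structs.SYSTEM_INFO lpSystemInfo);
+
+[DllImport("kernelbase.dll", SetLastError = true)]
+private static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+
+[DllImport("ntdll.dll", SetLastError = true)]
+private static extern IntPtr memset(IntPtr Dst, int val, uint size);
+
+[DllImport("kernelbase.dll", SetLastError = true)]
+private static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);
+
+[DllImport("kernelbase.dll", SetLastError = true)]
+private static extern bool VirtualFree(IntPtr lpAddress, uint dwSize,uint dwFreeType);
+
 public static bool NtCloseAntiDebug_InvalidHandle()
 {
 try
@@ -91,15 +111,19 @@ public static bool NtCloseAntiDebug_ProtectedHandle()
 IntPtr hMutex = CreateMutexA(IntPtr.Zero, false, new Random().Next(0, 9999999).ToString());
 uint HANDLE_FLAG_PROTECT_FROM_CLOSE = 0x00000002;
 SetHandleInformation(hMutex, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);
+bool Result = false;
 try
 {
 NtClose(hMutex);
-return false;
+Result = false;
 }
 catch
 {
-return true;
+Result = true;
 }
+SetHandleInformation(hMutex, HANDLE_FLAG_PROTECT_FROM_CLOSE, 0);
+NtClose(hMutex);
+return Result;
 }
 
 public static bool DebuggerIsAttached()
@@ -170,7 +194,10 @@ public static bool FindWindowAntiDebug()
 foreach (string BadWindows in BadWindowNames)
 {
 if (GetWindow.MainWindowTitle.ToLower().Contains(BadWindows))
+{
+GetWindow.Close();
 return true;
+}
 }
 }
 return false;
@@ -180,15 +207,20 @@ public static bool GetForegroundWindowAntiDebug()
 {
 string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "debug", "debugger", "cheat engine", "cheatengine", "ida" };
 IntPtr HWND = GetForegroundWindow();
-int WindowLength = GetWindowTextLengthA(HWND);
-if (WindowLength != 0)
+if (HWND != IntPtr.Zero)
 {
-StringBuilder WindowName = new StringBuilder(WindowLength + 1);
-GetWindowTextA(HWND, WindowName, WindowLength + 1);
-foreach (string BadWindows in BadWindowNames)
+int WindowLength = GetWindowTextLengthA(HWND);
+if (WindowLength != 0)
 {
-if (WindowName.ToString().ToLower().Contains(BadWindows))
-return true;
+StringBuilder WindowName = new StringBuilder(WindowLength + 1);
+GetWindowTextA(HWND, WindowName, WindowLength + 1);
+foreach (string BadWindows in BadWindowNames)
+{
+if (WindowName.ToString().ToLower().Contains(BadWindows))
+{
+return true;
+}
+}
 }
 }
 return false;
@@ -224,20 +256,20 @@ public static string HideThreadsAntiDebug()
 public static bool GetTickCountAntiDebug()
 {
 uint Start = GetTickCount();
+Thread.Sleep(0x10);
 return (GetTickCount() - Start) > 0x10;
 }
-
 public static bool OutputDebugStringAntiDebug()
 {
-OutputDebugStringA("just testing some stuff...");
+Debugger.Log(0, null, "just testing some stuff...");
 if (Marshal.GetLastWin32Error() == 0)
 return true;
 return false;
 }
 
 public static void OllyDbgFormatStringExploit()
 {
-OutputDebugStringA("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");
+Debugger.Log(0, null, "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");
 }
 
 public static bool DebugBreakAntiDebug()
@@ -259,16 +291,18 @@ public static bool HardwareRegistersBreakpointsDetection()
 {
 Structs.CONTEXT Context = new Structs.CONTEXT();
 Context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
-if (GetThreadContext(GetCurrentThread(), ref Context))
+IntPtr CurrentThread = GetCurrentThread();
+if (GetThreadContext(CurrentThread, ref Context))
 {
 if ((Context.Dr1 != 0x00 || Context.Dr2 != 0x00 || Context.Dr3 != 0x00 || Context.Dr4 != 0x00 || Context.Dr5 != 0x00 || Context.Dr6 != 0x00 || Context.Dr7 != 0x00))
 {
+NtClose(CurrentThread);
 return true;
 }
 }
+NtClose(CurrentThread);
 return false;
 }
-
 private static string CleanPath(string Path)
 {
 string CleanedPath = null;
@@ -314,5 +348,46 @@ public static bool ParentProcessAntiDebug()
 catch{};
 return false;
 }
+
+public static bool NtSetDebugFilterStateAntiDebug()
+{
+if (NtSetDebugFilterState(0, 0, true) != 0)
+return false;
+return true;
+}
+
+delegate int ExecutionDelegate();
+public static bool PageGuardAntiDebug()
+{
+Structs.SYSTEM_INFO SysInfo = new Structs.SYSTEM_INFO();
+GetSystemInfo(out SysInfo);
+uint MEM_COMMIT = 0x00001000;
+uint MEM_RESERVE = 0x00002000;
+uint PAGE_EXECUTE_READWRITE = 0x40;
+uint PAGE_GUARD = 0x100;
+uint MEM_RELEASE = 0x00008000;
+IntPtr AllocatedSpace = VirtualAlloc(IntPtr.Zero, SysInfo.PageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+if (AllocatedSpace != IntPtr.Zero)
+{
+memset(AllocatedSpace, 1, 0xC3);
+uint OldProtect = 0;
+if(VirtualProtect(AllocatedSpace, SysInfo.PageSize, PAGE_EXECUTE_READWRITE | PAGE_GUARD, out OldProtect))
+{
+try
+{
+ExecutionDelegate IsDebugged = Marshal.GetDelegateForFunctionPointer<ExecutionDelegate>(AllocatedSpace);
+int Result = IsDebugged();
+}
+catch
+{
+VirtualFree(AllocatedSpace, SysInfo.PageSize, MEM_RELEASE);
+return false;
+}
+VirtualFree(AllocatedSpace, SysInfo.PageSize, MEM_RELEASE);
+return true;
+}
+}
+return false;
+}
 }
-}
+}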
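Review bot: In PageGuardAntiDebug the page allocated as PAGE_EXECUTE_READWRITE is never actually released. VirtualFree with MEM_RELEASE requires a size of 0, so both `VirtualFree(AllocatedSpace, SysInfo.PageSize, MEM_RELEASE)` calls fail, and the path where VirtualProtect returns false skips the free entirely; every call therefore leaves a writable and executable page mapped in the process. The free should be `VirtualFree(AllocatedSpace, 0, MEM_RELEASE);` placed in a `finally` that covers every exit after a successful VirtualAlloc. The call `memset(AllocatedSpace, 1, 0xC3)` also passes its arguments in the opposite order to the `memset(IntPtr Dst, int val, uint size)` declaration added in this commit, so it writes the value 1 over 0xC3 bytes; if a single 0xC3 byte was intended it should read `memset(AllocatedSpace, 0xC3, 1);`.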

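--- a/AntiCrack-DotNet/AntiDllInjection.cs
+++ b/AntiCrack-DotNet/AntiDllInjection.cs
@@ -4,29 +4,32 @@
 using System.Text;
 using System.Runtime.InteropServices;
 using System.Diagnostics;
+using System.IO;
+using System.Windows.Forms;
+using static AntiCrack_DotNet.Structs;
 
 namespace AntiCrack_DotNet
 {
 class AntiDllInjection
 {
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 private static extern IntPtr GetModuleHandle(string lib);
 
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 private static extern IntPtr GetProcAddress(IntPtr ModuleHandle, string Function);
 
-[DllImport("kernel32.dll", SetLastError = true)]
-private static extern bool WriteProcessMemory(IntPtr ProcHandle, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes);
+[DllImport("kernelbase.dll", SetLastError = true)]
+private static extern bool WriteProcessMemory(SafeHandle hProcess, IntPtr BaseAddress, byte[] Buffer, uint size, int NumOfBytes);
 
-[DllImport("kernel32.dll", SetLastError = true)]
+[DllImport("kernelbase.dll", SetLastError = true)]
 public static extern bool SetProcessMitigationPolicy(int policy, ref Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY lpBuffer, int size);
 
 public static string PatchLoadLibraryA()
 {
 IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
 IntPtr LoadLibraryA = GetProcAddress(KernelModule, "LoadLibraryA");
 byte[] HookedCode = { 0xC2, 0x04, 0x00 };
-bool Status = WriteProcessMemory(Process.GetCurrentProcess().Handle, LoadLibraryA, HookedCode, 3, 0);
+bool Status = WriteProcessMemory(Process.GetCurrentProcess().SafeHandle, LoadLibraryA, HookedCode, 3, 0);
 if (Status)
 return "Success";
 return "Failed";
@@ -37,7 +40,7 @@ public static string PatchLoadLibraryW()
 IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
 IntPtr LoadLibraryW = GetProcAddress(KernelModule, "LoadLibraryW");
 byte[] HookedCode = { 0xC2, 0x04, 0x00 };
-bool Status = WriteProcessMemory(Process.GetCurrentProcess().Handle, LoadLibraryW, HookedCode, 3, 0);
+bool Status = WriteProcessMemory(Process.GetCurrentProcess().SafeHandle, LoadLibraryW, HookedCode, 3, 0);
 if (Status)
 return "Success";
 return "Failed";
@@ -51,5 +54,22 @@ public static string BinaryImageSignatureMitigationAntiDllInjection()
 return "Success";
 return "Failed";
 }
+
+public static bool IsInjectedLibrary()
+{
+bool IsMalicious = false;
+string Windows = Environment.GetFolderPath(Environment.SpecialFolder.Windows).ToLower();
+string ProgramData = Windows.Replace(@"\windows", @"\programdata");
+foreach (ProcessModule Module in Process.GetCurrentProcess().Modules)
+{
+string FileName = Module.FileName.ToLower();
+if (!FileName.StartsWith(Windows) && !FileName.StartsWith(ProgramData))
+IsMalicious = true;
+
+if (FileName.StartsWith(Environment.CurrentDirectory.ToLower())) //for compatibility
+IsMalicious = false;
+}
+return IsMalicious;
+}
 }
 }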
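Review bot: IsInjectedLibrary keeps one `IsMalicious` flag across the whole loop and resets it to false whenever a module path starts with `Environment.CurrentDirectory`, so a module flagged earlier in the enumeration is forgotten once any later module matches, and the result depends on module order. The prefixes are also compared without a trailing separator and with culture-sensitive `ToLower()`/`StartsWith`, and the working directory is not necessarily the application's own directory, since it is set by whatever starts the process. The check should decide per module and return on the first path outside the allowed roots, using ordinal case-insensitive comparison, separator-terminated roots, the application base directory, and `Environment.SpecialFolder.CommonApplicationData` instead of the string replace. ProgramData is kept on the list below only to match the commit; that tree is commonly writable by standard users, so it is worth confirming it belongs there.

```csharp
public static bool IsInjectedLibrary()
{
    // Roots end with a separator so a sibling directory that merely shares the prefix does not match.
    string[] AllowedRoots =
    {
        Environment.GetFolderPath(Environment.SpecialFolder.Windows).TrimEnd('\\') + "\\",
        Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData).TrimEnd('\\') + "\\",
        AppDomain.CurrentDomain.BaseDirectory.TrimEnd('\\') + "\\"
    };
    foreach (ProcessModule Module in Process.GetCurrentProcess().Modules)
    {
        bool Allowed = false;
        foreach (string Root in AllowedRoots)
        {
            if (Module.FileName.StartsWith(Root, StringComparison.OrdinalIgnoreCase))
            {
                Allowed = true;
                break;
            }
        }
        // One module outside every allowed root decides the result; later modules cannot clear it.
        if (!Allowed)
            return true;
    }
    return false;
}
```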
