Add files via upload

Author: AdvDebug

AntiCrack-DotNet/AntiDebug.cs

@@ -389,4 +389,4 @@ public static bool PageGuardAntiDebug()
             return false;
         }
     }
-}
+}

AntiCrack-DotNet/AntiDllInjection.cs

@@ -82,4 +82,4 @@ public static string SetDllLoadPolicy()
             return "Failed";
         }
     }
-}
+}

AntiCrack-DotNet/AntiVirtualization.cs

@@ -315,4 +315,4 @@ public static bool CheckForQemu()
             return false;
         }
     }
-}
+}

AntiCrack-DotNet/HooksDetection.cs

@@ -1,9 +1,9 @@
 using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
 using System.Runtime.InteropServices;
 using System.Diagnostics;
+using System.Reflection;
+using System.IO;
+using System.Net.Sockets;
 
 namespace AntiCrack_DotNet
 {
@@ -51,6 +51,20 @@ private static IntPtr LowLevelGetProcAddress(IntPtr hModule, string Function)
             return FunctionHandle;
         }
 
+        private static unsafe byte InternalReadByte(IntPtr ptr)
+        {
+            try
+            {
+                byte* ptr2 = (byte*)(void*)ptr;
+                return *ptr2;
+            }
+            catch
+            {
+
+            }
+            return 0;
+        }
+
         public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[] Functions)
         {
             string[] Libraries = { "kernel32.dll", "kernelbase.dll", "ntdll.dll", "user32.dll", "win32u.dll" };
@@ -72,9 +86,8 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
                                     foreach (string WinAPIFunction in CommonKernelLibFunctions)
                                     {
                                         IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
-                                        byte[] FunctionBytes = new byte[1];
-                                        Marshal.Copy(Function, FunctionBytes, 0, 1);
-                                        if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+                                        byte FunctionByte = InternalReadByte(Function);
+                                        if (FunctionByte == 0x90 || FunctionByte == 0xE9)
                                         {
                                             return true;
                                         }
@@ -93,9 +106,8 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
                                     foreach (string WinAPIFunction in CommonKernelLibFunctions)
                                     {
                                         IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
-                                        byte[] FunctionBytes = new byte[1];
-                                        Marshal.Copy(Function, FunctionBytes, 0, 1);
-                                        if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+                                        byte FunctionByte = InternalReadByte(Function);
+                                        if (FunctionByte == 255 || FunctionByte == 0x90 || FunctionByte == 0xE9)
                                         {
                                             return true;
                                         }
@@ -114,9 +126,8 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
                                     foreach (string WinAPIFunction in CommonNtdllFunctions)
                                     {
                                         IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
-                                        byte[] FunctionBytes = new byte[1];
-                                        Marshal.Copy(Function, FunctionBytes, 0, 1);
-                                        if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+                                        byte FunctionByte = InternalReadByte(Function);
+                                        if (FunctionByte == 255 || FunctionByte == 0x90 || FunctionByte == 0xE9)
                                         {
                                             return true;
                                         }
@@ -135,9 +146,8 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
                                     foreach (string WinAPIFunction in CommonUser32Functions)
                                     {
                                         IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
-                                        byte[] FunctionBytes = new byte[1];
-                                        Marshal.Copy(Function, FunctionBytes, 0, 1);
-                                        if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+                                        byte FunctionByte = InternalReadByte(Function);
+                                        if (FunctionByte == 0x90 || FunctionByte == 0xE9)
                                         {
                                             return true;
                                         }
@@ -156,9 +166,8 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
                                     foreach (string WinAPIFunction in CommonWin32uFunctions)
                                     {
                                         IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
-                                        byte[] FunctionBytes = new byte[1];
-                                        Marshal.Copy(Function, FunctionBytes, 0, 1);
-                                        if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+                                        byte FunctionByte = InternalReadByte(Function);
+                                        if (FunctionByte == 255 || FunctionByte == 0x90 || FunctionByte == 0xE9)
                                         {
                                             return true;
                                         }
@@ -181,22 +190,21 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
                     {
                         IntPtr hModule = LowLevelGetModuleHandle(ModuleName);
                         IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
-                        byte[] FunctionBytes = new byte[1];
-                        Marshal.Copy(Function, FunctionBytes, 0, 1);
-                        if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+                        byte FunctionByte = InternalReadByte(Function);
+                        if (FunctionByte == 255 || FunctionByte == 0x90 || FunctionByte == 0xE9)
                         {
                             return true;
                         }
                     }
                 }
                 catch
                 {
+
                 }
             }
             return false;
         }
 
-        // Additional detection method
         public static bool DetectInlineHooks(string moduleName, string[] functions)
         {
             if (moduleName != null && functions != null)
@@ -205,11 +213,10 @@ public static bool DetectInlineHooks(string moduleName, string[] functions)
                 {
                     foreach (string function in functions)
                     {
-                        IntPtr moduleHandle = LowLevelGetModuleHandle(moduleName);
-                        IntPtr functionHandle = LowLevelGetProcAddress(moduleHandle, function);
-                        byte[] functionBytes = new byte[1];
-                        Marshal.Copy(functionHandle, functionBytes, 0, 1);
-                        if (functionBytes[0] == 0xCC || functionBytes[0] == 0xE9)
+                        IntPtr hModule = LowLevelGetModuleHandle(moduleName);
+                        IntPtr Function = LowLevelGetProcAddress(hModule, function);
+                        byte FunctionByte = InternalReadByte(Function);
+                        if (FunctionByte == 255 || FunctionByte == 0x90 || FunctionByte == 0xE9)
                         {
                             return true;
                         }
@@ -219,5 +226,81 @@ public static bool DetectInlineHooks(string moduleName, string[] functions)
             }
             return false;
         }
+
+        public static bool DetectCLRHooks()
+        {
+            if (IntPtr.Size == 4)
+            {
+                try
+                {
+                    MethodInfo[] ProcessMethods = typeof(Process).GetMethods();
+                    MethodInfo[] AssemblyMethods = typeof(Assembly).GetMethods();
+                    MethodInfo[] FileMethods = typeof(File).GetMethods();
+                    MethodInfo[] SocketMethods = typeof(Socket).GetMethods();
+                    MethodInfo[] MarshalMethods = typeof(Marshal).GetMethods();
+                    MethodInfo[] StringMethods = typeof(string).GetMethods();
+                    foreach (MethodInfo ProcessMethod in ProcessMethods)
+                    {
+                        byte FirstByte = InternalReadByte(ProcessMethod.MethodHandle.GetFunctionPointer());
+                        if (FirstByte == 0xE9 || FirstByte == 255)
+                        {
+                            return true;
+                        }
+                    }
+
+                    foreach (MethodInfo AssemblyMethod in AssemblyMethods)
+                    {
+                        byte FirstByte = InternalReadByte(AssemblyMethod.MethodHandle.GetFunctionPointer());
+                        if (FirstByte == 0xE9 || FirstByte == 255)
+                            return true;
+                    }
+
+                    foreach (MethodInfo FileMethod in FileMethods)
+                    {
+                        byte FirstByte = InternalReadByte(FileMethod.MethodHandle.GetFunctionPointer());
+                        if (FirstByte == 0xE9 || FirstByte == 255)
+                            return true;
+                    }
+
+                    foreach (MethodInfo SocketMethod in SocketMethods)
+                    {
+                        byte FirstByte = InternalReadByte(SocketMethod.MethodHandle.GetFunctionPointer());
+                        if (FirstByte == 0xE9 || FirstByte == 255)
+                            return true;
+                    }
+
+                    foreach (MethodInfo MarshalMethod in MarshalMethods)
+                    {
+                        byte FirstByte = InternalReadByte(MarshalMethod.MethodHandle.GetFunctionPointer());
+                        if (FirstByte == 0xE9 || FirstByte == 255)
+                            return true;
+                    }
+
+                    foreach (MethodInfo StringMethod in StringMethods)
+                    {
+                        byte FirstByte = InternalReadByte(StringMethod.MethodHandle.GetFunctionPointer());
+                        if (FirstByte == 0xE9 || FirstByte == 255)
+                            return true;
+                    }
+
+                    Type[] AllTypes = Assembly.GetExecutingAssembly().GetTypes();
+                    foreach (Type type in AllTypes)
+                    {
+                        MethodInfo[] AllMethods = type.GetMethods();
+                        foreach (MethodInfo Method in AllMethods)
+                        {
+                            byte FirstByte = InternalReadByte(Method.MethodHandle.GetFunctionPointer());
+                            if (FirstByte == 0xE9 || FirstByte == 255)
+                                return true;
+                        }
+                    }
+                }
+                catch
+                {
+
+                }
+            }
+            return false;
+        }
     }
-}
+}

AntiCrack-DotNet/OtherChecks.cs

@@ -1,5 +1,15 @@
 using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
 using System.Runtime.InteropServices;
+using System.Reflection;
+using System.Windows.Forms;
+using System.Diagnostics;
+using System.Runtime.CompilerServices;
+using System.Threading;
+using System.Security;
 using Microsoft.Win32;
 
 namespace AntiCrack_DotNet
@@ -15,10 +25,14 @@ public class OtherChecks
         [DllImport("ntdll.dll", SetLastError = true)]
         private static extern uint NtQuerySystemInformation(uint SystemInformationClass, ref Structs.SYSTEM_SECUREBOOT_INFORMATION SystemInformation, uint SystemInformationLength, out uint ReturnLength);
 
-        private static uint SystemCodeIntegrityInformation = 0x67;
+        [DllImport("QCall", CharSet = CharSet.Unicode)]
+        [SecurityCritical]
+        [SuppressUnmanagedCodeSecurity]
+        private static extern void GetExecutingAssembly(uint stackMark, IntPtr retAssembly);
 
         public static bool IsUnsignedDriversAllowed()
         {
+            uint SystemCodeIntegrityInformation = 0x67;
             Structs.SYSTEM_CODEINTEGRITY_INFORMATION CodeIntegrityInfo = new Structs.SYSTEM_CODEINTEGRITY_INFORMATION();
             CodeIntegrityInfo.Length = (uint)Marshal.SizeOf(typeof(Structs.SYSTEM_CODEINTEGRITY_INFORMATION));
             uint ReturnLength = 0;
@@ -35,6 +49,7 @@ public static bool IsUnsignedDriversAllowed()
 
         public static bool IsTestSignedDriversAllowed()
         {
+            uint SystemCodeIntegrityInformation = 0x67;
             Structs.SYSTEM_CODEINTEGRITY_INFORMATION CodeIntegrityInfo = new Structs.SYSTEM_CODEINTEGRITY_INFORMATION();
             CodeIntegrityInfo.Length = (uint)Marshal.SizeOf(typeof(Structs.SYSTEM_CODEINTEGRITY_INFORMATION));
             uint ReturnLength = 0;
@@ -77,11 +92,12 @@ public static bool IsSecureBootEnabled()
             {
                 if (!SecureBoot.SecureBootCapable)
                     return false;
-                if (!SecureBoot.SecureBootEnabled)
+                if (SecureBoot.SecureBootEnabled)
                     return true;
             }
             return false;
         }
+
         public static bool IsVirtualizationBasedSecurityEnabled()
         {
             try
@@ -127,5 +143,14 @@ public static bool IsMemoryIntegrityEnabled()
             }
             return false;
         }
+
+        public static bool IsInovkedAssembly()
+        {
+            MethodInfo Method = typeof(Assembly).GetMethod("GetExecutingAssembly");
+            Assembly GetCallingAssem = (Assembly)Method.Invoke(null, null);
+            if (GetCallingAssem.Location != Application.ExecutablePath)
+                return true;
+            return false;
+        }
     }
-}
+}

AntiCrack-DotNet/Program.cs

@@ -105,6 +105,7 @@ private static void ExecuteAntiVirtualizationTricks()
         {
             ConsoleConfig.DisplayHeader("Executing Anti Virtualization Tricks");
             ConsoleConfig.DisplayResult("Checking For Triage: ", AntiVirtualization.TriageCheck(), "Checks if Triage is present through disk.");
+            ConsoleConfig.DisplayResult("Checking For Qemu: ", AntiVirtualization.CheckForQemu(), "Checks if running under Qemu.");
             ConsoleConfig.DisplayResult("Checking For Sandboxie Module in Current Process: ", AntiVirtualization.IsSandboxiePresent(), "Checks if Sandboxie is present.");
             ConsoleConfig.DisplayResult("Checking For Comodo Sandbox Module in Current Process: ", AntiVirtualization.IsComodoSandboxPresent(), "Checks if Comodo Sandbox is present.");
             ConsoleConfig.DisplayResult("Checking For Cuckoo Sandbox Module in Current Process: ", AntiVirtualization.IsCuckooSandboxPresent(), "Checks if Cuckoo Sandbox is present.");
@@ -127,8 +128,8 @@ private static void ExecuteAntiVirtualizationTricks()
         private static void ExecuteAntiDllInjectionTricks()
         {
             ConsoleConfig.DisplayHeader("Executing Anti DLL Injection Tricks");
-            ConsoleConfig.DisplayResult("Patching and Changing LoadLibraryA Page Protection To Prevent DLL Injection..... ", AntiDllInjection.PatchLoadLibraryA(), "Patches LoadLibraryA to prevent DLL injection.");
-            ConsoleConfig.DisplayResult("Patching and Changing LoadLibraryW Page Protection To Prevent DLL Injection..... ", AntiDllInjection.PatchLoadLibraryW(), "Patches LoadLibraryW to prevent DLL injection.");
+            ConsoleConfig.DisplayResult("Patching LoadLibraryA To Prevent DLL Injection..... ", AntiDllInjection.PatchLoadLibraryA(), "Patches LoadLibraryA to prevent DLL injection.");
+            ConsoleConfig.DisplayResult("Patching LoadLibraryW To Prevent DLL Injection..... ", AntiDllInjection.PatchLoadLibraryW(), "Patches LoadLibraryW to prevent DLL injection.");
             ConsoleConfig.DisplayResult("Taking Advantage of Binary Image Signature Mitigation Policy to Prevent Non-Microsoft Binaries From Being Injected..... ", AntiDllInjection.BinaryImageSignatureMitigationAntiDllInjection(), "Enforces binary image signature mitigation policy.");
             ConsoleConfig.DisplayResult("Checking if any injected libraries are present (simple DLL path whitelist check): ", AntiDllInjection.IsInjectedLibrary(), "Checks for injected libraries.");
             ConsoleConfig.DisplayFooter();
@@ -141,13 +142,17 @@ private static void ExecuteOtherDetectionTricks()
             ConsoleConfig.DisplayResult("Detecting if Test-Signed Drivers are Allowed to Load: ", OtherChecks.IsTestSignedDriversAllowed(), "Checks if test-signed drivers are allowed.");
             ConsoleConfig.DisplayResult("Detecting if Kernel Debugging is Enabled on the System: ", OtherChecks.IsKernelDebuggingEnabled(), "Checks if kernel debugging is enabled.");
             ConsoleConfig.DisplayResult("Detecting if Secure Boot is Enabled on the System: ", OtherChecks.IsSecureBootEnabled(), "Checks if secure boot is enabled.");
+            ConsoleConfig.DisplayResult("Detecting if Virtualization-Based Security is Enabled: ", OtherChecks.IsVirtualizationBasedSecurityEnabled(), "Checks if VBS is enabled.");
+            ConsoleConfig.DisplayResult("Detecting if Memory Integrity Protection is Enabled: ", OtherChecks.IsMemoryIntegrityEnabled(), "Checks if Memory Integrity is enabled.");
+            ConsoleConfig.DisplayResult("Detecting if the current assembly has been invoked by another one: ", OtherChecks.IsInovkedAssembly(), "Checks if assembly has been invoked.");
             ConsoleConfig.DisplayFooter();
         }
 
         private static void ExecuteHooksDetectionTricks()
         {
             ConsoleConfig.DisplayHeader("Executing Hooks Detection Tricks");
             ConsoleConfig.DisplayResult("Detecting Hooks on Common WinAPI Functions by checking for Bad Instructions on Functions Addresses (Most Effective on x64): ", HooksDetection.DetectHooksOnCommonWinAPIFunctions(null, null), "Detects hooks on common WinAPI functions.");
+            ConsoleConfig.DisplayResult("Detecting Hooks on CLR Functions (x86 only): ", HooksDetection.DetectCLRHooks(), "Detects hooks on CLR Functions.");
             ConsoleConfig.DisplayFooter();
         }
 

AntiCrack-DotNet/Structs.cs

@@ -102,4 +102,4 @@ public struct SYSTEM_INFO
             public ushort ProcessorRevision;
         }
     }
-}
+}