Add files via upload
AdvDebug authored Aug 12, 2024
1 parent 38ef1a1 commit aa7751e
Showing 2 changed files with 115 additions and 30 deletions.
139 changes: 112 additions & 27 deletions AntiCrack-DotNet/HooksDetection.cs
Expand Up @@ -4,11 +4,13 @@
using System.Net.Sockets;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Net;

namespace AntiCrack_DotNet
{
public sealed class HooksDetection
{
public static object ProcessMethod { get; private set; }

#region WinApi

Expand Down Expand Up @@ -89,10 +91,8 @@ private static unsafe byte InternalReadByte(IntPtr ptr)
/// <summary>
/// Detects hooks on common Windows API functions.
/// </summary>
/// <param name="ModuleName">The name of the module to check for hooks.</param>
/// <param name="Functions">The list of functions to check for hooks.</param>
/// <returns>Returns true if hooks are detected, otherwise false.</returns>
public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[] Functions)
public static bool DetectHooksOnCommonWinAPIFunctions()
{
string[] Libraries = { "kernel32.dll", "kernelbase.dll", "ntdll.dll", "user32.dll", "win32u.dll" };
string[] CommonKernelLibFunctions = { "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetThreadContext", "CloseHandle", "OutputDebugStringA", "GetTickCount", "SetHandleInformation" };
Expand Down Expand Up @@ -209,26 +209,6 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
}
}
}
if (ModuleName != null && Functions != null)
{
try
{
foreach (string WinAPIFunction in Functions)
{
IntPtr hModule = LowLevelGetModuleHandle(ModuleName);
IntPtr Function = LowLevelGetProcAddress(hModule, WinAPIFunction);
byte FunctionByte = InternalReadByte(Function);
if (FunctionByte == 255 || FunctionByte == 0x90 || FunctionByte == 0xE9)
{
return true;
}
}
}
catch
{

}
}
return false;
}

Expand Down Expand Up @@ -260,15 +240,29 @@ public static bool DetectInlineHooks(string moduleName, string[] functions)
return false;
}

public static bool IsModule(IntPtr Address)
{
foreach (ProcessModule module in Process.GetCurrentProcess().Modules)
{
IntPtr Base = module.BaseAddress;
IntPtr End = IntPtr.Add(Base, module.ModuleMemorySize);
if (Address.ToInt64() >= Base.ToInt64() && Address.ToInt64() < End.ToInt64())
{
return true;
}
}
return false;
}

/// <summary>
/// Detects hooks in common .NET methods.
/// </summary>
/// <returns>Returns true if hooks are detected, otherwise false.</returns>
public static bool DetectCLRHooks()
{
if (IntPtr.Size == 4)
try
{
try
if (IntPtr.Size == 4)
{
MethodInfo[] ProcessMethods = typeof(Process).GetMethods();
MethodInfo[] AssemblyMethods = typeof(Assembly).GetMethods();
Expand All @@ -278,7 +272,8 @@ public static bool DetectCLRHooks()
MethodInfo[] StringMethods = typeof(string).GetMethods();
foreach (MethodInfo ProcessMethod in ProcessMethods)
{
byte FirstByte = InternalReadByte(ProcessMethod.MethodHandle.GetFunctionPointer());
IntPtr FP = ProcessMethod.MethodHandle.GetFunctionPointer();
byte FirstByte = InternalReadByte(FP);
if (FirstByte == 0xE9 || FirstByte == 255)
{
return true;
Expand Down Expand Up @@ -332,10 +327,100 @@ public static bool DetectCLRHooks()
}
}
}
catch
else if(IntPtr.Size == 8)
{
MethodInfo[] ProcessMethods = typeof(Process).GetMethods();
MethodInfo[] AssemblyMethods = typeof(Assembly).GetMethods();
MethodInfo[] FileMethods = typeof(File).GetMethods();
MethodInfo[] SocketMethods = typeof(Socket).GetMethods();
MethodInfo[] MarshalMethods = typeof(Marshal).GetMethods();
MethodInfo[] StringMethods = typeof(string).GetMethods();
foreach (MethodInfo ProcessMethod in ProcessMethods)
{
IntPtr FP = ProcessMethod.MethodHandle.GetFunctionPointer();
byte FirstByte = InternalReadByte(FP);
if (FirstByte == 0xE9 || FirstByte == 255)
{
if(IsModule(FP))
return true;
}
}

foreach (MethodInfo AssemblyMethod in AssemblyMethods)
{
IntPtr FP = AssemblyMethod.MethodHandle.GetFunctionPointer();
byte FirstByte = InternalReadByte(FP);
if (FirstByte == 0xE9 || FirstByte == 255)
{
if (IsModule(FP))
return true;
}
}

foreach (MethodInfo FileMethod in FileMethods)
{
IntPtr FP = FileMethod.MethodHandle.GetFunctionPointer();
byte FirstByte = InternalReadByte(FP);
if (FirstByte == 0xE9 || FirstByte == 255)
{
if (IsModule(FP))
return true;
}
}

foreach (MethodInfo SocketMethod in SocketMethods)
{
IntPtr FP = SocketMethod.MethodHandle.GetFunctionPointer();
byte FirstByte = InternalReadByte(FP);
if (FirstByte == 0xE9 || FirstByte == 255)
{
if (IsModule(FP))
return true;
}
}

foreach (MethodInfo MarshalMethod in MarshalMethods)
{
IntPtr FP = MarshalMethod.MethodHandle.GetFunctionPointer();
byte FirstByte = InternalReadByte(FP);
if (FirstByte == 0xE9 || FirstByte == 255)
{
if (IsModule(FP))
return true;
}
}

foreach (MethodInfo StringMethod in StringMethods)
{
IntPtr FP = StringMethod.MethodHandle.GetFunctionPointer();
byte FirstByte = InternalReadByte(FP);
if (FirstByte == 0xE9 || FirstByte == 255)
{
if (IsModule(FP))
return true;
}
}

Type[] AllTypes = Assembly.GetExecutingAssembly().GetTypes();
foreach (Type type in AllTypes)
{
MethodInfo[] AllMethods = type.GetMethods();
foreach (MethodInfo Method in AllMethods)
{
IntPtr FP = Method.MethodHandle.GetFunctionPointer();
byte FirstByte = InternalReadByte(FP);
if (FirstByte == 0xE9 || FirstByte == 255)
{
if (IsModule(FP))
return true;
}
}
}
}
}
catch
{

}
return false;
}
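Review bot: The empty `catch` that now wraps both the 32-bit and the 64-bit branch of `DetectCLRHooks` makes the scan fail open: if a single `GetFunctionPointer()` or `InternalReadByte` call throws, every remaining method is skipped and the function returns false, which the caller cannot tell apart from a clean result. The loop over `Assembly.GetExecutingAssembly().GetTypes()` in the 64-bit branch visits every public method of the program's own types, so an entry that cannot be resolved (an abstract or open generic method, presumably) is more likely to be met there. I would move the exception handling into a per-method helper so one unreadable method does not end the scan, and let the six copied loops per branch call it; a sketch follows. The 32-bit branch is partly collapsed on this page, so this applies to it only as far as the visible lines show.

```csharp
// Returns true when any method's entry begins with a jump opcode (0xE9 or 0xFF).
private static bool AnyEntryStartsWithJump(MethodInfo[] methods, bool requireModule)
{
    foreach (MethodInfo method in methods)
    {
        if (method.IsAbstract || method.ContainsGenericParameters)
        {
            continue; // no concrete entry point to read
        }

        try
        {
            IntPtr fp = method.MethodHandle.GetFunctionPointer();
            byte first = InternalReadByte(fp);
            if ((first == 0xE9 || first == 0xFF) && (!requireModule || IsModule(fp)))
            {
                return true;
            }
        }
        catch (Exception)
        {
            // Skip this method only; the rest of the scan still runs.
        }
    }

    return false;
}

public static bool DetectCLRHooks()
{
    bool requireModule = IntPtr.Size == 8;
    // … unchanged: the MethodInfo[] lookups for Process, Assembly, File, Socket, Marshal and string …
    if (AnyEntryStartsWithJump(ProcessMethods, requireModule))
    {
        return true;
    }
    // … same call for the other arrays and for each type in the executing assembly …
```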
6 changes: 3 additions & 3 deletions AntiCrack-DotNet/Program.cs
Expand Up @@ -149,8 +149,8 @@ private static void ExecuteOtherDetectionTricks()
private static void ExecuteHooksDetectionTricks()
{
ConsoleConfig.DisplayHeader("Executing Hooks Detection Tricks");
ConsoleConfig.DisplayResult("Detecting Hooks on Common WinAPI Functions by checking for Bad Instructions on Functions Addresses: ", HooksDetection.DetectHooksOnCommonWinAPIFunctions(null, null), "Detects hooks on common WinAPI functions.");
ConsoleConfig.DisplayResult("Detecting Hooks on CLR Functions (x86 only): ", HooksDetection.DetectCLRHooks(), "Detects hooks on CLR Functions.");
ConsoleConfig.DisplayResult("Detecting Hooks on Common WinAPI Functions by checking for Bad Instructions on Functions Addresses: ", HooksDetection.DetectHooksOnCommonWinAPIFunctions(), "Detects hooks on common WinAPI functions.");
ConsoleConfig.DisplayResult("Detecting Hooks on CLR Functions: ", HooksDetection.DetectCLRHooks(), "Detects hooks on CLR Functions.");
ConsoleConfig.DisplayFooter();
}

Expand All @@ -171,4 +171,4 @@ public static void Main(string[] args)
}
}
}
}
}
