diff --git a/AntiCrack-DotNet/AntiCrack-DotNet.csproj b/AntiCrack-DotNet/AntiCrack-DotNet.csproj
index 1746c35..43983fa 100644
--- a/AntiCrack-DotNet/AntiCrack-DotNet.csproj
+++ b/AntiCrack-DotNet/AntiCrack-DotNet.csproj
@@ -54,17 +54,10 @@
-
-
+
-
-
-
-
-
-
diff --git a/AntiCrack-DotNet/AntiDebug.cs b/AntiCrack-DotNet/AntiDebug.cs
index 535e768..190b6c9 100644
--- a/AntiCrack-DotNet/AntiDebug.cs
+++ b/AntiCrack-DotNet/AntiDebug.cs
@@ -1,19 +1,16 @@
using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Runtime.InteropServices;
-using System.Diagnostics;
using System.IO;
+using System.Text;
using System.Threading;
-using System.Windows.Forms;
-using System.ServiceProcess;
-using System.Runtime.CompilerServices;
+using System.Diagnostics;
+using System.Runtime.InteropServices;
namespace AntiCrack_DotNet
{
- class AntiDebug
+ internal sealed class AntiDebug
{
+ #region WinApi
+
[DllImport("kernelbase.dll", SetLastError = true)]
private static extern bool SetHandleInformation(IntPtr hObject, uint dwMask, uint dwFlags);
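Review bot: `internal sealed class AntiDebug` exposes only static members in the lines shown, so `sealed` prevents inheritance but still allows a pointless `new AntiDebug()`. If no instance members exist outside the visible hunks, `internal static class AntiDebug` states the intent and lets the compiler reject instance members. The same applies to the `sealed` changes in AntiDllInjection.cs, AntiVirtualization.cs, Structs.cs and the nested `ConsoleConfig` in Program.cs. HooksDetection and OtherChecks are `public`, so moving those to `static` would break any external caller that instantiates them and needs a deliberate decision.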
@@ -92,6 +89,12 @@ class AntiDebug
[DllImport("kernelbase.dll", SetLastError = true)]
private static extern bool VirtualFree(IntPtr lpAddress, uint dwSize, uint dwFreeType);
+ #endregion
+
+ ///
+ /// Attempts to close an invalid handle to detect debugger presence.
+ ///
+ /// Returns true if an exception is caught, indicating no debugger, otherwise false.
public static bool NtCloseAntiDebug_InvalidHandle()
{
try
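Review bot: The return description added for NtCloseAntiDebug_InvalidHandle, "Returns true if an exception is caught, indicating no debugger", looks inverted. Closing an invalid handle raises an exception only when the process is being debugged, so a caught exception points to a debugger being present. The try/catch body is outside this hunk, so confirm what the catch returns and then reword, for example `/// Returns true if closing the handle raised an exception, which indicates an attached debugger; otherwise false.` The identical sentence on NtCloseAntiDebug_ProtectedHandle in the next hunk needs the same check.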
@@ -105,6 +108,10 @@ public static bool NtCloseAntiDebug_InvalidHandle()
}
}
+ ///
+ /// Attempts to close a protected handle to detect debugger presence.
+ ///
+ /// Returns true if an exception is caught, indicating no debugger, otherwise false.
public static bool NtCloseAntiDebug_ProtectedHandle()
{
IntPtr hMutex = CreateMutexA(IntPtr.Zero, false, new Random().Next(0, 9999999).ToString());
@@ -125,11 +132,19 @@ public static bool NtCloseAntiDebug_ProtectedHandle()
return Result;
}
+ ///
+ /// Checks if a debugger is attached to the process.
+ ///
+ /// Returns true if a debugger is attached, otherwise false.
public static bool DebuggerIsAttached()
{
return Debugger.IsAttached;
}
+ ///
+ /// Checks if a debugger is present using the IsDebuggerPresent API.
+ ///
+ /// Returns true if a debugger is present, otherwise false.
public static bool IsDebuggerPresentCheck()
{
if (IsDebuggerPresent())
@@ -137,6 +152,10 @@ public static bool IsDebuggerPresentCheck()
return false;
}
+ ///
+ /// Checks if the process has debug flags set using NtQueryInformationProcess.
+ ///
+ /// Returns true if debug flags are set, otherwise false.
public static bool NtQueryInformationProcessCheck_ProcessDebugFlags()
{
uint ProcessDebugFlags = 0;
@@ -146,6 +165,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugFlags()
return false;
}
+ ///
+ /// Checks if the process has a debug port using NtQueryInformationProcess.
+ ///
+ /// Returns true if a debug port is detected, otherwise false.
public static bool NtQueryInformationProcessCheck_ProcessDebugPort()
{
uint DebuggerPresent = 0;
@@ -158,6 +181,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugPort()
return false;
}
+ ///
+ /// Checks if the process has a debug object handle using NtQueryInformationProcess.
+ ///
+ /// Returns true if a debug object handle is detected, otherwise false.
public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle()
{
IntPtr hDebugObject = IntPtr.Zero;
@@ -170,6 +197,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle()
return false;
}
+ ///
+ /// Patches the DbgUiRemoteBreakin and DbgBreakPoint functions to prevent debugger attachment.
+ ///
+ /// Returns "Success" if the patching was successful, otherwise "Failed".
public static string AntiDebugAttach()
{
IntPtr NtdllModule = GetModuleHandle("ntdll.dll");
@@ -184,6 +215,10 @@ public static string AntiDebugAttach()
return "Failed";
}
+ ///
+ /// Checks for the presence of known debugger windows.
+ ///
+ /// Returns true if a known debugger window is detected, otherwise false.
public static bool FindWindowAntiDebug()
{
Process[] GetProcesses = Process.GetProcesses();
@@ -202,6 +237,10 @@ public static bool FindWindowAntiDebug()
return false;
}
+ ///
+ /// Checks if the foreground window belongs to a known debugger.
+ ///
+ /// Returns true if a known debugger window is detected, otherwise false.
public static bool GetForegroundWindowAntiDebug()
{
string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "debug", "debugger", "cheat engine", "cheatengine", "ida" };
@@ -225,6 +264,10 @@ public static bool GetForegroundWindowAntiDebug()
return false;
}
+ ///
+ /// Hides threads from the debugger by setting the NtSetInformationThread.
+ ///
+ /// Returns "Success" if the threads were hidden successfully, otherwise "Failed".
public static string HideThreadsAntiDebug()
{
try
@@ -252,12 +295,21 @@ public static string HideThreadsAntiDebug()
}
}
+ ///
+ /// Uses GetTickCount to detect debugger presence.
+ ///
+ /// Returns true if debugger presence is detected, otherwise false.
public static bool GetTickCountAntiDebug()
{
uint Start = GetTickCount();
Thread.Sleep(0x10);
return (GetTickCount() - Start) > 0x10;
}
+
+ ///
+ /// Uses OutputDebugString to detect debugger presence.
+ ///
+ /// Returns true if debugger presence is detected, otherwise false.
public static bool OutputDebugStringAntiDebug()
{
Debugger.Log(0, null, "just testing some stuff...");
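Review bot: The summary added for GetTickCountAntiDebug presents the result as a detection, but the body only tests whether `Thread.Sleep(0x10)` took more than 16 ms as measured by GetTickCount. Timer granularity and ordinary scheduling load can exceed that on a machine with no debugger, so a true result is a weak signal. The doc should say so, for example `/// Timing heuristic: returns true when a 16 ms sleep measured with GetTickCount took longer than 16 ms; this can also occur without a debugger.` Callers that act on this value alone risk false positives against legitimate users. The body of OutputDebugStringAntiDebug continues outside this hunk and is not covered here.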
@@ -266,11 +318,18 @@ public static bool OutputDebugStringAntiDebug()
return false;
}
+ ///
+ /// Exploits a format string vulnerability in OllyDbg.
+ ///
public static void OllyDbgFormatStringExploit()
{
Debugger.Log(0, null, "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");
}
+ ///
+ /// Triggers a debug break to detect debugger presence.
+ ///
+ /// Returns true if an exception is caught, indicating no debugger, otherwise false.
public static bool DebugBreakAntiDebug()
{
try
@@ -286,6 +345,10 @@ public static bool DebugBreakAntiDebug()
private static long CONTEXT_DEBUG_REGISTERS = 0x00010000L | 0x00000010L;
+ ///
+ /// Detects hardware breakpoints by checking debug registers.
+ ///
+ /// Returns true if hardware breakpoints are detected, otherwise false.
public static bool HardwareRegistersBreakpointsDetection()
{
Structs.CONTEXT Context = new Structs.CONTEXT();
@@ -302,6 +365,12 @@ public static bool HardwareRegistersBreakpointsDetection()
NtClose(CurrentThread);
return false;
}
+
+ ///
+ /// Cleans the specified path by removing null characters.
+ ///
+ /// The path to clean.
+ /// The cleaned path.
private static string CleanPath(string Path)
{
string CleanedPath = null;
@@ -315,6 +384,10 @@ private static string CleanPath(string Path)
return CleanedPath;
}
+ ///
+ /// Checks if the parent process is a debugger by querying process information.
+ ///
+ /// Returns true if the parent process is a debugger, otherwise false.
public static bool ParentProcessAntiDebug()
{
try
@@ -348,6 +421,10 @@ public static bool ParentProcessAntiDebug()
return false;
}
+ ///
+ /// Uses NtSetDebugFilterState to prevent debugging.
+ ///
+ /// Returns true if the filter state was set successfully, otherwise false.
public static bool NtSetDebugFilterStateAntiDebug()
{
if (NtSetDebugFilterState(0, 0, true) != 0)
@@ -356,6 +433,11 @@ public static bool NtSetDebugFilterStateAntiDebug()
}
delegate int ExecutionDelegate();
+
+ ///
+ /// Uses page guard to detect debugger presence by executing a function pointer.
+ ///
+ /// Returns true if debugger presence is detected, otherwise false.
public static bool PageGuardAntiDebug()
{
Structs.SYSTEM_INFO SysInfo = new Structs.SYSTEM_INFO();
@@ -389,4 +471,5 @@ public static bool PageGuardAntiDebug()
return false;
}
}
-}
\ No newline at end of file
+
+}
diff --git a/AntiCrack-DotNet/AntiDllInjection.cs b/AntiCrack-DotNet/AntiDllInjection.cs
index 34a4454..c229987 100644
--- a/AntiCrack-DotNet/AntiDllInjection.cs
+++ b/AntiCrack-DotNet/AntiDllInjection.cs
@@ -1,17 +1,14 @@
using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Runtime.InteropServices;
using System.Diagnostics;
-using System.IO;
-using System.Windows.Forms;
-using static AntiCrack_DotNet.Structs;
+using System.Runtime.InteropServices;
namespace AntiCrack_DotNet
{
- class AntiDllInjection
+ internal sealed class AntiDllInjection
{
+
+ #region WinApi
+
[DllImport("kernelbase.dll", SetLastError = true)]
private static extern IntPtr GetModuleHandle(string lib);
@@ -24,6 +21,13 @@ class AntiDllInjection
[DllImport("kernelbase.dll", SetLastError = true)]
public static extern bool SetProcessMitigationPolicy(int policy, ref Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY lpBuffer, int size);
+ #endregion
+
+
+ ///
+ /// Patches the LoadLibraryA function to prevent DLL injection.
+ ///
+ /// Returns "Success" if the patching was successful, otherwise "Failed".
public static string PatchLoadLibraryA()
{
IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
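Review bot: The summary for PatchLoadLibraryA documents the return strings but not the side effect an integrator most needs to know. The patch is applied to an export of a shared system module inside the current process, so it presumably affects every later caller of that export, including the application's own legitimate library loads. The patching code is outside this hunk, so this is inferred from the summary and the `GetModuleHandle("kernelbase.dll")` line. Suggest adding a remark such as `/// Process-wide and not reverted: any later load through LoadLibraryA in this process is affected, including the host application's own.` The same remark applies to PatchLoadLibraryW in the next hunk, and to AntiDebugAttach in AntiDebug.cs, which documents a similar in-memory patch of ntdll functions.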
@@ -35,6 +39,10 @@ public static string PatchLoadLibraryA()
return "Failed";
}
+ ///
+ /// Patches the LoadLibraryW function to prevent DLL injection.
+ ///
+ /// Returns "Success" if the patching was successful, otherwise "Failed".
public static string PatchLoadLibraryW()
{
IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
@@ -46,6 +54,10 @@ public static string PatchLoadLibraryW()
return "Failed";
}
+ ///
+ /// Enables the binary image signature mitigation policy to only allow Microsoft-signed binaries.
+ ///
+ /// Returns "Success" if the policy was set successfully, otherwise "Failed".
public static string BinaryImageSignatureMitigationAntiDllInjection()
{
Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY OnlyMicrosoftBinaries = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY();
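Review bot: The summary added here and the one added for SetDllLoadPolicy in the last hunk of this file describe the same effect, restricting loads to Microsoft-signed binaries through `PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY`. A reader therefore cannot tell why both methods exist or which to call. Each doc should state what differs; the bodies are outside the hunks, so the difference is not visible from here. Both should also note the operational caveat that, as far as I know, a process mitigation policy cannot be relaxed again once enabled for the process. After a "Success" result, any non-Microsoft-signed DLL the host application needs later will fail to load.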
@@ -55,6 +67,10 @@ public static string BinaryImageSignatureMitigationAntiDllInjection()
return "Failed";
}
+ ///
+ /// Checks if there are any injected libraries in the current process.
+ ///
+ /// Returns true if an injected library is detected, otherwise false.
public static bool IsInjectedLibrary()
{
bool IsMalicious = false;
@@ -71,6 +87,11 @@ public static bool IsInjectedLibrary()
}
return IsMalicious;
}
+
+ ///
+ /// Sets the DLL load policy to only allow Microsoft-signed DLLs to be loaded.
+ ///
+ /// Returns "Success" if the policy was set successfully, otherwise "Failed".
public static string SetDllLoadPolicy()
{
Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY policy = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY
diff --git a/AntiCrack-DotNet/AntiVirtualization.cs b/AntiCrack-DotNet/AntiVirtualization.cs
index 8170a90..1bfb557 100644
--- a/AntiCrack-DotNet/AntiVirtualization.cs
+++ b/AntiCrack-DotNet/AntiVirtualization.cs
@@ -1,20 +1,19 @@
using System;
-using System.Collections.Generic;
-using System.Diagnostics;
using System.IO;
-using System.Linq;
+using System.Threading;
using System.Management;
-using System.Runtime.InteropServices;
+using System.Diagnostics;
using System.ServiceProcess;
-using System.Text;
-using System.Threading;
-using System.Windows.Forms;
-using Microsoft.Win32.SafeHandles;
+using System.Runtime.InteropServices;
+using Microsoft.Win32;
namespace AntiCrack_DotNet
{
- class AntiVirtualization
+ internal sealed class AntiVirtualization
{
+
+ #region WinApi
+
[DllImport("kernelbase.dll", SetLastError = true)]
private static extern IntPtr GetModuleHandle(string lib);
@@ -33,6 +32,12 @@ class AntiVirtualization
[DllImport("ucrtbase.dll", SetLastError = true)]
private static extern int fclose(IntPtr filestream);
+ #endregion
+
+ ///
+ /// Checks if Sandboxie is present on the system.
+ ///
+ /// True if Sandboxie is detected, otherwise false.
public static bool IsSandboxiePresent()
{
if (GetModuleHandle("SbieDll.dll").ToInt32() != 0)
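Review bot: The summary says "Checks if Sandboxie is present on the system", but the visible test is `GetModuleHandle("SbieDll.dll")`, which only reports whether that module is loaded into the current process. The doc should describe what is measured, for example `/// Checks whether SbieDll.dll is loaded in the current process.` with the return line adjusted to match. The summaries for IsComodoSandboxPresent, IsQihoo360SandboxPresent and IsCuckooSandboxPresent in the following hunks use the same "present on the system" wording over the same kind of module-handle test. The method bodies continue outside the hunks.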
@@ -40,6 +45,10 @@ public static bool IsSandboxiePresent()
return false;
}
+ ///
+ /// Checks if Comodo Sandbox is present on the system.
+ ///
+ /// True if Comodo Sandbox is detected, otherwise false.
public static bool IsComodoSandboxPresent()
{
if (GetModuleHandle("cmdvrt32.dll").ToInt32() != 0 || GetModuleHandle("cmdvrt64.dll").ToInt32() != 0)
@@ -47,6 +56,10 @@ public static bool IsComodoSandboxPresent()
return false;
}
+ ///
+ /// Checks if Qihoo 360 Sandbox is present on the system.
+ ///
+ /// True if Qihoo 360 Sandbox is detected, otherwise false.
public static bool IsQihoo360SandboxPresent()
{
if (GetModuleHandle("SxIn.dll").ToInt32() != 0)
@@ -54,6 +67,10 @@ public static bool IsQihoo360SandboxPresent()
return false;
}
+ ///
+ /// Checks if Cuckoo Sandbox is present on the system.
+ ///
+ /// True if Cuckoo Sandbox is detected, otherwise false.
public static bool IsCuckooSandboxPresent()
{
if (GetModuleHandle("cuckoomon.dll").ToInt32() != 0)
@@ -61,6 +78,10 @@ public static bool IsCuckooSandboxPresent()
return false;
}
+ ///
+ /// Checks if the environment is running in an emulation by measuring the sleep interval.
+ ///
+ /// True if emulation is detected, otherwise false.
public static bool IsEmulationPresent()
{
long Tick = Environment.TickCount;
@@ -73,6 +94,10 @@ public static bool IsEmulationPresent()
return false;
}
+ ///
+ /// Checks if the environment is running in Wine.
+ ///
+ /// True if Wine is detected, otherwise false.
public static bool IsWinePresent()
{
IntPtr ModuleHandle = GetModuleHandle("kernel32.dll");
@@ -81,6 +106,10 @@ public static bool IsWinePresent()
return false;
}
+ ///
+ /// Checks if the environment is running in VMware or VirtualBox.
+ ///
+ /// True if VMware or VirtualBox is detected, otherwise false.
public static bool CheckForVMwareAndVirtualBox()
{
using (ManagementObjectSearcher ObjectSearcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
@@ -101,6 +130,10 @@ public static bool CheckForVMwareAndVirtualBox()
return false;
}
+ ///
+ /// Checks if the environment is running in KVM.
+ ///
+ /// True if KVM is detected, otherwise false.
public static bool CheckForKVM()
{
string[] BadDriversList = { "balloon.sys", "netkvm.sys", "vioinput", "viofs.sys", "vioser.sys" };
@@ -118,6 +151,10 @@ public static bool CheckForKVM()
return false;
}
+ ///
+ /// Checks if the environment is running in Hyper-V.
+ ///
+ /// True if Hyper-V is detected, otherwise false.
public static bool CheckForHyperV()
{
ServiceController[] GetServicesOnSystem = ServiceController.GetServices();
@@ -133,6 +170,10 @@ public static bool CheckForHyperV()
return false;
}
+ ///
+ /// Checks if the current user name matches any blacklisted names.
+ ///
+ /// True if a blacklisted name is detected, otherwise false.
public static bool CheckForBlacklistedNames()
{
string[] BadNames = { "Johnson", "Miller", "malware", "maltest", "CurrentUser", "Sandbox", "virus", "John Doe", "test user", "sand box", "WDAGUtilityAccount" };
@@ -147,6 +188,10 @@ public static bool CheckForBlacklistedNames()
return false;
}
+ ///
+ /// Detects bad VM-related files and directories on the system.
+ ///
+ /// True if bad VM-related files or directories are detected, otherwise false.
public static bool BadVMFilesDetection()
{
try
@@ -186,6 +231,10 @@ public static bool BadVMFilesDetection()
return false;
}
+ ///
+ /// Checks for the presence of bad VM-related process names.
+ ///
+ /// True if bad VM-related process names are detected, otherwise false.
public static bool BadVMProcessNames()
{
try
@@ -206,6 +255,10 @@ public static bool BadVMProcessNames()
return false;
}
+ ///
+ /// Checks for VM-related ports on the system.
+ ///
+ /// True if no port connectors are found, indicating a possible VM environment, otherwise false.
public static bool PortConnectionAntiVM()
{
if (new ManagementObjectSearcher("SELECT * FROM Win32_PortConnector").Get().Count == 0)
@@ -213,6 +266,9 @@ public static bool PortConnectionAntiVM()
return false;
}
+ ///
+ /// Attempts to crash Sandboxie if detected.
+ ///
public static void CrashingSandboxie()
{
if (!Environment.Is64BitProcess)
@@ -244,6 +300,10 @@ public static void CrashingSandboxie()
}
}
+ ///
+ /// Checks for VM-related device names.
+ ///
+ /// True if VM-related device names are detected, otherwise false.
public static bool CheckDevices()
{
string[] Devices = { "\\\\.\\pipe\\cuckoo", "\\\\.\\HGFS", "\\\\.\\vmci", "\\\\.\\VBoxMiniRdrDN", "\\\\.\\VBoxGuest", "\\\\.\\pipe\\VBoxMiniRdDN", "\\\\.\\VBoxTrayIPC", "\\\\.\\pipe\\VBoxTrayIPC" };
@@ -265,6 +325,11 @@ public static bool CheckDevices()
}
return false;
}
+
+ ///
+ /// Checks if the environment is running in Parallels.
+ ///
+ /// True if Parallels is detected, otherwise false.
public static bool CheckForParallels()
{
string[] BadDriversList = { "prl_sf", "prl_tg", "prl_eth" };
@@ -282,6 +347,10 @@ public static bool CheckForParallels()
return false;
}
+ ///
+ /// Checks for specific disk drive models that indicate a virtual environment.
+ ///
+ /// True if specific disk drive models are detected, otherwise false.
public static bool TriageCheck()
{
using (var searcher = new ManagementObjectSearcher("SELECT * FROM Win32_DiskDrive"))
@@ -298,6 +367,42 @@ public static bool TriageCheck()
return false;
}
+ ///
+ /// Checks for specific Machine GUIDs that indicate a virtual environment in Any.Run.
+ ///
+ /// True if specific Machine GUIDs are detected, otherwise false.
+ public static bool AnyRunCheck()
+ {
+ string[] uuids = {
+ "bb926e54-e3ca-40fd-ae90-2764341e7792", // win10 free
+ "90059c37-1320-41a4-b58d-2b75a9850d2f", // win7 free
+ };
+ // https://app.any.run/tasks/a143d613-4e75-4cde-991a-6e096348bfec
+ using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Cryptography"))
+ {
+ if (key != null)
+ {
+ object value = key.GetValue("MachineGuid");
+
+ if (value != null)
+ {
+ foreach (string uuid in uuids)
+ {
+ if (uuid == value.ToString())
+ {
+ return true;
+ }
+ }
+ }
+ }
+ }
+ return false;
+ }
+
+ ///
+ /// Checks if the environment is running in QEMU.
+ ///
+ /// True if QEMU is detected, otherwise false.
public static bool CheckForQemu()
{
string[] BadDriversList = { "qemu-ga", "qemuwmi" };
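Review bot: The summary for AnyRunCheck should say exactly what is matched and that the target is a public malware-analysis service, because that matters to anyone deciding whether to ship this library. The method reads `MachineGuid` under `HKLM\SOFTWARE\Microsoft\Cryptography` and returns true only on an exact match with one of two hard-coded values, and false when the key or value is missing. A fixed list like this goes stale without notice, and binaries carrying analysis-sandbox fingerprints are, in my experience, more likely to be flagged by AV and triage tooling. On style, the local `uuids` departs from the PascalCase locals used elsewhere in this file (`BadDriversList`, `Tick`). The task URL comment sits between the array and the `using`, where it documents neither; place it above the array as the source of the values.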
@@ -315,4 +420,4 @@ public static bool CheckForQemu()
return false;
}
}
-}
\ No newline at end of file
+}
diff --git a/AntiCrack-DotNet/HooksDetection.cs b/AntiCrack-DotNet/HooksDetection.cs
index 81ecd3a..e3a14cd 100644
--- a/AntiCrack-DotNet/HooksDetection.cs
+++ b/AntiCrack-DotNet/HooksDetection.cs
@@ -1,14 +1,17 @@
using System;
-using System.Runtime.InteropServices;
-using System.Diagnostics;
-using System.Reflection;
using System.IO;
+using System.Reflection;
using System.Net.Sockets;
+using System.Diagnostics;
+using System.Runtime.InteropServices;
namespace AntiCrack_DotNet
{
- public class HooksDetection
+ public sealed class HooksDetection
{
+
+ #region WinApi
+
[DllImport("ntdll.dll", SetLastError = true, CharSet = CharSet.Unicode)]
private static extern void RtlInitUnicodeString(out Structs.UNICODE_STRING DestinationString, string SourceString);
@@ -27,6 +30,13 @@ public class HooksDetection
[DllImport("ntdll.dll", SetLastError = true, CharSet = CharSet.Ansi)]
private static extern uint LdrGetProcedureAddressForCaller(IntPtr Module, Structs.ANSI_STRING ProcedureName, ushort ProcedureNumber, out IntPtr FunctionHandle, ulong Flags, IntPtr CallBack);
+ #endregion
+
+ ///
+ /// Gets the handle of a specified module using low-level functions.
+ ///
+ /// The name of the library to get the handle for.
+ /// The handle to the module.
private static IntPtr LowLevelGetModuleHandle(string Library)
{
if (IntPtr.Size == 4)
@@ -38,6 +48,12 @@ private static IntPtr LowLevelGetModuleHandle(string Library)
return hModule;
}
+ ///
+ /// Gets the address of a specified function using low-level functions.
+ ///
+ /// The handle to the module.
+ /// The name of the function to get the address for.
+ /// The address of the function.
private static IntPtr LowLevelGetProcAddress(IntPtr hModule, string Function)
{
if (IntPtr.Size == 4)
@@ -51,6 +67,11 @@ private static IntPtr LowLevelGetProcAddress(IntPtr hModule, string Function)
return FunctionHandle;
}
+ ///
+ /// Reads a byte from a specified memory address.
+ ///
+ /// The memory address to read from.
+ /// The byte read from the memory address.
private static unsafe byte InternalReadByte(IntPtr ptr)
{
try
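Review bot: The return description "The byte read from the memory address" omits the failure path. The tail of this method, visible at the top of the next hunk, ends in `return 0;`, so it appears that a failed read yields 0, which a caller cannot tell apart from a real zero byte. The try/catch body is outside the hunk, so confirm this and then document it, for example `/// The byte at the address, or 0 if the read failed (indistinguishable from a stored 0).` The hook detectors that depend on this helper inherit the ambiguity.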
@@ -65,6 +86,12 @@ private static unsafe byte InternalReadByte(IntPtr ptr)
return 0;
}
+ ///
+ /// Detects hooks on common Windows API functions.
+ ///
+ /// The name of the module to check for hooks.
+ /// The list of functions to check for hooks.
+ /// Returns true if hooks are detected, otherwise false.
public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[] Functions)
{
string[] Libraries = { "kernel32.dll", "kernelbase.dll", "ntdll.dll", "user32.dll", "win32u.dll" };
@@ -205,6 +232,12 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
return false;
}
+ ///
+ /// Detects inline hooks on specified functions within a module.
+ ///
+ /// The name of the module to check for hooks.
+ /// The list of functions to check for hooks.
+ /// Returns true if hooks are detected, otherwise false.
public static bool DetectInlineHooks(string moduleName, string[] functions)
{
if (moduleName != null && functions != null)
@@ -227,6 +260,10 @@ public static bool DetectInlineHooks(string moduleName, string[] functions)
return false;
}
+ ///
+ /// Detects hooks in common .NET methods.
+ ///
+ /// Returns true if hooks are detected, otherwise false.
public static bool DetectCLRHooks()
{
if (IntPtr.Size == 4)
@@ -303,4 +340,5 @@ public static bool DetectCLRHooks()
return false;
}
}
-}
\ No newline at end of file
+
+}
diff --git a/AntiCrack-DotNet/OtherChecks.cs b/AntiCrack-DotNet/OtherChecks.cs
index 19d6964..648a048 100644
--- a/AntiCrack-DotNet/OtherChecks.cs
+++ b/AntiCrack-DotNet/OtherChecks.cs
@@ -1,21 +1,16 @@
using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
-using System.Runtime.InteropServices;
+using System.Security;
using System.Reflection;
using System.Windows.Forms;
-using System.Diagnostics;
-using System.Runtime.CompilerServices;
-using System.Threading;
-using System.Security;
+using System.Runtime.InteropServices;
using Microsoft.Win32;
namespace AntiCrack_DotNet
{
- public class OtherChecks
+ public sealed class OtherChecks
{
+ #region WinApi
+
[DllImport("ntdll.dll", SetLastError = true)]
private static extern uint NtQuerySystemInformation(uint SystemInformationClass, ref Structs.SYSTEM_CODEINTEGRITY_INFORMATION SystemInformation, uint SystemInformationLength, out uint ReturnLength);
@@ -30,6 +25,12 @@ public class OtherChecks
[SuppressUnmanagedCodeSecurity]
private static extern void GetExecutingAssembly(uint stackMark, IntPtr retAssembly);
+ #endregion
+
+ ///
+ /// Checks if unsigned drivers are allowed on the system.
+ ///
+ /// Returns true if unsigned drivers are allowed, otherwise false.
public static bool IsUnsignedDriversAllowed()
{
uint SystemCodeIntegrityInformation = 0x67;
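Review bot: The added doc says "Returns true if unsigned drivers are allowed, otherwise false", but the method's tail at the top of the next hunk ends in `return true;`. The fall-through therefore seems to report "allowed" when the code-integrity query fails or returns nothing usable. The sibling checks (IsTestSignedDriversAllowed, IsKernelDebuggingEnabled, IsSecureBootEnabled) end in `return false;`. The body is outside the hunk, so confirm the intent. If the default is deliberate, document it: `/// Also returns true when the code-integrity query fails.`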
@@ -47,6 +48,10 @@ public static bool IsUnsignedDriversAllowed()
return true;
}
+ ///
+ /// Checks if test-signed drivers are allowed on the system.
+ ///
+ /// Returns true if test-signed drivers are allowed, otherwise false.
public static bool IsTestSignedDriversAllowed()
{
uint SystemCodeIntegrityInformation = 0x67;
@@ -64,6 +69,10 @@ public static bool IsTestSignedDriversAllowed()
return false;
}
+ ///
+ /// Checks if kernel debugging is enabled on the system.
+ ///
+ /// Returns true if kernel debugging is enabled, otherwise false.
public static bool IsKernelDebuggingEnabled()
{
uint SystemKernelDebuggerInformation = 0x23;
@@ -81,6 +90,10 @@ public static bool IsKernelDebuggingEnabled()
return false;
}
+ ///
+ /// Checks if Secure Boot is enabled on the system.
+ ///
+ /// Returns true if Secure Boot is enabled, otherwise false.
public static bool IsSecureBootEnabled()
{
uint SystemSecureBootInformation = 0x91;
@@ -98,6 +111,10 @@ public static bool IsSecureBootEnabled()
return false;
}
+ ///
+ /// Checks if virtualization-based security is enabled on the system.
+ ///
+ /// Returns true if virtualization-based security is enabled, otherwise false.
public static bool IsVirtualizationBasedSecurityEnabled()
{
try
@@ -121,6 +138,10 @@ public static bool IsVirtualizationBasedSecurityEnabled()
return false;
}
+ ///
+ /// Checks if memory integrity (Hypervisor-enforced Code Integrity) is enabled on the system.
+ ///
+ /// Returns true if memory integrity is enabled, otherwise false.
public static bool IsMemoryIntegrityEnabled()
{
try
@@ -144,6 +165,10 @@ public static bool IsMemoryIntegrityEnabled()
return false;
}
+ ///
+ /// Checks if the current assembly is invoked by another assembly.
+ ///
+ /// Returns true if the current assembly is invoked by another assembly, otherwise false.
public static bool IsInovkedAssembly()
{
MethodInfo Method = typeof(Assembly).GetMethod("GetExecutingAssembly");
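Review bot: The newly documented public method name `IsInovkedAssembly` is misspelled ("Inovked" for "Invoked"), and adding XML docs makes the typo part of the published API surface. Renaming it outright would break callers because OtherChecks is public. Suggest adding a correctly spelled `IsInvokedAssembly()` and keeping the old name as a forwarder marked `[Obsolete("Use IsInvokedAssembly instead")]`. The method body continues outside this hunk.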
@@ -153,4 +178,5 @@ public static bool IsInovkedAssembly()
return false;
}
}
-}
\ No newline at end of file
+
+}
diff --git a/AntiCrack-DotNet/Program.cs b/AntiCrack-DotNet/Program.cs
index f7da44c..55a639f 100644
--- a/AntiCrack-DotNet/Program.cs
+++ b/AntiCrack-DotNet/Program.cs
@@ -1,14 +1,10 @@
using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Diagnostics;
namespace AntiCrack_DotNet
{
- class Program
+ internal sealed class Program
{
- private class ConsoleConfig
+ private sealed class ConsoleConfig
{
public static void SetDefaultColors()
{
@@ -104,6 +100,7 @@ private static void ExecuteAntiDebuggingTricks()
private static void ExecuteAntiVirtualizationTricks()
{
ConsoleConfig.DisplayHeader("Executing Anti Virtualization Tricks");
+ ConsoleConfig.DisplayResult("Checking For Any.run: ", AntiVirtualization.AnyRunCheck(), "Checks if Any.run is present through crypto id.");
ConsoleConfig.DisplayResult("Checking For Triage: ", AntiVirtualization.TriageCheck(), "Checks if Triage is present through disk.");
ConsoleConfig.DisplayResult("Checking For Qemu: ", AntiVirtualization.CheckForQemu(), "Checks if running under Qemu.");
ConsoleConfig.DisplayResult("Checking For Parallels: ", AntiVirtualization.CheckForParallels(), "Checks if running under Parallels.");
@@ -157,10 +154,11 @@ private static void ExecuteHooksDetectionTricks()
ConsoleConfig.DisplayFooter();
}
- static void Main(string[] args)
+ public static void Main(string[] args)
{
ConsoleConfig.SetDefaultColors();
ConsoleConfig.SetTitle("AntiCrack DotNet");
+
while (true)
{
ExecuteAntiDebuggingTricks();
diff --git a/AntiCrack-DotNet/Structs.cs b/AntiCrack-DotNet/Structs.cs
index 52d78f6..19aa777 100644
--- a/AntiCrack-DotNet/Structs.cs
+++ b/AntiCrack-DotNet/Structs.cs
@@ -1,12 +1,9 @@
using System;
-using System.Collections.Generic;
-using System.Linq;
using System.Runtime.InteropServices;
-using System.Text;
namespace AntiCrack_DotNet
{
- class Structs
+ internal sealed class Structs
{
[StructLayout(LayoutKind.Sequential)]
public struct CONTEXT
diff --git a/README.md b/README.md
index cc29887..e26c078 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,8 @@ A C# Project which Contains some Anti-Cracking, anti memory injection techniques
## Anti Virtualization
+* Detecting Any.run
+
* Detecting Triage
* Detecting Qemu.