From 03d9df1cbf3875a97d15fbba6ad0d7e3c33730d0 Mon Sep 17 00:00:00 2001 From: Imperator Vladimir Date: Fri, 9 Aug 2024 01:23:54 +0300 Subject: [PATCH] New feature + comments Added any.run detection by detection machine guid. Check here https://app.any.run/tasks/a143d613-4e75-4cde-991a-6e096348bfec Added comments for almost every method. --- AntiCrack-DotNet/AntiCrack-DotNet.csproj | 9 +- AntiCrack-DotNet/AntiDebug.cs | 103 +++++++++++++++++-- AntiCrack-DotNet/AntiDllInjection.cs | 37 +++++-- AntiCrack-DotNet/AntiVirtualization.cs | 125 +++++++++++++++++++++-- AntiCrack-DotNet/HooksDetection.cs | 48 ++++++++- AntiCrack-DotNet/OtherChecks.cs | 48 +++++++-- AntiCrack-DotNet/Program.cs | 12 +-- AntiCrack-DotNet/Structs.cs | 5 +- README.md | 2 + 9 files changed, 326 insertions(+), 63 deletions(-) diff --git a/AntiCrack-DotNet/AntiCrack-DotNet.csproj b/AntiCrack-DotNet/AntiCrack-DotNet.csproj index 1746c35..43983fa 100644 --- a/AntiCrack-DotNet/AntiCrack-DotNet.csproj +++ b/AntiCrack-DotNet/AntiCrack-DotNet.csproj @@ -54,17 +54,10 @@ - - + - - - - - - diff --git a/AntiCrack-DotNet/AntiDebug.cs b/AntiCrack-DotNet/AntiDebug.cs index 535e768..190b6c9 100644 --- a/AntiCrack-DotNet/AntiDebug.cs +++ b/AntiCrack-DotNet/AntiDebug.cs @@ -1,19 +1,16 @@ using System; -using System.Collections.Generic; -using System.Linq; -using System.Text; -using System.Runtime.InteropServices; -using System.Diagnostics; using System.IO; +using System.Text; using System.Threading; -using System.Windows.Forms; -using System.ServiceProcess; -using System.Runtime.CompilerServices; +using System.Diagnostics; +using System.Runtime.InteropServices; namespace AntiCrack_DotNet { - class AntiDebug + internal sealed class AntiDebug { + #region WinApi + [DllImport("kernelbase.dll", SetLastError = true)] private static extern bool SetHandleInformation(IntPtr hObject, uint dwMask, uint dwFlags); 
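Review bot: `internal sealed class AntiDebug` seals a class whose every member visible in this diff is static (the DllImport externs, the public static methods, a delegate and a static field), so `internal static class AntiDebug` would state that intent and let the compiler reject an accidental instance member; the same applies to the `sealed` edits on AntiDllInjection, AntiVirtualization, HooksDetection, OtherChecks and Structs in the later hunks. If any of these classes is instantiated somewhere outside the diff, keep `sealed` and ignore this. The `#region WinApi` opened here is closed by an `#endregion` in a later hunk, which is fine, but it is worth a quick check that each file ends up with exactly one pair.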
@@ -92,6 +89,12 @@ class AntiDebug [DllImport("kernelbase.dll", SetLastError = true)] private static extern bool VirtualFree(IntPtr lpAddress, uint dwSize, uint dwFreeType); + #endregion + + /// + /// Attempts to close an invalid handle to detect debugger presence. + /// + /// Returns true if an exception is caught, indicating no debugger, otherwise false. public static bool NtCloseAntiDebug_InvalidHandle() { try @@ -105,6 +108,10 @@ public static bool NtCloseAntiDebug_InvalidHandle() } } + /// + /// Attempts to close a protected handle to detect debugger presence. + /// + /// Returns true if an exception is caught, indicating no debugger, otherwise false. public static bool NtCloseAntiDebug_ProtectedHandle() { IntPtr hMutex = CreateMutexA(IntPtr.Zero, false, new Random().Next(0, 9999999).ToString()); @@ -125,11 +132,19 @@ public static bool NtCloseAntiDebug_ProtectedHandle() return Result; } + /// + /// Checks if a debugger is attached to the process. + /// + /// Returns true if a debugger is attached, otherwise false. public static bool DebuggerIsAttached() { return Debugger.IsAttached; } + /// + /// Checks if a debugger is present using the IsDebuggerPresent API. + /// + /// Returns true if a debugger is present, otherwise false. public static bool IsDebuggerPresentCheck() { if (IsDebuggerPresent()) @@ -137,6 +152,10 @@ public static bool IsDebuggerPresentCheck() return false; } + /// + /// Checks if the process has debug flags set using NtQueryInformationProcess. + /// + /// Returns true if debug flags are set, otherwise false. public static bool NtQueryInformationProcessCheck_ProcessDebugFlags() { uint ProcessDebugFlags = 0; 
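Review bot: The returns line added for NtCloseAntiDebug_InvalidHandle says a caught exception indicates no debugger, but for this check the exception path is normally the one produced under a debugger (closing an invalid handle only raises when one is attached), so the wording looks inverted; the method body is outside the hunk, so confirm against the catch block before editing. If the catch returns true, the line should read `/// Returns true if an exception is caught, indicating a debugger is present, otherwise false.` The same sentence is reused for NtCloseAntiDebug_ProtectedHandle in the next hunk and should be checked the same way, since its body (also outside the hunk) returns a `Result` computed from the same kind of call.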
@@ -146,6 +165,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugFlags() return false; } + /// + /// Checks if the process has a debug port using NtQueryInformationProcess. + /// + /// Returns true if a debug port is detected, otherwise false. public static bool NtQueryInformationProcessCheck_ProcessDebugPort() { uint DebuggerPresent = 0; @@ -158,6 +181,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugPort() return false; } + /// + /// Checks if the process has a debug object handle using NtQueryInformationProcess. + /// + /// Returns true if a debug object handle is detected, otherwise false. public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle() { IntPtr hDebugObject = IntPtr.Zero; @@ -170,6 +197,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle() return false; } + /// + /// Patches the DbgUiRemoteBreakin and DbgBreakPoint functions to prevent debugger attachment. + /// + /// Returns "Success" if the patching was successful, otherwise "Failed". public static string AntiDebugAttach() { IntPtr NtdllModule = GetModuleHandle("ntdll.dll"); @@ -184,6 +215,10 @@ public static string AntiDebugAttach() return "Failed"; } + /// + /// Checks for the presence of known debugger windows. + /// + /// Returns true if a known debugger window is detected, otherwise false. public static bool FindWindowAntiDebug() { Process[] GetProcesses = Process.GetProcesses(); @@ -202,6 +237,10 @@ public static bool FindWindowAntiDebug() return false; } + /// + /// Checks if the foreground window belongs to a known debugger. + /// + /// Returns true if a known debugger window is detected, otherwise false. public static bool GetForegroundWindowAntiDebug() { string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "debug", "debugger", "cheat engine", "cheatengine", "ida" }; 
@@ -225,6 +264,10 @@ public static bool GetForegroundWindowAntiDebug() return false; } + /// + /// Hides threads from the debugger by setting the NtSetInformationThread. + /// + /// Returns "Success" if the threads were hidden successfully, otherwise "Failed". public static string HideThreadsAntiDebug() { try @@ -252,12 +295,21 @@ public static string HideThreadsAntiDebug() } } + /// + /// Uses GetTickCount to detect debugger presence. + /// + /// Returns true if debugger presence is detected, otherwise false. public static bool GetTickCountAntiDebug() { uint Start = GetTickCount(); Thread.Sleep(0x10); return (GetTickCount() - Start) > 0x10; } + + /// + /// Uses OutputDebugString to detect debugger presence. + /// + /// Returns true if debugger presence is detected, otherwise false. public static bool OutputDebugStringAntiDebug() { Debugger.Log(0, null, "just testing some stuff..."); @@ -266,11 +318,18 @@ public static bool OutputDebugStringAntiDebug() return false; } + /// + /// Exploits a format string vulnerability in OllyDbg. + /// public static void OllyDbgFormatStringExploit() { Debugger.Log(0, null, "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"); } + /// + /// Triggers a debug break to detect debugger presence. + /// + /// Returns true if an exception is caught, indicating no debugger, otherwise false. public static bool DebugBreakAntiDebug() { try @@ -286,6 +345,10 @@ public static bool DebugBreakAntiDebug() private static long CONTEXT_DEBUG_REGISTERS = 0x00010000L | 0x00000010L; + /// + /// Detects hardware breakpoints by checking debug registers. + /// + /// Returns true if hardware breakpoints are detected, otherwise false. public static bool HardwareRegistersBreakpointsDetection() { Structs.CONTEXT Context = new Structs.CONTEXT(); 
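Review bot: The summary added for GetTickCountAntiDebug does not mention how easily it fires: the body sleeps for `0x10` ms and reports detection whenever `GetTickCount() - Start` exceeds `0x10`, so ordinary scheduler latency and the roughly 16 ms tick granularity of GetTickCount can produce a positive with no debugger attached. Readers of the doc should know this, e.g. `/// Returns true if more than 16 ms elapse around a 16 ms sleep; timer granularity and scheduler latency make false positives likely.` While in the same hunk, `Hides threads from the debugger by setting the NtSetInformationThread` reads awkwardly — `by calling NtSetInformationThread` fixes the grammar without claiming more than the body shows.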
@@ -302,6 +365,12 @@ public static bool HardwareRegistersBreakpointsDetection() NtClose(CurrentThread); return false; } + + /// + /// Cleans the specified path by removing null characters. + /// + /// The path to clean. + /// The cleaned path. private static string CleanPath(string Path) { string CleanedPath = null; @@ -315,6 +384,10 @@ private static string CleanPath(string Path) return CleanedPath; } + /// + /// Checks if the parent process is a debugger by querying process information. + /// + /// Returns true if the parent process is a debugger, otherwise false. public static bool ParentProcessAntiDebug() { try @@ -348,6 +421,10 @@ public static bool ParentProcessAntiDebug() return false; } + /// + /// Uses NtSetDebugFilterState to prevent debugging. + /// + /// Returns true if the filter state was set successfully, otherwise false. public static bool NtSetDebugFilterStateAntiDebug() { if (NtSetDebugFilterState(0, 0, true) != 0) @@ -356,6 +433,11 @@ public static bool NtSetDebugFilterStateAntiDebug() } delegate int ExecutionDelegate(); + + /// + /// Uses page guard to detect debugger presence by executing a function pointer. + /// + /// Returns true if debugger presence is detected, otherwise false. public static bool PageGuardAntiDebug() { Structs.SYSTEM_INFO SysInfo = new Structs.SYSTEM_INFO(); @@ -389,4 +471,5 @@ public static bool PageGuardAntiDebug() return false; } } -} \ No newline at end of file + +} diff --git a/AntiCrack-DotNet/AntiDllInjection.cs b/AntiCrack-DotNet/AntiDllInjection.cs index 34a4454..c229987 100644 --- a/AntiCrack-DotNet/AntiDllInjection.cs +++ b/AntiCrack-DotNet/AntiDllInjection.cs 
@@ -1,17 +1,14 @@ using System; -using System.Collections.Generic; -using System.Linq; -using System.Text; -using System.Runtime.InteropServices; using System.Diagnostics; -using System.IO; -using System.Windows.Forms; -using static AntiCrack_DotNet.Structs; +using System.Runtime.InteropServices; namespace AntiCrack_DotNet { - class AntiDllInjection + internal sealed class AntiDllInjection { + + #region WinApi + [DllImport("kernelbase.dll", SetLastError = true)] private static extern IntPtr GetModuleHandle(string lib); @@ -24,6 +21,13 @@ class AntiDllInjection [DllImport("kernelbase.dll", SetLastError = true)] public static extern bool SetProcessMitigationPolicy(int policy, ref Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY lpBuffer, int size); + #endregion + + + /// + /// Patches the LoadLibraryA function to prevent DLL injection. + /// + /// Returns "Success" if the patching was successful, otherwise "Failed". public static string PatchLoadLibraryA() { IntPtr KernelModule = GetModuleHandle("kernelbase.dll"); @@ -35,6 +39,10 @@ public static string PatchLoadLibraryA() return "Failed"; } + /// + /// Patches the LoadLibraryW function to prevent DLL injection. + /// + /// Returns "Success" if the patching was successful, otherwise "Failed". public static string PatchLoadLibraryW() { IntPtr KernelModule = GetModuleHandle("kernelbase.dll"); @@ -46,6 +54,10 @@ public static string PatchLoadLibraryW() return "Failed"; } + /// + /// Enables the binary image signature mitigation policy to only allow Microsoft-signed binaries. + /// + /// Returns "Success" if the policy was set successfully, otherwise "Failed". public static string BinaryImageSignatureMitigationAntiDllInjection() { Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY OnlyMicrosoftBinaries = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY(); 
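Review bot: The summaries added for BinaryImageSignatureMitigationAntiDllInjection (this hunk) and SetDllLoadPolicy (the next hunk, at L7) describe the same outcome — only Microsoft-signed binaries may load — so a reader cannot tell why both exist; as far as the hunks show, both build a PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY and presumably hand it to SetProcessMitigationPolicy, though the bodies are cut off. Either document what differs (for example which policy fields each one sets), or state in one summary that it is retained as an alias of the other. A doc that says the same thing twice usually means one of the two methods is dead.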
@@ -55,6 +67,10 @@ public static string BinaryImageSignatureMitigationAntiDllInjection() return "Failed"; } + /// + /// Checks if there are any injected libraries in the current process. + /// + /// Returns true if an injected library is detected, otherwise false. public static bool IsInjectedLibrary() { bool IsMalicious = false; @@ -71,6 +87,11 @@ public static bool IsInjectedLibrary() } return IsMalicious; } + + /// + /// Sets the DLL load policy to only allow Microsoft-signed DLLs to be loaded. + /// + /// Returns "Success" if the policy was set successfully, otherwise "Failed". public static string SetDllLoadPolicy() { Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY policy = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY diff --git a/AntiCrack-DotNet/AntiVirtualization.cs b/AntiCrack-DotNet/AntiVirtualization.cs index 8170a90..1bfb557 100644 --- a/AntiCrack-DotNet/AntiVirtualization.cs +++ b/AntiCrack-DotNet/AntiVirtualization.cs @@ -1,20 +1,19 @@ using System; -using System.Collections.Generic; -using System.Diagnostics; using System.IO; -using System.Linq; +using System.Threading; using System.Management; -using System.Runtime.InteropServices; +using System.Diagnostics; using System.ServiceProcess; -using System.Text; -using System.Threading; -using System.Windows.Forms; -using Microsoft.Win32.SafeHandles; +using System.Runtime.InteropServices; +using Microsoft.Win32; namespace AntiCrack_DotNet { - class AntiVirtualization + internal sealed class AntiVirtualization { + + #region WinApi + [DllImport("kernelbase.dll", SetLastError = true)] private static extern IntPtr GetModuleHandle(string lib); 
@@ -33,6 +32,12 @@ class AntiVirtualization [DllImport("ucrtbase.dll", SetLastError = true)] private static extern int fclose(IntPtr filestream); + #endregion + + /// + /// Checks if Sandboxie is present on the system. + /// + /// True if Sandboxie is detected, otherwise false. public static bool IsSandboxiePresent() { if (GetModuleHandle("SbieDll.dll").ToInt32() != 0) @@ -40,6 +45,10 @@ public static bool IsSandboxiePresent() return false; } + /// + /// Checks if Comodo Sandbox is present on the system. + /// + /// True if Comodo Sandbox is detected, otherwise false. public static bool IsComodoSandboxPresent() { if (GetModuleHandle("cmdvrt32.dll").ToInt32() != 0 || GetModuleHandle("cmdvrt64.dll").ToInt32() != 0) @@ -47,6 +56,10 @@ public static bool IsComodoSandboxPresent() return false; } + /// + /// Checks if Qihoo 360 Sandbox is present on the system. + /// + /// True if Qihoo 360 Sandbox is detected, otherwise false. public static bool IsQihoo360SandboxPresent() { if (GetModuleHandle("SxIn.dll").ToInt32() != 0) @@ -54,6 +67,10 @@ public static bool IsQihoo360SandboxPresent() return false; } + /// + /// Checks if Cuckoo Sandbox is present on the system. + /// + /// True if Cuckoo Sandbox is detected, otherwise false. public static bool IsCuckooSandboxPresent() { if (GetModuleHandle("cuckoomon.dll").ToInt32() != 0) @@ -61,6 +78,10 @@ public static bool IsCuckooSandboxPresent() return false; } + /// + /// Checks if the environment is running in an emulation by measuring the sleep interval. + /// + /// True if emulation is detected, otherwise false. public static bool IsEmulationPresent() { long Tick = Environment.TickCount; @@ -73,6 +94,10 @@ public static bool IsEmulationPresent() return false; } + /// + /// Checks if the environment is running in Wine. + /// + /// True if Wine is detected, otherwise false. public static bool IsWinePresent() { IntPtr ModuleHandle = GetModuleHandle("kernel32.dll"); 
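Review bot: `GetModuleHandle("SbieDll.dll").ToInt32() != 0` in IsSandboxiePresent can throw OverflowException instead of returning a result, because IntPtr.ToInt32 range-checks on a 64-bit platform and a module base above 4 GB does not fit; IsComodoSandboxPresent, IsQihoo360SandboxPresent and IsCuckooSandboxPresent in the following hunks use the same pattern. Comparing the handle directly, `if (GetModuleHandle("SbieDll.dll") != IntPtr.Zero)`, removes the conversion. The new summaries could also say that each test is a module-handle presence check in the current process, so a false result is read as "not loaded here" rather than "not installed".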
@@ -81,6 +106,10 @@ public static bool IsWinePresent() return false; } + /// + /// Checks if the environment is running in VMware or VirtualBox. + /// + /// True if VMware or VirtualBox is detected, otherwise false. public static bool CheckForVMwareAndVirtualBox() { using (ManagementObjectSearcher ObjectSearcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem")) @@ -101,6 +130,10 @@ public static bool CheckForVMwareAndVirtualBox() return false; } + /// + /// Checks if the environment is running in KVM. + /// + /// True if KVM is detected, otherwise false. public static bool CheckForKVM() { string[] BadDriversList = { "balloon.sys", "netkvm.sys", "vioinput", "viofs.sys", "vioser.sys" }; @@ -118,6 +151,10 @@ public static bool CheckForKVM() return false; } + /// + /// Checks if the environment is running in Hyper-V. + /// + /// True if Hyper-V is detected, otherwise false. public static bool CheckForHyperV() { ServiceController[] GetServicesOnSystem = ServiceController.GetServices(); @@ -133,6 +170,10 @@ public static bool CheckForHyperV() return false; } + /// + /// Checks if the current user name matches any blacklisted names. + /// + /// True if a blacklisted name is detected, otherwise false. public static bool CheckForBlacklistedNames() { string[] BadNames = { "Johnson", "Miller", "malware", "maltest", "CurrentUser", "Sandbox", "virus", "John Doe", "test user", "sand box", "WDAGUtilityAccount" }; @@ -147,6 +188,10 @@ public static bool CheckForBlacklistedNames() return false; } + /// + /// Detects bad VM-related files and directories on the system. + /// + /// True if bad VM-related files or directories are detected, otherwise false. public static bool BadVMFilesDetection() { try 
@@ -186,6 +231,10 @@ public static bool BadVMFilesDetection() return false; } + /// + /// Checks for the presence of bad VM-related process names. + /// + /// True if bad VM-related process names are detected, otherwise false. public static bool BadVMProcessNames() { try @@ -206,6 +255,10 @@ public static bool BadVMProcessNames() return false; } + /// + /// Checks for VM-related ports on the system. + /// + /// True if no port connectors are found, indicating a possible VM environment, otherwise false. public static bool PortConnectionAntiVM() { if (new ManagementObjectSearcher("SELECT * FROM Win32_PortConnector").Get().Count == 0) @@ -213,6 +266,9 @@ public static bool PortConnectionAntiVM() return false; } + /// + /// Attempts to crash Sandboxie if detected. + /// public static void CrashingSandboxie() { if (!Environment.Is64BitProcess) @@ -244,6 +300,10 @@ public static void CrashingSandboxie() } } + /// + /// Checks for VM-related device names. + /// + /// True if VM-related device names are detected, otherwise false. public static bool CheckDevices() { string[] Devices = { "\\\\.\\pipe\\cuckoo", "\\\\.\\HGFS", "\\\\.\\vmci", "\\\\.\\VBoxMiniRdrDN", "\\\\.\\VBoxGuest", "\\\\.\\pipe\\VBoxMiniRdDN", "\\\\.\\VBoxTrayIPC", "\\\\.\\pipe\\VBoxTrayIPC" }; @@ -265,6 +325,11 @@ public static bool CheckDevices() } return false; } + + /// + /// Checks if the environment is running in Parallels. + /// + /// True if Parallels is detected, otherwise false. public static bool CheckForParallels() { string[] BadDriversList = { "prl_sf", "prl_tg", "prl_eth" }; @@ -282,6 +347,10 @@ public static bool CheckForParallels() return false; } + /// + /// Checks for specific disk drive models that indicate a virtual environment. + /// + /// True if specific disk drive models are detected, otherwise false. public static bool TriageCheck() { using (var searcher = new ManagementObjectSearcher("SELECT * FROM Win32_DiskDrive")) 
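Review bot: The summary `Checks for VM-related ports on the system` for PortConnectionAntiVM does not match the body, which queries WMI for `Win32_PortConnector` and treats an empty result set as the indicator; there are no "VM-related ports" involved. Suggested wording: `/// Queries Win32_PortConnector and treats an empty result as a VM indicator; machines whose WMI inventory is incomplete will also match.` The returns line already has the right sense, so only the summary needs the change.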
@@ -298,6 +367,42 @@ public static bool TriageCheck()
 return false;
 }
 
+ ///
+ /// Checks for specific Machine GUIDs that indicate a virtual environment in Any.Run.
+ ///
+ /// True if specific Machine GUIDs are detected, otherwise false.
+ public static bool AnyRunCheck()
+ {
+ string[] uuids = {
+ "bb926e54-e3ca-40fd-ae90-2764341e7792", // win10 free
+ "90059c37-1320-41a4-b58d-2b75a9850d2f", // win7 free
+ };
+ // https://app.any.run/tasks/a143d613-4e75-4cde-991a-6e096348bfec
+ using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Cryptography"))
+ {
+ if (key != null)
+ {
+ object value = key.GetValue("MachineGuid");
+
+ if (value != null)
+ {
+ foreach (string uuid in uuids)
+ {
+ if (uuid == value.ToString())
+ {
+ return true;
+ }
+ }
+ }
+ }
+ }
+ return false;
+ }
+
+ ///
+ /// Checks if the environment is running in QEMU.
+ ///
+ /// True if QEMU is detected, otherwise false.
 public static bool CheckForQemu()
 {
 string[] BadDriversList = { "qemu-ga", "qemuwmi" };
@@ -315,4 +420,4 @@ public static bool CheckForQemu()
 return false;
 }
 }
-}
\ No newline at end of file
+}
diff --git a/AntiCrack-DotNet/HooksDetection.cs b/AntiCrack-DotNet/HooksDetection.cs
index 81ecd3a..e3a14cd 100644
--- a/AntiCrack-DotNet/HooksDetection.cs
+++ b/AntiCrack-DotNet/HooksDetection.cs
@@ -1,14 +1,17 @@
 using System;
-using System.Runtime.InteropServices;
-using System.Diagnostics;
-using System.Reflection;
 using System.IO;
+using System.Reflection;
 using System.Net.Sockets;
+using System.Diagnostics;
+using System.Runtime.InteropServices;
 
 namespace AntiCrack_DotNet
 {
- public class HooksDetection
+ public sealed class HooksDetection
 {
+
+ #region WinApi
+
 [DllImport("ntdll.dll", SetLastError = true, CharSet = CharSet.Unicode)]
 private static extern void RtlInitUnicodeString(out Structs.UNICODE_STRING DestinationString, string SourceString);
 
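Review bot: AnyRunCheck lets registry exceptions escape — `Registry.LocalMachine.OpenSubKey` and `RegistryKey.GetValue` can throw SecurityException, UnauthorizedAccessException or IOException when the key is not readable — whereas the neighbouring probes BadVMFilesDetection and BadVMProcessNames wrap their work in try blocks, so one failed read here aborts the whole ExecuteAntiVirtualizationTricks pass in Program.cs. Wrapping the using block in a try and adding `catch (SecurityException) { return false; }`, `catch (UnauthorizedAccessException) { return false; }` and `catch (IOException) { return false; }` keeps the documented contract; note `SecurityException` needs `using System.Security;`, which this file does not import. The summary should also state that the result is false when the value cannot be read, so callers do not confuse "unreadable" with "not matched".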
@@ -27,6 +30,13 @@ public class HooksDetection [DllImport("ntdll.dll", SetLastError = true, CharSet = CharSet.Ansi)] private static extern uint LdrGetProcedureAddressForCaller(IntPtr Module, Structs.ANSI_STRING ProcedureName, ushort ProcedureNumber, out IntPtr FunctionHandle, ulong Flags, IntPtr CallBack); + #endregion + + /// + /// Gets the handle of a specified module using low-level functions. + /// + /// The name of the library to get the handle for. + /// The handle to the module. private static IntPtr LowLevelGetModuleHandle(string Library) { if (IntPtr.Size == 4) @@ -38,6 +48,12 @@ private static IntPtr LowLevelGetModuleHandle(string Library) return hModule; } + /// + /// Gets the address of a specified function using low-level functions. + /// + /// The handle to the module. + /// The name of the function to get the address for. + /// The address of the function. private static IntPtr LowLevelGetProcAddress(IntPtr hModule, string Function) { if (IntPtr.Size == 4) @@ -51,6 +67,11 @@ private static IntPtr LowLevelGetProcAddress(IntPtr hModule, string Function) return FunctionHandle; } + /// + /// Reads a byte from a specified memory address. + /// + /// The memory address to read from. + /// The byte read from the memory address. private static unsafe byte InternalReadByte(IntPtr ptr) { try @@ -65,6 +86,12 @@ private static unsafe byte InternalReadByte(IntPtr ptr) return 0; } + /// + /// Detects hooks on common Windows API functions. + /// + /// The name of the module to check for hooks. + /// The list of functions to check for hooks. + /// Returns true if hooks are detected, otherwise false. public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[] Functions) { string[] Libraries = { "kernel32.dll", "kernelbase.dll", "ntdll.dll", "user32.dll", "win32u.dll" }; 
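Review bot: The returns line added for InternalReadByte, `The byte read from the memory address`, omits the failure path that the hunk shows: the try block is followed by `return 0;`, so a faulting read yields 0 and callers cannot distinguish it from a genuine 0x00 byte. Suggested wording: `/// The byte at ptr, or 0 if the read faults; a 0 result is therefore ambiguous.` The body of the try is outside the hunk, so adjust if it returns something other than the raw byte.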
@@ -205,6 +232,12 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[ return false; } + /// + /// Detects inline hooks on specified functions within a module. + /// + /// The name of the module to check for hooks. + /// The list of functions to check for hooks. + /// Returns true if hooks are detected, otherwise false. public static bool DetectInlineHooks(string moduleName, string[] functions) { if (moduleName != null && functions != null) @@ -227,6 +260,10 @@ public static bool DetectInlineHooks(string moduleName, string[] functions) return false; } + /// + /// Detects hooks in common .NET methods. + /// + /// Returns true if hooks are detected, otherwise false. public static bool DetectCLRHooks() { if (IntPtr.Size == 4) @@ -303,4 +340,5 @@ public static bool DetectCLRHooks() return false; } } -} \ No newline at end of file + +} diff --git a/AntiCrack-DotNet/OtherChecks.cs b/AntiCrack-DotNet/OtherChecks.cs index 19d6964..648a048 100644 --- a/AntiCrack-DotNet/OtherChecks.cs +++ b/AntiCrack-DotNet/OtherChecks.cs @@ -1,21 +1,16 @@ using System; -using System.Collections.Generic; -using System.Linq; -using System.Text; -using System.Threading.Tasks; -using System.Runtime.InteropServices; +using System.Security; using System.Reflection; using System.Windows.Forms; -using System.Diagnostics; -using System.Runtime.CompilerServices; -using System.Threading; -using System.Security; +using System.Runtime.InteropServices; using Microsoft.Win32; namespace AntiCrack_DotNet { - public class OtherChecks + public sealed class OtherChecks { + #region WinApi + [DllImport("ntdll.dll", SetLastError = true)] private static extern uint NtQuerySystemInformation(uint SystemInformationClass, ref Structs.SYSTEM_CODEINTEGRITY_INFORMATION SystemInformation, uint SystemInformationLength, out uint ReturnLength); 
@@ -30,6 +25,12 @@ public class OtherChecks [SuppressUnmanagedCodeSecurity] private static extern void GetExecutingAssembly(uint stackMark, IntPtr retAssembly); + #endregion + + /// + /// Checks if unsigned drivers are allowed on the system. + /// + /// Returns true if unsigned drivers are allowed, otherwise false. public static bool IsUnsignedDriversAllowed() { uint SystemCodeIntegrityInformation = 0x67; @@ -47,6 +48,10 @@ public static bool IsUnsignedDriversAllowed() return true; } + /// + /// Checks if test-signed drivers are allowed on the system. + /// + /// Returns true if test-signed drivers are allowed, otherwise false. public static bool IsTestSignedDriversAllowed() { uint SystemCodeIntegrityInformation = 0x67; @@ -64,6 +69,10 @@ public static bool IsTestSignedDriversAllowed() return false; } + /// + /// Checks if kernel debugging is enabled on the system. + /// + /// Returns true if kernel debugging is enabled, otherwise false. public static bool IsKernelDebuggingEnabled() { uint SystemKernelDebuggerInformation = 0x23; @@ -81,6 +90,10 @@ public static bool IsKernelDebuggingEnabled() return false; } + /// + /// Checks if Secure Boot is enabled on the system. + /// + /// Returns true if Secure Boot is enabled, otherwise false. public static bool IsSecureBootEnabled() { uint SystemSecureBootInformation = 0x91; @@ -98,6 +111,10 @@ public static bool IsSecureBootEnabled() return false; } + /// + /// Checks if virtualization-based security is enabled on the system. + /// + /// Returns true if virtualization-based security is enabled, otherwise false. public static bool IsVirtualizationBasedSecurityEnabled() { try @@ -121,6 +138,10 @@ public static bool IsVirtualizationBasedSecurityEnabled() return false; } + /// + /// Checks if memory integrity (Hypervisor-enforced Code Integrity) is enabled on the system. + /// + /// Returns true if memory integrity is enabled, otherwise false. public static bool IsMemoryIntegrityEnabled() { try 
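Review bot: The summary added for IsUnsignedDriversAllowed does not say what the method reports when the NtQuerySystemInformation query fails, and as far as the hunk context shows its fall-through is `return true;` while IsTestSignedDriversAllowed, IsKernelDebuggingEnabled and IsSecureBootEnabled in the following hunks all fall through to `return false;`. If the asymmetric default is deliberate (treat an unanswered integrity query as "unsigned drivers allowed"), document it, e.g. `/// Returns true if unsigned drivers are allowed or the query could not be answered, otherwise false.`; if it is not, align it with its siblings. The bodies are outside the hunks, so confirm the fall-through before changing the wording.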
@@ -144,6 +165,10 @@ public static bool IsMemoryIntegrityEnabled() return false; } + /// + /// Checks if the current assembly is invoked by another assembly. + /// + /// Returns true if the current assembly is invoked by another assembly, otherwise false. public static bool IsInovkedAssembly() { MethodInfo Method = typeof(Assembly).GetMethod("GetExecutingAssembly"); @@ -153,4 +178,5 @@ public static bool IsInovkedAssembly() return false; } } -} \ No newline at end of file + +} diff --git a/AntiCrack-DotNet/Program.cs b/AntiCrack-DotNet/Program.cs index f7da44c..55a639f 100644 --- a/AntiCrack-DotNet/Program.cs +++ b/AntiCrack-DotNet/Program.cs @@ -1,14 +1,10 @@ using System; -using System.Collections.Generic; -using System.Linq; -using System.Text; -using System.Diagnostics; namespace AntiCrack_DotNet { - class Program + internal sealed class Program { - private class ConsoleConfig + private sealed class ConsoleConfig { public static void SetDefaultColors() { @@ -104,6 +100,7 @@ private static void ExecuteAntiDebuggingTricks() private static void ExecuteAntiVirtualizationTricks() { ConsoleConfig.DisplayHeader("Executing Anti Virtualization Tricks"); + ConsoleConfig.DisplayResult("Checking For Any.run: ", AntiVirtualization.AnyRunCheck(), "Checks if Any.run is present through crypto id."); ConsoleConfig.DisplayResult("Checking For Triage: ", AntiVirtualization.TriageCheck(), "Checks if Triage is present through disk."); ConsoleConfig.DisplayResult("Checking For Qemu: ", AntiVirtualization.CheckForQemu(), "Checks if running under Qemu."); ConsoleConfig.DisplayResult("Checking For Parallels: ", AntiVirtualization.CheckForParallels(), "Checks if running under Parallels."); 
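Review bot: The new summary for IsInovkedAssembly documents a misspelled public name; since the method is public static, adding a correctly spelled `IsInvokedAssembly` that forwards to it and marking the old one `[Obsolete("Use IsInvokedAssembly")]` lets callers migrate without a break. The summary itself, `invoked by another assembly`, could say what is actually compared — the hunk shows a MethodInfo lookup of `Assembly.GetExecutingAssembly`, but the comparison is outside the hunk, so keep the claim to what the body does.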
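Review bot: The description string added to ExecuteAntiVirtualizationTricks, `"Checks if Any.run is present through crypto id."`, does not tell the reader what is inspected; AnyRunCheck reads the `MachineGuid` value under `SOFTWARE\Microsoft\Cryptography`, so `"Checks if Any.run is present through the MachineGuid registry value."` is both clearer and consistent with the other entries in this list, which name what they inspect (disk, drivers).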
@@ -157,10 +154,11 @@ private static void ExecuteHooksDetectionTricks() ConsoleConfig.DisplayFooter(); } - static void Main(string[] args) + public static void Main(string[] args) { ConsoleConfig.SetDefaultColors(); ConsoleConfig.SetTitle("AntiCrack DotNet"); + while (true) { ExecuteAntiDebuggingTricks(); diff --git a/AntiCrack-DotNet/Structs.cs b/AntiCrack-DotNet/Structs.cs index 52d78f6..19aa777 100644 --- a/AntiCrack-DotNet/Structs.cs +++ b/AntiCrack-DotNet/Structs.cs @@ -1,12 +1,9 @@ using System; -using System.Collections.Generic; -using System.Linq; using System.Runtime.InteropServices; -using System.Text; namespace AntiCrack_DotNet { - class Structs + internal sealed class Structs { [StructLayout(LayoutKind.Sequential)] public struct CONTEXT diff --git a/README.md b/README.md index cc29887..e26c078 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,8 @@ A C# Project which Contains some Anti-Cracking, anti memory injection techniques ## Anti Virtualization +* Detecting Any.run + * Detecting Triage * Detecting Qemu.