Detect any.run

AntiCrack-DotNet/AntiCrack-DotNet.csproj

@@ -54,17 +54,10 @@
  </PropertyGroup>
  <ItemGroup>
  <Reference Include="System" />
- <Reference Include="System.Core" />
  <Reference Include="System.Management" />
- <Reference Include="System.Security" />
+ <Reference Include="Microsoft.CSharp" />
  <Reference Include="System.ServiceProcess" />
  <Reference Include="System.Windows.Forms" />
- <Reference Include="System.Xml.Linq" />
- <Reference Include="System.Data.DataSetExtensions" />
- <Reference Include="Microsoft.CSharp" />
- <Reference Include="System.Data" />
- <Reference Include="System.Net.Http" />
- <Reference Include="System.Xml" />
  </ItemGroup>
  <ItemGroup>
  <Compile Include="AntiDebug.cs" />

AntiCrack-DotNet/AntiDebug.cs

@@ -1,19 +1,16 @@
 using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Runtime.InteropServices;
-using System.Diagnostics;
 using System.IO;
+using System.Text;
 using System.Threading;
-using System.Windows.Forms;
-using System.ServiceProcess;
-using System.Runtime.CompilerServices;
+using System.Diagnostics;
+using System.Runtime.InteropServices;
 
 namespace AntiCrack_DotNet
 {
- class AntiDebug
+ internal sealed class AntiDebug
  {
+ #region WinApi
+
  [DllImport("kernelbase.dll", SetLastError = true)]
  private static extern bool SetHandleInformation(IntPtr hObject, uint dwMask, uint dwFlags);
 
@@ -92,6 +89,12 @@ class AntiDebug
  [DllImport("kernelbase.dll", SetLastError = true)]
  private static extern bool VirtualFree(IntPtr lpAddress, uint dwSize, uint dwFreeType);
 
+ #endregion
+
+ /// <summary>
+ /// Attempts to close an invalid handle to detect debugger presence.
+ /// </summary>
+ /// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
  public static bool NtCloseAntiDebug_InvalidHandle()
  {
  try
@@ -105,6 +108,10 @@ public static bool NtCloseAntiDebug_InvalidHandle()
  }
  }
 
+ /// <summary>
+ /// Attempts to close a protected handle to detect debugger presence.
+ /// </summary>
+ /// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
  public static bool NtCloseAntiDebug_ProtectedHandle()
  {
  IntPtr hMutex = CreateMutexA(IntPtr.Zero, false, new Random().Next(0, 9999999).ToString());
@@ -125,18 +132,30 @@ public static bool NtCloseAntiDebug_ProtectedHandle()
  return Result;
  }
 
+ /// <summary>
+ /// Checks if a debugger is attached to the process.
+ /// </summary>
+ /// <returns>Returns true if a debugger is attached, otherwise false.</returns>
  public static bool DebuggerIsAttached()
  {
  return Debugger.IsAttached;
  }
 
+ /// <summary>
+ /// Checks if a debugger is present using the IsDebuggerPresent API.
+ /// </summary>
+ /// <returns>Returns true if a debugger is present, otherwise false.</returns>
  public static bool IsDebuggerPresentCheck()
  {
  if (IsDebuggerPresent())
  return true;
  return false;
  }
 
+ /// <summary>
+ /// Checks if the process has debug flags set using NtQueryInformationProcess.
+ /// </summary>
+ /// <returns>Returns true if debug flags are set, otherwise false.</returns>
  public static bool NtQueryInformationProcessCheck_ProcessDebugFlags()
  {
  uint ProcessDebugFlags = 0;
@@ -146,6 +165,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugFlags()
  return false;
  }
 
+ /// <summary>
+ /// Checks if the process has a debug port using NtQueryInformationProcess.
+ /// </summary>
+ /// <returns>Returns true if a debug port is detected, otherwise false.</returns>
  public static bool NtQueryInformationProcessCheck_ProcessDebugPort()
  {
  uint DebuggerPresent = 0;
@@ -158,6 +181,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugPort()
  return false;
  }
 
+ /// <summary>
+ /// Checks if the process has a debug object handle using NtQueryInformationProcess.
+ /// </summary>
+ /// <returns>Returns true if a debug object handle is detected, otherwise false.</returns>
  public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle()
  {
  IntPtr hDebugObject = IntPtr.Zero;
@@ -170,6 +197,10 @@ public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle()
  return false;
  }
 
+ /// <summary>
+ /// Patches the DbgUiRemoteBreakin and DbgBreakPoint functions to prevent debugger attachment.
+ /// </summary>
+ /// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
  public static string AntiDebugAttach()
  {
  IntPtr NtdllModule = GetModuleHandle("ntdll.dll");
@@ -184,6 +215,10 @@ public static string AntiDebugAttach()
  return "Failed";
  }
 
+ /// <summary>
+ /// Checks for the presence of known debugger windows.
+ /// </summary>
+ /// <returns>Returns true if a known debugger window is detected, otherwise false.</returns>
  public static bool FindWindowAntiDebug()
  {
  Process[] GetProcesses = Process.GetProcesses();
@@ -202,6 +237,10 @@ public static bool FindWindowAntiDebug()
  return false;
  }
 
+ /// <summary>
+ /// Checks if the foreground window belongs to a known debugger.
+ /// </summary>
+ /// <returns>Returns true if a known debugger window is detected, otherwise false.</returns>
  public static bool GetForegroundWindowAntiDebug()
  {
  string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "debug", "debugger", "cheat engine", "cheatengine", "ida" };
@@ -225,6 +264,10 @@ public static bool GetForegroundWindowAntiDebug()
  return false;
  }
 
+ /// <summary>
+ /// Hides threads from the debugger by setting the NtSetInformationThread.
+ /// </summary>
+ /// <returns>Returns "Success" if the threads were hidden successfully, otherwise "Failed".</returns>
  public static string HideThreadsAntiDebug()
  {
  try
@@ -252,12 +295,21 @@ public static string HideThreadsAntiDebug()
  }
  }
 
+ /// <summary>
+ /// Uses GetTickCount to detect debugger presence.
+ /// </summary>
+ /// <returns>Returns true if debugger presence is detected, otherwise false.</returns>
  public static bool GetTickCountAntiDebug()
  {
  uint Start = GetTickCount();
  Thread.Sleep(0x10);
  return (GetTickCount() - Start) > 0x10;
  }
+
+ /// <summary>
+ /// Uses OutputDebugString to detect debugger presence.
+ /// </summary>
+ /// <returns>Returns true if debugger presence is detected, otherwise false.</returns>
  public static bool OutputDebugStringAntiDebug()
  {
  Debugger.Log(0, null, "just testing some stuff...");
@@ -266,11 +318,18 @@ public static bool OutputDebugStringAntiDebug()
  return false;
  }
 
+ /// <summary>
+ /// Exploits a format string vulnerability in OllyDbg.
+ /// </summary>
  public static void OllyDbgFormatStringExploit()
  {
  Debugger.Log(0, null, "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s");
  }
 
+ /// <summary>
+ /// Triggers a debug break to detect debugger presence.
+ /// </summary>
+ /// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
  public static bool DebugBreakAntiDebug()
  {
  try
@@ -286,6 +345,10 @@ public static bool DebugBreakAntiDebug()
 
  private static long CONTEXT_DEBUG_REGISTERS = 0x00010000L | 0x00000010L;
 
+ /// <summary>
+ /// Detects hardware breakpoints by checking debug registers.
+ /// </summary>
+ /// <returns>Returns true if hardware breakpoints are detected, otherwise false.</returns>
  public static bool HardwareRegistersBreakpointsDetection()
  {
  Structs.CONTEXT Context = new Structs.CONTEXT();
@@ -302,6 +365,12 @@ public static bool HardwareRegistersBreakpointsDetection()
  NtClose(CurrentThread);
  return false;
  }
+
+ /// <summary>
+ /// Cleans the specified path by removing null characters.
+ /// </summary>
+ /// <param name="Path">The path to clean.</param>
+ /// <returns>The cleaned path.</returns>
  private static string CleanPath(string Path)
  {
  string CleanedPath = null;
@@ -315,6 +384,10 @@ private static string CleanPath(string Path)
  return CleanedPath;
  }
 
+ /// <summary>
+ /// Checks if the parent process is a debugger by querying process information.
+ /// </summary>
+ /// <returns>Returns true if the parent process is a debugger, otherwise false.</returns>
  public static bool ParentProcessAntiDebug()
  {
  try
@@ -348,6 +421,10 @@ public static bool ParentProcessAntiDebug()
  return false;
  }
 
+ /// <summary>
+ /// Uses NtSetDebugFilterState to prevent debugging.
+ /// </summary>
+ /// <returns>Returns true if the filter state was set successfully, otherwise false.</returns>
  public static bool NtSetDebugFilterStateAntiDebug()
  {
  if (NtSetDebugFilterState(0, 0, true) != 0)
@@ -356,6 +433,11 @@ public static bool NtSetDebugFilterStateAntiDebug()
  }
 
  delegate int ExecutionDelegate();
+
+ /// <summary>
+ /// Uses page guard to detect debugger presence by executing a function pointer.
+ /// </summary>
+ /// <returns>Returns true if debugger presence is detected, otherwise false.</returns>
  public static bool PageGuardAntiDebug()
  {
  Structs.SYSTEM_INFO SysInfo = new Structs.SYSTEM_INFO();
@@ -389,4 +471,5 @@ public static bool PageGuardAntiDebug()
  return false;
  }
  }
-}
+
+}

AntiCrack-DotNet/AntiDllInjection.cs

@@ -1,17 +1,14 @@
 using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Runtime.InteropServices;
 using System.Diagnostics;
-using System.IO;
-using System.Windows.Forms;
-using static AntiCrack_DotNet.Structs;
+using System.Runtime.InteropServices;
 
 namespace AntiCrack_DotNet
 {
- class AntiDllInjection
+ internal sealed class AntiDllInjection
  {
+
+ #region WinApi
+
  [DllImport("kernelbase.dll", SetLastError = true)]
  private static extern IntPtr GetModuleHandle(string lib);
 
@@ -24,6 +21,13 @@ class AntiDllInjection
  [DllImport("kernelbase.dll", SetLastError = true)]
  public static extern bool SetProcessMitigationPolicy(int policy, ref Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY lpBuffer, int size);
 
+ #endregion
+
+
+ /// <summary>
+ /// Patches the LoadLibraryA function to prevent DLL injection.
+ /// </summary>
+ /// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
  public static string PatchLoadLibraryA()
  {
  IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
@@ -35,6 +39,10 @@ public static string PatchLoadLibraryA()
  return "Failed";
  }
 
+ /// <summary>
+ /// Patches the LoadLibraryW function to prevent DLL injection.
+ /// </summary>
+ /// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
  public static string PatchLoadLibraryW()
  {
  IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
@@ -46,6 +54,10 @@ public static string PatchLoadLibraryW()
  return "Failed";
  }
 
+ /// <summary>
+ /// Enables the binary image signature mitigation policy to only allow Microsoft-signed binaries.
+ /// </summary>
+ /// <returns>Returns "Success" if the policy was set successfully, otherwise "Failed".</returns>
  public static string BinaryImageSignatureMitigationAntiDllInjection()
  {
  Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY OnlyMicrosoftBinaries = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY();
@@ -55,6 +67,10 @@ public static string BinaryImageSignatureMitigationAntiDllInjection()
  return "Failed";
  }
 
+ /// <summary>
+ /// Checks if there are any injected libraries in the current process.
+ /// </summary>
+ /// <returns>Returns true if an injected library is detected, otherwise false.</returns>
  public static bool IsInjectedLibrary()
  {
  bool IsMalicious = false;
@@ -71,6 +87,11 @@ public static bool IsInjectedLibrary()
  }
  return IsMalicious;
  }
+
+ /// <summary>
+ /// Sets the DLL load policy to only allow Microsoft-signed DLLs to be loaded.
+ /// </summary>
+ /// <returns>Returns "Success" if the policy was set successfully, otherwise "Failed".</returns>
  public static string SetDllLoadPolicy()
  {
  Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY policy = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY