Merge pull request #4 from Jisll/main

Many improvements, bug fixes and new functions.

Author: AdvDebug

AntiCrack-DotNet/AntiDebug.cs

@@ -6,7 +6,6 @@
 using System.Diagnostics;
 using System.IO;
 using System.Threading;
-using static System.Net.WebRequestMethods;
 using System.Windows.Forms;
 using System.ServiceProcess;
 using System.Runtime.CompilerServices;
@@ -91,7 +90,7 @@ class AntiDebug
         private static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);
 
         [DllImport("kernelbase.dll", SetLastError = true)]
-        private static extern bool VirtualFree(IntPtr lpAddress, uint dwSize,uint dwFreeType);
+        private static extern bool VirtualFree(IntPtr lpAddress, uint dwSize, uint dwFreeType);
 
         public static bool NtCloseAntiDebug_InvalidHandle()
         {
@@ -345,7 +344,7 @@ public static bool ParentProcessAntiDebug()
                     }
                 }
             }
-            catch{};
+            catch { }
             return false;
         }
 
@@ -371,7 +370,7 @@ public static bool PageGuardAntiDebug()
             {
                 memset(AllocatedSpace, 1, 0xC3);
                 uint OldProtect = 0;
-                if(VirtualProtect(AllocatedSpace, SysInfo.PageSize, PAGE_EXECUTE_READWRITE | PAGE_GUARD, out OldProtect))
+                if (VirtualProtect(AllocatedSpace, SysInfo.PageSize, PAGE_EXECUTE_READWRITE | PAGE_GUARD, out OldProtect))
                 {
                     try
                     {
@@ -390,4 +389,4 @@ public static bool PageGuardAntiDebug()
             return false;
         }
     }
-}
+}

AntiCrack-DotNet/AntiDllInjection.cs

@@ -66,10 +66,20 @@ public static bool IsInjectedLibrary()
                 if (!FileName.StartsWith(Windows) && !FileName.StartsWith(ProgramData))
                     IsMalicious = true;
 
-                if (FileName.StartsWith(Environment.CurrentDirectory.ToLower())) //for compatibility
+                if (FileName.StartsWith(Environment.CurrentDirectory.ToLower()))
                     IsMalicious = false;
             }
             return IsMalicious;
         }
+        public static string SetDllLoadPolicy()
+        {
+            Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY policy = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY
+            {
+                MicrosoftSignedOnly = 1
+            };
+            if (SetProcessMitigationPolicy(0x10, ref policy, Marshal.SizeOf(policy)))
+                return "Success";
+            return "Failed";
+        }
     }
-}
+}

AntiCrack-DotNet/AntiVirtualization.cs

@@ -213,7 +213,7 @@ public static bool PortConnectionAntiVM()
             return false;
         }
 
-        public static void CrashingSandboxie() //Only use if running as x86
+        public static void CrashingSandboxie()
         {
             if (!Environment.Is64BitProcess)
             {
@@ -265,5 +265,38 @@ public static bool CheckDevices()
             }
             return false;
         }
+        public static bool CheckForParallels()
+        {
+            string[] BadDriversList = { "prl_sf", "prl_tg", "prl_eth" };
+            foreach (string Drivers in Directory.GetFiles(Environment.GetFolderPath(Environment.SpecialFolder.System), "*"))
+            {
+                foreach (string BadDrivers in BadDriversList)
+                {
+                    if (Drivers.Contains(BadDrivers))
+                    {
+                        return true;
+                    }
+                }
+            }
+
+            return false;
+        }
+
+        public static bool CheckForQemu()
+        {
+            string[] BadDriversList = { "qemu-ga", "qemuwmi" };
+            foreach (string Drivers in Directory.GetFiles(Environment.GetFolderPath(Environment.SpecialFolder.System), "*"))
+            {
+                foreach (string BadDrivers in BadDriversList)
+                {
+                    if (Drivers.Contains(BadDrivers))
+                    {
+                        return true;
+                    }
+                }
+            }
+
+            return false;
+        }
     }
-}
+}

AntiCrack-DotNet/HooksDetection.cs

@@ -37,7 +37,7 @@ private static IntPtr LowLevelGetModuleHandle(string Library)
             LdrGetDllHandleEx(0, null, null, UnicodeString, ref hModule);
             return hModule;
         }
-        
+
         private static IntPtr LowLevelGetProcAddress(IntPtr hModule, string Function)
         {
             if (IntPtr.Size == 4)
@@ -195,5 +195,29 @@ public static bool DetectHooksOnCommonWinAPIFunctions(string ModuleName, string[
             }
             return false;
         }
+
+        // Additional detection method
+        public static bool DetectInlineHooks(string moduleName, string[] functions)
+        {
+            if (moduleName != null && functions != null)
+            {
+                try
+                {
+                    foreach (string function in functions)
+                    {
+                        IntPtr moduleHandle = LowLevelGetModuleHandle(moduleName);
+                        IntPtr functionHandle = LowLevelGetProcAddress(moduleHandle, function);
+                        byte[] functionBytes = new byte[1];
+                        Marshal.Copy(functionHandle, functionBytes, 0, 1);
+                        if (functionBytes[0] == 0xCC || functionBytes[0] == 0xE9)
+                        {
+                            return true;
+                        }
+                    }
+                }
+                catch { }
+            }
+            return false;
+        }
     }
-}
+}

AntiCrack-DotNet/OtherChecks.cs

@@ -1,9 +1,6 @@
 using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
 using System.Runtime.InteropServices;
+using Microsoft.Win32;
 
 namespace AntiCrack_DotNet
 {
@@ -41,7 +38,7 @@ public static bool IsTestSignedDriversAllowed()
             Structs.SYSTEM_CODEINTEGRITY_INFORMATION CodeIntegrityInfo = new Structs.SYSTEM_CODEINTEGRITY_INFORMATION();
             CodeIntegrityInfo.Length = (uint)Marshal.SizeOf(typeof(Structs.SYSTEM_CODEINTEGRITY_INFORMATION));
             uint ReturnLength = 0;
-            if(NtQuerySystemInformation(SystemCodeIntegrityInformation, ref CodeIntegrityInfo, (uint)Marshal.SizeOf(CodeIntegrityInfo), out ReturnLength) >= 0 && ReturnLength == (uint)Marshal.SizeOf(CodeIntegrityInfo))
+            if (NtQuerySystemInformation(SystemCodeIntegrityInformation, ref CodeIntegrityInfo, (uint)Marshal.SizeOf(CodeIntegrityInfo), out ReturnLength) >= 0 && ReturnLength == (uint)Marshal.SizeOf(CodeIntegrityInfo))
             {
                 uint CODEINTEGRITY_OPTION_TESTSIGN = 0x02;
                 if ((CodeIntegrityInfo.CodeIntegrityOptions & CODEINTEGRITY_OPTION_TESTSIGN) == CODEINTEGRITY_OPTION_TESTSIGN)
@@ -85,5 +82,50 @@ public static bool IsSecureBootEnabled()
             }
             return false;
         }
+        public static bool IsVirtualizationBasedSecurityEnabled()
+        {
+            try
+            {
+                using (var searcher = new System.Management.ManagementObjectSearcher(@"root\cimv2\Security\MicrosoftVolumeEncryption", "SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter = C:"))
+                {
+                    foreach (var obj in searcher.Get())
+                    {
+                        var protectionStatus = (uint)obj["ProtectionStatus"];
+                        if (protectionStatus == 1)
+                        {
+                            return true;
+                        }
+                    }
+                }
+            }
+            catch
+            {
+                return false;
+            }
+            return false;
+        }
+
+        public static bool IsMemoryIntegrityEnabled()
+        {
+            try
+            {
+                using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"))
+                {
+                    if (key != null)
+                    {
+                        object value = key.GetValue("Enabled");
+                        if (value != null && (int)value == 1)
+                        {
+                            return true;
+                        }
+                    }
+                }
+            }
+            catch
+            {
+                return false;
+            }
+            return false;
+        }
     }
-}
+}