
Commit 242f4fe

authored
Add files via upload
1 parent 5f88c57 commit 242f4fe


4 files changed

+458
-0
lines changed


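--- a/AntiCrack-DotNet/HooksDetection.cs
+++ b/AntiCrack-DotNet/HooksDetection.cs
@@ -0,0 +1,168 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Runtime.InteropServices;
+
+namespace AntiCrack_DotNet
+{
+public class HooksDetection
+{
+[DllImport("ntdll.dll", SetLastError = true, CharSet = CharSet.Unicode)]
+private static extern void RtlInitUnicodeString(out Structs.UNICODE_STRING DestinationString, string SourceString);
+
+[DllImport("ntdll.dll", SetLastError = true, CharSet = CharSet.Ansi)]
+private static extern void RtlUnicodeStringToAnsiString(out Structs.ANSI_STRING DestinationString, Structs.UNICODE_STRING UnicodeString, bool AllocateDestinationString);
+
+[DllImport("ntdll.dll", SetLastError = true)]
+private static extern uint LdrGetDllHandle([MarshalAs(UnmanagedType.LPWStr)] string DllPath, [MarshalAs(UnmanagedType.LPWStr)] string DllCharacteristics, Structs.UNICODE_STRING LibraryName, ref IntPtr DllHandle);
+
+[DllImport("ntdll.dll", SetLastError = true, CharSet = CharSet.Ansi)]
+private static extern uint LdrGetProcedureAddress(IntPtr Module, Structs.ANSI_STRING ProcedureName, ushort ProcedureNumber, out IntPtr FunctionHandle);
+
+private static IntPtr LowLevelGetModuleHandle(string Library)
+{
+IntPtr hModule = IntPtr.Zero;
+Structs.UNICODE_STRING UnicodeString = new Structs.UNICODE_STRING();
+RtlInitUnicodeString(out UnicodeString, Library);
+LdrGetDllHandle(null, null, UnicodeString, ref hModule);
+return hModule;
+}
+
+private static IntPtr LowLevelGetProcAddress(IntPtr hModule, string Function)
+{
+IntPtr FunctionHandle = IntPtr.Zero;
+Structs.UNICODE_STRING UnicodeString = new Structs.UNICODE_STRING();
+Structs.ANSI_STRING AnsiString = new Structs.ANSI_STRING();
+RtlInitUnicodeString(out UnicodeString, Function);
+RtlUnicodeStringToAnsiString(out AnsiString, UnicodeString, true);
+LdrGetProcedureAddress(hModule, AnsiString, 0, out FunctionHandle);
+return FunctionHandle;
+}
+
+public static bool DetectBadInstructionsOnCommonAntiDebuggingFunctions()
+{
+string[] Libraries = { "kernel32.dll", "kernelbase.dll", "ntdll.dll", "user32.dll", "win32u.dll" };
+string[] KernelLibAntiDebugFunctions = { "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetThreadContext", "CloseHandle", "OutputDebugStringA", "GetTickCount", "SetHandleInformation" };
+string[] NtdllAntiDebugFunctions = { "NtQueryInformationProcess", "NtSetInformationThread", "NtClose", "NtGetContextThread", "NtQuerySystemInformation" };
+string[] User32AntiDebugFunctions = { "FindWindowW", "FindWindowA", "FindWindowExW", "FindWindowExA", "GetForegroundWindow", "GetWindowTextLengthA", "GetWindowTextA", "BlockInput" };
+string[] Win32uAntiDebugFunctions = { "NtUserBlockInput", "NtUserFindWindowEx", "NtUserQueryWindow", "NtUserGetForegroundWindow" };
+foreach (string Library in Libraries)
+{
+IntPtr hModule = LowLevelGetModuleHandle(Library);
+if (hModule != IntPtr.Zero)
+{
+switch (Library)
+{
+case "kernel32.dll":
+{
+try
+{
+foreach (string AntiDebugFunction in KernelLibAntiDebugFunctions)
+{
+IntPtr Function = LowLevelGetProcAddress(hModule, AntiDebugFunction);
+byte[] FunctionBytes = new byte[1];
+Marshal.Copy(Function, FunctionBytes, 0, 1);
+if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+{
+return true;
+}
+}
+}
+catch
+{
+continue;
+}
+}
+break;
+case "kernelbase.dll":
+{
+try
+{
+foreach (string AntiDebugFunction in KernelLibAntiDebugFunctions)
+{
+IntPtr Function = LowLevelGetProcAddress(hModule, AntiDebugFunction);
+byte[] FunctionBytes = new byte[1];
+Marshal.Copy(Function, FunctionBytes, 0, 1);
+if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+{
+return true;
+}
+}
+}
+catch
+{
+continue;
+}
+}
+break;
+case "ntdll.dll":
+{
+try
+{
+foreach (string AntiDebugFunction in NtdllAntiDebugFunctions)
+{
+IntPtr Function = LowLevelGetProcAddress(hModule, AntiDebugFunction);
+byte[] FunctionBytes = new byte[1];
+Marshal.Copy(Function, FunctionBytes, 0, 1);
+if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+{
+return true;
+}
+}
+}
+catch
+{
+continue;
+}
+}
+break;
+case "user32.dll":
+{
+try
+{
+foreach (string AntiDebugFunction in User32AntiDebugFunctions)
+{
+IntPtr Function = LowLevelGetProcAddress(hModule, AntiDebugFunction);
+byte[] FunctionBytes = new byte[1];
+Marshal.Copy(Function, FunctionBytes, 0, 1);
+if (FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+{
+return true;
+}
+}
+}
+catch
+{
+continue;
+}
+}
+break;
+case "win32u.dll":
+{
+try
+{
+foreach (string AntiDebugFunction in Win32uAntiDebugFunctions)
+{
+IntPtr Function = LowLevelGetProcAddress(hModule, AntiDebugFunction);
+byte[] FunctionBytes = new byte[1];
+Marshal.Copy(Function, FunctionBytes, 0, 1);
+if (FunctionBytes[0] == 255 || FunctionBytes[0] == 0x90 || FunctionBytes[0] == 0xE9)
+{
+return true;
+}
+}
+}
+catch
+{
+continue;
+}
+}
+break;
+}
+}
+}
+return false;
+}
+}
+}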
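Review bot: In each of the five `case` bodies of DetectBadInstructionsOnCommonAntiDebuggingFunctions the `try` wraps the whole inner `foreach`, so the first export that fails to resolve ends the scan of that library: LowLevelGetProcAddress discards the status returned by LdrGetProcedureAddress and hands back IntPtr.Zero, `Marshal.Copy` throws on it, and the bare `catch { continue; }` moves on to the next library without examining the remaining functions. The check therefore fails open and reports no hook whenever an earlier name in a list is missing from a module (the kernel32 list is reused unchanged for kernelbase.dll). Adding `if (Function == IntPtr.Zero) continue;` before each `Marshal.Copy` would skip only the unresolved name, and the catch could then be narrowed to the exception actually expected. Separately, LowLevelGetProcAddress calls RtlUnicodeStringToAnsiString with AllocateDestinationString set to true and never releases the buffer, so each lookup appears to leak the allocated ANSI string.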

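--- a/AntiCrack-DotNet/OtherChecks.cs
+++ b/AntiCrack-DotNet/OtherChecks.cs
@@ -0,0 +1,69 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using System.Runtime.InteropServices;
+
+namespace AntiCrack_DotNet
+{
+public class OtherChecks
+{
+[DllImport("ntdll.dll", SetLastError = true)]
+private static extern uint NtQuerySystemInformation(uint SystemInformationClass, ref Structs.SYSTEM_CODEINTEGRITY_INFORMATION SystemInformation, uint SystemInformationLength, out uint ReturnLength);
+
+[DllImport("ntdll.dll", SetLastError = true)]
+private static extern uint NtQuerySystemInformation(uint SystemInformationClass, ref Structs.SYSTEM_KERNEL_DEBUGGER_INFORMATION SystemInformation, uint SystemInformationLength, out uint ReturnLength);
+
+private static uint SystemCodeIntegrityInformation = 0x67;
+
+public static bool IsUnsignedDriversAllowed()
+{
+Structs.SYSTEM_CODEINTEGRITY_INFORMATION CodeIntegrityInfo = new Structs.SYSTEM_CODEINTEGRITY_INFORMATION();
+CodeIntegrityInfo.Length = (uint)Marshal.SizeOf(typeof(Structs.SYSTEM_CODEINTEGRITY_INFORMATION));
+uint ReturnLength = 0;
+if (NtQuerySystemInformation(SystemCodeIntegrityInformation, ref CodeIntegrityInfo, (uint)Marshal.SizeOf(CodeIntegrityInfo), out ReturnLength) >= 0 && ReturnLength == (uint)Marshal.SizeOf(CodeIntegrityInfo))
+{
+uint CODEINTEGRITY_OPTION_ENABLED = 0x01;
+if ((CodeIntegrityInfo.CodeIntegrityOptions & CODEINTEGRITY_OPTION_ENABLED) == CODEINTEGRITY_OPTION_ENABLED)
+{
+return false;
+}
+}
+return true;
+}
+
+public static bool IsTestSignedDriversAllowed()
+{
+Structs.SYSTEM_CODEINTEGRITY_INFORMATION CodeIntegrityInfo = new Structs.SYSTEM_CODEINTEGRITY_INFORMATION();
+CodeIntegrityInfo.Length = (uint)Marshal.SizeOf(typeof(Structs.SYSTEM_CODEINTEGRITY_INFORMATION));
+uint ReturnLength = 0;
+if(NtQuerySystemInformation(SystemCodeIntegrityInformation, ref CodeIntegrityInfo, (uint)Marshal.SizeOf(CodeIntegrityInfo), out ReturnLength) >= 0 && ReturnLength == (uint)Marshal.SizeOf(CodeIntegrityInfo))
+{
+uint CODEINTEGRITY_OPTION_TESTSIGN = 0x02;
+if ((CodeIntegrityInfo.CodeIntegrityOptions & CODEINTEGRITY_OPTION_TESTSIGN) == CODEINTEGRITY_OPTION_TESTSIGN)
+{
+return true;
+}
+}
+return false;
+}
+
+public static bool IsKernelDebuggingEnabled()
+{
+uint SystemKernelDebuggerInformation = 0x23;
+Structs.SYSTEM_KERNEL_DEBUGGER_INFORMATION KernelDebugInfo = new Structs.SYSTEM_KERNEL_DEBUGGER_INFORMATION();
+KernelDebugInfo.KernelDebuggerEnabled = false;
+KernelDebugInfo.KernelDebuggerNotPresent = true;
+uint ReturnLength = 0;
+if (NtQuerySystemInformation(SystemKernelDebuggerInformation, ref KernelDebugInfo, (uint)Marshal.SizeOf(KernelDebugInfo), out ReturnLength) >= 0 && ReturnLength == (uint)Marshal.SizeOf(KernelDebugInfo))
+{
+if (KernelDebugInfo.KernelDebuggerEnabled || !KernelDebugInfo.KernelDebuggerNotPresent)
+{
+return true;
+}
+}
+return false;
+}
+}
+}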
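Review bot: The status test `NtQuerySystemInformation(...) >= 0` in IsUnsignedDriversAllowed, IsTestSignedDriversAllowed and IsKernelDebuggingEnabled is always true, because both P/Invoke overloads are declared to return `uint`; a failing NTSTATUS is never noticed and only the ReturnLength comparison guards the result. Declaring the overloads with an `int` return type (NTSTATUS is a signed 32-bit value) would make the existing `>= 0` comparison meaningful without touching the three call sites. The failure defaults also differ: when the query does not succeed, IsUnsignedDriversAllowed returns `true` while the other two methods return `false`, so a comment stating which default is intended for each check would help callers that act on these results.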
