Add files via upload

Author: AdvDebug

AntiCrack-DotNet/AntiCrack-DotNet.csproj

@@ -30,7 +30,7 @@
     <BootstrapperEnabled>true</BootstrapperEnabled>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
-    <PlatformTarget>x64</PlatformTarget>
+    <PlatformTarget>x86</PlatformTarget>
     <DebugSymbols>true</DebugSymbols>
     <DebugType>full</DebugType>
     <Optimize>false</Optimize>
@@ -52,6 +52,14 @@
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <Prefer32Bit>false</Prefer32Bit>
   </PropertyGroup>
+  <PropertyGroup>
+    <TargetZone>LocalIntranet</TargetZone>
+  </PropertyGroup>
+  <PropertyGroup>
+    <GenerateManifests>false</GenerateManifests>
+  </PropertyGroup>
+  <PropertyGroup />
+  <PropertyGroup />
   <ItemGroup>
     <Reference Include="System" />
     <Reference Include="System.Management" />
@@ -68,6 +76,8 @@
     <Compile Include="Program.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Compile Include="Structs.cs" />
+    <Compile Include="Syscalls.cs" />
+    <Compile Include="Utils.cs" />
   </ItemGroup>
   <ItemGroup>
     <None Include="App.config" />

AntiCrack-DotNet/AntiCrack-DotNet.csproj.user

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
+    <EnableUnmanagedDebugging>true</EnableUnmanagedDebugging>
+  </PropertyGroup>
+  <PropertyGroup>
+    <PublishUrlHistory>publish\</PublishUrlHistory>
+    <InstallUrlHistory />
+    <SupportUrlHistory />
+    <UpdateUrlHistory />
+    <BootstrapperUrlHistory />
+    <ErrorReportUrlHistory />
+    <FallbackCulture>en-US</FallbackCulture>
+    <VerifyUploadedFiles>false</VerifyUploadedFiles>
+  </PropertyGroup>
+</Project>

AntiCrack-DotNet/AntiDebug.cs

@@ -4,6 +4,9 @@
 using System.Threading;
 using System.Diagnostics;
 using System.Runtime.InteropServices;
+using System.Windows.Forms;
+using System.Net;
+using System.Security.Cryptography;
 
 namespace AntiCrack_DotNet
 {
@@ -62,8 +65,8 @@ internal sealed class AntiDebug
         [DllImport("kernelbase.dll", SetLastError = true)]
         private static extern int QueryFullProcessImageNameA(SafeHandle hProcess, uint Flags, byte[] lpExeName, Int32[] lpdwSize);
 
-        [DllImport("user32.dll", SetLastError = true)]
-        private static extern IntPtr GetForegroundWindow();
+        [DllImport("win32u.dll", SetLastError = true)]
+        private static extern IntPtr NtUserGetForegroundWindow();
 
         [DllImport("user32.dll", SetLastError = true)]
         private static extern int GetWindowTextLengthA(IntPtr HWND);
@@ -93,13 +96,19 @@ internal sealed class AntiDebug
 
         /// <summary>
         /// Attempts to close an invalid handle to detect debugger presence.
+        /// <param name="Syscall">specifies if we should use syscall to call the WinAPI functions.</param>
         /// </summary>
         /// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
-        public static bool NtCloseAntiDebug_InvalidHandle()
+        public static bool NtCloseAntiDebug_InvalidHandle(bool Syscall)
         {
             try
             {
-                NtClose((IntPtr)0x1231222L);
+                int RandomInt = new Random().Next(int.MinValue, int.MaxValue);
+                IntPtr RandomIntPtr = new IntPtr(RandomInt);
+                if (Syscall)
+                    Syscalls.SyscallNtClose(RandomIntPtr);
+                else
+                    NtClose(RandomIntPtr);
                 return false;
             }
             catch
@@ -110,17 +119,22 @@ public static bool NtCloseAntiDebug_InvalidHandle()
 
         /// <summary>
         /// Attempts to close a protected handle to detect debugger presence.
+        /// <param name="Syscall">specifies if we should use syscall to call the WinAPI functions.</param>
         /// </summary>
         /// <returns>Returns true if an exception is caught, indicating no debugger, otherwise false.</returns>
-        public static bool NtCloseAntiDebug_ProtectedHandle()
+        public static bool NtCloseAntiDebug_ProtectedHandle(bool Syscall)
         {
-            IntPtr hMutex = CreateMutexA(IntPtr.Zero, false, new Random().Next(0, 9999999).ToString());
+            string RandomMutexName = new Random().Next(int.MinValue, int.MaxValue).ToString();
+            IntPtr hMutex = CreateMutexA(IntPtr.Zero, false, RandomMutexName);
             uint HANDLE_FLAG_PROTECT_FROM_CLOSE = 0x00000002;
             SetHandleInformation(hMutex, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);
             bool Result = false;
             try
             {
-                NtClose(hMutex);
+                if (Syscall)
+                    Syscalls.SyscallNtClose(hMutex);
+                else
+                    NtClose(hMutex);
                 Result = false;
             }
             catch
@@ -153,45 +167,62 @@ public static bool IsDebuggerPresentCheck()
         }
 
         /// <summary>
-        /// Checks if the process has debug flags set using NtQueryInformationProcess.
+        /// Checks if the process has debug flags set using NtQueryInformationProcess
+        /// <param name="Syscall">specifies if we should use syscall to call the WinAPI functions.</param>
         /// </summary>
         /// <returns>Returns true if debug flags are set, otherwise false.</returns>
-        public static bool NtQueryInformationProcessCheck_ProcessDebugFlags()
+        public static bool NtQueryInformationProcessCheck_ProcessDebugFlags(bool Syscall)
         {
             uint ProcessDebugFlags = 0;
-            NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 0x1F, out ProcessDebugFlags, sizeof(uint), 0);
+            uint Class = 0x1F;
+            uint Size = sizeof(uint);
+            uint Result = 0;
+            if (Syscall)
+                Syscalls.SyscallNtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, Class, out ProcessDebugFlags, Size, out Result);
+            else
+                NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 0x1F, out ProcessDebugFlags, sizeof(uint), 0);
             if (ProcessDebugFlags == 0)
                 return true;
             return false;
         }
 
         /// <summary>
         /// Checks if the process has a debug port using NtQueryInformationProcess.
+        /// <param name="Syscall">specifies if we should use syscalls to call the WinAPI functions.</param>.
         /// </summary>
         /// <returns>Returns true if a debug port is detected, otherwise false.</returns>
-        public static bool NtQueryInformationProcessCheck_ProcessDebugPort()
+        public static bool NtQueryInformationProcessCheck_ProcessDebugPort(bool Syscall)
         {
             uint DebuggerPresent = 0;
             uint Size = sizeof(uint);
             if (Environment.Is64BitProcess)
                 Size = sizeof(uint) * 2;
-            NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 7, out DebuggerPresent, Size, 0);
+            uint Result = 0;
+            if(Syscall)
+                Syscalls.SyscallNtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 7, out DebuggerPresent, Size, out Result);
+            else
+                NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 7, out DebuggerPresent, Size, 0);
             if (DebuggerPresent != 0)
                 return true;
             return false;
         }
 
         /// <summary>
         /// Checks if the process has a debug object handle using NtQueryInformationProcess.
+        /// <param name="Syscall">specifies if we should use syscall to call the WinAPI functions.</param>
         /// </summary>
         /// <returns>Returns true if a debug object handle is detected, otherwise false.</returns>
-        public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle()
+        public static bool NtQueryInformationProcessCheck_ProcessDebugObjectHandle(bool Syscall)
         {
             IntPtr hDebugObject = IntPtr.Zero;
             uint Size = sizeof(uint);
             if (Environment.Is64BitProcess)
                 Size = sizeof(uint) * 2;
-            NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 0x1E, out hDebugObject, Size, 0);
+
+            if (Syscall)
+                Syscalls.SyscallNtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 0x1E, out hDebugObject, Size, 0);
+            else
+                NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, 0x1E, out hDebugObject, Size, 0);
             if (hDebugObject != IntPtr.Zero)
                 return true;
             return false;
@@ -221,18 +252,31 @@ public static string AntiDebugAttach()
         /// <returns>Returns true if a known debugger window is detected, otherwise false.</returns>
         public static bool FindWindowAntiDebug()
         {
+            string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "cheat engine", "cheatengine", "ida" };
             Process[] GetProcesses = Process.GetProcesses();
             foreach (Process GetWindow in GetProcesses)
             {
-                string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "cheat engine", "cheatengine", "ida" };
-                foreach (string BadWindows in BadWindowNames)
+                try
                 {
-                    if (GetWindow.MainWindowTitle.ToLower().Contains(BadWindows))
+                    if (GetWindow.MainWindowHandle != IntPtr.Zero)
                     {
-                        GetWindow.Close();
-                        return true;
+                        string title = GetWindow.MainWindowTitle;
+                        if (string.IsNullOrEmpty(title)) continue;
+
+                        foreach (string BadWindows in BadWindowNames)
+                        {
+                            if (title.IndexOf(BadWindows, StringComparison.OrdinalIgnoreCase) >= 0)
+                            {
+                                GetWindow.Close();
+                                return true;
+                            }
+                        }
                     }
                 }
+                catch
+                {
+                    continue;
+                }
             }
             return false;
         }
@@ -241,10 +285,10 @@ public static bool FindWindowAntiDebug()
         /// Checks if the foreground window belongs to a known debugger.
         /// </summary>
         /// <returns>Returns true if a known debugger window is detected, otherwise false.</returns>
-        public static bool GetForegroundWindowAntiDebug()
+        public static bool NtUserGetForegroundWindowAntiDebug()
         {
             string[] BadWindowNames = { "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "debug", "debugger", "cheat engine", "cheatengine", "ida" };
-            IntPtr HWND = GetForegroundWindow();
+            IntPtr HWND = NtUserGetForegroundWindow();
             if (HWND != IntPtr.Zero)
             {
                 int WindowLength = GetWindowTextLengthA(HWND);
@@ -254,7 +298,7 @@ public static bool GetForegroundWindowAntiDebug()
                     GetWindowTextA(HWND, WindowName, WindowLength + 1);
                     foreach (string BadWindows in BadWindowNames)
                     {
-                        if (WindowName.ToString().ToLower().Contains(BadWindows))
+                        if (Utils.Contains(WindowName.ToString().ToLower(), BadWindows))
                         {
                             return true;
                         }
@@ -353,16 +397,21 @@ public static bool HardwareRegistersBreakpointsDetection()
         {
             Structs.CONTEXT Context = new Structs.CONTEXT();
             Context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
-            IntPtr CurrentThread = GetCurrentThread();
-            if (GetThreadContext(CurrentThread, ref Context))
+            foreach (ProcessThread Threads in Process.GetCurrentProcess().Threads)
             {
-                if ((Context.Dr1 != 0x00 || Context.Dr2 != 0x00 || Context.Dr3 != 0x00 || Context.Dr4 != 0x00 || Context.Dr5 != 0x00 || Context.Dr6 != 0x00 || Context.Dr7 != 0x00))
+                uint THREAD_GET_CONTEXT = 0x0008;
+                uint THREAD_QUERY_INFORMATION = 0x0040;
+                IntPtr hThread = OpenThread(THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION, false, Threads.Id);
+                if (GetThreadContext(hThread, ref Context))
                 {
-                    NtClose(CurrentThread);
-                    return true;
+                    if ((Context.Dr1 != 0x00 || Context.Dr2 != 0x00 || Context.Dr3 != 0x00 || Context.Dr6 != 0x00 || Context.Dr7 != 0x00))
+                    {
+                        NtClose(hThread);
+                        return true;
+                    }
                 }
+                NtClose(hThread);
             }
-            NtClose(CurrentThread);
             return false;
         }
 
@@ -386,15 +435,17 @@ private static string CleanPath(string Path)
 
         /// <summary>
         /// Checks if the parent process is a debugger by querying process information.
+        /// <param name="Syscall">specifies if we should use syscall to call the WinAPI functions.</param>
         /// </summary>
         /// <returns>Returns true if the parent process is a debugger, otherwise false.</returns>
-        public static bool ParentProcessAntiDebug()
+        public static bool ParentProcessAntiDebug(bool Syscall)
         {
             try
             {
                 Structs.PROCESS_BASIC_INFORMATION PBI = new Structs.PROCESS_BASIC_INFORMATION();
                 uint ProcessBasicInformation = 0;
-                if (NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, ProcessBasicInformation, ref PBI, (uint)Marshal.SizeOf(typeof(Structs.PROCESS_BASIC_INFORMATION)), 0) == 0)
+                uint Result = Syscall ? Syscalls.SyscallNtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, ProcessBasicInformation, ref PBI, (uint)Marshal.SizeOf(typeof(Structs.PROCESS_BASIC_INFORMATION)), 0) : NtQueryInformationProcess(Process.GetCurrentProcess().SafeHandle, ProcessBasicInformation, ref PBI, (uint)Marshal.SizeOf(typeof(Structs.PROCESS_BASIC_INFORMATION)), 0);
+                if (Result == 0)
                 {
                     int ParentPID = PBI.InheritedFromUniqueProcessId.ToInt32();
                     if (ParentPID != 0)
@@ -432,7 +483,8 @@ public static bool NtSetDebugFilterStateAntiDebug()
             return true;
         }
 
-        delegate int ExecutionDelegate();
+        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+        private delegate int ExecutionDelegate();
 
         /// <summary>
         /// Uses page guard to detect debugger presence by executing a function pointer.
@@ -471,5 +523,4 @@ public static bool PageGuardAntiDebug()
             return false;
         }
     }
-
-}
+}

AntiCrack-DotNet/AntiDllInjection.cs

@@ -23,50 +23,6 @@ internal sealed class AntiDllInjection
 
         #endregion
 
-
-        /// <summary>
-        /// Patches the LoadLibraryA function to prevent DLL injection.
-        /// </summary>
-        /// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
-        public static string PatchLoadLibraryA()
-        {
-            IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
-            IntPtr LoadLibraryA = GetProcAddress(KernelModule, "LoadLibraryA");
-            byte[] HookedCode = { 0xC2, 0x04, 0x00 };
-            bool Status = WriteProcessMemory(Process.GetCurrentProcess().SafeHandle, LoadLibraryA, HookedCode, 3, 0);
-            if (Status)
-                return "Success";
-            return "Failed";
-        }
-
-        /// <summary>
-        /// Patches the LoadLibraryW function to prevent DLL injection.
-        /// </summary>
-        /// <returns>Returns "Success" if the patching was successful, otherwise "Failed".</returns>
-        public static string PatchLoadLibraryW()
-        {
-            IntPtr KernelModule = GetModuleHandle("kernelbase.dll");
-            IntPtr LoadLibraryW = GetProcAddress(KernelModule, "LoadLibraryW");
-            byte[] HookedCode = { 0xC2, 0x04, 0x00 };
-            bool Status = WriteProcessMemory(Process.GetCurrentProcess().SafeHandle, LoadLibraryW, HookedCode, 3, 0);
-            if (Status)
-                return "Success";
-            return "Failed";
-        }
-
-        /// <summary>
-        /// Enables the binary image signature mitigation policy to only allow Microsoft-signed binaries.
-        /// </summary>
-        /// <returns>Returns "Success" if the policy was set successfully, otherwise "Failed".</returns>
-        public static string BinaryImageSignatureMitigationAntiDllInjection()
-        {
-            Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY OnlyMicrosoftBinaries = new Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY();
-            OnlyMicrosoftBinaries.MicrosoftSignedOnly = 1;
-            if (SetProcessMitigationPolicy(8, ref OnlyMicrosoftBinaries, Marshal.SizeOf(typeof(Structs.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY))))
-                return "Success";
-            return "Failed";
-        }
-
         /// <summary>
         /// Checks if there are any injected libraries in the current process.
         /// </summary>
@@ -98,7 +54,7 @@ public static string SetDllLoadPolicy()
             {
                 MicrosoftSignedOnly = 1
             };
-            if (SetProcessMitigationPolicy(0x10, ref policy, Marshal.SizeOf(policy)))
+            if (SetProcessMitigationPolicy(8, ref policy, Marshal.SizeOf(policy)))
                 return "Success";
             return "Failed";
         }