AntiCrack DotNet

A C# Project containing plenty of Advanced Anti-Debugging, Anti-Virtualization, Anti-DLL-Injection and Anti-Hooking Techniques.

Project README

AntiCrack DotNet

A C# Project which contains some anti-cracking and anti-memory-injection techniques, etc. (Also, feel free to open an issue to request additional anti-debugging features, etc.)

Anti Debugging

  • GetForegroundWindow (looks for bad active window names to check if it's a known debugger)

  • Debugger.IsAttached

  • Hide Threads From Debugger

  • IsDebuggerPresent

  • NtSetDebugFilterState

  • Page Guard Breakpoints Detection

  • NtQueryInformationProcess: ProcessDebugFlags, ProcessDebugPort, ProcessDebugObjectHandle

  • NtClose: Invalid Handle, Protected Handle

  • Parent Process Checking (checks if the parent is explorer.exe or cmd.exe)

  • Detection of Hardware Breakpoints

  • FindWindow (looks for bad window names)

  • GetTickCount

  • OutputDebugString

  • Crashing Non-Managed Debuggers with a Debugger Breakpoint

  • OllyDbg Format String Exploit

  • Patching DbgUiRemoteBreakin and DbgBreakPoint (Anti-Debugger Attaching)

Anti Virtualization

  • Detecting Sandboxie

  • Detecting Comodo Container

  • Detecting Qihoo360 Sandbox

  • Detecting Cuckoo Sandbox

  • Detecting VirtualBox and VMware

  • Detecting HyperV

  • Detecting Emulation

  • Checking For Blacklisted Usernames

  • Detecting KVM

  • Detecting Wine

  • Checking For Known Bad VM File Locations

  • Checking For Known Bad Process Names

  • Checking For Ports on the system (useful if the VM or the sandbox has no ports connected)

  • Making Sandboxie Crash Your Application (this exploit no longer works, it's patched by Sandboxie, that's what I get for making things public :), now it works only with older versions of Sandboxie)

  • Checking for devices created by VMs or Sandboxes

Anti Dll Injection

  • Patching LoadLibraryA

  • Patching LoadLibraryW

  • Taking Advantage of Binary Image Signature Mitigation Policy to prevent injecting Non-Microsoft Binaries.

  • Checking if any injected libraries are present (simple dlls path whitelist check)

Other Detections

  • Detecting if Unsigned Drivers are Allowed to Load

  • Detecting if Test-Signed Drivers are Allowed to Load

  • Detecting if Kernel Debugging is Enabled on the System

  • Detecting if Secure Boot is Enabled on the System

Hooks Detection

  • Detecting Most Anti Anti-Debugging Hooking Methods on Common Anti-Debugging Functions by checking for Bad Instructions at the Functions' Addresses (Most Effective on x64). This detects user-mode anti anti-debuggers like ScyllaHide, and it can also detect some sandboxes which use hooking to monitor application behaviour/activity (like Sandboxie/Sandboxie Plus, Hybrid Analysis, Cuckoo Sandbox, and a lot of other online malware analysis websites/applications).

Notice

This Project was created for educational purposes only. It is licensed under the MIT License.

Open Source Agenda is not affiliated with "AntiCrack DotNet" Project. README Source: AdvDebug/AntiCrack-DotNet
