1 comment

[ 3.7 ms ] story [ 14.1 ms ] thread
AntiCrack-DotNet is a project containing advanced techniques to prevent various malicious actions in your C# software, which is becoming more useful as AOT is being developed more and more.

anti-debug techniques (with syscall support to avoid anti anti-debuggers like scyllahide):

- NtUserGetForegroundWindow (looks for bad active window names to check if it's a known debugger)

- Debugger.IsAttached

- Hide Threads From Debugger

- IsDebuggerPresent

- PEB.BeingDebugged

- PEB.NtGlobalFlag

- NtSetDebugFilterState

- Page Guard Breakpoints Detection

- NtQueryInformationProcess: ProcessDebugFlags, ProcessDebugPort, ProcessDebugObjectHandle

- NtClose: Invalid Handle, Protected Handle

- Parent Process Checking (Checks if parent are explorer.exe or cmd.exe)

- Detection of Hardware Breakpoints

- FindWindow (looks for bad window names)

- GetTickCount

- OutputDebugString

- Crashing Non-Managed Debuggers with a Debugger Breakpoint

- OllyDbg Format String Exploit

- Patching DbgUiRemoteBreakin and DbgBreakPoint (Anti-Debugger Attaching)

Anti-Virtualization:

- Detecting Any.run

- Detecting Triage

- Detecting Qemu.

- Detecting Parallels.

- Detecting Sandboxie

- Detecting Comodo Container

- Detecting Qihoo360 Sandbox

- Detecting Cuckoo Sandbox

- Detecting VirtualBox and VMware

- Detecting HyperV

- Detecting Emulation

- Checking For Blacklisted Usernames

- Detecting KVM

- Detecting Wine

- Checking For Known Bad VM File Locations

- Checking For Known Bad Process Names

- Checking For Ports on the system (useful if the VM or the sandbox have no ports connected)

- Checking for devices created by VMs or Sandboxes

- Checking if AVX x64/x86 instructions are properly implemented to see if we are in an emulator.

- Checking for RDRAND x64/x86 instruction to see if it's properly implemented which could indicate an emulator.

- Checking for flags manipulation (for x64 and x86) checks to see if it's correctly handled.

Anti Injection:

- Taking Advantage of Binary Image Signature Mitigation Policy to prevent injecting Non-Microsoft Binaries.

- Checking if any injected libraries are present (simple dlls path whitelist check)

- Thread Injection Detection

- Using PEB to change the main module info of the program which is main module name and module base address at runtime.

- Detecting process hollowing in our program by checking suspicious image base address.

Other Detections:

- Detecting if Unsigned Drivers are Allowed to Load

- Detecting if Test-Signed Drivers are Allowed to Load

- Detecting if Kernel Debugging are Enabled on the System

- Detecting if Secure Boot are Enabled on the System

- Detecting if Virtualization-Based Security is Enabled.

- Detecting if Memory Integrity Protection is Enabled.

- Detecting if the current assembly has been invoked.

Hooks Detection:

- Detecting Most Anti Anti-Debugging Hooking Methods on Common Anti-Debugging Functions by checking for Bad Instructions on Functions Addresses and it detects user-mode anti anti-debuggers like scyllahide, and it can also detect some sandboxes which uses hooking to monitor application behaviour/activity (like Sandboxie/Sandboxie Plus, Hybrid analysis, Cuckoo Sandbox, and a lot of other online malware analysis websites/applications).

- Basic detection for stealthy page guard hooking.

- Detecting CLR Functions Hooking (like harmony hooks).