
[C#] AntiDebug

Тема в разделе "C / C# / C++", создана пользователем Hanter, 5 янв 2017.

  1. Hanter
    Код:
    using Microsoft.Win32;
    using System;
    using System.Diagnostics;
    using System.Management;
    using System.Runtime.InteropServices;
    using System.Security.Principal;
    using System.Threading;
    using System.Windows.Forms;
     
    /// <summary>
    /// Tunables for <see cref="Protection"/>: which check families run and how
    /// often the background loops poll. Every switch is off by default, so no
    /// check executes unless the caller opts in explicitly.
    /// </summary>
    public class ProtectionSettings
    {
        // Pause, in milliseconds, between two iterations of each background check loop.
        public int Check_Timeout = 1000;

        // Opt-in switches, one per check family.
        public bool VirtualMachine = false;
        public bool Debugging = false;
        public bool Emulation = false;
        public bool Snooping = false;
        public bool Sandbox = false;

        // Substrings compared (after lower-casing) against the main-window titles
        // of other processes; keep entries lower-case or they never match.
        public string[] Snooper_Titles = new[]
        {
            "wireshark",
            "ilspy",
            "dnspy",
            "ollydbg",
            "de4dot",
            "megadumper",
        };
    }
    /// <summary>
    /// Runtime anti-analysis guard: one-shot and periodic checks for an attached
    /// debugger, a virtual machine, a sandbox, an emulator and selected analysis
    /// tools, reacting either by terminating the process (<see cref="spoofCrash"/>)
    /// or by parking it in an empty message loop (<see cref="endlessLoop"/>).
    /// Every indicator below is a plain string literal or a fixed Win32 / registry /
    /// WMI lookup, so the complete check set is recoverable from the binary by
    /// static analysis. Windows-only: relies on P/Invoke, the registry, WMI and
    /// System.Windows.Forms.
    /// </summary>
    public class Protection
    {
        private ProtectionSettings _settings;
        /// <summary>
        /// Configuration read by every check; a null value makes <see cref="Start"/>
        /// throw <see cref="NullReferenceException"/> on its first flag access.
        /// </summary>
        public ProtectionSettings Settings
        {
            get { return _settings; }
            set { _settings = value; }
        }
        // Set by Start(), cleared by Stop(); only guards against a second Start().
        private bool _running = false;

        #region Threads
        // Background loops; see debuggerThread() / snooperThread().
        private Thread AntiDebuggingThread;
        private Thread AntiSnooperThread;
        #endregion

        #region API
        // Win32 imports used by the checks.
        [DllImport("Kernel32.dll", SetLastError = true, ExactSpelling = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)]ref bool isDebuggerPresent);
        [DllImport("kernel32.dll")]
        private static extern bool IsDebuggerPresent();
        [DllImport("kernel32.dll")]
        private static extern IntPtr GetModuleHandle(string module);
        [DllImport("user32.dll", SetLastError = true)]
        private static extern IntPtr FindWindow(string lpClassName, IntPtr ZeroOnly);
        [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
        private static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
        [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern uint GetFileAttributes(string lpFileName);
        #endregion

        /// <summary>True between a successful <see cref="Start"/> and <see cref="Stop"/>.</summary>
        public bool Running
        {
            get { return _running; }
            set { _running = value; }
        }

        /// <summary>Stores <paramref name="settings"/>; no check runs until <see cref="Start"/>.</summary>
        public Protection(ProtectionSettings settings)
        {
            this.Settings = settings;
        }

        /// <summary>
        /// Runs each enabled check once on the calling thread, then starts the two
        /// background loops. Order matters: a VirtualMachine or Sandbox hit ends the
        /// process, a Debugging or Emulation hit blocks this call forever inside
        /// Application.Run(), so the threads below are never started in that case.
        /// Both threads are always created; their loops exit at once when the
        /// corresponding Settings flag is false.
        /// </summary>
        public void Start()
        {
            if (Running) return;

            //Do one time checks
            if(Settings.VirtualMachine)
            {
                if(isProcessVirtualized())
                {
                    spoofCrash();
                }
            }
            if (Settings.Debugging)
            {
                if (isDebugged())
                {
                    endlessLoop(); //endless loop on first check, but crash if we're on thread (somebody attached a debugger while running)
                }
            }
            if (Settings.Sandbox)
            {
                // Application.ExecutablePath: the path of the running .exe, compared against fixed markers.
                if (isProcessInSandbox(Application.ExecutablePath))
                {
                    spoofCrash();
                }
            }
            if(Settings.Emulation )
            {
                if(isEmulated())
                {
                    endlessLoop();
                }
            }
            if (Settings.Snooping)
            {
                checkSnooping();
            }

            //Start continous checks
            AntiDebuggingThread = new Thread(debuggerThread);
            AntiDebuggingThread.Start();

            AntiSnooperThread = new Thread(snooperThread);
            AntiSnooperThread.Start();

            Running = true;
        }
        /// <summary>
        /// Clears <see cref="Running"/> and drops the thread references. It does NOT
        /// signal or join the threads: their loops only test Settings.Debugging /
        /// Settings.Snooping, so they keep running until those flags are set false
        /// by the caller, and a later Start() creates a second pair alongside them.
        /// </summary>
        public void Stop()
        {
            if (!Running) return;

            if (AntiDebuggingThread != null)
            {
                AntiDebuggingThread = null;
            }

            if (AntiSnooperThread != null)
            {
                AntiSnooperThread = null;
            }
            Running = false;
        }

        #region ProtectionMethods
        /// <summary>
        /// Terminates the process immediately via Environment.FailFast (no finalizers,
        /// no catch blocks run). FailFast writes an entry to the Windows Application
        /// event log and triggers Windows Error Reporting, which is a usable forensic
        /// trace of the termination; the null argument leaves the message empty.
        /// </summary>
        private void spoofCrash()
        {
            GC.Collect();
            Environment.FailFast(null);
        }
        /// <summary>
        /// Blocks the calling thread in a WinForms message loop with no form; it only
        /// returns if Application.Exit() is called from elsewhere.
        /// </summary>
        private void endlessLoop() //simple but undetected by malwr.com and virustotal
        {
            Application.Run();
        }
        #endregion

        #region Checks
        /// <summary>
        /// Managed (Debugger.IsAttached / IsLogging) and native (CheckRemoteDebuggerPresent
        /// on our own handle, IsDebuggerPresent) debugger checks; true if any fires.
        /// Debug.Print is [Conditional("DEBUG")], so the trace line vanishes in Release builds.
        /// </summary>
        private bool isDebugged()
        {
            bool flag = false;

            //Managed
            if (Debugger.IsAttached) flag = true;

            if (Debugger.IsLogging()) flag = true;

            //Unmanaged
            bool remotedbg = false;
            CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref remotedbg);
            if (remotedbg) flag = true;

            if (IsDebuggerPresent()) flag = true;

            if (flag)
            {
                Debug.Print("Debugger detected, eternal loop");
            }

            return flag;
        }
        /// <summary>
        /// Heuristic sandbox indicators: a loaded SbieDLL.dll module, a fixed process
        /// name, a machine-name prefix, a set of account names, marker substrings in
        /// <paramref name="startupPath"/> (upper-cased) and one window class name.
        /// All comparisons are culture-sensitive ToUpper()/== on literals.
        /// </summary>
        /// <param name="startupPath">Full path of the running executable.</param>
        /// <returns>True on the first matching indicator, otherwise false.</returns>
        private bool isProcessInSandbox(string startupPath)
        {
            // (int)IntPtr is a checked conversion: on 64-bit it throws OverflowException
            // when the handle value exceeds the Int32 range.
            if ((int)GetModuleHandle("SbieDLL.dll") != 0)
                return true;

            if (Process.GetCurrentProcess().ProcessName == "mlwr_smpl")
                return true;

            if (Environment.MachineName.StartsWith("placehol-"))
                return true;

            // WindowsIdentity.Name is "DOMAIN\user"; these literals only match an
            // account with no domain/machine prefix in the name.
            switch (WindowsIdentity.GetCurrent().Name.ToString().ToUpper())
            {
                case "USER": return true;
                case "SANDBOX": return true;
                case "VIRUS": return true;
                case "MALWARE": return true;
                case "SCHMIDTI": return true;
                case "CURRENTUSER": return true;
            }

            string sPath = startupPath.ToUpper();

            if (sPath == "C:\\FILE.EXE")
                return true;

            if (sPath.Contains("\\VIRUS"))
                return true;

            if (sPath.Contains("SANDBOX"))
                return true;

            if (sPath.Contains("SAMPLE"))
                return true;

            // Same checked IntPtr -> int conversion as above.
            if ((int)FindWindow("Afx:400000:0", (IntPtr)0) != 0)
                return true;

            return false;
        }
        /// <summary>
        /// Timing check: sleeps 500 ms and flags an emulator if Environment.TickCount
        /// advanced by less than 500. TickCount is a 32-bit millisecond counter that
        /// wraps after ~24.9 days; a wrap between the two reads yields a negative
        /// difference and therefore a false positive.
        /// </summary>
        private bool isEmulated()
        {
            long tickCount = Environment.TickCount;
            Thread.Sleep(500);
            long tickCount2 = Environment.TickCount;
            if (((tickCount2 - tickCount) < 500L))
            {
                return true;
            }
            return false;
        }
        /// <summary>
        /// Hypervisor / guest-tools artefacts for VirtualBox, VMware, Wine and QEMU:
        /// HKLM registry strings, presence of guest driver files (GetFileAttributes
        /// returns 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES when the path cannot be
        /// resolved, so "!= 4294967295" means "exists"), a Wine-only export in
        /// kernel32, and the WMI Win32_VideoController description.
        /// readRegistryKey(..., "") reads a key's default value and yields
        /// "noValueButYesKey" when the key exists without one, so those comparisons
        /// test for key existence only.
        /// </summary>
        /// <returns>True on the first matching indicator, otherwise false.</returns>
        private bool isProcessVirtualized()
        {
            if (readRegistryKey("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("VBOX")) { return true; }
            if (readRegistryKey("HARDWARE\\Description\\System", "SystemBiosVersion").ToUpper().Contains("VBOX")) { return true; }
            if (readRegistryKey("HARDWARE\\Description\\System", "VideoBiosVersion").ToUpper().Contains("VIRTUALBOX")) { return true; }
            if (readRegistryKey("SOFTWARE\\Oracle\\VirtualBox Guest Additions", "") == "noValueButYesKey") { return true; }
            if (GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys") != (uint)4294967295) { return true; }

            if (readRegistryKey("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("VMWARE")) { return true; }
            if (readRegistryKey("SOFTWARE\\VMware, Inc.\\VMware Tools", "") == "noValueButYesKey") { return true; }
            if (readRegistryKey("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("VMWARE")) { return true; }
            if (readRegistryKey("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("VMWARE")) { return true; }
            if (readRegistryKey("SYSTEM\\ControlSet001\\Services\\Disk\\Enum", "0").ToUpper().Contains("vmware".ToUpper())) { return true; }
            if (readRegistryKey("SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000", "DriverDesc").ToUpper().Contains("VMWARE")) { return true; }
            if (readRegistryKey("SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\Settings", "Device Description").ToUpper().Contains("VMWARE")) { return true; }
            if (readRegistryKey("SOFTWARE\\VMware, Inc.\\VMware Tools", "InstallPath").ToUpper().Contains("C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\")) { return true; }
            if (GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmmouse.sys") != (uint)4294967295) { return true; }
            if (GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys") != (uint)4294967295) { return true; }

            // Wine exports this symbol from its kernel32; a real kernel32 does not.
            if (GetProcAddress((IntPtr)GetModuleHandle("kernel32.dll"), "wine_get_unix_file_name") != (IntPtr)0) { return true; }

            if (readRegistryKey("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("QEMU")) { return true; }
            if (readRegistryKey("HARDWARE\\Description\\System", "SystemBiosVersion").ToUpper().Contains("QEMU")) { return true; }

            // WMI query; searcher and collection are IDisposable but are not disposed here.
            ManagementScope scope = new ManagementScope("\\\\.\\ROOT\\cimv2");
            ObjectQuery query = new ObjectQuery("SELECT * FROM Win32_VideoController");
            ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query);
            ManagementObjectCollection queryCollection = searcher.Get();
            foreach (ManagementObject m in queryCollection)
            {
                // m["Description"] is null when the adapter reports no description;
                // .ToString() then throws NullReferenceException instead of matching the "" case below.
                if (m["Description"].ToString() == "VM Additions S3 Trio32/64") { return true; }
                if (m["Description"].ToString() == "S3 Trio32/64") { return true; }
                if (m["Description"].ToString() == "VirtualBox Graphics Adapter") { return true; }
                if (m["Description"].ToString() == "VMware SVGA II") { return true; }
                if (m["Description"].ToString().ToUpper().Contains("VMWARE")) { return true; }
                if (m["Description"].ToString() == "") { return true; }
            }

            return false;
        }
        /// <summary>
        /// Reads one value from an HKLM subkey (read-only) and renders it as a string.
        /// </summary>
        /// <param name="key">Subkey path below HKEY_LOCAL_MACHINE.</param>
        /// <param name="value">Value name; "" addresses the key's default value.</param>
        /// <returns>
        /// "noKey" if the subkey does not exist (or cannot be opened);
        /// "noValueButYesKey" if the subkey exists but the value does not (that string
        /// is the GetValue default, so it is returned through the string branch);
        /// otherwise the value rendered by kind. Note that the Binary branch calls
        /// Convert.ToString on a byte[], which yields the type name "System.Byte[]",
        /// not the bytes. The opened RegistryKey is never disposed.
        /// </returns>
        private  string readRegistryKey(string key, string value)
        {
            RegistryKey registryKey;
            registryKey = Registry.LocalMachine.OpenSubKey(key, false);
            if (registryKey != null)
            {
                object rkey = registryKey.GetValue(value, (object)(string)"noValueButYesKey");
                if (rkey.GetType() == typeof(string))
                {
                    return rkey.ToString();
                }
                if (registryKey.GetValueKind(value) == RegistryValueKind.String || registryKey.GetValueKind(value) == RegistryValueKind.ExpandString)
                {
                    return rkey.ToString();
                }
                if (registryKey.GetValueKind(value) == RegistryValueKind.DWord)
                {
                    return Convert.ToString((Int32)rkey);
                }
                if (registryKey.GetValueKind(value) == RegistryValueKind.QWord)
                {
                    return Convert.ToString((Int64)rkey);
                }
                if (registryKey.GetValueKind(value) == RegistryValueKind.Binary)
                {
                    return Convert.ToString((byte[])rkey);
                }
                if (registryKey.GetValueKind(value) == RegistryValueKind.MultiString)
                {
                    return string.Join("", (string[])rkey);
                }
                return "noValueButYesKey";
            }

            return "noKey";
        }
        /// <summary>
        /// Enumerates every process on the machine and kills any whose main-window
        /// title (lower-cased, trimmed) contains one of Settings.Snooper_Titles.
        /// Any exception from Kill() — including the InvalidOperationException raised
        /// when the target already exited — ends this process via spoofCrash().
        /// Process objects are not disposed; the caught exception is unused (CS0168).
        /// </summary>
        private void checkSnooping()
        {
            foreach (Process process in Process.GetProcesses())
            {
                // Processes without a main window report "" here and never match.
                string fixedname = process.MainWindowTitle.ToLower().Trim();
                foreach (string name in Settings.Snooper_Titles)
                {
                    if (fixedname.Contains(name))
                    {
                        try
                        {
                            process.Kill();
                            Debug.Print("Snooper process found and killed");
                        }
                        catch (Exception ex) //We couldn't kill it, crash the app to prevent snooping
                        {                     //Todo: check if the app was already killed? and if that was the reason why we got exception
                                              //Then there's no need to crash
                            spoofCrash();
                        }
                    }
                }
            }
        }
        /// <summary>
        /// Background loop: checkSnooping() every Settings.Check_Timeout ms while
        /// Settings.Snooping is true. Settings.Snooping is the only way to stop it.
        /// </summary>
        private void snooperThread()
        {
            while (Settings.Snooping)
            {
                checkSnooping();
                Thread.Sleep(Settings.Check_Timeout);
            }
        }
        /// <summary>
        /// Background loop: isDebugged() every Settings.Check_Timeout ms while
        /// Settings.Debugging is true; a hit here terminates the process (unlike the
        /// one-shot check in Start(), which parks it in endlessLoop()).
        /// </summary>
        private void debuggerThread()
        {
            while (Settings.Debugging)
            {
                if (isDebugged())
                {
                    spoofCrash();
                }
                Thread.Sleep(Settings.Check_Timeout);
            }
        }
        #endregion
    }