DEV Community

AdvDebug
AdvDebug

Posted on

2

AntiCrack-DotNet: Advanced Methods to prevent cracking.

Image description

A .NET Project which Contains some useful techniques to detect debugging and other harmful actions and bypass methods which can be used by crackers to analyze your assembly. (also feel free to open an issue for adding additional anti-debugging features, etc) with syscall support.

Anti-Debugging

  • NtUserGetForegroundWindow (looks for bad active window names to check if it's a known debugger)

  • Debugger.IsAttached

  • Hide Threads From Debugger

  • IsDebuggerPresent

  • NtSetDebugFilterState

  • Page Guard Breakpoints Detection

  • NtQueryInformationProcess: ProcessDebugFlags, ProcessDebugPort, ProcessDebugObjectHandle

  • NtClose: Invalid Handle, Protected Handle

  • Parent Process Checking (Checks if parent are explorer.exe or cmd.exe)

  • Detection of Hardware Breakpoints

  • FindWindow (looks for bad window names)

  • GetTickCount

  • OutputDebugString

  • Crashing Non-Managed Debuggers with a Debugger Breakpoint

  • OllyDbg Format String Exploit

  • Patching DbgUiRemoteBreakin and DbgBreakPoint (Anti-Debugger Attaching)

Anti Virtualization

  • Detecting Any.run

  • Detecting Triage

  • Detecting Qemu.

  • Detecting Parallels.

  • Detecting Sandboxie

  • Detecting Comodo Container

  • Detecting Qihoo360 Sandbox

  • Detecting Cuckoo Sandbox

  • Detecting VirtualBox and VMware

  • Detecting HyperV

  • Detecting Emulation

  • Checking For Blacklisted Usernames

  • Detecting KVM

  • Detecting Wine

  • Checking For Known Bad VM File Locations

  • Checking For Known Bad Process Names

  • Checking For Ports on the system (useful if the VM or the sandbox have no ports connected)

  • Checking for devices created by VMs or Sandboxes

Anti Dll Injection

  • Taking Advantage of Binary Image Signature Mitigation Policy to prevent injecting Non-Microsoft Binaries.

  • Checking if any injected libraries are present (simple dlls path whitelist check)

Other Detections

  • Detecting Most Anti Anti-Debugging Hooking Methods on Common Anti-Debugging Functions by checking for Bad Instructions on Functions Addresses and it detects user-mode anti anti-debuggers like scyllahide, and it can also detect some sandboxes which uses hooking to monitor application behaviour/activity (like Sandboxie/Sandboxie Plus, Hybrid Analysis, Cuckoo Sandbox, and a lot of other online malware analysis websites/applications).

  • Detecting CLR Functions Hooking (like harmony hooks).

Image of Docusign

πŸ› οΈ Bring your solution into Docusign. Reach over 1.6M customers.

Docusign is now extensible. Overcome challenges with disconnected products and inaccessible data by bringing your solutions into Docusign and publishing to 1.6M customers in the App Center.

Learn more

Top comments (0)

Billboard image

The Next Generation Developer Platform

Coherence is the first Platform-as-a-Service you can control. Unlike "black-box" platforms that are opinionated about the infra you can deploy, Coherence is powered by CNC, the open-source IaC framework, which offers limitless customization.

Learn more

πŸ‘‹ Kindness is contagious

Dive into an ocean of knowledge with this thought-provoking post, revered deeply within the supportive DEV Community. Developers of all levels are welcome to join and enhance our collective intelligence.

Saying a simple "thank you" can brighten someone's day. Share your gratitude in the comments below!

On DEV, sharing ideas eases our path and fortifies our community connections. Found this helpful? Sending a quick thanks to the author can be profoundly valued.

Okay