AntiCrack-DotNet: Advanced Methods to prevent cracking.

AdvDebug — Thu, 05 Dec 2024 12:43:20 +0000

A .NET Project which Contains some useful techniques to detect debugging and other harmful actions and bypass methods which can be used by crackers to analyze your assembly. (also feel free to open an issue for adding additional anti-debugging features, etc) with syscall support.

Anti-Debugging

NtUserGetForegroundWindow (looks for bad active window names to check if it's a known debugger)
Debugger.IsAttached
Hide Threads From Debugger
IsDebuggerPresent
NtSetDebugFilterState
Page Guard Breakpoints Detection
NtQueryInformationProcess: ProcessDebugFlags, ProcessDebugPort, ProcessDebugObjectHandle
NtClose: Invalid Handle, Protected Handle
Parent Process Checking (Checks if parent are explorer.exe or cmd.exe)
Detection of Hardware Breakpoints
FindWindow (looks for bad window names)
GetTickCount
OutputDebugString
Crashing Non-Managed Debuggers with a Debugger Breakpoint
OllyDbg Format String Exploit
Patching DbgUiRemoteBreakin and DbgBreakPoint (Anti-Debugger Attaching)

Anti Virtualization

Detecting Any.run
Detecting Triage
Detecting Qemu.
Detecting Parallels.
Detecting Sandboxie
Detecting Comodo Container
Detecting Qihoo360 Sandbox
Detecting Cuckoo Sandbox
Detecting VirtualBox and VMware
Detecting HyperV
Detecting Emulation
Checking For Blacklisted Usernames
Detecting KVM
Detecting Wine
Checking For Known Bad VM File Locations
Checking For Known Bad Process Names
Checking For Ports on the system (useful if the VM or the sandbox have no ports connected)
Checking for devices created by VMs or Sandboxes

Anti Dll Injection

Taking Advantage of Binary Image Signature Mitigation Policy to prevent injecting Non-Microsoft Binaries.
Checking if any injected libraries are present (simple dlls path whitelist check)

Other Detections

Detecting Most Anti Anti-Debugging Hooking Methods on Common Anti-Debugging Functions by checking for Bad Instructions on Functions Addresses and it detects user-mode anti anti-debuggers like scyllahide, and it can also detect some sandboxes which uses hooking to monitor application behaviour/activity (like Sandboxie/Sandboxie Plus, Hybrid Analysis, Cuckoo Sandbox, and a lot of other online malware analysis websites/applications).
Detecting CLR Functions Hooking (like harmony hooks).

De4py: Advanced python reverse engineering

AdvDebug — Sat, 18 May 2024 13:07:07 +0000

De4py is an advanced Python deobfuscator with a beautiful user interface and a set of powerful features. It’s designed to help malware analysts and reverse engineers tackle obfuscated Python files and more.

Here are some key features of De4py:

Deobfuscation: De4py supports popular obfuscators like Jawbreaker, BlankOBF, PlusOBF, Wodx, Hyperion, and pyobfuscate.com obfuscator. It helps you unravel the obfuscated code and understand its true functionality.
Pycode Execution: You can execute Python code directly within the process. This feature is handy when dealing with programs that have licensing checks or other conditional behavior.
Strings Dump: Extract strings from the Python process memory, which can be useful for analyzing webhooks or other data stored in memory.
Removing Exit Function: De4py can remove the exit function, preventing the program from terminating prematurely (useful for debugging).
Getting All Functions: Retrieve a list of all functions within the Python process. Useful for modifying functions in memory.
Pyshell GUI: A custom GUI allows you to execute Python code within the desired process.
GUI and Console Support: De4py offers both console and GUI modes. The GUI provides a more user-friendly experience.
File Analyzer: Detects if a Python program is packed (e.g., using pyinstaller) and attempts to unpack it. It also identifies suspicious strings (IPs, websites, specific keywords) within the file.
Behavior Monitoring: Monitors Python processes for file handles, process interactions, memory reads/writes, and socket activity. It can even decrypt OpenSSL-encrypted content.
Plugins System: Customize the theme or add custom deobfuscators using plugins.
API System: Use De4py’s features (deobfuscator engine and pyshell) in your own tools.