├── .gitattributes
├── .gitignore
├── AntiNET2.sln
├── AntiNET2
├── AntiNET2.csproj
├── App.config
├── Core
│ ├── Extensions
│ │ ├── ByteArrayExtensions.cs
│ │ └── ModuleExtensions.cs
│ ├── Helpers
│ │ ├── ByteScan.cs
│ │ └── LevenshteinDistance.cs
│ ├── Models
│ │ ├── AssemblySettings.cs
│ │ ├── Database
│ │ │ ├── PInvokeEntry.cs
│ │ │ ├── ReflectionEntry.cs
│ │ │ ├── SignatureEntry.cs
│ │ │ └── StringEntry.cs
│ │ ├── Detection.cs
│ │ ├── IDetectionEntry.cs
│ │ ├── IDetectionProcess.cs
│ │ └── Reason.cs
│ └── Providers
│ │ ├── Database
│ │ ├── DatabaseInfo.cs
│ │ └── DetectionDatabase.cs
│ │ └── DetectionEngines
│ │ ├── Managed
│ │ ├── PInvokeDetection.cs
│ │ ├── ReflectionDetection.cs
│ │ ├── ResourceDetection.cs
│ │ └── StringDetection.cs
│ │ └── Native
│ │ ├── EOFDetection.cs
│ │ ├── SectionDetection.cs
│ │ └── SignatureDetection.cs
├── Properties
│ └── AssemblyInfo.cs
├── Scanner.cs
└── packages.config
├── AntiNETCLI
├── AntiNETCLI.csproj
├── App.config
├── Program.cs
└── Properties
│ └── AssemblyInfo.cs
├── CONTRIBUTERS.md
├── Dependencies
└── dnlib.dll
├── LICENSE.md
├── README.md
└── TODO.md
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
4 | # Custom for Visual Studio
5 | *.cs diff=csharp
6 |
7 | # Standard to msysgit
8 | *.doc diff=astextplain
9 | *.DOC diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot diff=astextplain
13 | *.DOT diff=astextplain
14 | *.pdf diff=astextplain
15 | *.PDF diff=astextplain
16 | *.rtf diff=astextplain
17 | *.RTF diff=astextplain
18 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | # User-specific files
5 | *.suo
6 | *.user
7 | *.userosscache
8 | *.sln.docstates
9 |
10 | # User-specific files (MonoDevelop/Xamarin Studio)
11 | *.userprefs
12 |
13 | # Build results
14 | [Dd]ebug/
15 | [Dd]ebugPublic/
16 | [Rr]elease/
17 | [Rr]eleases/
18 | x64/
19 | x86/
20 | bld/
21 | [Bb]in/
22 | [Oo]bj/
23 | [Ll]og/
24 |
25 | # Visual Studio 2015 cache/options directory
26 | .vs/
27 | # Uncomment if you have tasks that create the project's static files in wwwroot
28 | #wwwroot/
29 |
30 | # MSTest test Results
31 | [Tt]est[Rr]esult*/
32 | [Bb]uild[Ll]og.*
33 |
34 | # NUNIT
35 | *.VisualState.xml
36 | TestResult.xml
37 |
38 | # Build Results of an ATL Project
39 | [Dd]ebugPS/
40 | [Rr]eleasePS/
41 | dlldata.c
42 |
43 | # DNX
44 | project.lock.json
45 | artifacts/
46 |
47 | *_i.c
48 | *_p.c
49 | *_i.h
50 | *.ilk
51 | *.meta
52 | *.obj
53 | *.pch
54 | *.pdb
55 | *.pgc
56 | *.pgd
57 | *.rsp
58 | *.sbr
59 | *.tlb
60 | *.tli
61 | *.tlh
62 | *.tmp
63 | *.tmp_proj
64 | *.log
65 | *.vspscc
66 | *.vssscc
67 | .builds
68 | *.pidb
69 | *.svclog
70 | *.scc
71 |
72 | # Chutzpah Test files
73 | _Chutzpah*
74 |
75 | # Visual C++ cache files
76 | ipch/
77 | *.aps
78 | *.ncb
79 | *.opendb
80 | *.opensdf
81 | *.sdf
82 | *.cachefile
83 | *.VC.db
84 | *.VC.VC.opendb
85 |
86 | # Visual Studio profiler
87 | *.psess
88 | *.vsp
89 | *.vspx
90 | *.sap
91 |
92 | # TFS 2012 Local Workspace
93 | $tf/
94 |
95 | # Guidance Automation Toolkit
96 | *.gpState
97 |
98 | # ReSharper is a .NET coding add-in
99 | _ReSharper*/
100 | *.[Rr]e[Ss]harper
101 | *.DotSettings.user
102 |
103 | # JustCode is a .NET coding add-in
104 | .JustCode
105 |
106 | # TeamCity is a build add-in
107 | _TeamCity*
108 |
109 | # DotCover is a Code Coverage Tool
110 | *.dotCover
111 |
112 | # NCrunch
113 | _NCrunch_*
114 | .*crunch*.local.xml
115 | nCrunchTemp_*
116 |
117 | # MightyMoose
118 | *.mm.*
119 | AutoTest.Net/
120 |
121 | # Web workbench (sass)
122 | .sass-cache/
123 |
124 | # Installshield output folder
125 | [Ee]xpress/
126 |
127 | # DocProject is a documentation generator add-in
128 | DocProject/buildhelp/
129 | DocProject/Help/*.HxT
130 | DocProject/Help/*.HxC
131 | DocProject/Help/*.hhc
132 | DocProject/Help/*.hhk
133 | DocProject/Help/*.hhp
134 | DocProject/Help/Html2
135 | DocProject/Help/html
136 |
137 | # Click-Once directory
138 | publish/
139 |
140 | # Publish Web Output
141 | *.[Pp]ublish.xml
142 | *.azurePubxml
143 | # TODO: Comment the next line if you want to checkin your web deploy settings
144 | # but database connection strings (with potential passwords) will be unencrypted
145 | *.pubxml
146 | *.publishproj
147 |
148 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
149 | # checkin your Azure Web App publish settings, but sensitive information contained
150 | # in these scripts will be unencrypted
151 | PublishScripts/
152 |
153 | # NuGet Packages
154 | *.nupkg
155 | # The packages folder can be ignored because of Package Restore
156 | **/packages/*
157 | # except build/, which is used as an MSBuild target.
158 | !**/packages/build/
159 | # Uncomment if necessary however generally it will be regenerated when needed
160 | #!**/packages/repositories.config
161 | # NuGet v3's project.json files produces more ignoreable files
162 | *.nuget.props
163 | *.nuget.targets
164 |
165 | # Microsoft Azure Build Output
166 | csx/
167 | *.build.csdef
168 |
169 | # Microsoft Azure Emulator
170 | ecf/
171 | rcf/
172 |
173 | # Windows Store app package directories and files
174 | AppPackages/
175 | BundleArtifacts/
176 | Package.StoreAssociation.xml
177 | _pkginfo.txt
178 |
179 | # Visual Studio cache files
180 | # files ending in .cache can be ignored
181 | *.[Cc]ache
182 | # but keep track of directories ending in .cache
183 | !*.[Cc]ache/
184 |
185 | # Others
186 | ClientBin/
187 | ~$*
188 | *~
189 | *.dbmdl
190 | *.dbproj.schemaview
191 | *.pfx
192 | *.publishsettings
193 | node_modules/
194 | orleans.codegen.cs
195 |
196 | # Since there are multiple workflows, uncomment next line to ignore bower_components
197 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
198 | #bower_components/
199 |
200 | # RIA/Silverlight projects
201 | Generated_Code/
202 |
203 | # Backup & report files from converting an old project file
204 | # to a newer Visual Studio version. Backup files are not needed,
205 | # because we have git ;-)
206 | _UpgradeReport_Files/
207 | Backup*/
208 | UpgradeLog*.XML
209 | UpgradeLog*.htm
210 |
211 | # SQL Server files
212 | *.mdf
213 | *.ldf
214 |
215 | # Business Intelligence projects
216 | *.rdl.data
217 | *.bim.layout
218 | *.bim_*.settings
219 |
220 | # Microsoft Fakes
221 | FakesAssemblies/
222 |
223 | # GhostDoc plugin setting file
224 | *.GhostDoc.xml
225 |
226 | # Node.js Tools for Visual Studio
227 | .ntvs_analysis.dat
228 |
229 | # Visual Studio 6 build log
230 | *.plg
231 |
232 | # Visual Studio 6 workspace options file
233 | *.opt
234 |
235 | # Visual Studio LightSwitch build output
236 | **/*.HTMLClient/GeneratedArtifacts
237 | **/*.DesktopClient/GeneratedArtifacts
238 | **/*.DesktopClient/ModelManifest.xml
239 | **/*.Server/GeneratedArtifacts
240 | **/*.Server/ModelManifest.xml
241 | _Pvt_Extensions
242 |
243 | # Paket dependency manager
244 | .paket/paket.exe
245 | paket-files/
246 |
247 | # FAKE - F# Make
248 | .fake/
249 |
250 | # JetBrains Rider
251 | .idea/
252 | *.sln.iml
253 |
254 | # =========================
255 | # Operating System Files
256 | # =========================
257 |
258 | # OSX
259 | # =========================
260 |
261 | .DS_Store
262 | .AppleDouble
263 | .LSOverride
264 |
265 | # Thumbnails
266 | ._*
267 |
268 | # Files that might appear in the root of a volume
269 | .DocumentRevisions-V100
270 | .fseventsd
271 | .Spotlight-V100
272 | .TemporaryItems
273 | .Trashes
274 | .VolumeIcon.icns
275 |
276 | # Directories potentially created on remote AFP share
277 | .AppleDB
278 | .AppleDesktop
279 | Network Trash Folder
280 | Temporary Items
281 | .apdisk
282 |
283 | # Windows
284 | # =========================
285 |
286 | # Windows image file caches
287 | Thumbs.db
288 | ehthumbs.db
289 |
290 | # Folder config file
291 | Desktop.ini
292 |
293 | # Recycle Bin used on file shares
294 | $RECYCLE.BIN/
295 |
296 | # Windows Installer files
297 | *.cab
298 | *.msi
299 | *.msm
300 | *.msp
301 |
302 | # Windows shortcuts
303 | *.lnk
304 |
--------------------------------------------------------------------------------
/AntiNET2.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.25420.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AntiNET2", "AntiNET2\AntiNET2.csproj", "{D3E5408C-57FE-43F9-AA38-B10BD6390D80}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AntiNETCLI", "AntiNETCLI\AntiNETCLI.csproj", "{B3ED1DBF-32FA-40AC-ACE2-B57FDD4A1C0C}"
9 | EndProject
10 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{DDEA06F7-8287-4B40-B4FD-BC3F074A918F}"
11 | ProjectSection(SolutionItems) = preProject
12 | CONTRIBUTERS.md = CONTRIBUTERS.md
13 | README.md = README.md
14 | TODO.md = TODO.md
15 | EndProjectSection
16 | EndProject
17 | Global
18 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
19 | Debug|Any CPU = Debug|Any CPU
20 | Release|Any CPU = Release|Any CPU
21 | EndGlobalSection
22 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
23 | {D3E5408C-57FE-43F9-AA38-B10BD6390D80}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
24 | {D3E5408C-57FE-43F9-AA38-B10BD6390D80}.Debug|Any CPU.Build.0 = Debug|Any CPU
25 | {D3E5408C-57FE-43F9-AA38-B10BD6390D80}.Release|Any CPU.ActiveCfg = Release|Any CPU
26 | {D3E5408C-57FE-43F9-AA38-B10BD6390D80}.Release|Any CPU.Build.0 = Release|Any CPU
27 | {B3ED1DBF-32FA-40AC-ACE2-B57FDD4A1C0C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
28 | {B3ED1DBF-32FA-40AC-ACE2-B57FDD4A1C0C}.Debug|Any CPU.Build.0 = Debug|Any CPU
29 | {B3ED1DBF-32FA-40AC-ACE2-B57FDD4A1C0C}.Release|Any CPU.ActiveCfg = Release|Any CPU
30 | {B3ED1DBF-32FA-40AC-ACE2-B57FDD4A1C0C}.Release|Any CPU.Build.0 = Release|Any CPU
31 | EndGlobalSection
32 | GlobalSection(SolutionProperties) = preSolution
33 | HideSolutionNode = FALSE
34 | EndGlobalSection
35 | EndGlobal
36 |
--------------------------------------------------------------------------------
/AntiNET2/AntiNET2.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {D3E5408C-57FE-43F9-AA38-B10BD6390D80}
8 | Library
9 | Properties
10 | AntiNET2
11 | AntiNET2
12 | v4.5
13 | 512
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 | true
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 | ..\Dependencies\dnlib.dll
41 |
42 |
43 | ..\packages\Newtonsoft.Json.9.0.1\lib\net45\Newtonsoft.Json.dll
44 | True
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
94 |
--------------------------------------------------------------------------------
/AntiNET2/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Extensions/ByteArrayExtensions.cs:
--------------------------------------------------------------------------------
1 | using AntiNET2.Core.Helpers;
2 | using AntiNET2.Core.Models;
3 | using System;
4 | using System.Collections.Generic;
5 | using System.Linq;
6 | using System.Text;
7 | using System.Threading.Tasks;
8 |
9 | namespace AntiNET2.Core.Extensions
10 | {
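public static class ByteArrayExtensions
{
    /// <summary>
    /// Checks the first bytes of <paramref name="array"/> for well-known container and
    /// executable magic numbers (GZip 1F 8B, PKZip 50 4B 03 04, RAR 52 61 72 21 1A 07 00,
    /// MZ 4D 5A) and records one <see cref="Reason"/> per hit on <paramref name="_asm"/>.
    /// </summary>
    /// <param name="array">Bytes of the blob being inspected; untrusted and possibly shorter than any prefix.</param>
    /// <param name="_asm">Collector that receives the detections.</param>
    /// <param name="type">Detection type label (must not be null); a trailing "s" is dropped for the message text, e.g. "Resources" -> "Resource".</param>
    /// <returns>Number of magic numbers that matched; 0 for a null or empty array.</returns>
    public static int SigDetection(this byte[] array, AssemblySettings _asm, string type)
    {
        // Every prefix test below is length-guarded: a one- or two-byte blob previously
        // threw IndexOutOfRangeException instead of simply not matching.
        if (array == null || array.Length == 0)
            return 0;

        // Strip only the final character; Remove(Length - 2) dropped two and produced "Resourc".
        string singular = type.EndsWith("s") ? type.Remove(type.Length - 1) : type;

        int d = 0;
        // GZip
        if (HasPrefix(array, 0x1f, 0x8b))
        {
            _asm.AddDetection(type, new Reason(type, singular + " has GZip magic number. Could be malicious packed content."));
            d++;
        }
        // Pkzip .zip
        if (HasPrefix(array, 0x50, 0x4b, 0x03, 0x04))
        {
            _asm.AddDetection(type, new Reason(type, singular + " has PKZip magic number. Could be malicious packed content."));
            d++;
        }
        // Rar
        if (HasPrefix(array, 0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x00))
        {
            _asm.AddDetection(type, new Reason(type, singular + " has RAR magic number. Could be malicious packed content."));
            d++;
        }
        // Exe
        if (HasPrefix(array, 0x4D, 0x5A))
        {
            _asm.AddDetection(type, new Reason(type, singular + " has EXE magic number. Could be malicious content."));
            d++;
        }
        return d;
    }

    /// <summary>True when <paramref name="data"/> starts with every byte of <paramref name="prefix"/>.</summary>
    private static bool HasPrefix(byte[] data, params byte[] prefix)
    {
        if (data.Length < prefix.Length)
            return false;
        for (int i = 0; i < prefix.Length; i++)
        {
            if (data[i] != prefix[i])
                return false;
        }
        return true;
    }

    /// <summary>
    /// Finds <paramref name="sig"/> (space-separated two-character hex tokens, '?' as a nibble
    /// wildcard) in <paramref name="file"/> via <see cref="ByteScan.GetIndexOfSig"/>.
    /// </summary>
    /// <returns>Offset of the first match, or -1 when absent.</returns>
    public static long IndexOf(this byte[] file, string sig)
    {
        return ByteScan.GetIndexOfSig(file, sig);
    }

    #region Testing Index Of

    /// <summary>
    /// Naive forward search for <paramref name="needle"/> inside <paramref name="haystack"/>,
    /// starting at <paramref name="startOffset"/>. Written without pointers so that a short
    /// haystack, an empty needle or a negative offset can never read outside the arrays
    /// (the unsafe version dereferenced the null pointer of an empty needle).
    /// </summary>
    /// <param name="haystack">Bytes to search.</param>
    /// <param name="needle">Bytes to look for; an empty needle never matches.</param>
    /// <param name="startOffset">First candidate offset; negative values are treated as 0.</param>
    /// <returns>Offset of the first match at or after <paramref name="startOffset"/>, or -1.</returns>
    public static long IndexOf(this byte[] haystack, byte[] needle, long startOffset = 0)
    {
        if (haystack == null || needle == null || needle.Length == 0)
            return -1;
        if (startOffset < 0)
            startOffset = 0;

        // Last offset at which the whole needle still fits.
        long last = haystack.LongLength - needle.LongLength;
        for (long i = startOffset; i <= last; i++)
        {
            long k = 0;
            while (k < needle.LongLength && haystack[i + k] == needle[k])
                k++;
            if (k == needle.LongLength)
                return i;
        }
        return -1;
    }

    /// <summary>
    /// Experimental string-signature scan. <paramref name="sig"/> is a space-separated list of
    /// two-character tokens such as "4D 5A 9? 00 03"; "??" matches any byte and a single '?'
    /// matches that nibble. Tokens are compared in upper-case hex.
    /// </summary>
    /// <returns>Offset of the first match, or -1.</returns>
    public static long IndexOfTest(this byte[] search, string sig)
    {
        string[] sigParts = sig.Split(' ');
        // One token per byte, so the last candidate offset is search.Length - sigParts.Length.
        // The previous bound used the token string length (two chars per byte) and missed
        // matches near the end of the buffer.
        int count = search.Length - sigParts.Length + 1;

        for (int i = 0; i < count; i++)
        {
            int j = 0;
            for (int a = 0; a < sigParts.Length; a++)
            {
                string part = sigParts[a].ToUpperInvariant();
                string testMatch = search[i + a].ToString("X2");

                if (part == "??" || testMatch == part)
                {
                    j++;
                    continue;
                }
                // A malformed token can never match; stop before indexing part[1].
                if (part.Length != 2)
                    break;
                if (part[0] == '?' && testMatch[1] == part[1])
                {
                    j++;
                    continue;
                }
                if (part[1] == '?' && testMatch[0] == part[0])
                {
                    j++;
                    continue;
                }
                // No match (including a wildcard nibble whose other nibble differs), break
                break;
            }
            if (j == sigParts.Length)
                return i;
        }
        return -1;
    }

    // Credits to github.com/BahNahNah
    /// <summary>
    /// Experimental whole-byte signature scan: every token is either "??" (any byte) or a
    /// two-digit hex value; nibble wildcards are not supported and raise
    /// <see cref="FormatException"/>. The earlier pointer version compared a char against a
    /// hex string (never equal) and advanced two bytes per step, so it could not find anything.
    /// </summary>
    /// <returns>Offset of the first match, or -1.</returns>
    public static long IndexOfTest2(this byte[] search, string sig)
    {
        string[] tokens = sig.Split(' ');
        // -1 marks a wildcard byte; anything else is the exact byte value.
        int[] pattern = new int[tokens.Length];
        for (int t = 0; t < tokens.Length; t++)
            pattern[t] = tokens[t] == "??" ? -1 : Convert.ToByte(tokens[t], 16);

        int last = search.Length - pattern.Length;
        for (int i = 0; i <= last; i++)
        {
            bool found = true;
            for (int p = 0; p < pattern.Length; p++)
            {
                if (pattern[p] != -1 && search[i + p] != pattern[p])
                {
                    found = false;
                    break;
                }
            }
            if (found)
                return i;
        }
        return -1;
    }

    // Credits to github.com/BahNahNah
    /// <summary>
    /// Scans <paramref name="search"/> for <paramref name="pattern"/>, where a '?' at the same
    /// index of <paramref name="match"/> makes that byte a wildcard.
    /// </summary>
    /// <returns>
    /// Offset of the first match, or -1 when the inputs are null/empty, the mask length differs
    /// from the pattern length, or the pattern is longer than the buffer. (The earlier version
    /// returned 0 for invalid input, which is a valid offset, and looped past the end of the
    /// buffer when the pattern was longer than it.)
    /// </returns>
    private static int GetIndexOfScan(byte[] search, byte[] pattern, string match)
    {
        if (search == null || pattern == null || match == null)
            return -1;
        if (search.Length == 0 || pattern.Length == 0 || pattern.Length != match.Length || pattern.Length > search.Length)
            return -1;

        int last = search.Length - pattern.Length;
        for (int i = 0; i <= last; i++)
        {
            bool found = true;
            for (int pIndex = 0; pIndex < pattern.Length; pIndex++)
            {
                if (match[pIndex] != '?' && search[i + pIndex] != pattern[pIndex])
                {
                    found = false;
                    break;
                }
            }
            if (found)
                return i;
        }
        return -1;
    }
    #endregion
}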
197 | }
198 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Extensions/ModuleExtensions.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace AntiNET2.Core.Extensions
8 | {
/// <summary>
/// Currently empty. The name mirrors <c>ByteArrayExtensions</c>, but no members are defined yet.
/// </summary>
class ModuleExtensions
{
}
12 | }
13 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Helpers/ByteScan.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Linq;
3 | using Newtonsoft.Json;
4 | using Newtonsoft.Json.Serialization;
5 |
6 | namespace AntiNET2.Core.Helpers
7 | {
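/// <summary>
/// Byte-pattern signature compiler and scanner. Credit: BahNahNah.
/// </summary>
public static class ByteScan
{
    /// <summary>
    /// Example sig:
    /// 01 02 ?3 04
    /// will match with
    /// 01 02 A3 04
    /// 01 02 03 04
    /// but not with
    /// 01 02 3A 04
    /// A0 02 3A 04
    /// etc.
    /// </summary>
    /// <param name="scan">Bytes to scan</param>
    /// <param name="sig">Byte sig: space-separated two-character tokens, '?' is a nibble wildcard</param>
    /// <returns>Index of scan array where pattern match. -1 on failure.</returns>
    public static int GetIndexOfSig(byte[] scan, string sig) => CompileSig(sig).Scan(scan);

    /// <summary>
    /// Compiles a textual signature into per-byte flags. Each ushort carries the expected byte
    /// value (masked to the compared nibbles) in its high byte and a nibble mask in its low byte:
    /// 0xF0 compares the high nibble, 0x0F the low nibble, 0x00 is a wildcard byte.
    /// </summary>
    /// <param name="sig">Signature text, e.g. "4D 5A 90 0? 03".</param>
    /// <exception cref="ArgumentNullException"><paramref name="sig"/> is null.</exception>
    /// <exception cref="FormatException">A token is not exactly two characters, or contains a non-hex character other than '?'.</exception>
    public static Sig CompileSig(string sig)
    {
        if (sig == null)
            throw new ArgumentNullException(nameof(sig));
        var cArray = sig.Split(' ').Select(CompileToken).ToArray();
        return new Sig(cArray);
    }

    /// <summary>Encodes one two-character token into the flag layout described on <see cref="CompileSig"/>.</summary>
    private static ushort CompileToken(string token)
    {
        // The old code indexed token[0] and token[1] unconditionally and threw
        // IndexOutOfRangeException on an empty token (e.g. a double space in the signature).
        if (token.Length != 2)
            throw new FormatException("Signature token must be exactly two characters: '" + token + "'");
        if (token == "??")
            return 0;

        ushort flag = 0;
        if (token[0] != '?')
            flag |= 0xF0; // LEFT nibble is significant
        if (token[1] != '?')
            flag |= 0x0F; // RIGHT nibble is significant

        // Wildcard nibbles parse as 0 and are masked away by 'flag' anyway.
        byte value = Convert.ToByte(token.Replace('?', '0'), 16);
        flag |= (ushort)((value & flag) << 8);
        return flag;
    }

    /// <summary>
    /// A compiled signature. Serialized by DetectionDatabase as the "SigFlags" JSON property.
    /// </summary>
    public class Sig
    {
        [JsonProperty("SigFlags")]
        private ushort[] SigFlags;

        public Sig(ushort[] _sc)
        {
            SigFlags = _sc;
        }

        /// <summary>
        /// Finds the first offset in <paramref name="scan"/> where every flag matches.
        /// Index-based rather than pointer-based, so an empty buffer cannot reach
        /// <c>&amp;scan[0]</c> and nothing is read past the end of the array.
        /// </summary>
        /// <returns>Offset of the first match, or -1 when there is none or the buffer is shorter than the signature.</returns>
        public int Scan(byte[] scan)
        {
            if (scan == null || SigFlags == null || scan.Length < SigFlags.Length)
                return -1;

            int last = scan.Length - SigFlags.Length;
            for (int start = 0; start <= last; start++)
            {
                bool found = true;
                for (int pIndex = 0; pIndex < SigFlags.Length; pIndex++)
                {
                    ushort flag = SigFlags[pIndex];
                    // Low byte of 'flag' selects the compared nibbles, high byte is the expected value.
                    if (((scan[start + pIndex] & flag) ^ (flag >> 8)) != 0)
                    {
                        found = false;
                        break;
                    }
                }
                if (found)
                    return start;
            }
            return -1;
        }
    }
}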
93 | }
--------------------------------------------------------------------------------
/AntiNET2/Core/Helpers/LevenshteinDistance.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace AntiNET2.Core.Helpers
8 | {
/// <summary>
/// Contains approximate string matching
/// </summary>
public static class LevenshteinDistance
{
    /// <summary>
    /// Compute the Levenshtein edit distance between two strings: the minimum number of
    /// single-character insertions, deletions or substitutions turning <paramref name="s"/>
    /// into <paramref name="t"/>.
    /// </summary>
    /// <param name="s">Source string (must not be null).</param>
    /// <param name="t">Target string (must not be null).</param>
    /// <returns>The edit distance; the length of the other string when one is empty.</returns>
    public static int Compute(string s, string t)
    {
        int sLen = s.Length;
        int tLen = t.Length;

        if (sLen == 0)
            return tLen;
        if (tLen == 0)
            return sLen;

        // Only the previous and current rows of the classic (n+1)x(m+1) table are needed.
        int[] previous = new int[tLen + 1];
        int[] current = new int[tLen + 1];
        for (int j = 0; j <= tLen; j++)
            previous[j] = j;

        for (int i = 1; i <= sLen; i++)
        {
            current[0] = i;
            for (int j = 1; j <= tLen; j++)
            {
                int cost = s[i - 1] == t[j - 1] ? 0 : 1;
                int deletion = previous[j] + 1;
                int insertion = current[j - 1] + 1;
                int substitution = previous[j - 1] + cost;
                current[j] = Math.Min(Math.Min(deletion, insertion), substitution);
            }
            int[] swap = previous;
            previous = current;
            current = swap;
        }

        // After the final swap the completed row lives in 'previous'.
        return previous[tLen];
    }
}
62 | }
63 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Models/AssemblySettings.cs:
--------------------------------------------------------------------------------
1 | using dnlib.DotNet;
2 | using dnlib.PE;
3 | using System;
4 | using System.Collections.Generic;
5 | using System.Linq;
6 | using System.Text;
7 | using System.Threading.Tasks;
8 |
9 | namespace AntiNET2.Core.Models
10 | {
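public class AssemblySettings
{
    /// <summary>Managed (metadata) view of the assembly under analysis, from dnlib.</summary>
    public ModuleDefMD Module { get; set; }

    /// <summary>Raw PE view of the same file, from dnlib.</summary>
    public PEImage NativeImage { get; set; }

    /// <summary>One entry per detection type, each aggregating its reasons and a hit counter.</summary>
    public List<Detection> TotalDetections { get; set; } = new List<Detection>();

    /// <summary>
    /// Records <paramref name="r"/> under <paramref name="type"/>, creating the per-type
    /// <see cref="Detection"/> bucket on first use and bumping its counter otherwise.
    /// </summary>
    /// <param name="type">Detection type label; compared by exact string equality.</param>
    /// <param name="r">The reason to file.</param>
    public void AddDetection(string type, Reason r)
    {
        var typeDetection = TotalDetections.FirstOrDefault(x => x.DetectionType == type);
        if (typeDetection == null)
        {
            TotalDetections.Add(new Detection
            {
                DetectionType = type,
                DetectionReasons = new List<Reason> { r },
                TotalDetections = 1
            });
            return;
        }

        typeDetection.DetectionReasons.Add(r);
        typeDetection.TotalDetections++;
    }
}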
33 | }
34 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Models/Database/PInvokeEntry.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace AntiNET2.Core.Models.Database
8 | {
/// <summary>
/// Detection-database row for a P/Invoke import. PInvokeDetection compares
/// <see cref="Trigger"/> against the imported entry-point name (prefix match, case-insensitive).
/// </summary>
public class PInvokeEntry : IDetectionEntry
{
    /// <summary>Detection category the hit is filed under.</summary>
    public string Category { get; set; }

    /// <summary>Human-readable explanation reported with the hit.</summary>
    public string Description { get; set; }

    /// <summary>Entry-point name prefix that triggers the detection.</summary>
    public string Trigger { get; set; }

    /// <summary>Free-form payload; unused by PInvokeDetection in this tree.</summary>
    public object Tag { get; set; }
}
16 | }
17 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Models/Database/ReflectionEntry.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace AntiNET2.Core.Models.Database
8 | {
/// <summary>
/// Detection-database row stored in <c>DetectionDatabase.Calls</c>. The engine that consumes it
/// (ReflectionDetection) is not fully visible here; <see cref="Trigger"/> is presumably the
/// reflection call being looked for — confirm against that engine.
/// </summary>
public class ReflectionEntry : IDetectionEntry
{
    /// <summary>Detection category the hit is filed under.</summary>
    public string Category { get; set; }

    /// <summary>Human-readable explanation reported with the hit.</summary>
    public string Description { get; set; }

    /// <summary>Text the engine matches on.</summary>
    public string Trigger { get; set; }

    /// <summary>Free-form payload for engine-specific data.</summary>
    public object Tag { get; set; }
}
16 | }
17 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Models/Database/SignatureEntry.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace AntiNET2.Core.Models.Database
8 | {
/// <summary>
/// Detection-database row for a byte signature. <see cref="Trigger"/> holds the textual
/// signature (e.g. "4D 5A 90 0? 03"); DetectionDatabase.LoadSignatures compiles it with
/// ByteScan.CompileSig and caches the result in <see cref="Tag"/>.
/// </summary>
public class SignatureEntry : IDetectionEntry
{
    /// <summary>Detection category the hit is filed under.</summary>
    public string Category { get; set; }

    /// <summary>Human-readable explanation reported with the hit.</summary>
    public string Description { get; set; }

    /// <summary>Space-separated hex tokens; '?' is a nibble wildcard.</summary>
    public string Trigger { get; set; }

    /// <summary>Compiled ByteScan.Sig once loaded; a JToken straight after JSON deserialization; null when freshly added.</summary>
    public object Tag { get; set; }
}
16 | }
17 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Models/Database/StringEntry.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace AntiNET2.Core.Models.Database
8 | {
/// <summary>
/// Detection-database row stored in <c>DetectionDatabase.Strings</c>. The consuming engine
/// (StringDetection) is not in this part of the tree; <see cref="Trigger"/> is presumably the
/// string literal being searched for — confirm against that engine.
/// </summary>
public class StringEntry : IDetectionEntry
{
    /// <summary>Detection category the hit is filed under.</summary>
    public string Category { get; set; }

    /// <summary>Human-readable explanation reported with the hit.</summary>
    public string Description { get; set; }

    /// <summary>Text the engine matches on.</summary>
    public string Trigger { get; set; }

    /// <summary>Free-form payload for engine-specific data.</summary>
    public object Tag { get; set; }
}
16 | }
17 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Models/Detection.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace AntiNET2.Core.Models
8 | {
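/// <summary>
/// Aggregate of every hit recorded under one detection type (see AssemblySettings.AddDetection).
/// </summary>
public class Detection
{
    /// <summary>Type label shared with the reasons it collects, e.g. "PInvoke".</summary>
    public string DetectionType = string.Empty;

    /// <summary>Hit counter; AssemblySettings.AddDetection increments it together with DetectionReasons.</summary>
    public int TotalDetections = 0;

    /// <summary>Every individual reason filed under this type.</summary>
    public List<Reason> DetectionReasons = new List<Reason>();
}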
16 | }
17 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Models/IDetectionEntry.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace AntiNET2.Core.Models
8 | {
/// <summary>
/// Common shape of a detection-database row. Implemented by PInvokeEntry, ReflectionEntry,
/// SignatureEntry and StringEntry; DetectionDatabase.AddDetection dispatches on the concrete type.
/// </summary>
public interface IDetectionEntry
{
    /// <summary>Detection category the hit is filed under.</summary>
    string Category { get; set; }

    /// <summary>Human-readable explanation reported with the hit.</summary>
    string Description { get; set; }

    /// <summary>Text the owning engine matches on.</summary>
    string Trigger { get; set; }

    /// <summary>Engine-specific payload (for signatures, the compiled ByteScan.Sig).</summary>
    object Tag { get; set; }
}
16 | }
17 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Models/IDetectionProcess.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace AntiNET2.Core.Models
8 | {
/// <summary>
/// A detection engine that inspects one assembly. Implemented in this tree by
/// PInvokeDetection and ReflectionDetection.
/// </summary>
interface IDetectionProcess
{
    /// <summary>
    /// Runs the engine against <paramref name="asm"/>, filing hits through
    /// <c>asm.AddDetection</c>.
    /// </summary>
    /// <returns>Number of detections the engine added.</returns>
    int Detect(AssemblySettings asm);
}
13 | }
14 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Models/Reason.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 |
7 | namespace AntiNET2.Core.Models
8 | {
/// <summary>
/// One individual detection hit: the type it belongs to plus a human-readable message.
/// Immutable after construction.
/// </summary>
public class Reason
{
    /// <summary>Detection type label (mirrors Detection.DetectionType).</summary>
    public string ReasonType { get; }

    /// <summary>Explanation of why the hit fired.</summary>
    public string Message { get; }

    /// <param name="type">Detection type label.</param>
    /// <param name="msg">Explanation text.</param>
    public Reason(string type, string msg)
    {
        ReasonType = type;
        Message = msg;
    }

    /// <summary>Renders as "type - message"; null parts render as empty text.</summary>
    public override string ToString() => $"{ReasonType} - {Message}";
}
23 | }
24 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Providers/Database/DatabaseInfo.cs:
--------------------------------------------------------------------------------
1 | using AntiNET2.Core.Models.Database;
2 | using System;
3 | using System.Collections.Generic;
4 | using System.Linq;
5 | using System.Text;
6 | using System.Threading.Tasks;
7 |
8 | namespace AntiNET2.Core.Providers.Database
9 | {
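/// <summary>
/// Serialized shape of the detection database ("db.json"). Each list is filled by
/// DetectionDatabase.AddDetection according to the entry's concrete type.
/// </summary>
internal class DatabaseInfo
{
    /// <summary>Reflection call entries.</summary>
    public List<ReflectionEntry> Calls { get; set; }

    /// <summary>String literal entries.</summary>
    public List<StringEntry> Strings { get; set; }

    /// <summary>P/Invoke import entries.</summary>
    public List<PInvokeEntry> Natives { get; set; }

    /// <summary>Byte signature entries.</summary>
    public List<SignatureEntry> Signatures { get; set; }
}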
17 | }
--------------------------------------------------------------------------------
/AntiNET2/Core/Providers/Database/DetectionDatabase.cs:
--------------------------------------------------------------------------------
1 | using AntiNET2.Core.Helpers;
2 | using AntiNET2.Core.Models;
3 | using AntiNET2.Core.Models.Database;
4 | using AntiNET2.Core.Providers.Database;
5 | using Newtonsoft.Json;
6 | using Newtonsoft.Json.Linq;
7 | using System;
8 | using System.Collections.Generic;
9 | using System.Diagnostics;
10 | using System.IO;
11 | using System.Linq;
12 | using System.Text;
13 | using System.Threading.Tasks;
14 |
15 | namespace AntiNET2.Core.Providers.Database
16 | {
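/// <summary>
/// Process-wide detection database. Credits to BahNahNah for curing the eye melting mess!
/// Loaded once by the static constructor from "db.json" in the current working directory;
/// a missing file is created empty. The file is trusted as read — there is no integrity
/// check — so whoever can write that directory decides which detections fire.
/// </summary>
public static class DetectionDatabase
{
    /// <summary>Database file name, resolved against the working directory.</summary>
    private const string DatabasePath = "db.json";

    public static List<ReflectionEntry> Calls => Database.Calls;
    public static List<StringEntry> Strings => Database.Strings;
    public static List<PInvokeEntry> Natives => Database.Natives;
    public static List<SignatureEntry> Signatures => Database.Signatures;

    private static DatabaseInfo Database;

    static DetectionDatabase()
    {
        if (!File.Exists(DatabasePath))
        {
            Database = new DatabaseInfo();
            CreateData();
            Save();
        }
        else
        {
            // An empty file or the literal "null" deserializes to null, and a hand-edited
            // file may omit a list; either used to surface as NullReferenceException from
            // LoadSignatures. Fall back to empty lists instead.
            Database = JsonConvert.DeserializeObject<DatabaseInfo>(File.ReadAllText(DatabasePath)) ?? new DatabaseInfo();
            EnsureLists();
        }

        // This has to happen no matter whether it is just created, or just loaded
        // Multiple methods like this will more than likely be made for other things that require 'Tag' to be used.
        LoadSignatures();
    }

    /// <summary>Writes the in-memory database back to <see cref="DatabasePath"/>.</summary>
    public static void Save() => File.WriteAllText(DatabasePath, JsonConvert.SerializeObject(Database));

    /// <summary>Initializes every list of a freshly created database.</summary>
    private static void CreateData()
    {
        Database.Calls = new List<ReflectionEntry>();
        Database.Signatures = new List<SignatureEntry>();
        Database.Natives = new List<PInvokeEntry>();
        Database.Strings = new List<StringEntry>();

        /*for (int i = 0; i < 5000; i++)
        {
            Signatures.Add(new SignatureEntry() { Trigger = "0E 1F BA 0E ?? B4 09 CD ?? B8 01 ?? CD 21", Category = "Test", Description = "Test1" });
            Signatures.Add(new SignatureEntry() { Trigger = "?? 29 D6 F4 3F 14 DE AB F1 84 9B 6A E3 1B ?? 02 ?? 7A AF B6 13 4E E3 83 B9", Category = "Test", Description = "Test2" });
            Signatures.Add(new SignatureEntry() { Trigger = "4D 5A 90 0? 03", Category = "Test", Description = "Test3" });
        }*/
    }

    /// <summary>Replaces any list missing from a loaded file with an empty one.</summary>
    private static void EnsureLists()
    {
        Database.Calls = Database.Calls ?? new List<ReflectionEntry>();
        Database.Signatures = Database.Signatures ?? new List<SignatureEntry>();
        Database.Natives = Database.Natives ?? new List<PInvokeEntry>();
        Database.Strings = Database.Strings ?? new List<StringEntry>();
    }

    /// <summary>
    /// Files <paramref name="entry"/> into the list matching its concrete type.
    /// Entries of any other IDetectionEntry implementation are silently ignored.
    /// </summary>
    public static void AddDetection(IDetectionEntry entry)
    {
        if (entry is ReflectionEntry)
        {
            Database.Calls.Add((ReflectionEntry)entry);
        }
        else if (entry is SignatureEntry)
        {
            Database.Signatures.Add((SignatureEntry)entry);
        }
        else if (entry is PInvokeEntry)
        {
            Database.Natives.Add((PInvokeEntry)entry);
        }
        else if (entry is StringEntry)
        {
            Database.Strings.Add((StringEntry)entry);
        }
    }

    /// <summary>
    /// Ensures every signature's <c>Tag</c> holds a compiled ByteScan.Sig: a null Tag is
    /// compiled from <c>Trigger</c>, a JToken (what JSON deserialization leaves in an
    /// <c>object</c> property) is converted back to a Sig, an existing Sig is left alone.
    /// </summary>
    private static void LoadSignatures()
    {
        foreach (SignatureEntry entry in Signatures)
        {
            // Type test instead of comparing GetType().Name to the string "Sig".
            if (entry.Tag is ByteScan.Sig)
                continue;

            if (entry.Tag == null)
            {
                entry.Tag = ByteScan.CompileSig(entry.Trigger);
            }
            else
            {
                string contents = ((JToken)entry.Tag).ToString();
                entry.Tag = JsonConvert.DeserializeObject<ByteScan.Sig>(contents);
            }
        }
    }
}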
102 | }
103 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Providers/DetectionEngines/Managed/PInvokeDetection.cs:
--------------------------------------------------------------------------------
1 | using AntiNET2.Core.Models;
2 | using AntiNET2.Core.Models.Database;
3 | using AntiNET2.Core.Providers.Database;
4 | using dnlib.DotNet;
5 | using dnlib.DotNet.Emit;
6 | using System;
7 | using System.Collections.Generic;
8 | using System.Linq;
9 | using System.Text;
10 | using System.Threading.Tasks;
11 |
12 | namespace AntiNET2.Core.Providers.DetectionEngines.Managed
13 | {
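/// <summary>
/// Flags P/Invoke imports: any import from a module outside <see cref="commonUsed"/> is
/// reported as uncommon, and imports from common modules are matched against the
/// PInvokeEntry triggers in DetectionDatabase.Natives.
/// </summary>
public class PInvokeDetection : IDetectionProcess
{
    public AssemblySettings _asm;

    /// <summary>
    /// Modules whose imports are not reported as uncommon. Compared case-insensitively:
    /// DllImport module names are case-insensitive on Windows, so "KERNEL32.DLL" must not
    /// be flagged while "kernel32.dll" is allowed.
    /// </summary>
    private List<string> commonUsed = new List<string> { "kernel32.dll", "gdi32.dll", "user32.dll", "mscoree.dll" };

    /// <summary>Scans every P/Invoke method in the module and files detections on <paramref name="asm"/>.</summary>
    /// <returns>Number of detections added.</returns>
    public int Detect(AssemblySettings asm)
    {
        _asm = asm;

        int d = 0;
        foreach (TypeDef td in asm.Module.GetTypes())
        {
            foreach (MethodDef md in td.Methods)
            {
                if (md.IsPinvokeImpl)
                    d += ProcessMethod(md);
            }
        }
        return d;
    }

    /// <summary>Evaluates one P/Invoke method.</summary>
    /// <returns>1 for an uncommon module, otherwise the number of matching database triggers.</returns>
    private int ProcessMethod(MethodDef md)
    {
        // The input assembly is untrusted; guard against the flag being set without an ImplMap row.
        if (md.ImplMap == null)
            return 0;

        string moduleName = md.ImplMap.Module.Name.ToString();
        if (!commonUsed.Contains(moduleName, StringComparer.OrdinalIgnoreCase))
        {
            _asm.AddDetection("PInvoke", new Reason("PInvoke", string.Format("Uncommon PInvoke dll referenced: {0}", moduleName)));
            return 1;
        }

        int d = 0;
        foreach (PInvokeEntry pEntry in DetectionDatabase.Natives)
        {
            if (md.ImplMap.Name.StartsWith(pEntry.Trigger, StringComparison.InvariantCultureIgnoreCase))
            {
                _asm.AddDetection(pEntry.Category, new Reason(pEntry.Category, pEntry.Description));
                d++;
            }
        }
        return d;
    }
}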
62 | }
63 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Providers/DetectionEngines/Managed/ReflectionDetection.cs:
--------------------------------------------------------------------------------
1 | using AntiNET2.Core.Models;
2 | using AntiNET2.Core.Models.Database;
3 | using AntiNET2.Core.Providers.Database;
4 | using dnlib.DotNet;
5 | using dnlib.DotNet.Emit;
6 | using System;
7 | using System.Collections.Generic;
8 | using System.Linq;
9 | using System.Text;
10 | using System.Threading.Tasks;
11 |
12 | namespace AntiNET2.Core.Providers.DetectionEngines.Managed
13 | {
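public class ReflectionDetection : IDetectionProcess
{
    /// <summary>Assembly under scan; set by <see cref="Detect"/> and read by the per-method pass.</summary>
    public AssemblySettings _asm;

    /// <summary>
    /// Scans the IL of every method body for <c>calli</c> and for <c>call</c>/<c>callvirt</c> targets
    /// listed in <see cref="DetectionDatabase.Calls"/>.
    /// </summary>
    /// <param name="asm">The loaded assembly; its <c>Module</c> is enumerated.</param>
    /// <returns>Number of detections raised.</returns>
    public int Detect(AssemblySettings asm)
    {
        _asm = asm;
        int total = 0;

        foreach (TypeDef td in asm.Module.GetTypes())
        {
            foreach (MethodDef md in td.Methods)
            {
                if (!md.HasBody)
                {
                    continue;
                }

                total += ProcessMethod(md);
            }
        }

        return total;
    }

    /// <summary>
    /// Inspects one method body. Each <c>calli</c> raises a "Call" detection; each <c>call</c> or
    /// <c>callvirt</c> whose textual form contains a database trigger raises that entry's detection.
    /// </summary>
    /// <param name="md">A method with a body.</param>
    /// <returns>Number of detections raised for this method.</returns>
    private int ProcessMethod(MethodDef md)
    {
        int d = 0;
        foreach (Instruction inst in md.Body.Instructions)
        {
            if (inst.OpCode == OpCodes.Calli)
            {
                // You shouldn't ever come across calli when an obfuscator isn't present... no?
                _asm.AddDetection("Call", new Reason("Call", "Calli Present, could be a sign of hiding behind an obfuscator"));
                d++;
            }

            if (inst.OpCode != OpCodes.Call && inst.OpCode != OpCodes.Callvirt)
            {
                continue;
            }

            // Render the call site once; the previous version re-lower-cased it for every database
            // entry. Ordinal, case-insensitive matching replaces ToLower() so the comparison does not
            // depend on the scanning machine's culture.
            string callText = inst.ToString();
            foreach (ReflectionEntry callEntry in DetectionDatabase.Calls)
            {
                // An empty trigger would match every call; treat it as a broken database row.
                if (string.IsNullOrEmpty(callEntry.Trigger))
                {
                    continue;
                }

                if (callText.IndexOf(callEntry.Trigger, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    _asm.AddDetection(callEntry.Category, new Reason(callEntry.Category, callEntry.Description));
                    d++;
                }
            }
        }
        return d;
    }
}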
66 | }
67 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Providers/DetectionEngines/Managed/ResourceDetection.cs:
--------------------------------------------------------------------------------
1 | using AntiNET2.Core.Models;
2 | using dnlib.DotNet;
3 | using System;
4 | using System.Collections;
5 | using System.Collections.Generic;
6 | using System.Drawing;
7 | using System.Linq;
8 | using System.Resources;
9 | using System.Text;
10 | using System.Threading.Tasks;
11 | using AntiNET2.Core.Extensions;
12 | using AntiNET2.Core.Helpers;
13 |
14 | namespace AntiNET2.Core.Providers.DetectionEngines.Managed
15 | {
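public class ResourceDetection : IDetectionProcess
{
    private AssemblySettings _asm;

    // Payload length -> first embedded resource seen with that length. A second payload of the same
    // length is reported as a possible duplicate / split resource.
    private readonly Dictionary<int, EmbeddedResource> sizeHandler = new Dictionary<int, EmbeddedResource>();

    // Names of all manifest resources of the module under scan (filled at the start of Detect).
    private readonly List<string> manifestNames = new List<string>();

    // Two resource names closer than this Levenshtein distance count as "consistent naming".
    private const int NameSimilarityThreshold = 5;

    // Declared-type string that ResourceReader.GetResourceData() returns for a byte[] entry.
    private const string ByteArrayTypeCode = "ResourceTypeCode.ByteArray";

    /// <summary>
    /// Inspects every embedded resource of the module: flags resources with no matching type, opaque
    /// (non-.resources) blobs, oversized or same-sized payloads, signature hits inside payloads and
    /// suspiciously similar naming.
    /// </summary>
    /// <param name="asm">Assembly under scan; detections are added to it.</param>
    /// <returns>Number of detections raised by this engine.</returns>
    /// <remarks>
    /// Entries of a .resources set are read through <c>ResourceReader.GetResourceData</c> as raw bytes.
    /// The previous implementation enumerated <see cref="DictionaryEntry"/> values, which makes
    /// <see cref="ResourceReader"/> run BinaryFormatter over attacker-supplied bytes for every
    /// non-primitive entry - a code-execution sink in a tool whose inputs are malware samples. The
    /// Bitmap width/height heuristic depended on that deserialization and was dropped with it.
    /// </remarks>
    public int Detect(AssemblySettings asm)
    {
        _asm = asm;
        ModuleDefMD mod = asm.Module;
        int d = 0;

        // Reset per call so a reused engine instance does not carry state from a previous module.
        manifestNames.Clear();
        sizeHandler.Clear();
        foreach (Resource res in mod.Resources)
        {
            manifestNames.Add(res.Name);
        }

        foreach (Resource res in mod.Resources)
        {
            EmbeddedResource ebr = res as EmbeddedResource;
            if (ebr == null)
            {
                continue; // linked resources carry no data inside this module
            }

            if (GetAssociatedType(mod, ebr.Name) == null)
            {
                asm.AddDetection("Resources", new Reason("Resources", "Associated type with the resource was not found"));
                d++;
            }

            ResourceReader reader = TryOpenResourceReader(ebr);
            if (reader == null)
            {
                d += InspectOpaqueResource(ebr);
            }
            else
            {
                // The previous version never disposed the reader (nor the stream it wraps).
                using (reader)
                {
                    d += InspectResourceSet(reader, ebr);
                }
            }
        }

        return d;
    }

    /// <summary>
    /// Opens an embedded resource as a .resources set, or returns null when it is not one.
    /// <see cref="ResourceReader"/> validates the header in its constructor, so a plain blob fails here.
    /// </summary>
    private static ResourceReader TryOpenResourceReader(EmbeddedResource ebr)
    {
        try
        {
            return new ResourceReader(ebr.GetResourceStream());
        }
        catch (Exception)
        {
            // Probably null or such: not a .resources blob, or no stream to read.
            return null;
        }
    }

    /// <summary>
    /// Tests a resource that is not a .resources set: it is reported as an opaque manifest resource,
    /// its bytes go through <see cref="ByteTests"/> (when longer than 32 bytes) and its name is compared
    /// with the other manifest resource names.
    /// </summary>
    private int InspectOpaqueResource(EmbeddedResource ebr)
    {
        int d = 0;

        _asm.AddDetection("Resources", new Reason("Resources", "Resource is a manifest resource, could contain malicious details."));
        d++;

        // Read once; the original called GetResourceData() twice for the same resource.
        byte[] data = ebr.GetResourceData() ?? new byte[0];
        if (data.Length > 32)
        {
            d += ByteTests(data, ebr);
        }

        d += NameTests(ebr.Name, manifestNames);
        return d;
    }

    /// <summary>
    /// Tests every entry of a .resources set without materializing its values: byte[] entries go
    /// through <see cref="ByteTests"/>, every entry name is compared with its sibling names.
    /// </summary>
    private int InspectResourceSet(ResourceReader reader, EmbeddedResource ebr)
    {
        int d = 0;

        // First pass: names only. The enumerator's Key does not touch the value, so nothing is
        // deserialized here (Current/Entry/Value would).
        List<string> entryNames = new List<string>();
        IDictionaryEnumerator names = reader.GetEnumerator();
        while (names.MoveNext())
        {
            entryNames.Add((string)names.Key);
        }

        foreach (string key in entryNames)
        {
            string typeName;
            byte[] raw;
            try
            {
                // Raw bytes as stored, plus the declared type; no object is constructed from them.
                reader.GetResourceData(key, out typeName, out raw);
            }
            catch (Exception)
            {
                // Corrupt entry (bad type code / data offset). Skip it; the name test below still runs
                // on the names collected above.
                d += NameTests(key, entryNames);
                continue;
            }

            if (typeName == ByteArrayTypeCode && raw != null)
            {
                d += ByteTests(StripByteArrayLengthPrefix(raw), ebr);
            }

            d += NameTests(key, entryNames);
        }

        return d;
    }

    /// <summary>
    /// A byte[] entry is stored as an Int32 length followed by the data, and GetResourceData returns
    /// that stored form. Drop the prefix when it is consistent with the buffer length; otherwise return
    /// the buffer untouched so a different on-disk layout never truncates real data.
    /// </summary>
    private static byte[] StripByteArrayLengthPrefix(byte[] raw)
    {
        if (raw.Length >= 4 && BitConverter.ToInt32(raw, 0) == raw.Length - 4)
        {
            byte[] payload = new byte[raw.Length - 4];
            Buffer.BlockCopy(raw, 4, payload, 0, payload.Length);
            return payload;
        }
        return raw;
    }

    /// <summary>
    /// Size and content heuristics for one payload: larger than 300 KB, same length as an earlier
    /// payload, and (for anything longer than 8 bytes) the shared byte-signature scan.
    /// </summary>
    /// <param name="array">Payload bytes.</param>
    /// <param name="ebr">Resource the payload belongs to; remembered for the same-length check.</param>
    /// <returns>Number of detections raised.</returns>
    private int ByteTests(byte[] array, EmbeddedResource ebr)
    {
        int d = 0;
        if (array.Length > 300000)
        {
            _asm.AddDetection("Resources", new Reason("Resources", "Large resource was found, larger than 300KB"));
            d++;
        }

        if (sizeHandler.ContainsKey(array.Length))
        {
            _asm.AddDetection("Resources", new Reason("Resources", "Another resource has the same data/length."));
            d++;
        }
        else
        {
            sizeHandler.Add(array.Length, ebr);
        }

        if (array.Length > 8)
        {
            d += array.SigDetection(_asm, "Resources");
        }
        return d;
    }

    /// <summary>
    /// Raises one detection when any other name in <paramref name="testAgainst"/> is within
    /// <see cref="NameSimilarityThreshold"/> edits of <paramref name="resEntryName"/>.
    /// </summary>
    /// <remarks>
    /// The previous version compared against a single randomly chosen sibling (and, with
    /// <c>Next(Count - 1)</c>, could never pick the last one or threw on an empty list), so the same
    /// file scanned twice could produce different results. It also measured the distance from the
    /// outer resource's name rather than from the entry being tested.
    /// </remarks>
    private int NameTests(string resEntryName, List<string> testAgainst)
    {
        if (string.IsNullOrEmpty(resEntryName) || testAgainst.Count < 2)
        {
            return 0; // nothing else to compare against
        }

        foreach (string other in testAgainst)
        {
            if (other == resEntryName)
            {
                continue;
            }

            if (LevenshteinDistance.Compute(resEntryName, other) < NameSimilarityThreshold)
            {
                _asm.AddDetection("Resources", new Reason("Resources", "Resource naming was consistent across others. Could mean split resources."));
                return 1;
            }
        }
        return 0;
    }

    /// <summary>
    /// Finds the first top-level type whose full name contains the resource name minus a trailing
    /// ".resources", or null when there is none (or when nothing is left to search for).
    /// </summary>
    private static TypeDef GetAssociatedType(ModuleDefMD mod, string name)
    {
        const string suffix = ".resources";
        string baseName = name ?? string.Empty;
        if (baseName.EndsWith(suffix, StringComparison.Ordinal))
        {
            baseName = baseName.Substring(0, baseName.Length - suffix.Length);
        }

        // Contains("") is true for every type; an empty search term must not "find" the first type.
        if (baseName.Length == 0)
        {
            return null;
        }

        foreach (TypeDef td in mod.Types)
        {
            if (td.FullName.Contains(baseName))
            {
                return td;
            }
        }
        return null;
    }
}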
170 | }
171 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Providers/DetectionEngines/Managed/StringDetection.cs:
--------------------------------------------------------------------------------
1 | using AntiNET2.Core.Models;
2 | using AntiNET2.Core.Models.Database;
3 | using AntiNET2.Core.Providers.Database;
4 | using dnlib.DotNet;
5 | using dnlib.DotNet.Emit;
6 | using System;
7 | using System.Collections.Generic;
8 | using System.Linq;
9 | using System.Text;
10 | using System.Threading.Tasks;
11 |
12 | namespace AntiNET2.Core.Providers.DetectionEngines.Managed
13 | {
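public class StringDetection : IDetectionProcess
{
    private AssemblySettings _asm;

    /// <summary>
    /// Scans every method body for <c>ldstr</c> operands containing a
    /// <see cref="DetectionDatabase.Strings"/> trigger.
    /// </summary>
    /// <param name="asm">The loaded assembly; its <c>Module</c> is enumerated.</param>
    /// <returns>Number of detections raised.</returns>
    public int Detect(AssemblySettings asm)
    {
        _asm = asm;
        int total = 0;

        foreach (TypeDef td in asm.Module.GetTypes())
        {
            foreach (MethodDef md in td.Methods)
            {
                if (!md.HasBody)
                {
                    continue;
                }
                total += ProcessMethod(md);
            }
        }

        return total;
    }

    /// <summary>
    /// Checks each string literal loaded in one method body against the database triggers.
    /// Matching is ordinal and case-insensitive, replacing the culture-dependent ToLower() pair.
    /// </summary>
    /// <param name="md">A method with a body.</param>
    /// <returns>Number of detections raised for this method.</returns>
    private int ProcessMethod(MethodDef md)
    {
        int d = 0;
        foreach (Instruction inst in md.Body.Instructions)
        {
            if (inst.OpCode != OpCodes.Ldstr)
            {
                continue;
            }

            string data = inst.Operand as string;
            if (data == null)
            {
                continue; // malformed operand; the original would have thrown on ToLower()
            }

            foreach (StringEntry pEntry in DetectionDatabase.Strings)
            {
                // An empty trigger would match every literal; treat it as a broken database row.
                if (string.IsNullOrEmpty(pEntry.Trigger))
                {
                    continue;
                }

                if (data.IndexOf(pEntry.Trigger, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    _asm.AddDetection("ManagedStrings", new Reason("ManagedStrings", pEntry.Description));
                    d++;
                }
            }
        }
        return d;
    }
}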
55 | }
56 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Providers/DetectionEngines/Native/EOFDetection.cs:
--------------------------------------------------------------------------------
1 | using AntiNET2.Core.Models;
2 | using dnlib.DotNet;
3 | using dnlib.PE;
4 | using System;
5 | using System.Collections.Generic;
6 | using System.IO;
7 | using System.Linq;
8 | using System.Text;
9 | using System.Threading.Tasks;
10 | using AntiNET2.Core.Extensions;
11 |
12 | namespace AntiNET2.Core.Providers.DetectionEngines.Native
13 | {
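public class EOFDetection : IDetectionProcess
{
    private PEImage mod;

    // Index of IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header's data directories. For this
    // directory VirtualAddress is a file offset, not an RVA, and it points at the Authenticode
    // certificate table, which by design lives after the last section - i.e. in the overlay.
    private const int SecurityDirectoryIndex = 4;

    // Number of overlay bytes handed to the shared signature scan.
    private const int OverlayProbeLength = 8;

    /// <summary>
    /// Reports data appended after the last section ("overlay") and runs the byte-signature scan on its
    /// first <see cref="OverlayProbeLength"/> bytes.
    /// </summary>
    /// <param name="asm">Assembly under scan; <c>NativeImage</c> supplies headers and file stream.</param>
    /// <returns>Number of detections raised.</returns>
    /// <remarks>
    /// The end of the sections is the largest PointerToRawData + SizeOfRawData over all headers, not the
    /// last header's: section headers need not be in file order. An Authenticode certificate table that
    /// starts exactly where the sections end is skipped, because otherwise every signed binary would be
    /// reported as carrying EOF data.
    /// </remarks>
    public int Detect(AssemblySettings asm)
    {
        int d = 0;
        mod = asm.NativeImage;

        long endOfSections = ComputeEndOfSections(mod);
        if (endOfSections < 0)
        {
            return d; // no section headers: nothing to define an overlay against
        }

        using (var pe = mod.CreateFullStream())
        {
            long fileLength = pe.Length;
            long overlayStart = SkipCertificateTable(mod, endOfSections, fileLength);

            // Check whether it's got EOF anyway
            if (fileLength <= overlayStart)
            {
                return d;
            }

            // ">=" rather than the original ">": an overlay of exactly 8 bytes is still scannable.
            if (fileLength - overlayStart >= OverlayProbeLength)
            {
                pe.Position = overlayStart;
                byte[] eof = pe.ReadBytes(OverlayProbeLength);

                d += eof.SigDetection(asm, "End of File");
            }
            asm.AddDetection("End of File", new Reason("End of File", "End of File data detected, could be storage for malicious content or settings"));
            d++;
        }

        return d;
    }

    /// <summary>
    /// Largest raw end offset over all section headers, or -1 when there are none. Computed in 64-bit
    /// so a hostile header cannot wrap the uint sum.
    /// </summary>
    private static long ComputeEndOfSections(PEImage image)
    {
        long end = -1;
        foreach (var sec in image.ImageSectionHeaders)
        {
            long secEnd = (long)sec.PointerToRawData + sec.SizeOfRawData;
            if (secEnd > end)
            {
                end = secEnd;
            }
        }
        return end;
    }

    /// <summary>
    /// Returns the offset at which non-signature overlay data would begin: <paramref name="eofOffset"/>
    /// itself, or the end of the certificate table when that table starts exactly at
    /// <paramref name="eofOffset"/> (clamped to the file length).
    /// </summary>
    private static long SkipCertificateTable(PEImage image, long eofOffset, long fileLength)
    {
        var dirs = image.ImageNTHeaders.OptionalHeader.DataDirectories;
        if (dirs == null || dirs.Length <= SecurityDirectoryIndex)
        {
            return eofOffset;
        }

        var cert = dirs[SecurityDirectoryIndex];
        long certStart = (long)(uint)cert.VirtualAddress;
        long certSize = cert.Size;
        if (certSize == 0 || certStart != eofOffset)
        {
            return eofOffset;
        }

        long certEnd = certStart + certSize;
        return certEnd > fileLength ? fileLength : certEnd;
    }
}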
49 | }
50 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Providers/DetectionEngines/Native/SectionDetection.cs:
--------------------------------------------------------------------------------
1 | using AntiNET2.Core.Models;
2 | using dnlib.PE;
3 | using System;
4 | using System.Collections.Generic;
5 | using System.Linq;
6 | using System.Text;
7 | using System.Threading.Tasks;
8 |
9 | namespace AntiNET2.Core.Providers.DetectionEngines.Native
10 | {
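public class SectionDetection : IDetectionProcess
{
    private PEImage mod;

    // Characteristics expected for the well-known section names (the same values the original switch
    // compared against). A known name with different flags is reported as possibly spoofed; a name
    // missing from the table is reported as uncommon.
    private static readonly Dictionary<string, uint> ExpectedCharacteristics = new Dictionary<string, uint>(StringComparer.Ordinal)
    {
        { ".text",  0x60000020 },
        { ".rsrc",  0x40000040 },
        { ".rdata", 0x40000040 },
        { ".idata", 0xC0000040 },
        { ".data",  0xC0000040 },
        { ".reloc", 0x42000040 },
        { ".bss",   0xC0000080 },
    };

    /// <summary>
    /// Checks every section header: name must start with a dot, name must be one of the well-known
    /// ones, and a well-known name must carry its usual characteristics.
    /// </summary>
    /// <param name="asm">Assembly under scan; <c>NativeImage</c> supplies the section headers.</param>
    /// <returns>Number of detections raised.</returns>
    public int Detect(AssemblySettings asm)
    {
        int d = 0;
        mod = asm.NativeImage;

        foreach (var sect in mod.ImageSectionHeaders)
        {
            string dispName = sect.DisplayName ?? string.Empty;
            uint attrs = sect.Characteristics;

            if (!dispName.StartsWith(".", StringComparison.Ordinal))
            {
                asm.AddDetection("Sections", new Reason("Sections", string.Format("Section {0} does not start with a dot. Could be invalid section.", dispName)));
                d++;
            }

            uint expected;
            if (!ExpectedCharacteristics.TryGetValue(dispName, out expected))
            {
                asm.AddDetection("Sections", new Reason("Sections", string.Format("Section {0} is not a common section name. Could contain malicious content.", dispName)));
                d++;
            }
            else if (attrs != expected)
            {
                asm.AddDetection("Sections", new Reason("Sections", string.Format("Section {0} does not have the correct attributes. Could be spoofed.", dispName)));
                // The original added this reason without incrementing the count, so the engine's
                // return value disagreed with the reasons it had recorded.
                d++;
            }
        }

        return d;
    }
}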
88 | }
89 |
--------------------------------------------------------------------------------
/AntiNET2/Core/Providers/DetectionEngines/Native/SignatureDetection.cs:
--------------------------------------------------------------------------------
1 | using AntiNET2.Core.Models;
2 | using AntiNET2.Core.Models.Database;
3 | using AntiNET2.Core.Providers.Database;
4 | using AntiNET2.Core.Extensions;
5 |
6 | using dnlib.DotNet;
7 | using dnlib.DotNet.Emit;
8 | using System;
9 | using System.Collections.Generic;
10 | using System.IO;
11 | using System.Linq;
12 | using System.Text;
13 | using System.Threading.Tasks;
14 | using System.Diagnostics;
15 | using static AntiNET2.Core.Helpers.ByteScan;
16 |
17 | namespace AntiNET2.Core.Providers.DetectionEngines.Native
18 | {
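public class SignatureDetection : IDetectionProcess
{
    private AssemblySettings _asm;

    /// <summary>
    /// Runs every compiled signature in <see cref="DetectionDatabase.Signatures"/> over the raw bytes
    /// of the file on disk and raises one detection per match.
    /// </summary>
    /// <param name="asm">Assembly under scan; <c>NativeImage.FileName</c> names the file to read.</param>
    /// <returns>Number of detections raised; a read/scan failure is recorded as one "error" reason.</returns>
    public int Detect(AssemblySettings asm)
    {
        _asm = asm;
        int d = 0;

        //asm.NativeImage.UnsafeDisableMemoryMappedIO();
        try
        {
            byte[] file = File.ReadAllBytes(asm.NativeImage.FileName);

            foreach (SignatureEntry sig in DetectionDatabase.Signatures)
            {
                // Tag is compiled by DetectionDatabase.LoadSignatures(). An entry that was not (or that
                // was persisted in a different shape) is skipped instead of turning into an
                // InvalidCastException that aborts every remaining signature.
                if (!(sig.Tag is Sig))
                {
                    continue;
                }

                long sigIndex = ((Sig)sig.Tag).Scan(file);
                if (sigIndex == -1)
                {
                    continue;
                }

                // Should I insert the sig Category here instead of "Signature"?
                asm.AddDetection("Signature", new Reason("Signature", string.Format("Matched {0} ({2}) at offset 0x{1}", sig.Trigger, sigIndex.ToString("X2"), sig.Description)));
                d++;
            }
        }
        catch (Exception)
        {
            // File access issue? Recorded as a reason so the caller can see why the pass produced nothing.
            asm.AddDetection("Signature", new Reason("Signature", "Error when processing signatures"));
            d++;
        }

        return d;
    }
}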
57 | }
58 |
--------------------------------------------------------------------------------
/AntiNET2/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("AntiNET2")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
// NOTE(review): Company/Copyright still carry the Visual Studio template defaults ("Microsoft");
// LICENSE.md names Panthere as the copyright holder — confirm which is intended before shipping.
[assembly: AssemblyCompany("Microsoft")]
[assembly: AssemblyProduct("AntiNET2")]
[assembly: AssemblyCopyright("Copyright © Microsoft 2017")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("a9e94c24-bc8a-44c6-9c03-569025236466")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/AntiNET2/Scanner.cs:
--------------------------------------------------------------------------------
1 | using AntiNET2.Core.Models;
2 | using AntiNET2.Core.Providers.Database;
3 | using AntiNET2.Core.Providers.DetectionEngines.Managed;
4 | using AntiNET2.Core.Providers.DetectionEngines.Native;
5 | using dnlib.DotNet;
6 | using dnlib.PE;
7 | using System;
8 | using System.Collections.Generic;
9 | using System.Diagnostics;
10 | using System.Linq;
11 | using System.Text;
12 | using System.Threading.Tasks;
13 |
14 | namespace AntiNET2
15 | {
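public static class Scanner
{
    /// <summary>
    /// Loads <paramref name="file"/> as a .NET module (falling back to a plain PE image when it is not
    /// managed), runs every applicable detection engine and returns the collected detections.
    /// </summary>
    /// <param name="file">Path of the file to scan.</param>
    /// <param name="detectionCount">Receives the sum of the engines' detection counts; 0 when the file
    /// could not be opened as a PE image at all.</param>
    /// <returns>The assembly's accumulated detections, or an empty list when the file could not be opened.</returns>
    /// <remarks>
    /// Whatever was opened (the managed module, or the bare PE image) is disposed before returning so the
    /// file mapping is not held across scans. The previous version never released it and also blocked on
    /// <c>Console.ReadLine()</c> from inside this library call when the PE could not be opened.
    /// </remarks>
    public static List<Detection> Scan(string file, out int detectionCount)
    {
        AssemblySettings asmSettings = new AssemblySettings();

        bool isNet = true;
        try
        {
            asmSettings.Module = ModuleDefMD.Load(file);
        }
        catch (Exception)
        {
            // Not a managed module (or not loadable as one): fall back to the native-only engines.
            isNet = false;
        }

        try
        {
            if (isNet)
            {
                asmSettings.NativeImage = asmSettings.Module.MetaData.PEImage as PEImage;
            }
            else
            {
                try
                {
                    asmSettings.NativeImage = new PEImage(file);
                }
                catch (Exception ex)
                {
                    // Cannot continue execution: not a PE at all, or unreadable.
                    Console.Error.WriteLine(ex);
                    detectionCount = 0;
                    return new List<Detection>();
                }
            }

            List<IDetectionProcess> engines = new List<IDetectionProcess>();

            // Managed-only engines need the dnlib module; the native ones only need the PE image.
            if (isNet)
            {
                engines.Add(new ResourceDetection());
                engines.Add(new StringDetection());
                engines.Add(new ReflectionDetection());
                engines.Add(new PInvokeDetection());
            }

            engines.Add(new EOFDetection());
            engines.Add(new SectionDetection());
            engines.Add(new SignatureDetection());

            detectionCount = engines.Sum(x => x.Detect(asmSettings));

            DetectionDatabase.Save();

            return asmSettings.TotalDetections;
        }
        finally
        {
            // The module owns its PE image, so disposing one or the other is enough.
            if (asmSettings.Module != null)
            {
                asmSettings.Module.Dispose();
            }
            else if (asmSettings.NativeImage != null)
            {
                asmSettings.NativeImage.Dispose();
            }
        }
    }
}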
77 | }
78 |
--------------------------------------------------------------------------------
/AntiNET2/packages.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/AntiNETCLI/AntiNETCLI.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {B3ED1DBF-32FA-40AC-ACE2-B57FDD4A1C0C}
8 | Exe
9 | Properties
10 | AntiNETCLI
11 | AntiNETCLI
12 | v4.5.2
13 | 512
14 | true
15 |
16 |
17 | AnyCPU
18 | true
19 | full
20 | false
21 | bin\Debug\
22 | DEBUG;TRACE
23 | prompt
24 | 4
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 | ..\Dependencies\dnlib.dll
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 | {D3E5408C-57FE-43F9-AA38-B10BD6390D80}
58 | AntiNET2
59 |
60 |
61 |
62 |
69 |
--------------------------------------------------------------------------------
/AntiNETCLI/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/AntiNETCLI/Program.cs:
--------------------------------------------------------------------------------
1 | using AntiNET2;
2 | using AntiNET2.Core.Models;
3 | using AntiNET2.Core.Models.Database;
4 | using AntiNET2.Core.Providers;
5 | using AntiNET2.Core.Providers.Database;
6 | using AntiNET2.Core.Providers.DetectionEngines.Managed;
7 | using AntiNET2.Core.Providers.DetectionEngines.Native;
8 | using dnlib.DotNet;
9 | using dnlib.PE;
10 | using System;
11 | using System.Collections.Generic;
12 | using System.Diagnostics;
13 | using System.Linq;
14 | using System.Text;
15 | using System.Threading.Tasks;
16 |
17 | namespace AntiNETCLI
18 | {
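class Program
{
    /// <summary>
    /// Command-line entry point: scans the file named by the first argument and prints the detections
    /// grouped by detection type and reason type, with a count per distinct message.
    /// </summary>
    static void Main(string[] args)
    {
        if (args.Length < 1 || string.IsNullOrWhiteSpace(args[0]))
        {
            // The original indexed args[0] unconditionally and died with IndexOutOfRangeException.
            Console.Error.WriteLine("Usage: AntiNETCLI <path-to-file>");
            return;
        }

        Stopwatch sw = new Stopwatch();

        Console.Title = "AntiNET - \"False positive? Never!!1\"";

        // Trigger the db loading because it'll be counted in the time otherwise :s
        // Reading the static property runs the type initializer; KeepAlive just makes the read observable
        // to the compiler without the empty if-block the original used.
        GC.KeepAlive(DetectionDatabase.Calls);

        //AddDets();

        int totalDetections = 0;
        sw.Start();
        List<Detection> totalDetectionList = Scanner.Scan(args[0], out totalDetections);
        sw.Stop();

        Console.WriteLine("Total Detection: {0}", totalDetections);

        PrintGrouped(totalDetectionList);

        Console.WriteLine("Total time taken for scanning: {0}", sw.Elapsed.TotalSeconds);

        // Keep the window open for a double-click launch, but do not hang a scripted / piped run.
        if (!Console.IsInputRedirected)
        {
            Console.ReadKey();
        }
    }

    /// <summary>
    /// Prints each reason type once, followed by "Nx message" lines for its distinct messages.
    /// Groups keep first-occurrence order, which is the order the original's dictionaries iterated in.
    /// </summary>
    private static void PrintGrouped(IEnumerable<Detection> detections)
    {
        foreach (var byType in detections.GroupBy(x => x.DetectionType))
        {
            foreach (var detection in byType)
            {
                foreach (var byReason in detection.DetectionReasons.GroupBy(a => a.ReasonType))
                {
                    Console.WriteLine(byReason.Key);
                    foreach (var byMessage in byReason.GroupBy(a => a.Message))
                    {
                        Console.WriteLine("\t{0}x {1}", byMessage.Count(), byMessage.Key);
                    }
                }
            }
        }
    }

    /// <summary>
    /// Seeds the detection database with the built-in P/Invoke and reflection entries. Not called from
    /// <see cref="Main"/> (see the commented-out call); kept as the reference set.
    /// </summary>
    static void AddDets()
    {
        foreach (PInvokeEntry p in SeedPInvokeEntries())
        {
            DetectionDatabase.AddDetection(p);
        }

        foreach (ReflectionEntry r in SeedReflectionEntries())
        {
            DetectionDatabase.AddDetection(r);
        }
    }

    // Builds one P/Invoke entry; argument order mirrors the object initializers it replaces.
    private static PInvokeEntry PInvoke(string category, string description, string trigger, string tag)
    {
        return new PInvokeEntry() { Category = category, Description = description, Trigger = trigger, Tag = tag };
    }

    // Builds one reflection entry; argument order mirrors the object initializers it replaces.
    private static ReflectionEntry Reflection(string trigger, string description, string category, string tag)
    {
        return new ReflectionEntry() { Trigger = trigger, Description = description, Category = category, Tag = tag };
    }

    /// <summary>Built-in P/Invoke triggers, in the original order.</summary>
    private static IEnumerable<PInvokeEntry> SeedPInvokeEntries()
    {
        return new[]
        {
            PInvoke("Dynamic Calls", "Get Process Address", "GetProcAddress", "DynCalls"),
            PInvoke("Memory", "Read Process Memory", "ReadProcessMemory", "Mem"),
            PInvoke("Memory", "Write Process Memory", "WriteProcessMemory", "Mem"),
            PInvoke("Thread", "Resume Thread", "ResumeThread", "Threads"),
            PInvoke("Process", "Create new process", "CreateProcess", "Procs"),
            PInvoke("Process", "Open process", "OpenProcess", "Procs"),
            PInvoke("Memory", "Protect Memory", "VirtualProtect", "Mem"),
            PInvoke("Memory", "Allocate Memory", "VirtualAlloc", "Mem"),
            PInvoke("Process", "Terminate process", "TerminateProcess", "Procs"),
            PInvoke("Anti-Debug", "Output to debugger", "OutputDebugString", "Debug"),
            PInvoke("Anti-Debug", "Check if debugger present", "IsDebuggerPresent", "Debug"),
            PInvoke("Process", "Set Critical Process", "RtlSetProcessIsCritical", "Procs"),
            PInvoke("Dynamic Calls", "Load External Library", "LoadLibrary", "DynCalls"),
            PInvoke("Thread", "Set thread context", "SetThreadContext", "Threads"),
            PInvoke("Thread", "Set thread context x64", "Wow64SetThreadContext", "Threads"),
            PInvoke("Hook", "Low level Windows Hook", "SetWindowsHook", "Hooks"),
        };
    }

    /// <summary>
    /// Built-in reflection triggers, in the original order. The original listed
    /// "System.Reflection.Assembly::GetManifestResource" twice, which made every matching call site
    /// count double; it is seeded once here.
    /// </summary>
    private static IEnumerable<ReflectionEntry> SeedReflectionEntries()
    {
        return new[]
        {
            Reflection("System.AppDomain::Load", "Loading Assembly (Appdomain)", "Load", "Load"),
            Reflection("System.Reflection.Assembly::Load", "Loading Assembly", "Load", "Load"),
            Reflection("System.Runtime.CompilerServices.RuntimeHelpers", "Loading Assembly by Invoke (RuntimeHelpers)", "Load", "Load"),
            Reflection("System.Reflection.Assembly::get_EntryPoint", "Getting Assembly EntryPoint", "Invoke", "Invoke"),
            Reflection("System.Reflection.MethodBase::Invoke", "Invoking method with MethodBase", "Invoke", "Invoke"),
            Reflection("System.Type::InvokeMember", "Invoking method with Type.InvokeMember", "Invoke", "Invoke"),
            Reflection("Microsoft.VisualBasic.CompilerServices.NewLateBinding::", "Late binding to invoke data", "Invoke", "Invoke"),
            Reflection("Microsoft.VisualBasic.CompilerServices.Operators::OrObject", "Or Object is used with NewLateBinding", "Invoke", "Invoke"),
            Reflection("System.Reflection.Module::ResolveSignature", "Resolve signature to byte array (store data)", "Resources", "Resources"),
            Reflection("System.Reflection.Module::ResolveMethod", "Resolve a method from MD Token", "Invoke", "Invoke"),
            Reflection("System.Type::GetMethod", "Gets Method(s) from a type", "Invoke", "Invoke"),
            Reflection("System.Module::GetTypes", "Gets Type(s) from a Module", "Invoke", "Invoke"),
            Reflection("System.Reflection.Emit.OpCodes", "Initializing CIL related data", "Dynamic", "Dynamic"),
            Reflection("System.Reflection.Emit.ILGenerator", "Using IL Generator", "Dynamic", "Dynamic"),
            Reflection("System.Runtime.InteropServices.Marshal::Alloc", "Marshal Memory Allocation", "Dynamic", "Dynamic"),
            Reflection("System.Runtime.InteropServices.GCHandle::Alloc", "GC Handle Allocation", "Dynamic", "Dynamic"),
            Reflection("System.Resources.ResourceManager::.ctor", "Initializing ResourceManager", "Resources", "Resources"),
            Reflection("System.Resources.ResourceManager::GetObject", "Getting Object from Resource Manager", "Resources", "Resources"),
            Reflection("System.Reflection.Assembly::GetManifestResource", "Getting Resource from Assembly", "Resources", "Resources"),
            Reflection("System.Reflection.Assembly::GetManifestResourceNames", "Getting Resource Names from Assembly", "Resources", "Resources"),
        };
    }
}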
393 | }
394 |
--------------------------------------------------------------------------------
/AntiNETCLI/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("AntiNETCLI")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("AntiNETCLI")]
[assembly: AssemblyCopyright("Copyright © 2017")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM.
// It is the same value as the ProjectGuid in AntiNETCLI.csproj.
[assembly: Guid("b3ed1dbf-32fa-40ac-ace2-b57fdd4a1c0c")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/CONTRIBUTERS.md:
--------------------------------------------------------------------------------
1 | 1. [BahNahNah](https://github.com/BahNahNah)
--------------------------------------------------------------------------------
/Dependencies/dnlib.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Panthere/AntiNET/ce0fb4ed845a70f5ffaa99bce7e35a91ee6167f1/Dependencies/dnlib.dll
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2017 Panthere
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # AntiNET
2 | A small, work-in-progress static scanner for .NET assemblies.
3 |
4 | It is meant to help triage potentially malicious samples by flagging suspicious indicators in an assembly's metadata and raw bytes. Detections are indicators, not verdicts: deciding whether a detection is actually a threat is still on the TODO list, so treat results as leads for manual analysis. Because the inputs are by definition untrusted binaries, run the scanner on an isolated analysis host.
5 |
6 | # Features
7 | - Managed (.NET metadata/IL) and native (PE) detection engines
8 | - Scan-time only: detections come from static inspection, not from runtime monitoring
9 | - Detection database that drives the engines (signatures, P/Invoke, reflection and string entries)
10 | - Command-line front end (AntiNETCLI)
11 |
--------------------------------------------------------------------------------
/TODO.md:
--------------------------------------------------------------------------------
1 | - Decide whether the detections found actually constitute a threat (a scoring/weighting layer; 'Analysis Engine' could be a name for it)
2 | - Refactor code
3 | - Create Database Editor
4 | - More Detection Engines for managed/native
--------------------------------------------------------------------------------