├── .gitignore
├── .vscode
├── launch.json
└── tasks.json
├── LICENSE.txt
├── README.md
├── appveyor.yml
├── logo.png
└── src
└── AntiDebugging
├── .idea
└── .idea.AntiDebugging
│ ├── .idea
│ ├── .gitignore
│ ├── encodings.xml
│ ├── indexLayout.xml
│ ├── misc.xml
│ └── vcs.xml
│ └── riderModule.iml
├── AntiDebugging.Demo
├── AntiDebugging.Demo.csproj
├── Program.cs
└── logo.ico
├── AntiDebugging.sln
├── AntiDebugging.sln.DotSettings
└── AntiDebugging
├── AntiDebug.cs
├── AntiDebugging.csproj
├── AntiDump.cs
├── Constants.cs
├── HardwareHelper.cs
├── ProtectionHelper.cs
├── Scanner.cs
├── SelfDebugger.cs
├── WinStructs
├── DebugEvent.cs
├── DebugEventType.cs
├── DebugObjectInformationClass.cs
├── NtStatus.cs
├── ProcessInfoClass.cs
├── SystemInformationClass.cs
├── SystemKernelDebuggerInformation.cs
├── ThreadAccess.cs
└── ThreadInformationClass.cs
└── logo.ico
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Aa][Rr][Mm]/
27 | [Aa][Rr][Mm]64/
28 | bld/
29 | [Bb]in/
30 | [Oo]bj/
31 | [Ll]og/
32 | [Ll]ogs/
33 |
34 | # Visual Studio 2015/2017 cache/options directory
35 | .vs/
36 | # Uncomment if you have tasks that create the project's static files in wwwroot
37 | #wwwroot/
38 |
39 | # Visual Studio 2017 auto generated files
40 | Generated\ Files/
41 |
42 | # MSTest test Results
43 | [Tt]est[Rr]esult*/
44 | [Bb]uild[Ll]og.*
45 |
46 | # NUnit
47 | *.VisualState.xml
48 | TestResult.xml
49 | nunit-*.xml
50 |
51 | # Build Results of an ATL Project
52 | [Dd]ebugPS/
53 | [Rr]eleasePS/
54 | dlldata.c
55 |
56 | # Benchmark Results
57 | BenchmarkDotNet.Artifacts/
58 |
59 | # .NET Core
60 | project.lock.json
61 | project.fragment.lock.json
62 | artifacts/
63 |
64 | # StyleCop
65 | StyleCopReport.xml
66 |
67 | # Files built by Visual Studio
68 | *_i.c
69 | *_p.c
70 | *_h.h
71 | *.ilk
72 | *.meta
73 | *.obj
74 | *.iobj
75 | *.pch
76 | *.pdb
77 | *.ipdb
78 | *.pgc
79 | *.pgd
80 | *.rsp
81 | *.sbr
82 | *.tlb
83 | *.tli
84 | *.tlh
85 | *.tmp
86 | *.tmp_proj
87 | *_wpftmp.csproj
88 | *.log
89 | *.vspscc
90 | *.vssscc
91 | .builds
92 | *.pidb
93 | *.svclog
94 | *.scc
95 |
96 | # Chutzpah Test files
97 | _Chutzpah*
98 |
99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 |
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 |
116 | # Visual Studio Trace Files
117 | *.e2e
118 |
119 | # TFS 2012 Local Workspace
120 | $tf/
121 |
122 | # Guidance Automation Toolkit
123 | *.gpState
124 |
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 |
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 |
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 |
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 |
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 |
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 |
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 |
153 | # Web workbench (sass)
154 | .sass-cache/
155 |
156 | # Installshield output folder
157 | [Ee]xpress/
158 |
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 |
169 | # Click-Once directory
170 | publish/
171 |
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 |
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 |
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 |
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 |
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 |
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 |
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 |
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 |
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 |
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 |
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 |
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 |
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 |
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 |
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 |
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 |
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 |
278 | # Visual Studio 6 build log
279 | *.plg
280 |
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 |
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 |
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 |
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 |
299 | # FAKE - F# Make
300 | .fake/
301 |
302 | # CodeRush personal settings
303 | .cr/personal
304 |
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 |
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 |
313 | # Tabs Studio
314 | *.tss
315 |
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 |
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 |
325 | # OpenCover UI analysis results
326 | OpenCover/
327 |
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 |
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 |
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 |
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 |
340 | # Local History for Visual Studio
341 | .localhistory/
342 |
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 |
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 |
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 |
--------------------------------------------------------------------------------
/.vscode/launch.json:
--------------------------------------------------------------------------------
1 | {
2 | // Use IntelliSense to find out which attributes exist for C# debugging
3 | // Use hover for the description of the existing attributes
4 | // For further information visit https://github.com/OmniSharp/omnisharp-vscode/blob/master/debugger-launchjson.md
5 | "version": "0.2.0",
6 | "configurations": [
7 | {
8 | "name": ".NET Core Launch (console)",
9 | "type": "coreclr",
10 | "request": "launch",
11 | "preLaunchTask": "build",
12 | // If you have changed target frameworks, make sure to update the program path.
13 | "program": "${workspaceFolder}/src/AntiDebugging/AntiDebugging.Demo/bin/Debug/netcoreapp3.1/AntiDebugging.Demo.dll",
14 | "args": [],
15 | "cwd": "${workspaceFolder}/src/AntiDebugging/AntiDebugging.Demo",
16 | // For more information about the 'console' field, see https://aka.ms/VSCode-CS-LaunchJson-Console
17 | "console": "internalConsole",
18 | "stopAtEntry": false
19 | },
20 | {
21 | "name": ".NET Core Attach",
22 | "type": "coreclr",
23 | "request": "attach",
24 | "processId": "${command:pickProcess}"
25 | }
26 | ]
27 | }
--------------------------------------------------------------------------------
/.vscode/tasks.json:
--------------------------------------------------------------------------------
1 | {
2 | "version": "2.0.0",
3 | "tasks": [
4 | {
5 | "label": "build",
6 | "command": "dotnet",
7 | "type": "process",
8 | "args": [
9 | "build",
10 | "${workspaceFolder}/src/AntiDebugging/AntiDebugging.Demo/AntiDebugging.Demo.csproj",
11 | "/property:GenerateFullPaths=true",
12 | "/consoleloggerparameters:NoSummary"
13 | ],
14 | "problemMatcher": "$msCompile"
15 | },
16 | {
17 | "label": "publish",
18 | "command": "dotnet",
19 | "type": "process",
20 | "args": [
21 | "publish",
22 | "${workspaceFolder}/src/AntiDebugging/AntiDebugging.Demo/AntiDebugging.Demo.csproj",
23 | "/property:GenerateFullPaths=true",
24 | "/consoleloggerparameters:NoSummary"
25 | ],
26 | "problemMatcher": "$msCompile"
27 | },
28 | {
29 | "label": "watch",
30 | "command": "dotnet",
31 | "type": "process",
32 | "args": [
33 | "watch",
34 | "run",
35 | "${workspaceFolder}/src/AntiDebugging/AntiDebugging.Demo/AntiDebugging.Demo.csproj",
36 | "/property:GenerateFullPaths=true",
37 | "/consoleloggerparameters:NoSummary"
38 | ],
39 | "problemMatcher": "$msCompile"
40 | }
41 | ]
42 | }
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright [yyyy] [name of copyright owner]
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | [](https://ci.appveyor.com/project/bezzad/downloader)
2 | [](https://www.nuget.org/packages/downloader)
3 | [](https://www.nuget.org/packages/downloader)
4 |
5 | 
6 |
7 | # Anti Debugging
8 |
9 | C# Anti-Debug and Anti-Dumping techniques using Win32/NT API functions. There are certain functions/methods like the anti-dump that were created by other people.
10 |
11 | ### Features at a glance
12 |
13 | * PoC: Prevent a debugger from attaching to managed .NET processes via a watcher process code pattern.
14 | * Anti Virtual Machine & VPS
15 | * Anti Dump - Clears headers and some secret magic ontop (WARNING! It breaks applications which are obfuscated)
16 | * Check for managed debugger
17 | * Check for unmanaged debugger
18 | * Check for remote debugger
19 | * Check debug port
20 | * Detach from debugger process
21 | * Check for kernel debugger
22 | * Hides current process OS thread ( managed threads soon )
23 | * Scan and Kill debuggers (ollydbg, x32dbg, x64dbg, Immunity, MegaDumper, etc)
24 |
25 | ### How to use
26 |
27 | Get it on [NuGet](https://www.nuget.org/packages/AntiDebugger):
28 |
29 | PM> Install-Package AntiDebugging
30 |
31 | Or via the .NET Core command line interface:
32 |
33 | dotnet add package AntiDebugging
34 |
35 |
--------------------------------------------------------------------------------
/appveyor.yml:
--------------------------------------------------------------------------------
1 | version: 1.2.{build}
2 | image: Visual Studio 2019
3 | configuration: Release
4 | platform: Any CPU
5 | before_build:
6 | - cmd: dotnet restore src\AntiDebugging\AntiDebugging.sln
7 | build:
8 | verbosity: normal
--------------------------------------------------------------------------------
/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bezzad/AntiDebugging/e70383636c46c96f8cc8181d6c3f0cfa97cd5f91/logo.png
--------------------------------------------------------------------------------
/src/AntiDebugging/.idea/.idea.AntiDebugging/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # Default ignored files
2 | /shelf/
3 | /workspace.xml
4 | # Rider ignored files
5 | /projectSettingsUpdater.xml
6 | /modules.xml
7 | /.idea.AntiDebugging.iml
8 | /contentModel.xml
9 | # Datasource local storage ignored files
10 | /dataSources/
11 | /dataSources.local.xml
12 | # Editor-based HTTP Client requests
13 | /httpRequests/
14 |
--------------------------------------------------------------------------------
/src/AntiDebugging/.idea/.idea.AntiDebugging/.idea/encodings.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/src/AntiDebugging/.idea/.idea.AntiDebugging/.idea/indexLayout.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/src/AntiDebugging/.idea/.idea.AntiDebugging/.idea/misc.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/src/AntiDebugging/.idea/.idea.AntiDebugging/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/src/AntiDebugging/.idea/.idea.AntiDebugging/riderModule.iml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging.Demo/AntiDebugging.Demo.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | netcoreapp3.1
6 | latest
7 | Demo
8 | logo.ico
9 | false
10 |
11 |
12 |
13 | none
14 | none
15 | false
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging.Demo/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.Reflection;
4 |
5 | namespace AntiDebugging.Demo
6 | {
7 | class Program
8 | {
9 | static void Main(string[] args)
10 | {
11 | var mainLibVersion = Assembly.GetAssembly(typeof(AntiDebug))?.GetName().Version?.ToString(3) ?? "1.0.0";
12 | Console.Title = $"Anti Debugging v{mainLibVersion}";
13 | Console.WriteLine($"Process {Process.GetCurrentProcess().Id} is running...");
14 |
15 | if (PerformChecks())
16 | {
17 | Environment.FailFast("Debugger Detected");
18 | }
19 | else
20 | {
21 | // AntiDump.ProtectDump();
22 | //
23 | // Console.WriteLine("Test: Attaching to process in runtime...");
24 | // var ppid = 0;
25 | // if (args != null && args.Length > 0)
26 | // {
27 | // int.TryParse(args[0], out ppid);
28 | // }
29 | //
30 | // SelfDebugger.DebugSelf(ppid);
31 | //
32 | // PerformChecks();
33 |
34 | Console.WriteLine();
35 | WriteColoredResult("Any debugger not found. Application run in a safe environment.", ConsoleColor.DarkGreen);
36 | }
37 |
38 | Console.ReadLine();
39 | }
40 |
41 | ///
42 | /// Perform basic checks, method 1
43 | /// Checks are very fast, there is no CPU overhead.
44 | ///
45 | public static bool PerformChecks()
46 | {
47 | var isProcessRemote = AntiDebug.CheckRemoteDebugger();
48 | var isManagedCodesAttached = AntiDebug.CheckDebuggerManagedPresent();
49 | var isUnManagedCodesAttached = AntiDebug.CheckDebuggerUnmanagedPresent();
50 | var checkDebugPort = AntiDebug.CheckDebugPort();
51 | var checkKernelDebugInformation = AntiDebug.CheckKernelDebugInformation();
52 | var detectEmulation = ProtectionHelper.DetectEmulation();
53 | var detectSandbox = ProtectionHelper.DetectSandbox();
54 | var detectVirtualMachine = ProtectionHelper.DetectVirtualMachine();
55 | var detachFromDebuggerProcess = AntiDebug.DetachFromDebuggerProcess();
56 | WriteBooleanResult($"{nameof(AntiDebug)}.{nameof(AntiDebug.CheckRemoteDebugger)}", isProcessRemote);
57 | WriteBooleanResult($"{nameof(AntiDebug)}.{nameof(AntiDebug.CheckDebuggerManagedPresent)}", isManagedCodesAttached);
58 | WriteBooleanResult($"{nameof(AntiDebug)}.{nameof(AntiDebug.CheckDebuggerUnmanagedPresent)}", isUnManagedCodesAttached);
59 | WriteBooleanResult($"{nameof(AntiDebug)}.{nameof(AntiDebug.CheckDebugPort)}", checkDebugPort);
60 | WriteBooleanResult($"{nameof(AntiDebug)}.{nameof(AntiDebug.CheckKernelDebugInformation)}", checkKernelDebugInformation);
61 | WriteBooleanResult($"{nameof(ProtectionHelper)}.{nameof(ProtectionHelper.DetectEmulation)}", detectEmulation);
62 | WriteBooleanResult($"{nameof(ProtectionHelper)}.{nameof(ProtectionHelper.DetectSandbox)}", detectSandbox);
63 | WriteBooleanResult($"{nameof(ProtectionHelper)}.{nameof(ProtectionHelper.DetectVirtualMachine)}", detectVirtualMachine);
64 | WriteBooleanResult($"{nameof(AntiDebug)}.{nameof(AntiDebug.DetachFromDebuggerProcess)}", detachFromDebuggerProcess);
65 | AntiDebug.HideOsThreads();
66 | Scanner.ScanAndKill();
67 |
68 | if (isProcessRemote || isManagedCodesAttached ||
69 | isUnManagedCodesAttached || checkDebugPort ||
70 | checkKernelDebugInformation || detectEmulation ||
71 | detectSandbox || detectVirtualMachine)
72 | {
73 | ProtectionHelper.FreezeMouse();
74 | ProtectionHelper.ShowCmd("Protector", "Active debugger found!", "C");
75 | return true;
76 | }
77 |
78 | return false;
79 | }
80 |
81 | protected static void WriteBooleanResult(string prop, bool value)
82 | {
83 | Console.Write($"{prop}: ");
84 | WriteColoredResult(value.ToString(), value ? ConsoleColor.Red : ConsoleColor.Green);
85 | }
86 | protected static void WriteColoredResult(string text, ConsoleColor color)
87 | {
88 | var originalColor = Console.ForegroundColor;
89 | Console.ForegroundColor = color;
90 | Console.WriteLine(text);
91 | Console.ForegroundColor = originalColor;
92 | }
93 | }
94 |
95 | }
96 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging.Demo/logo.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bezzad/AntiDebugging/e70383636c46c96f8cc8181d6c3f0cfa97cd5f91/src/AntiDebugging/AntiDebugging.Demo/logo.ico
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30128.74
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AntiDebugging", "AntiDebugging\AntiDebugging.csproj", "{A036B4E3-3169-429B-992E-A382D60AFD76}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AntiDebugging.Demo", "AntiDebugging.Demo\AntiDebugging.Demo.csproj", "{980B7E78-7C64-46DD-B3FB-CD5DA5C551AF}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|Any CPU = Debug|Any CPU
13 | Release|Any CPU = Release|Any CPU
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {A036B4E3-3169-429B-992E-A382D60AFD76}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {A036B4E3-3169-429B-992E-A382D60AFD76}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {A036B4E3-3169-429B-992E-A382D60AFD76}.Release|Any CPU.ActiveCfg = Release|Any CPU
19 | {A036B4E3-3169-429B-992E-A382D60AFD76}.Release|Any CPU.Build.0 = Release|Any CPU
20 | {980B7E78-7C64-46DD-B3FB-CD5DA5C551AF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
21 | {980B7E78-7C64-46DD-B3FB-CD5DA5C551AF}.Debug|Any CPU.Build.0 = Debug|Any CPU
22 | {980B7E78-7C64-46DD-B3FB-CD5DA5C551AF}.Release|Any CPU.ActiveCfg = Release|Any CPU
23 | {980B7E78-7C64-46DD-B3FB-CD5DA5C551AF}.Release|Any CPU.Build.0 = Release|Any CPU
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {85660965-8099-4D2D-B4DD-E49105287BFF}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging.sln.DotSettings:
--------------------------------------------------------------------------------
1 |
2 | True
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/AntiDebug.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.Runtime.InteropServices;
4 | using AntiDebugging.WinStructs;
5 |
6 | namespace AntiDebugging
7 | {
8 | public static class AntiDebug
9 | {
10 | [DllImport("Kernel32.dll", SetLastError = true)]
11 | internal static extern bool DebugActiveProcess(int dwProcessId);
12 |
13 | [DllImport("Kernel32.dll", SetLastError = true)]
14 | internal static extern bool WaitForDebugEvent([Out] out DebugEvent lpDebugEvent, int dwMilliseconds);
15 |
16 | [DllImport("Kernel32.dll", SetLastError = true)]
17 | internal static extern bool ContinueDebugEvent(int dwProcessId, int dwThreadId, int dwContinueStatus);
18 |
19 | [DllImport("Kernel32.dll", SetLastError = true, ExactSpelling = true)]
20 | [return: MarshalAs(UnmanagedType.Bool)]
21 | private static extern bool IsDebuggerPresent();
22 |
23 | [DllImport("Kernel32.dll", SetLastError = true, ExactSpelling = true)]
24 | [return: MarshalAs(UnmanagedType.Bool)]
25 | private static extern bool CheckRemoteDebuggerPresent(SafeHandle hProcess, [MarshalAs(UnmanagedType.Bool)] ref bool isDebuggerPresent);
26 |
27 | [DllImport("ntdll.dll", SetLastError = true, ExactSpelling = true)]
28 | internal static extern NtStatus NtQueryInformationProcess([In] IntPtr processHandle, [In] ProcessInfoClass processInformationClass, out IntPtr processInformation, [In] int processInformationLength, out int returnLength);
29 |
30 | [DllImport("ntdll.dll", SetLastError = true, ExactSpelling = true)]
31 | internal static extern NtStatus NtClose([In] IntPtr handle);
32 |
33 | [DllImport("ntdll.dll", SetLastError = true, ExactSpelling = true)]
34 | internal static extern NtStatus NtRemoveProcessDebug(IntPtr processHandle, IntPtr debugObjectHandle);
35 |
36 | [DllImport("ntdll.dll", SetLastError = true, ExactSpelling = true)]
37 | internal static extern NtStatus NtSetInformationDebugObject([In] IntPtr debugObjectHandle, [In] DebugObjectInformationClass debugObjectInformationClass, [In] IntPtr debugObjectInformation, [In] int debugObjectInformationLength, [Out] out int returnLength);
38 |
39 | [DllImport("ntdll.dll", SetLastError = true, ExactSpelling = true)]
40 | internal static extern NtStatus NtQuerySystemInformation([In] SystemInformationClass systemInformationClass, IntPtr systemInformation, [In] int systemInformationLength, [Out] out int returnLength);
41 |
42 | [DllImport("ntdll.dll")]
43 | internal static extern NtStatus NtSetInformationThread(IntPtr threadHandle, ThreadInformationClass threadInformationClass, IntPtr threadInformation, int threadInformationLength);
44 |
45 | [DllImport("kernel32.dll")]
46 | static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
47 |
48 | [DllImport("kernel32.dll")]
49 | static extern uint SuspendThread(IntPtr hThread);
50 |
51 | [DllImport("kernel32.dll")]
52 | static extern int ResumeThread(IntPtr hThread);
53 |
54 | [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
55 | static extern bool CloseHandle(IntPtr handle);
56 |
57 | static readonly IntPtr InvalidHandleValue = new IntPtr(-1);
58 |
59 |
60 | ///
61 | /// Asks the CLR for the presence of an attached managed debugger,
62 | /// and never even bothers to check for the presence of a native debugger.
63 | ///
64 | public static bool CheckDebuggerManagedPresent()
65 | {
66 | return System.Diagnostics.Debugger.IsAttached;
67 | }
68 |
69 | ///
70 | /// Asks the kernel for the presence of an attached native debugger, and has no knowledge of managed debuggers.
71 | ///
72 | public static bool CheckDebuggerUnmanagedPresent()
73 | {
74 | return IsDebuggerPresent();
75 | }
76 |
77 | ///
78 | /// Checks whether a process is being debugged.
79 | ///
80 | ///
81 | /// The "remote" in CheckRemoteDebuggerPresent does not imply that the debugger
82 | /// necessarily resides on a different computer; instead, it indicates that the
83 | /// debugger resides in a separate and parallel process.
84 | ///
85 | public static bool CheckRemoteDebugger()
86 | {
87 | var isDebuggerPresent = false;
88 | var bApiRet = CheckRemoteDebuggerPresent(System.Diagnostics.Process.GetCurrentProcess().SafeHandle, ref isDebuggerPresent);
89 |
90 | return bApiRet && isDebuggerPresent;
91 | }
92 |
93 | public static bool CheckDebugPort()
94 | {
95 | var debugPort = new IntPtr(0);
96 | var status = NtQueryInformationProcess(Process.GetCurrentProcess().Handle,
97 | ProcessInfoClass.ProcessDebugPort, out debugPort,
98 | Marshal.SizeOf(debugPort), out var returnLength);
99 |
100 | if (status == NtStatus.Success)
101 | {
102 | if (debugPort == new IntPtr(-1))
103 | {
104 | Debug.WriteLine("DebugPort : {0:X}", debugPort);
105 | return true;
106 | }
107 | }
108 |
109 | return false;
110 | }
111 |
112 | public static bool DetachFromDebuggerProcess()
113 | {
114 | var dwFlags = 0U;
115 |
116 | unsafe
117 | {
118 | var ntStatus = NtQueryInformationProcess(Process.GetCurrentProcess().Handle, ProcessInfoClass.ProcessDebugObjectHandle, out var hDebugObject, IntPtr.Size, out _);
119 |
120 | if (ntStatus != NtStatus.Success)
121 | {
122 | return false;
123 | }
124 |
125 | ntStatus = NtSetInformationDebugObject(hDebugObject, DebugObjectInformationClass.DebugObjectFlags, new IntPtr(&dwFlags), Marshal.SizeOf(dwFlags), out _);
126 |
127 | if (ntStatus != NtStatus.Success)
128 | {
129 | return false;
130 | }
131 |
132 | ntStatus = NtRemoveProcessDebug(Process.GetCurrentProcess().Handle, hDebugObject);
133 |
134 | if (ntStatus != NtStatus.Success)
135 | {
136 | return false;
137 | }
138 |
139 | ntStatus = NtClose(hDebugObject);
140 |
141 | if (ntStatus != NtStatus.Success)
142 | {
143 | return false;
144 | }
145 | }
146 |
147 | return true;
148 | }
149 |
150 | public static bool CheckKernelDebugInformation()
151 | {
152 | SystemKernelDebuggerInformation pSkdi;
153 |
154 | int retLength;
155 | NtStatus ntStatus;
156 |
157 | unsafe
158 | {
159 | ntStatus = NtQuerySystemInformation(SystemInformationClass.SystemKernelDebuggerInformation, new IntPtr(&pSkdi),
160 | Marshal.SizeOf(pSkdi), out retLength);
161 |
162 | if (ntStatus == NtStatus.Success)
163 | {
164 | if (pSkdi.KernelDebuggerEnabled && !pSkdi.KernelDebuggerNotPresent)
165 | {
166 | return true;
167 | }
168 | }
169 | }
170 |
171 | return false;
172 | }
173 |
174 | public static void HideOsThreads()
175 | {
176 | var currentThreads = Process.GetCurrentProcess().Threads;
177 |
178 | foreach (ProcessThread thread in currentThreads)
179 | {
180 | Debug.WriteLine("[GetOSThreads]: thread.Id {0:X}", thread.Id);
181 |
182 | var pOpenThread = OpenThread(ThreadAccess.SetInformation, false, (uint)thread.Id);
183 |
184 | if (pOpenThread == IntPtr.Zero)
185 | {
186 | Debug.WriteLine("[GetOSThreads]: skipped thread.Id {0:X}", thread.Id);
187 | continue;
188 | }
189 |
190 | if (HideThreadFromDebugger(pOpenThread))
191 | {
192 | Debug.WriteLine("[GetOSThreads]: thread.Id {0:X} hidden from debugger.", thread.Id);
193 | }
194 |
195 | CloseHandle(pOpenThread);
196 | }
197 | }
198 |
199 | ///
200 | /// Hide the thread from debug events.
201 | ///
202 | public static bool HideThreadFromDebugger(IntPtr handle)
203 | {
204 | var nStatus = NtSetInformationThread(handle, ThreadInformationClass.ThreadHideFromDebugger, IntPtr.Zero, 0);
205 |
206 | return nStatus == NtStatus.Success;
207 | }
208 | }
209 | }
210 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/AntiDebugging.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | netstandard2.0
5 | latest
6 | 1.2.0
7 | Behzad Khosravifar
8 | C# Anti-Debug and Anti-Dumping techniques using Win32/NT API functions. There are certain functions/methods like the anti-dump that were created by other people.
9 | 2020
10 | antidebug, antidebugging, net-antidebug, antidump, anti-virtualmachine, antivm, anti-emulation
11 |
12 | * PoC: Prevent a debugger from attaching to managed .NET processes via a watcher process code pattern.
13 | * Anti Virtual Machine & VPS
14 | * Anti Dump - Clears headers and some secret magic ontop (WARNING! It breaks applications which are obfuscated)
15 | * Check for managed debugger
16 | * Check for unmanaged debugger
17 | * Check for remote debugger
18 | * Check debug port
19 | * Detach from debugger process
20 | * Check for kernel debugger
21 | * Hides current process OS thread ( managed threads soon )
22 | * Scan and Kill debuggers (ollydbg, x32dbg, x64dbg, Immunity, MegaDumper, etc)
23 |
24 | true
25 | logo.png
26 | logo.ico
27 | https://github.com/bezzad/AntiDebugging
28 | LICENSE.txt
29 | https://github.com/bezzad/AntiDebugging.git
30 | git
31 |
32 |
33 |
34 | true
35 |
36 |
37 |
38 | true
39 | none
40 | none
41 | false
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 | True
53 |
54 |
55 |
56 | True
57 |
58 |
59 |
60 |
61 |
62 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/AntiDump.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics.CodeAnalysis;
3 |
4 | namespace AntiDebugging
5 | {
6 | public static class AntiDump
7 | {
8 | private static readonly int[] Sectiontabledwords = new int[] { 0x8, 0xC, 0x10, 0x14, 0x18, 0x1C, 0x24 };
9 | private static readonly int[] Peheaderbytes = new int[] { 0x1A, 0x1B };
10 | private static readonly int[] Peheaderwords = new int[] { 0x4, 0x16, 0x18, 0x40, 0x42, 0x44, 0x46, 0x48, 0x4A, 0x4C, 0x5C, 0x5E };
11 | private static readonly int[] Peheaderdwords = new int[] { 0x0, 0x8, 0xC, 0x10, 0x16, 0x1C, 0x20, 0x28, 0x2C, 0x34, 0x3C, 0x4C, 0x50, 0x54, 0x58, 0x60, 0x64, 0x68, 0x6C, 0x70, 0x74, 0x104, 0x108, 0x10C, 0x110, 0x114, 0x11C };
12 |
13 |
14 | [System.Runtime.InteropServices.DllImport("kernel32.dll")]
15 | private static extern IntPtr ZeroMemory(IntPtr addr, IntPtr size);
16 |
17 | [System.Runtime.InteropServices.DllImport("kernel32.dll")]
18 | private static extern IntPtr VirtualProtect(IntPtr lpAddress, IntPtr dwSize, IntPtr flNewProtect, ref IntPtr lpflOldProtect);
19 |
20 | private static void EraseSection(IntPtr address, int size)
21 | {
22 | var sz = (IntPtr)size;
23 | var dwOld = default(IntPtr);
24 | VirtualProtect(address, sz, (IntPtr)0x40, ref dwOld);
25 | ZeroMemory(address, sz);
26 | var temp = default(IntPtr);
27 | VirtualProtect(address, sz, dwOld, ref temp);
28 | }
29 |
30 | ///
31 | /// WARNING! It breaks applications which are obfuscated.
32 | ///
33 | [SuppressMessage("ReSharper", "ForCanBeConvertedToForeach")]
34 | public static void ProtectDump()
35 | {
36 | var process = System.Diagnostics.Process.GetCurrentProcess();
37 | if (process.MainModule != null)
38 | {
39 | var baseAddress = process.MainModule.BaseAddress;
40 | var dwpeheader = System.Runtime.InteropServices.Marshal.ReadInt32((IntPtr)(baseAddress.ToInt32() + 0x3C));
41 | var wnumberofsections = System.Runtime.InteropServices.Marshal.ReadInt16((IntPtr)(baseAddress.ToInt32() + dwpeheader + 0x6));
42 |
43 | EraseSection(baseAddress, 30);
44 |
45 | for (var i = 0; i < Peheaderdwords.Length; i++)
46 | {
47 | EraseSection((IntPtr)(baseAddress.ToInt32() + dwpeheader + Peheaderdwords[i]), 4);
48 | }
49 |
50 | for (var i = 0; i < Peheaderwords.Length; i++)
51 | {
52 | EraseSection((IntPtr)(baseAddress.ToInt32() + dwpeheader + Peheaderwords[i]), 2);
53 | }
54 |
55 | for (var i = 0; i < Peheaderbytes.Length; i++)
56 | {
57 | EraseSection((IntPtr)(baseAddress.ToInt32() + dwpeheader + Peheaderbytes[i]), 1);
58 | }
59 |
60 | var x = 0;
61 | var y = 0;
62 |
63 | while (x <= wnumberofsections)
64 | {
65 | if (y == 0)
66 | {
67 | EraseSection((IntPtr)((baseAddress.ToInt32() + dwpeheader + 0xFA + (0x28 * x)) + 0x20), 2);
68 | }
69 |
70 | EraseSection((IntPtr)((baseAddress.ToInt32() + dwpeheader + 0xFA + (0x28 * x)) + Sectiontabledwords[y]), 4);
71 |
72 | y++;
73 |
74 | if (y == Sectiontabledwords.Length)
75 | {
76 | x++;
77 | y = 0;
78 | }
79 | }
80 | }
81 | }
82 | }
83 | }
84 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/Constants.cs:
--------------------------------------------------------------------------------
1 | namespace AntiDebugging
2 | {
3 | public static class Constants
4 | {
5 | public static string ActiveRemoteDebuggerFound { get; } = "ActiveRemoteDebuggerFound";
6 | public static string ActiveDebuggerFound { get; } = "ActiveDebuggerFound";
7 | public static string ActiveUnmanagedDebuggerFound { get; } = "ActiveUnmanagedDebuggerFound";
8 | public static string ActiveKernelDebuggerFound { get; } = "ActiveKernelDebuggerFound";
9 | public static string ApplicationRunningOnEmulation { get; } = "ApplicationRunningOnEmulation";
10 | public static string ApplicationRunningOnSandbox { get; } = "ApplicationRunningOnSandbox";
11 | public static string ApplicationRunningOnVirtualMachine { get; } = "ApplicationRunningOnVirtualMachine";
12 | }
13 | }
14 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/HardwareHelper.cs:
--------------------------------------------------------------------------------
1 | using System.Diagnostics.CodeAnalysis;
2 | using System.Management;
3 | using System.Net;
4 | using System.Security.Cryptography;
5 | using System.Text;
6 |
7 | namespace AntiDebugging
8 | {
9 | public static class HardwareHelper
10 | {
11 | private static string FingerPrint { get; set; }
12 |
13 | public static IPAddress Ip()
14 | {
15 | var wc = new WebClient();
16 | var strInternetProtocol = wc.DownloadString("https://ipv4.wtfismyip.com/text");
17 | if (IPAddress.TryParse(strInternetProtocol.Trim(), out var ip))
18 | return ip;
19 | return null;
20 | }
21 |
22 | public static string HardwareUniqueId()
23 | {
24 | // this is shit that normally doesn't get spoofed, i modified it so you don't always need to keep resetting hwid
25 | return FingerPrint ??= GetMd5Hash("CPU >> " + CpuId() + "\nVIDEO >> " + VideoId());
26 | }
27 |
28 | //Return a hardware identifier
29 | [SuppressMessage("ReSharper", "PossibleInvalidCastExceptionInForeachLoop")]
30 | private static string Identifier(string wmiClass, string wmiProperty, string wmiMustBeTrue)
31 | {
32 | var result = "";
33 | var mc = new ManagementClass(wmiClass);
34 | var moc = mc.GetInstances();
35 | foreach (ManagementObject mo in moc)
36 | {
37 | if (mo[wmiMustBeTrue].ToString() == "True")
38 | {
39 | //Only get the first one
40 | if (result == "")
41 | {
42 | try
43 | {
44 | result = mo[wmiProperty].ToString();
45 | break;
46 | }
47 | catch
48 | {
49 | // ignored
50 | }
51 | }
52 | }
53 | }
54 | return result;
55 | }
56 |
57 | ///
58 | /// Return a hardware identifier
59 | ///
60 | [SuppressMessage("ReSharper", "PossibleInvalidCastExceptionInForeachLoop")]
61 | private static string Identifier(string wmiClass, string wmiProperty)
62 | {
63 | var result = "";
64 | var mc = new ManagementClass(wmiClass);
65 | var moc = mc.GetInstances();
66 | foreach (ManagementObject mo in moc)
67 | {
68 | //Only get the first one
69 | if (result == "")
70 | {
71 | try
72 | {
73 | result = mo[wmiProperty].ToString();
74 | break;
75 | }
76 | catch
77 | {
78 | // ignored
79 | }
80 | }
81 | }
82 | return result;
83 | }
84 |
85 | private static string GetMd5Hash(this string s)
86 | {
87 | using MD5 sec = new MD5CryptoServiceProvider();
88 | var enc = new ASCIIEncoding();
89 | var bt = enc.GetBytes(s);
90 | return GetHexString(sec.ComputeHash(bt));
91 | }
92 | private static string GetHexString(this byte[] bt)
93 | {
94 | var s = string.Empty;
95 | for (var i = 0; i < bt.Length; i++)
96 | {
97 | var b = bt[i];
98 | int n, n1, n2;
99 | n = b;
100 | n1 = n & 15;
101 | n2 = (n >> 4) & 15;
102 | if (n2 > 9)
103 | s += ((char)(n2 - 10 + 'A')).ToString();
104 | else
105 | s += n2.ToString();
106 | if (n1 > 9)
107 | s += ((char)(n1 - 10 + 'A')).ToString();
108 | else
109 | s += n1.ToString();
110 | if ((i + 1) != bt.Length && (i + 1) % 2 == 0) s += "-";
111 | }
112 | return s;
113 | }
114 |
115 |
116 | private static string CpuId()
117 | {
118 | //Uses first CPU identifier available in order of preference
119 | //Don't get all identifiers, as it is very time consuming
120 | var retVal = Identifier("Win32_Processor", "UniqueId");
121 | if (retVal == "") //If no UniqueID, use ProcessorID
122 | {
123 | retVal = Identifier("Win32_Processor", "ProcessorId");
124 | if (retVal == "") //If no ProcessorId, use Name
125 | {
126 | retVal = Identifier("Win32_Processor", "Name");
127 | if (retVal == "") //If no Name, use Manufacturer
128 | {
129 | retVal = Identifier("Win32_Processor", "Manufacturer");
130 | }
131 |
132 | }
133 | }
134 | return retVal;
135 | }
136 | ///
137 | /// BIOS Identifier
138 | ///
139 | private static string BiosId()
140 | {
141 | return Identifier("Win32_BIOS", "Manufacturer")
142 | + Identifier("Win32_BIOS", "SMBIOSBIOSVersion")
143 | + Identifier("Win32_BIOS", "IdentificationCode")
144 | + Identifier("Win32_BIOS", "SerialNumber")
145 | + Identifier("Win32_BIOS", "ReleaseDate")
146 | + Identifier("Win32_BIOS", "Version");
147 | }
148 | ///
149 | /// Main physical hard drive ID
150 | ///
151 | private static string DiskId()
152 | {
153 | return Identifier("Win32_DiskDrive", "Model")
154 | + Identifier("Win32_DiskDrive", "Manufacturer")
155 | + Identifier("Win32_DiskDrive", "Signature")
156 | + Identifier("Win32_DiskDrive", "TotalHeads");
157 | }
158 | ///
159 | /// Motherboard ID
160 | ///
161 | private static string BaseId()
162 | {
163 | return Identifier("Win32_BaseBoard", "Model")
164 | + Identifier("Win32_BaseBoard", "Manufacturer")
165 | + Identifier("Win32_BaseBoard", "Name")
166 | + Identifier("Win32_BaseBoard", "SerialNumber");
167 | }
168 | ///
169 | /// Primary video controller ID
170 | ///
171 | private static string VideoId()
172 | {
173 | return Identifier("Win32_VideoController", "DriverVersion") + Identifier("Win32_VideoController", "Name");
174 | }
175 | ///
176 | /// First enabled network card ID
177 | ///
178 | private static string MacId()
179 | {
180 | return Identifier("Win32_NetworkAdapterConfiguration", "MACAddress", "IPEnabled");
181 | }
182 | }
183 | }
184 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/ProtectionHelper.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Diagnostics;
3 | using System.Management;
4 | using System.Runtime.InteropServices;
5 | using System.Security.Principal;
6 | using System.Threading;
7 | using System.Threading.Tasks;
8 |
9 | namespace AntiDebugging
10 | {
11 | public static class ProtectionHelper
12 | {
13 | private static bool TurnedOnFreezeMouse { get; set; }
14 |
15 | [DllImport("kernel32.dll")]
16 | static extern IntPtr GetConsoleWindow();
17 |
18 | [DllImport("kernel32.dll")]
19 | static extern IntPtr GetCurrentProcessId();
20 |
21 | [DllImport("user32.dll")]
22 | static extern int GetWindowThreadProcessId(IntPtr hWnd, ref IntPtr processId);
23 |
24 | [DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
25 | private static extern IntPtr GetModuleHandle(string lpModuleName);
26 |
27 | [DllImport("user32.dll", CharSet = CharSet.Auto, ExactSpelling = true)]
28 | private static extern void BlockInput([In, MarshalAs(UnmanagedType.Bool)] bool fBlockIt);
29 |
30 |
31 | public static bool IsAdministrator()
32 | {
33 | var identity = WindowsIdentity.GetCurrent();
34 | var principal = new WindowsPrincipal(identity);
35 | return principal.IsInRole(WindowsBuiltInRole.Administrator);
36 | }
37 |
38 | public static bool DetectSandbox()
39 | {
40 | return GetModuleHandle("SbieDll.dll").ToInt32() != 0;
41 | }
42 |
43 | public static void FreezeMouse()
44 | {
45 | TurnedOnFreezeMouse = true;
46 | var killDirectory = new Thread(FreezeWindowsProcess);
47 | killDirectory.Start();
48 | }
49 | public static void ReleaseMouse()
50 | {
51 | TurnedOnFreezeMouse = false;
52 | BlockInput(TurnedOnFreezeMouse);
53 | }
54 |
55 | public static bool DetectEmulation()
56 | {
57 | long tickCount = Environment.TickCount;
58 | Thread.Sleep(500);
59 | long tickCount2 = Environment.TickCount;
60 | return tickCount2 - tickCount < 500L;
61 | }
62 |
63 | public static bool DetectVirtualMachine()
64 | {
65 | using (var managementObjectSearcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
66 | {
67 | using (var managementObjectCollection = managementObjectSearcher.Get())
68 | {
69 | foreach (var managementBaseObject in managementObjectCollection)
70 | {
71 | if (managementBaseObject["Manufacturer"]?.ToString()?.ToLower() == "microsoft corporation" &&
72 | managementBaseObject["Model"]?.ToString()?.ToUpperInvariant().Contains("VIRTUAL") == true ||
73 | managementBaseObject["Manufacturer"]?.ToString()?.ToLower().Contains("vmware") == true ||
74 | managementBaseObject["Model"]?.ToString() == "VirtualBox")
75 | {
76 | return true;
77 | }
78 | }
79 | }
80 | }
81 | foreach (var managementBaseObject2 in new ManagementObjectSearcher("root\\CIMV2", "SELECT * FROM Win32_VideoController").Get())
82 | {
83 | if (managementBaseObject2.GetPropertyValue("Name")?.ToString()?.Contains("VMware") == true &&
84 | managementBaseObject2.GetPropertyValue("Name")?.ToString()?.Contains("VBox") == true)
85 | {
86 | return true;
87 | }
88 | }
89 |
90 | return false;
91 | }
92 |
93 |
94 | private static void FreezeWindowsProcess()
95 | {
96 | while (TurnedOnFreezeMouse)
97 | {
98 | BlockInput(TurnedOnFreezeMouse);
99 | }
100 | }
101 |
102 | internal static void PerformDetach()
103 | {
104 | Parallel.Invoke(() => AntiDebug.DetachFromDebuggerProcess(),
105 | AntiDebug.HideOsThreads,
106 | Scanner.ScanAndKill);
107 | }
108 |
109 | internal static void PerformChecks()
110 | {
111 | if (AntiDebug.CheckRemoteDebugger())
112 | throw new Exception(Constants.ActiveRemoteDebuggerFound);
113 |
114 | if (AntiDebug.CheckDebuggerManagedPresent() || AntiDebug.CheckDebugPort())
115 | throw new Exception(Constants.ActiveDebuggerFound);
116 |
117 | if (AntiDebug.CheckDebuggerUnmanagedPresent())
118 | throw new Exception(Constants.ActiveUnmanagedDebuggerFound);
119 |
120 | if (AntiDebug.CheckKernelDebugInformation())
121 | throw new Exception(Constants.ActiveKernelDebuggerFound);
122 |
123 | if (DetectEmulation())
124 | throw new Exception(Constants.ApplicationRunningOnEmulation);
125 |
126 | if (DetectSandbox())
127 | throw new Exception(Constants.ApplicationRunningOnSandbox);
128 |
129 | if (DetectVirtualMachine())
130 | throw new Exception(Constants.ApplicationRunningOnVirtualMachine);
131 | }
132 |
133 | public static void ShowCmd(string title, string text, string color, int timeoutSec = 10)
134 | {
135 | Process.Start(new ProcessStartInfo("cmd.exe", "/c " + $"START CMD /C \"COLOR {color} && TITLE {title} && ECHO {text} && TIMEOUT {timeoutSec}\"")
136 | {
137 | CreateNoWindow = true,
138 | UseShellExecute = false
139 | });
140 | }
141 | }
142 | }
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/Scanner.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Diagnostics;
4 | using System.Linq;
5 |
6 | namespace AntiDebugging
7 | {
8 | public static class Scanner
9 | {
10 | private static HashSet BadProcessNameList { get; set; }
11 | private static HashSet BadWindowTextList { get; set; }
12 |
13 |
14 | public static void ScanAndKill()
15 | {
16 | try
17 | {
18 | Scan(true);
19 | }
20 | catch
21 | {
22 | // ignore
23 | }
24 | }
25 |
26 | ///
27 | /// Simple scanner for "bad" processes (debuggers) using .NET code only. (for now)
28 | ///
29 | private static int Scan(bool killBadProcess)
30 | {
31 | var isBadProcess = 0;
32 |
33 | if (BadProcessNameList.Any() != true ||
34 | BadWindowTextList.Any() != true)
35 | {
36 | Init();
37 | }
38 |
39 | var processList = Process.GetProcesses();
40 |
41 | foreach (var process in processList)
42 | {
43 | if (BadProcessNameList.Contains(process.ProcessName.ToLower()) ||
44 | BadWindowTextList.Contains(process.MainWindowTitle.ToLower()))
45 | {
46 | Debug.Write("BAD PROCESS FOUND: " + process.ProcessName);
47 |
48 | isBadProcess++;
49 |
50 | if (killBadProcess)
51 | {
52 | try
53 | {
54 | process.Kill();
55 | }
56 | catch (Exception ex)
57 | {
58 | Console.ForegroundColor = ConsoleColor.Red;
59 | Console.Error.WriteLine(ex);
60 | break;
61 | }
62 | }
63 | }
64 | }
65 |
66 | return isBadProcess;
67 | }
68 |
69 | ///
70 | /// Populate "database" with process names/window names.
71 | /// Using HashSet for maximum performance
72 | ///
73 | private static void Init()
74 | {
75 | if (BadProcessNameList?.Any() == true && BadWindowTextList?.Any() == true)
76 | {
77 | return;
78 | }
79 |
80 | BadProcessNameList = new HashSet
81 | {
82 | "procmon64",
83 | "codecracker",
84 | "ida",
85 | "idag",
86 | "idaw",
87 | "idaq",
88 | "idau",
89 | "scylla",
90 | "de4dot",
91 | "de4dotmodded",
92 | "protection_id",
93 | "ollydbg",
94 | "x64dbg",
95 | "x32dbg",
96 | "x96dbg",
97 | "x64netdumper",
98 | "petools",
99 | "dnspy",
100 | "windbg",
101 | "reshacker",
102 | "simpleassembly",
103 | "process hacker",
104 | "process monitor",
105 | "qt5core",
106 | "importREC",
107 | "immunitydebugger",
108 | "megadumper",
109 | "cheatengine-x86_64",
110 | "dump",
111 | "dbgclr",
112 | "wireshark",
113 | "hxd"
114 | };
115 |
116 | BadWindowTextList = new HashSet
117 | {
118 | "ollydbg",
119 | "ida",
120 | "disassembly",
121 | "scylla",
122 | "debug",
123 | "[cpu",
124 | "immunity",
125 | "windbg",
126 | "x32dbg",
127 | "x64dbg",
128 | "x96dbg",
129 | "import reconstructor",
130 | "dumper"
131 | };
132 | }
133 | }
134 | }
135 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/SelfDebugger.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.ComponentModel;
3 | using System.Diagnostics;
4 | using System.Threading;
5 | using AntiDebugging.WinStructs;
6 |
7 | namespace AntiDebugging
8 | {
9 | ///
10 | /// This will spawn a watcher process to monitor a parent, and each will PInvoke a debugger thread on each other.
11 | /// If either process is killed (parent or child), they both exit, protecting each other from being debugged.
12 | ///
13 | public static class SelfDebugger
14 | {
15 | public const int DbgContinue = 0x00010002;
16 | public const int DbgExceptionNotHandled = unchecked((int)0x80010001);
17 |
18 | // Debugging thread main loop
19 | static void DebuggerThread(object arg)
20 | {
21 | // Attach to the process we provided the thread as an argument
22 | if (!AntiDebug.DebugActiveProcess((int)arg))
23 | throw new Win32Exception();
24 |
25 | while (true)
26 | {
27 | // wait for a debug event
28 | if (!AntiDebug.WaitForDebugEvent(out var evt, -1))
29 | throw new Win32Exception();
30 | // return DBG_CONTINUE for all events but the exception type
31 | var continueFlag = SelfDebugger.DbgContinue;
32 | if (evt.dwDebugEventCode == DebugEventType.ExceptionDebugEvent)
33 | continueFlag = SelfDebugger.DbgExceptionNotHandled;
34 | // continue running the debug
35 | AntiDebug.ContinueDebugEvent(evt.dwProcessId, evt.dwThreadId, continueFlag);
36 | }
37 | }
38 |
39 | public static void DebugSelf(int ppid)
40 | {
41 | Console.WriteLine("Debugging {0}", ppid);
42 | var self = Process.GetCurrentProcess();
43 | // Child process?
44 | if (ppid != 0)
45 | {
46 | var pdbg = Process.GetProcessById(ppid);
47 | new Thread(KillOnExit) { IsBackground = true, Name = "KillOnExit" }.Start(pdbg);
48 | //Wait for our parent to debug us
49 | WaitForDebugger();
50 | //Start debugging our parent process
51 | DebuggerThread(ppid);
52 | //Now is a good time to die.
53 | Environment.Exit(1);
54 | }
55 | else // else we are the Parent process...
56 | {
57 | var procName = Environment.GetCommandLineArgs()[0];
58 | procName = procName.Replace(".dll", ".exe");
59 | var psi = new ProcessStartInfo(procName, self.Id.ToString())
60 | {
61 | UseShellExecute = false,
62 | CreateNoWindow = false,
63 | ErrorDialog = false,
64 | //WindowStyle = ProcessWindowStyle.Hidden
65 | };
66 | // Start the child process
67 | var pdbg = Process.Start(psi);
68 | if (pdbg == null)
69 | throw new ApplicationException("Unable to debug");
70 | // Monitor the child process
71 | new Thread(KillOnExit) { IsBackground = true, Name = "KillOnExit" }.Start(pdbg);
72 | // Debug the child process
73 | new Thread(DebuggerThread) { IsBackground = true, Name = "DebuggerThread" }.Start(pdbg.Id);
74 | // Wait for the child to debug us
75 | WaitForDebugger();
76 | }
77 | }
78 | static void WaitForDebugger()
79 | {
80 | var start = DateTime.Now;
81 | while (!AntiDebug.CheckDebuggerUnmanagedPresent() &&
82 | !AntiDebug.CheckDebuggerManagedPresent() &&
83 | !AntiDebug.CheckRemoteDebugger())
84 | {
85 | Console.WriteLine("Application working by self debugging...");
86 | if ((DateTime.Now - start).TotalMinutes > 1)
87 | throw new TimeoutException("Debug operation timeout.");
88 | Thread.Sleep(1);
89 | }
90 | }
91 | static void KillOnExit(object process)
92 | {
93 | ((Process)process).WaitForExit();
94 | Environment.Exit(1);
95 | }
96 | }
97 | }
98 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/WinStructs/DebugEvent.cs:
--------------------------------------------------------------------------------
1 | using System.Runtime.InteropServices;
2 |
3 | namespace AntiDebugging.WinStructs
4 | {
5 | [StructLayout(LayoutKind.Sequential)]
6 | internal struct DebugEvent
7 | {
8 | [MarshalAs(UnmanagedType.I4)]
9 | public DebugEventType dwDebugEventCode;
10 | public int dwProcessId;
11 | public int dwThreadId;
12 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 1024)]
13 | public byte[] bytes;
14 | }
15 | }
16 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/WinStructs/DebugEventType.cs:
--------------------------------------------------------------------------------
1 | namespace AntiDebugging.WinStructs
2 | {
3 | internal enum DebugEventType : int
4 | {
5 | CreateProcessDebugEvent = 3, //Reports a create-process debugging event. The value of u.CreateProcessInfo specifies a CREATE_PROCESS_DEBUG_INFO structure.
6 | CreateThreadDebugEvent = 2, //Reports a create-thread debugging event. The value of u.CreateThread specifies a CREATE_THREAD_DEBUG_INFO structure.
7 | ExceptionDebugEvent = 1, //Reports an exception debugging event. The value of u.Exception specifies an EXCEPTION_DEBUG_INFO structure.
8 | ExitProcessDebugEvent = 5, //Reports an exit-process debugging event. The value of u.ExitProcess specifies an EXIT_PROCESS_DEBUG_INFO structure.
9 | ExitThreadDebugEvent = 4, //Reports an exit-thread debugging event. The value of u.ExitThread specifies an EXIT_THREAD_DEBUG_INFO structure.
10 | LoadDllDebugEvent = 6, //Reports a load-dynamic-link-library (DLL) debugging event. The value of u.LoadDll specifies a LOAD_DLL_DEBUG_INFO structure.
11 | OutputDebugStringEvent = 8, //Reports an output-debugging-string debugging event. The value of u.DebugString specifies an OUTPUT_DEBUG_STRING_INFO structure.
12 | RipEvent = 9, //Reports a RIP-debugging event (system debugging error). The value of u.RipInfo specifies a RIP_INFO structure.
13 | UnloadDllDebugEvent = 7, //Reports an unload-DLL debugging event. The value of u.UnloadDll specifies an UNLOAD_DLL_DEBUG_INFO structure.
14 | }
15 | }
16 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/WinStructs/DebugObjectInformationClass.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | namespace AntiDebugging.WinStructs
4 | {
5 | [Flags]
6 | public enum DebugObjectInformationClass : int
7 | {
8 | DebugObjectFlags = 1,
9 | MaxDebugObjectInfoClass
10 | }
11 | }
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/WinStructs/NtStatus.cs:
--------------------------------------------------------------------------------
1 | namespace AntiDebugging.WinStructs
2 | {
3 | ///
4 | /// A NT status value.
5 | ///
6 | public enum NtStatus : uint
7 | {
8 | // Success
9 | Success = 0x00000000,
10 | Wait0 = 0x00000000,
11 | Wait1 = 0x00000001,
12 | Wait2 = 0x00000002,
13 | Wait3 = 0x00000003,
14 | Wait63 = 0x0000003f,
15 | Abandoned = 0x00000080,
16 | AbandonedWait0 = 0x00000080,
17 | AbandonedWait1 = 0x00000081,
18 | AbandonedWait2 = 0x00000082,
19 | AbandonedWait3 = 0x00000083,
20 | AbandonedWait63 = 0x000000bf,
21 | UserApc = 0x000000c0,
22 | KernelApc = 0x00000100,
23 | Alerted = 0x00000101,
24 | Timeout = 0x00000102,
25 | Pending = 0x00000103,
26 | Reparse = 0x00000104,
27 | MoreEntries = 0x00000105,
28 | NotAllAssigned = 0x00000106,
29 | SomeNotMapped = 0x00000107,
30 | OpLockBreakInProgress = 0x00000108,
31 | VolumeMounted = 0x00000109,
32 | RxActCommitted = 0x0000010a,
33 | NotifyCleanup = 0x0000010b,
34 | NotifyEnumDir = 0x0000010c,
35 | NoQuotasForAccount = 0x0000010d,
36 | PrimaryTransportConnectFailed = 0x0000010e,
37 | PageFaultTransition = 0x00000110,
38 | PageFaultDemandZero = 0x00000111,
39 | PageFaultCopyOnWrite = 0x00000112,
40 | PageFaultGuardPage = 0x00000113,
41 | PageFaultPagingFile = 0x00000114,
42 | CrashDump = 0x00000116,
43 | ReparseObject = 0x00000118,
44 | NothingToTerminate = 0x00000122,
45 | ProcessNotInJob = 0x00000123,
46 | ProcessInJob = 0x00000124,
47 | ProcessCloned = 0x00000129,
48 | FileLockedWithOnlyReaders = 0x0000012a,
49 | FileLockedWithWriters = 0x0000012b,
50 |
51 | // Informational
52 | Informational = 0x40000000,
53 | ObjectNameExists = 0x40000000,
54 | ThreadWasSuspended = 0x40000001,
55 | WorkingSetLimitRange = 0x40000002,
56 | ImageNotAtBase = 0x40000003,
57 | RegistryRecovered = 0x40000009,
58 |
59 | // Warning
60 | Warning = 0x80000000,
61 | GuardPageViolation = 0x80000001,
62 | DatatypeMisalignment = 0x80000002,
63 | Breakpoint = 0x80000003,
64 | SingleStep = 0x80000004,
65 | BufferOverflow = 0x80000005,
66 | NoMoreFiles = 0x80000006,
67 | HandlesClosed = 0x8000000a,
68 | PartialCopy = 0x8000000d,
69 | DeviceBusy = 0x80000011,
70 | InvalidEaName = 0x80000013,
71 | EaListInconsistent = 0x80000014,
72 | NoMoreEntries = 0x8000001a,
73 | LongJump = 0x80000026,
74 | DllMightBeInsecure = 0x8000002b,
75 |
76 | // Error
77 | Error = 0xc0000000,
78 | Unsuccessful = 0xc0000001,
79 | NotImplemented = 0xc0000002,
80 | InvalidInfoClass = 0xc0000003,
81 | InfoLengthMismatch = 0xc0000004,
82 | AccessViolation = 0xc0000005,
83 | InPageError = 0xc0000006,
84 | PagefileQuota = 0xc0000007,
85 | InvalidHandle = 0xc0000008,
86 | BadInitialStack = 0xc0000009,
87 | BadInitialPc = 0xc000000a,
88 | InvalidCid = 0xc000000b,
89 | TimerNotCanceled = 0xc000000c,
90 | InvalidParameter = 0xc000000d,
91 | NoSuchDevice = 0xc000000e,
92 | NoSuchFile = 0xc000000f,
93 | InvalidDeviceRequest = 0xc0000010,
94 | EndOfFile = 0xc0000011,
95 | WrongVolume = 0xc0000012,
96 | NoMediaInDevice = 0xc0000013,
97 | NoMemory = 0xc0000017,
98 | NotMappedView = 0xc0000019,
99 | UnableToFreeVm = 0xc000001a,
100 | UnableToDeleteSection = 0xc000001b,
101 | IllegalInstruction = 0xc000001d,
102 | AlreadyCommitted = 0xc0000021,
103 | AccessDenied = 0xc0000022,
104 | BufferTooSmall = 0xc0000023,
105 | ObjectTypeMismatch = 0xc0000024,
106 | NonContinuableException = 0xc0000025,
107 | BadStack = 0xc0000028,
108 | NotLocked = 0xc000002a,
109 | NotCommitted = 0xc000002d,
110 | InvalidParameterMix = 0xc0000030,
111 | ObjectNameInvalid = 0xc0000033,
112 | ObjectNameNotFound = 0xc0000034,
113 | ObjectNameCollision = 0xc0000035,
114 | ObjectPathInvalid = 0xc0000039,
115 | ObjectPathNotFound = 0xc000003a,
116 | ObjectPathSyntaxBad = 0xc000003b,
117 | DataOverrun = 0xc000003c,
118 | DataLate = 0xc000003d,
119 | DataError = 0xc000003e,
120 | CrcError = 0xc000003f,
121 | SectionTooBig = 0xc0000040,
122 | PortConnectionRefused = 0xc0000041,
123 | InvalidPortHandle = 0xc0000042,
124 | SharingViolation = 0xc0000043,
125 | QuotaExceeded = 0xc0000044,
126 | InvalidPageProtection = 0xc0000045,
127 | MutantNotOwned = 0xc0000046,
128 | SemaphoreLimitExceeded = 0xc0000047,
129 | PortAlreadySet = 0xc0000048,
130 | SectionNotImage = 0xc0000049,
131 | SuspendCountExceeded = 0xc000004a,
132 | ThreadIsTerminating = 0xc000004b,
133 | BadWorkingSetLimit = 0xc000004c,
134 | IncompatibleFileMap = 0xc000004d,
135 | SectionProtection = 0xc000004e,
136 | EasNotSupported = 0xc000004f,
137 | EaTooLarge = 0xc0000050,
138 | NonExistentEaEntry = 0xc0000051,
139 | NoEasOnFile = 0xc0000052,
140 | EaCorruptError = 0xc0000053,
141 | FileLockConflict = 0xc0000054,
142 | LockNotGranted = 0xc0000055,
143 | DeletePending = 0xc0000056,
144 | CtlFileNotSupported = 0xc0000057,
145 | UnknownRevision = 0xc0000058,
146 | RevisionMismatch = 0xc0000059,
147 | InvalidOwner = 0xc000005a,
148 | InvalidPrimaryGroup = 0xc000005b,
149 | NoImpersonationToken = 0xc000005c,
150 | CantDisableMandatory = 0xc000005d,
151 | NoLogonServers = 0xc000005e,
152 | NoSuchLogonSession = 0xc000005f,
153 | NoSuchPrivilege = 0xc0000060,
154 | PrivilegeNotHeld = 0xc0000061,
155 | InvalidAccountName = 0xc0000062,
156 | UserExists = 0xc0000063,
157 | NoSuchUser = 0xc0000064,
158 | GroupExists = 0xc0000065,
159 | NoSuchGroup = 0xc0000066,
160 | MemberInGroup = 0xc0000067,
161 | MemberNotInGroup = 0xc0000068,
162 | LastAdmin = 0xc0000069,
163 | WrongPassword = 0xc000006a,
164 | IllFormedPassword = 0xc000006b,
165 | PasswordRestriction = 0xc000006c,
166 | LogonFailure = 0xc000006d,
167 | AccountRestriction = 0xc000006e,
168 | InvalidLogonHours = 0xc000006f,
169 | InvalidWorkstation = 0xc0000070,
170 | PasswordExpired = 0xc0000071,
171 | AccountDisabled = 0xc0000072,
172 | NoneMapped = 0xc0000073,
173 | TooManyLuidsRequested = 0xc0000074,
174 | LuidsExhausted = 0xc0000075,
175 | InvalidSubAuthority = 0xc0000076,
176 | InvalidAcl = 0xc0000077,
177 | InvalidSid = 0xc0000078,
178 | InvalidSecurityDescr = 0xc0000079,
179 | ProcedureNotFound = 0xc000007a,
180 | InvalidImageFormat = 0xc000007b,
181 | NoToken = 0xc000007c,
182 | BadInheritanceAcl = 0xc000007d,
183 | RangeNotLocked = 0xc000007e,
184 | DiskFull = 0xc000007f,
185 | ServerDisabled = 0xc0000080,
186 | ServerNotDisabled = 0xc0000081,
187 | TooManyGuidsRequested = 0xc0000082,
188 | GuidsExhausted = 0xc0000083,
189 | InvalidIdAuthority = 0xc0000084,
190 | AgentsExhausted = 0xc0000085,
191 | InvalidVolumeLabel = 0xc0000086,
192 | SectionNotExtended = 0xc0000087,
193 | NotMappedData = 0xc0000088,
194 | ResourceDataNotFound = 0xc0000089,
195 | ResourceTypeNotFound = 0xc000008a,
196 | ResourceNameNotFound = 0xc000008b,
197 | ArrayBoundsExceeded = 0xc000008c,
198 | FloatDenormalOperand = 0xc000008d,
199 | FloatDivideByZero = 0xc000008e,
200 | FloatInexactResult = 0xc000008f,
201 | FloatInvalidOperation = 0xc0000090,
202 | FloatOverflow = 0xc0000091,
203 | FloatStackCheck = 0xc0000092,
204 | FloatUnderflow = 0xc0000093,
205 | IntegerDivideByZero = 0xc0000094,
206 | IntegerOverflow = 0xc0000095,
207 | PrivilegedInstruction = 0xc0000096,
208 | TooManyPagingFiles = 0xc0000097,
209 | FileInvalid = 0xc0000098,
210 | InstanceNotAvailable = 0xc00000ab,
211 | PipeNotAvailable = 0xc00000ac,
212 | InvalidPipeState = 0xc00000ad,
213 | PipeBusy = 0xc00000ae,
214 | IllegalFunction = 0xc00000af,
215 | PipeDisconnected = 0xc00000b0,
216 | PipeClosing = 0xc00000b1,
217 | PipeConnected = 0xc00000b2,
218 | PipeListening = 0xc00000b3,
219 | InvalidReadMode = 0xc00000b4,
220 | IoTimeout = 0xc00000b5,
221 | FileForcedClosed = 0xc00000b6,
222 | ProfilingNotStarted = 0xc00000b7,
223 | ProfilingNotStopped = 0xc00000b8,
224 | NotSameDevice = 0xc00000d4,
225 | FileRenamed = 0xc00000d5,
226 | CantWait = 0xc00000d8,
227 | PipeEmpty = 0xc00000d9,
228 | CantTerminateSelf = 0xc00000db,
229 | InternalError = 0xc00000e5,
230 | InvalidParameter1 = 0xc00000ef,
231 | InvalidParameter2 = 0xc00000f0,
232 | InvalidParameter3 = 0xc00000f1,
233 | InvalidParameter4 = 0xc00000f2,
234 | InvalidParameter5 = 0xc00000f3,
235 | InvalidParameter6 = 0xc00000f4,
236 | InvalidParameter7 = 0xc00000f5,
237 | InvalidParameter8 = 0xc00000f6,
238 | InvalidParameter9 = 0xc00000f7,
239 | InvalidParameter10 = 0xc00000f8,
240 | InvalidParameter11 = 0xc00000f9,
241 | InvalidParameter12 = 0xc00000fa,
242 | MappedFileSizeZero = 0xc000011e,
243 | TooManyOpenedFiles = 0xc000011f,
244 | Cancelled = 0xc0000120,
245 | CannotDelete = 0xc0000121,
246 | InvalidComputerName = 0xc0000122,
247 | FileDeleted = 0xc0000123,
248 | SpecialAccount = 0xc0000124,
249 | SpecialGroup = 0xc0000125,
250 | SpecialUser = 0xc0000126,
251 | MembersPrimaryGroup = 0xc0000127,
252 | FileClosed = 0xc0000128,
253 | TooManyThreads = 0xc0000129,
254 | ThreadNotInProcess = 0xc000012a,
255 | TokenAlreadyInUse = 0xc000012b,
256 | PagefileQuotaExceeded = 0xc000012c,
257 | CommitmentLimit = 0xc000012d,
258 | InvalidImageLeFormat = 0xc000012e,
259 | InvalidImageNotMz = 0xc000012f,
260 | InvalidImageProtect = 0xc0000130,
261 | InvalidImageWin16 = 0xc0000131,
262 | LogonServer = 0xc0000132,
263 | DifferenceAtDc = 0xc0000133,
264 | SynchronizationRequired = 0xc0000134,
265 | DllNotFound = 0xc0000135,
266 | IoPrivilegeFailed = 0xc0000137,
267 | OrdinalNotFound = 0xc0000138,
268 | EntryPointNotFound = 0xc0000139,
269 | ControlCExit = 0xc000013a,
270 | PortNotSet = 0xc0000353,
271 | DebuggerInactive = 0xc0000354,
272 | CallbackBypass = 0xc0000503,
273 | PortClosed = 0xc0000700,
274 | MessageLost = 0xc0000701,
275 | InvalidMessage = 0xc0000702,
276 | RequestCanceled = 0xc0000703,
277 | RecursiveDispatch = 0xc0000704,
278 | LpcReceiveBufferExpected = 0xc0000705,
279 | LpcInvalidConnectionUsage = 0xc0000706,
280 | LpcRequestsNotAllowed = 0xc0000707,
281 | ResourceInUse = 0xc0000708,
282 | ProcessIsProtected = 0xc0000712,
283 | VolumeDirty = 0xc0000806,
284 | FileCheckedOut = 0xc0000901,
285 | CheckOutRequired = 0xc0000902,
286 | BadFileType = 0xc0000903,
287 | FileTooLarge = 0xc0000904,
288 | FormsAuthRequired = 0xc0000905,
289 | VirusInfected = 0xc0000906,
290 | VirusDeleted = 0xc0000907,
291 | TransactionalConflict = 0xc0190001,
292 | InvalidTransaction = 0xc0190002,
293 | TransactionNotActive = 0xc0190003,
294 | TmInitializationFailed = 0xc0190004,
295 | RmNotActive = 0xc0190005,
296 | RmMetadataCorrupt = 0xc0190006,
297 | TransactionNotJoined = 0xc0190007,
298 | DirectoryNotRm = 0xc0190008,
299 | CouldNotResizeLog = 0xc0190009,
300 | TransactionsUnsupportedRemote = 0xc019000a,
301 | LogResizeInvalidSize = 0xc019000b,
302 | RemoteFileVersionMismatch = 0xc019000c,
303 | CrmProtocolAlreadyExists = 0xc019000f,
304 | TransactionPropagationFailed = 0xc0190010,
305 | CrmProtocolNotFound = 0xc0190011,
306 | TransactionSuperiorExists = 0xc0190012,
307 | TransactionRequestNotValid = 0xc0190013,
308 | TransactionNotRequested = 0xc0190014,
309 | TransactionAlreadyAborted = 0xc0190015,
310 | TransactionAlreadyCommitted = 0xc0190016,
311 | TransactionInvalidMarshallBuffer = 0xc0190017,
312 | CurrentTransactionNotValid = 0xc0190018,
313 | LogGrowthFailed = 0xc0190019,
314 | ObjectNoLongerExists = 0xc0190021,
315 | StreamMiniversionNotFound = 0xc0190022,
316 | StreamMiniversionNotValid = 0xc0190023,
317 | MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
318 | CantOpenMiniversionWithModifyIntent = 0xc0190025,
319 | CantCreateMoreStreamMiniversions = 0xc0190026,
320 | HandleNoLongerValid = 0xc0190028,
321 | NoTxfMetadata = 0xc0190029,
322 | LogCorruptionDetected = 0xc0190030,
323 | CantRecoverWithHandleOpen = 0xc0190031,
324 | RmDisconnected = 0xc0190032,
325 | EnlistmentNotSuperior = 0xc0190033,
326 | RecoveryNotNeeded = 0xc0190034,
327 | RmAlreadyStarted = 0xc0190035,
328 | FileIdentityNotPersistent = 0xc0190036,
329 | CantBreakTransactionalDependency = 0xc0190037,
330 | CantCrossRmBoundary = 0xc0190038,
331 | TxfDirNotEmpty = 0xc0190039,
332 | IndoubtTransactionsExist = 0xc019003a,
333 | TmVolatile = 0xc019003b,
334 | RollbackTimerExpired = 0xc019003c,
335 | TxfAttributeCorrupt = 0xc019003d,
336 | EfsNotAllowedInTransaction = 0xc019003e,
337 | TransactionalOpenNotAllowed = 0xc019003f,
338 | TransactedMappingUnsupportedRemote = 0xc0190040,
339 | TxfMetadataAlreadyPresent = 0xc0190041,
340 | TransactionScopeCallbacksNotSet = 0xc0190042,
341 | TransactionRequiredPromotion = 0xc0190043,
342 | CannotExecuteFileInTransaction = 0xc0190044,
343 | TransactionsNotFrozen = 0xc0190045,
344 |
345 | MaximumNtStatus = 0xffffffff
346 | }
347 | }
348 |
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/WinStructs/ProcessInfoClass.cs:
--------------------------------------------------------------------------------
1 | namespace AntiDebugging.WinStructs
2 | {
3 | public enum ProcessInfoClass : int
4 | {
5 | ProcessBasicInformation, // 0, q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
6 | ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
7 | ProcessIoCounters, // q: IO_COUNTERS
8 | ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX
9 | ProcessTimes, // q: KERNEL_USER_TIMES
10 | ProcessBasePriority, // s: KPRIORITY
11 | ProcessRaisePriority, // s: ULONG
12 | ProcessDebugPort, // q: HANDLE
13 | ProcessExceptionPort, // s: HANDLE
14 | ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN
15 | ProcessLdtInformation, // 10
16 | ProcessLdtSize,
17 | ProcessDefaultHardErrorMode, // qs: ULONG
18 | ProcessIoPortHandlers, // (kernel-mode only)
19 | ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS
20 | ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
21 | ProcessUserModeIopl,
22 | ProcessEnableAlignmentFaultFixup, // s: BOOLEAN
23 | ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS
24 | ProcessWx86Information,
25 | ProcessHandleCount, // 20, q: ULONG, PROCESS_HANDLE_INFORMATION
26 | ProcessAffinityMask, // s: KAFFINITY
27 | ProcessPriorityBoost, // qs: ULONG
28 | ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
29 | ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION
30 | ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND
31 | ProcessWow64Information, // q: ULONG_PTR
32 | ProcessImageFileName, // q: UNICODE_STRING
33 | ProcessLuidDeviceMapsEnabled, // q: ULONG
34 | ProcessBreakOnTermination, // qs: ULONG
35 | ProcessDebugObjectHandle, // 30, q: HANDLE
36 | ProcessDebugFlags, // qs: ULONG
37 | ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables
38 | ProcessIoPriority, // qs: ULONG
39 | ProcessExecuteFlags, // qs: ULONG
40 | ProcessResourceManagement,
41 | ProcessCookie, // q: ULONG
42 | ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
43 | ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA
44 | ProcessPagePriority, // q: ULONG
45 | ProcessInstrumentationCallback, // 40
46 | ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
47 | ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]
48 | ProcessImageFileNameWin32, // q: UNICODE_STRING
49 | ProcessImageFileMapping, // q: HANDLE (input)
50 | ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE
51 | ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
52 | ProcessGroupInformation, // q: USHORT[]
53 | ProcessTokenVirtualizationEnabled, // s: ULONG
54 | ProcessConsoleHostProcess, // q: ULONG_PTR
55 | ProcessWindowInformation, // 50, q: PROCESS_WINDOW_INFORMATION
56 | ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
57 | ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
58 | ProcessDynamicFunctionTableInformation,
59 | ProcessHandleCheckingMode,
60 | ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
61 | ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
62 | ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL
63 | ProcessHandleTable, // since WINBLUE
64 | ProcessCheckStackExtentsMode,
65 | ProcessCommandLineInformation, // 60, q: UNICODE_STRING
66 | ProcessProtectionInformation, // q: PS_PROTECTION
67 | MaxProcessInfoClass
68 | }
69 | }
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/WinStructs/SystemInformationClass.cs:
--------------------------------------------------------------------------------
1 | namespace AntiDebugging.WinStructs
2 | {
3 | public enum SystemInformationClass
4 | {
5 | SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
6 | SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
7 | SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
8 | SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
9 | SystemPathInformation, // not implemented
10 | SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
11 | SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
12 | SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
13 | SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
14 | SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
15 | SystemCallTimeInformation, // 10, not implemented
16 | SystemModuleInformation, // q: RTL_PROCESS_MODULES
17 | SystemLocksInformation,
18 | SystemStackTraceInformation,
19 | SystemPagedPoolInformation, // not implemented
20 | SystemNonPagedPoolInformation, // not implemented
21 | SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
22 | SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
23 | SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
24 | SystemVdmInstemulInformation, // q
25 | SystemVdmBopInformation, // 20, not implemented
26 | SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
27 | SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
28 | SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION
29 | SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
30 | SystemFullMemoryInformation, // not implemented
31 | SystemLoadGdiDriverInformation, // s (kernel-mode only)
32 | SystemUnloadGdiDriverInformation, // s (kernel-mode only)
33 | SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
34 | SystemSummaryMemoryInformation, // not implemented
35 | SystemMirrorMemoryInformation, // 30, s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege)
36 | SystemPerformanceTraceInformation, // s
37 | SystemObsolete0, // not implemented
38 | SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
39 | SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege)
40 | SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
41 | SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
42 | SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
43 | SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
44 | SystemPrioritySeperation, // s (requires SeTcbPrivilege)
45 | SystemVerifierAddDriverInformation, // 40, s (requires SeDebugPrivilege)
46 | SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
47 | SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
48 | SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
49 | SystemCurrentTimeZoneInformation, // q
50 | SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
51 | SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege)
52 | SystemSessionCreate, // not implemented
53 | SystemSessionDetach, // not implemented
54 | SystemSessionInformation, // not implemented
55 | SystemRangeStartInformation, // 50, q
56 | SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
57 | SystemVerifierThunkExtend, // s (kernel-mode only)
58 | SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
59 | SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)
60 | SystemNumaProcessorMap, // q
61 | SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
62 | SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
63 | SystemRecommendedSharedDataAlignment, // q
64 | SystemComPlusPackage, // q; s
65 | SystemNumaAvailableMemory, // 60
66 | SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION
67 | SystemEmulationBasicInformation, // q
68 | SystemEmulationProcessorInformation,
69 | SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
70 | SystemLostDelayedWriteInformation, // q: ULONG
71 | SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
72 | SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
73 | SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
74 | SystemHotpatchInformation, // q; s
75 | SystemObjectSecurityMode, // 70, q
76 | SystemWatchdogTimerHandler, // s (kernel-mode only)
77 | SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
78 | SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
79 | SystemWow64SharedInformationObsolete, // not implemented
80 | SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)
81 | SystemFirmwareTableInformation, // not implemented
82 | SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
83 | SystemVerifierTriageInformation, // not implemented
84 | SystemSuperfetchInformation, // q: SUPERFETCH_INFORMATION; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
85 | SystemMemoryListInformation, // 80, q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege)
86 | SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
87 | SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
88 | SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
89 | SystemVerifierCancellationInformation, // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation
90 | SystemProcessorPowerInformationEx, // not implemented
91 | SystemRefTraceInformation, // q; s // ObQueryRefTraceInformation
92 | SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
93 | SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
94 | SystemErrorPortInformation, // s (requires SeTcbPrivilege)
95 | SystemBootEnvironmentInformation, // 90, q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION
96 | SystemHypervisorInformation, // q; s (kernel-mode only)
97 | SystemVerifierInformationEx, // q; s
98 | SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)
99 | SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
100 | SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
101 | SystemPrefetchPatchInformation, // not implemented
102 | SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege)
103 | SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
104 | SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
105 | SystemProcessorPerformanceDistribution, // 100, q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION
106 | SystemNumaProximityNodeInformation, // q
107 | SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)
108 | SystemCodeIntegrityInformation, // q // SeCodeIntegrityQueryInformation
109 | SystemProcessorMicrocodeUpdateInformation, // s
110 | SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
111 | SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
112 | SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship
113 | SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
114 | SystemStoreInformation, // q; s // SmQueryStoreInformation
115 | SystemRegistryAppendString, // 110, s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS
116 | SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
117 | SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
118 | SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation
119 | SystemNativeBasicInformation, // not implemented
120 | SystemSpare1, // not implemented
121 | SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
122 | SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
123 | SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
124 | SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
125 | SystemSystemPtesInformationEx, // 120, q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes)
126 | SystemNodeDistanceInformation, // q
127 | SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
128 | SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
129 | SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
130 | SystemSessionBigPoolInformation, // since WIN8
131 | SystemBootGraphicsInformation,
132 | SystemScrubPhysicalMemoryInformation,
133 | SystemBadPageInformation,
134 | SystemProcessorProfileControlArea,
135 | SystemCombinePhysicalMemoryInformation, // 130
136 | SystemEntropyInterruptTimingCallback,
137 | SystemConsoleInformation,
138 | SystemPlatformBinaryInformation,
139 | SystemThrottleNotificationInformation,
140 | SystemHypervisorProcessorCountInformation,
141 | SystemDeviceDataInformation,
142 | SystemDeviceDataEnumerationInformation,
143 | SystemMemoryTopologyInformation,
144 | SystemMemoryChannelInformation,
145 | SystemBootLogoInformation, // 140
146 | SystemProcessorPerformanceInformationEx, // since WINBLUE
147 | SystemSpare0,
148 | SystemSecureBootPolicyInformation,
149 | SystemPageFileInformationEx,
150 | SystemSecureBootInformation,
151 | SystemEntropyInterruptTimingRawInformation,
152 | SystemPortableWorkspaceEfiLauncherInformation,
153 | SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
154 | SystemKernelDebuggerInformationEx,
155 | SystemBootMetadataInformation, // 150
156 | SystemSoftRebootInformation,
157 | SystemElamCertificateInformation,
158 | SystemOfflineDumpConfigInformation,
159 | SystemProcessorFeaturesInformation,
160 | SystemRegistryReconciliationInformation,
161 | SystemEdidInformation,
162 | MaxSystemInfoClass
163 | }
164 | }
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/WinStructs/SystemKernelDebuggerInformation.cs:
--------------------------------------------------------------------------------
1 | namespace AntiDebugging.WinStructs
2 | {
3 | [System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential)]
4 | public struct SystemKernelDebuggerInformation
5 | {
6 | [System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.U1)]
7 | public bool KernelDebuggerEnabled;
8 |
9 | [System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.U1)]
10 | public bool KernelDebuggerNotPresent;
11 | }
12 | }
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/WinStructs/ThreadAccess.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | namespace AntiDebugging.WinStructs
4 | {
5 | [Flags]
6 | public enum ThreadAccess : int
7 | {
8 | Terminate = (0x0001),
9 | SuspendResume = (0x0002),
10 | GetContext = (0x0008),
11 | SetContext = (0x0010),
12 | SetInformation = (0x0020),
13 | QueryInformation = (0x0040),
14 | SetThreadToken = (0x0080),
15 | Impersonate = (0x0100),
16 | DirectImpersonation = (0x0200)
17 | }
18 | }
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/WinStructs/ThreadInformationClass.cs:
--------------------------------------------------------------------------------
1 | namespace AntiDebugging.WinStructs
2 | {
3 | public enum ThreadInformationClass
4 | {
5 | ThreadBasicInformation = 0,
6 | ThreadTimes = 1,
7 | ThreadPriority = 2,
8 | ThreadBasePriority = 3,
9 | ThreadAffinityMask = 4,
10 | ThreadImpersonationToken = 5,
11 | ThreadDescriptorTableEntry = 6,
12 | ThreadEnableAlignmentFaultFixup = 7,
13 | ThreadEventPairReusable = 8,
14 | ThreadQuerySetWin32StartAddress = 9,
15 | ThreadZeroTlsCell = 10,
16 | ThreadPerformanceCount = 11,
17 | ThreadAmILastThread = 12,
18 | ThreadIdealProcessor = 13,
19 | ThreadPriorityBoost = 14,
20 | ThreadSetTlsArrayAddress = 15, // Obsolete
21 | ThreadIsIoPending = 16,
22 | ThreadHideFromDebugger = 17,
23 | ThreadBreakOnTermination = 18,
24 | ThreadSwitchLegacyState = 19,
25 | ThreadIsTerminated = 20,
26 | ThreadLastSystemCall = 21,
27 | ThreadIoPriority = 22,
28 | ThreadCycleTime = 23,
29 | ThreadPagePriority = 24,
30 | ThreadActualBasePriority = 25,
31 | ThreadTebInformation = 26,
32 | ThreadCSwitchMon = 27, // Obsolete
33 | ThreadCSwitchPmu = 28,
34 | ThreadWow64Context = 29,
35 | ThreadGroupInformation = 30,
36 | ThreadUmsInformation = 31, // UMS
37 | ThreadCounterProfiling = 32,
38 | ThreadIdealProcessorEx = 33,
39 | ThreadCpuAccountingInformation = 34,
40 | ThreadSuspendCount = 35,
41 | ThreadDescription = 38,
42 | ThreadActualGroupAffinity = 41,
43 | ThreadDynamicCodePolicy = 42,
44 | }
45 | }
--------------------------------------------------------------------------------
/src/AntiDebugging/AntiDebugging/logo.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bezzad/AntiDebugging/e70383636c46c96f8cc8181d6c3f0cfa97cd5f91/src/AntiDebugging/AntiDebugging/logo.ico
--------------------------------------------------------------------------------