-
Notifications
You must be signed in to change notification settings - Fork 0
/
Security.cs
228 lines (193 loc) · 10.4 KB
/
Security.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
using System.Diagnostics;
using System.Management;
using System.Runtime.InteropServices;
namespace Protect
{
public class Security
{
[DllImport("kernel32.dll", SetLastError = true)]
private static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
private static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool isDebuggerPresent);
[DllImport("kernel32.dll")]
private static extern IntPtr VirtualProtect(IntPtr lpAddress, IntPtr dwSize, IntPtr flNewProtect, ref IntPtr lpflOldProtect);
[DllImport("kernel32.dll")]
private static extern IntPtr ZeroMemory(IntPtr addr, IntPtr size);
[DllImport("kernel32.dll", SetLastError = true)]
private static extern void DebugActiveProcessStop(int processId);
private struct PE
{
static public int[] SectionTabledWords = new int[] { 0x8, 0xC, 0x10, 0x14, 0x18, 0x1C, 0x24 };
static public int[] Bytes = new int[] { 0x1A, 0x1B };
static public int[] Words = new int[] { 0x4, 0x16, 0x18, 0x40, 0x42, 0x44, 0x46, 0x48, 0x4A, 0x4C, 0x5C, 0x5E };
static public int[] dWords = new int[] { 0x0, 0x8, 0xC, 0x10, 0x16, 0x1C, 0x20, 0x28, 0x2C, 0x34, 0x3C, 0x4C, 0x50, 0x54, 0x58, 0x60, 0x64, 0x68, 0x6C, 0x70, 0x74, 0x104, 0x108, 0x10C, 0x110, 0x114, 0x11C };
}
/// <summary>
/// This method checks whether a debugger is present in the current process,
/// and if so, stops it from attaching to the process. Returns a boolean value indicating whether a debugger was detected and stopped.
/// Disabling debuggers can make debugging your own code more difficult, and may not prevent all types of debugging or reverse engineering.
/// Use with caution and carefully consider the risks and benefits of this method.
/// </summary>
/// <returns>True if a debugger was detected and stopped, false otherwise.</returns>
public static bool DisableDebugger()
{
bool isDebuggerPresent;
CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref isDebuggerPresent);
if (isDebuggerPresent)
{
DebugActiveProcessStop(Process.GetCurrentProcess().Id);
return true;
}
return false;
}
/// <summary>
/// This method erases a section of memory at the specified address,
/// by changing the memory protection, zeroing out the memory, and then restoring the original protection.
/// </summary>
/// <param name="address">The address of the section of memory to erase.</param>
/// <param name="size">The size of the section of memory to erase, in bytes.</param>
private static void EraseSection(IntPtr address, int size)
{
var sz = (IntPtr)size;
var dwOld = default;
VirtualProtect(address, sz, (IntPtr)0x40, ref dwOld);
ZeroMemory(address, sz);
IntPtr temp = default;
VirtualProtect(address, sz, dwOld, ref temp);
}
/// <summary>
/// Detect the presence of certain web sniffing tools in the current process,
/// by checking for the presence of specific modules in the process's loaded modules.
/// </summary>
/// <returns>True if the current process contains a web sniffing tool, otherwise false.</returns>
public static bool WebSniffers()
{
if (GetModuleHandle("HTTPDebuggerBrowser.dll") != IntPtr.Zero ||
GetModuleHandle("FiddlerCore4.dll") != IntPtr.Zero ||
GetModuleHandle("RestSharp.dll") != IntPtr.Zero ||
GetModuleHandle("Titanium.Web.Proxy.dll") != IntPtr.Zero)
{
return true;
}
return false;
}
/// <summary>
/// Check whether the current process is being debugged by a debugger,
/// by calling the CheckRemoteDebuggerPresent function and examining the return value.
/// </summary>
/// <returns>True if the current process is being debugged, otherwise false.</returns>
public static bool AntiDebug()
{
bool isDebuggerPresent;
CheckRemoteDebuggerPresent(Process.GetCurrentProcess().Handle, ref isDebuggerPresent);
if (isDebuggerPresent)
return true;
return false;
}
/// <summary>
/// Detect whether the current process is running under the Sandboxie software,
/// by checking for the presence of the "SbieDll.dll" module in the process's loaded modules.
/// </summary>
/// <returns>True if the current process is running under Sandboxie, otherwise false.</returns>
public static bool Sandboxie()
{
if (GetModuleHandle("SbieDll.dll").ToInt32() != 0)
return true;
return false;
}
/// <summary>
/// Emulation(); performs a short delay of 500 milliseconds using Thread.Sleep,
/// then checks whether the delay was accurately achieved using Environment.TickCount.
/// If the delay was not accurate, it returns true, otherwise it returns false.
/// This method is useful for checking the accuracy of the system clock and the Thread.Sleep method.
/// </summary>
/// <returns>True if the delay was not accurate, otherwise false.</returns>
public static bool Emulation()
{
var tickCount = Environment.TickCount;
Thread.Sleep(500);
var tickCount2 = Environment.TickCount;
if ((tickCount2 - tickCount) < 500L)
return true;
return false;
}
/// <summary>
/// Detect whether the current system is running on a virtual machine.
/// </summary>
/// <returns>True if a virtual machine is detected, otherwise false.</returns>
public static bool DetectVM()
{
using (var managementObjectSearcher = new ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
using (var managementObjectCollection = managementObjectSearcher.Get())
foreach (var managementBaseObject in managementObjectCollection)
if ((managementBaseObject["Manufacturer"].ToString().ToLower() == "microsoft corporation" && managementBaseObject["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) || managementBaseObject["Manufacturer"].ToString().ToLower().Contains("vmware") || managementBaseObject["Model"].ToString() == "VirtualBox")
return true;
foreach (var managementBaseObject2 in new ManagementObjectSearcher("root\\CIMV2", "SELECT * FROM Win32_VideoController").Get())
if (managementBaseObject2.GetPropertyValue("Name").ToString().Contains("VMware") && managementBaseObject2.GetPropertyValue("Name").ToString().Contains("VBox"))
return true;
return false;
}
/// <summary>
/// This method performs low-level memory manipulation to erase certain sections of a process's memory to make it more difficult to dump.
/// </summary>
/// <returns>True if the memory manipulation was successful, otherwise false.</returns>
public static bool AntiDump()
{
try
{
var process = Process.GetCurrentProcess();
var base_address = process.MainModule.BaseAddress;
var dwpeheader = Marshal.ReadInt32(base_address + 0x3C);
var wnumberofsections = Marshal.ReadInt16(base_address + dwpeheader + 0x6);
EraseSection(base_address, 30);
for (int i = 0; i < PE.dWords.Length; i++)
EraseSection(base_address + dwpeheader + PE.dWords[i], 4);
for (int i = 0; i < PE.Words.Length; i++)
EraseSection(base_address + dwpeheader + PE.Words[i], 2);
for (int i = 0; i < PE.Bytes.Length; i++)
EraseSection(base_address + dwpeheader + PE.Bytes[i], 1);
int x = 0;
int y = 0;
while (x <= wnumberofsections)
{
if (y == 0)
EraseSection(base_address + dwpeheader + 0xFA + (0x28 * x) + 0x20, 2);
EraseSection(base_address + dwpeheader + 0xFA + (0x28 * x) + PE.SectionTabledWords[y], 4);
y++;
if (y == PE.SectionTabledWords.Length)
{
x++;
y = 0;
}
}
return true;
}
catch
{
return false;
}
}
/// <summary>
/// This method checks whether the file "dnSpy.xml" exists in the user's AppData\Roaming folder, and returns a boolean value indicating whether it was found.
/// If the file exists, this suggests that the program dnSpy is or has been installed on the system.
/// This information can be useful for detecting potential security risks, identifying software dependencies, or other purposes.
/// </summary>
/// <returns>True if the file was found, false otherwise.</returns>
public static bool CheckDnSpyInstallation()
{
var filePath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "dnSpy", "dnSpy.xml");
return File.Exists(filePath);
}
/// <summary>
/// This method checks whether the directory "C:\Users\[username]\AppData\Roaming\Hex-Rays" exists, and returns a boolean value indicating whether it was found.
/// If the directory exists, this suggests that IDA Pro has been installed on the system, since this folder is created during the installation process.
/// This information can be useful for detecting potential security risks, identifying software dependencies, or other purposes.
/// </summary>
/// <returns>True if the directory was found, false otherwise.</returns>
public static bool CheckIDAProInstallation()
{
var directoryPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Hex-Rays");
return Directory.Exists(directoryPath);
}
}
}