#include <Windows.h>
#include <iostream>
#include "classic_antidbg.h"
#include "classic_antivm.h"
#include "neutrino_checks.h"
#include "kernelmode_antidbg.h"
#include "procmon_check.h"
#include "ntdll_undoc.h"
//#define SINGLE_STEPPING_CHECK
int main();
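// Queries the ProcessDebugFlags (0x1f) information class of the current
// process through NtQueryInformationProcess, which is resolved from ntdll at
// run time rather than linked.
//
// Returns true when the call succeeds (STATUS_SUCCESS == 0) and the returned
// value is 0 - the combination main() reports as "debugger detected". Returns
// false when the export cannot be resolved (the original dereferenced a null
// function pointer in that case), when the call fails, or when the value is
// non-zero.
//
// Side effect: prints the raw value to stdout in hex. std::hex is a sticky
// stream flag, so it is reset to std::dec afterwards; the printed line is
// unchanged.
bool checkProcessDebugFlags()
{
    // ProcessDebugFlags information class
    const int ProcessDebugFlags = 0x1f;
    const auto _NtQueryInformationProcess = reinterpret_cast<decltype(&NtQueryInformationProcess)>(
        GetProcAddress(GetModuleHandleA("ntdll"), "NtQueryInformationProcess"));
    if (_NtQueryInformationProcess == nullptr) {
        // Lookup failed: report "not detected" instead of calling a null pointer.
        return false;
    }
    DWORD NoDebugInherit = 0;
    const NTSTATUS Status = _NtQueryInformationProcess(GetCurrentProcess(), ProcessDebugFlags,
                                                       &NoDebugInherit, sizeof(DWORD), nullptr);
    std::cout << "ProcessDebugFlags: " << std::hex << NoDebugInherit << std::dec << "\n";
    return Status == 0 && NoDebugInherit == 0;
}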
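// Writes the value 1 to the ProcessDebugFlags (0x1f) information class of the
// current process through NtSetInformationProcess, resolved from ntdll at run
// time. main() calls this before checkProcessDebugFlags(); presumably the
// write is meant to make the later query return the "not debugged" value -
// TODO confirm against the demo's intent.
//
// Returns true when the set call returns STATUS_SUCCESS (0). Returns false
// when the export cannot be resolved (the original called a null function
// pointer in that case) or when the call fails.
bool clearProcessDebugFlags()
{
    // ProcessDebugFlags information class
    const int ProcessDebugFlags = 0x1f;
    const auto _NtSetInformationProcess = reinterpret_cast<decltype(&NtSetInformationProcess)>(
        GetProcAddress(GetModuleHandleA("ntdll"), "NtSetInformationProcess"));
    if (_NtSetInformationProcess == nullptr) {
        // Lookup failed: nothing was written, so report failure.
        return false;
    }
    DWORD NoDebugInherit = 1;
    const NTSTATUS Status = _NtSetInformationProcess(GetCurrentProcess(), ProcessDebugFlags,
                                                     &NoDebugInherit, sizeof(DWORD));
    return Status == 0;
}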
#ifndef _WIN64
// Raises the x86 `int 0x2d` (kernel debug service) interrupt inside an SEH
// frame. Inline `__asm` is only available in 32-bit MSVC builds, which is why
// the enclosing #ifndef _WIN64 guard exists.
//
// Returns true when execution continues past the interrupt without the
// exception reaching this handler - the outcome main() reports as "Debugger
// detected by 2D interrupt" - and false when the handler runs.
bool exec_int2d()
{
    __try
    {
        // Clear EAX before the interrupt (selects the service number 0).
        __asm xor eax, eax;
        __asm int 0x2d;
        // Presumably padding, because the byte following `int 2d` may be
        // skipped when execution resumes - TODO confirm.
        __asm nop;
        return true;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // The exception was delivered to this process's handler.
        return false;
    }
}
#endif
// from: https://anti-debug.checkpoint.com/techniques/process-memory.html#anti-step-over
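// Scans a memory region for a given byte value.
//
// cByte:       the byte to search for (main's caller uses 0xCC, the INT3
//              opcode).
// pMemory:     start of the region.
// nMemorySize: number of bytes to examine. When 0 (the default) the size is
//              treated as unknown and the scan stops at the first 0xC3 (RET)
//              byte instead.
//
// Returns true if cByte occurs before the stop condition is reached, false
// otherwise. The stop condition is tested before the byte comparison, so with
// nMemorySize == 0 a cByte of 0xC3 can never match.
//
// Caveat for the size-0 mode: the only bound is the first 0xC3 byte. If the
// region contains none, the loop keeps reading past it; if a 0xC3 occurs as
// part of a longer instruction, the scan ends early. Prefer passing an
// explicit size where one is known.
bool CheckForSpecificByte(BYTE cByte, PVOID pMemory, SIZE_T nMemorySize = 0)
{
    const BYTE* pBytes = static_cast<const BYTE*>(pMemory);
    for (SIZE_T i = 0; ; i++)
    {
        const bool sizeExhausted = (nMemorySize > 0) && (i >= nMemorySize);
        // Break on RET (0xC3) when the function's size is unknown.
        const bool hitRet = (nMemorySize == 0) && (pBytes[i] == 0xC3);
        if (sizeExhausted || hitRet)
            break;
        if (pBytes[i] == cByte)
            return true;
    }
    return false;
}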
// Reports whether any function in a fixed list (currently only main) contains
// a 0xCC (INT3) byte. main() reports a positive result as "Software
// breakpoints detected", i.e. a debugger is assumed to have patched the code.
//
// CheckForSpecificByte is called with its default size of 0, so each function
// is scanned from its entry up to the first 0xC3 byte. Taking the address of
// main is not portable C++ (the standard forbids using main within a program);
// MSVC accepts it, and this demo relies on that.
bool IsCCSet()
{
    PVOID targets[] = {
        &main
    };
    const size_t targetCount = sizeof(targets) / sizeof(targets[0]);
    for (size_t idx = 0; idx < targetCount; ++idx)
    {
        const bool found = CheckForSpecificByte(0xCC, targets[idx]);
        if (found)
            return true;
    }
    return false;
}
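// Entry point of the demo: runs each anti-debugging and anti-VM check in turn,
// prints which ones fired, shows a summary message box, and returns 0.
//
// Checks that contribute to the verdict set is_detected. The two CPUID VM
// checks only print (presumably deliberate - a VM alone is not treated as an
// analysis environment; confirm against the project's intent).
//
// Order is preserved from the original: clearProcessDebugFlags() runs before
// checkProcessDebugFlags(), and antidbg_timer_check() is called once with its
// result discarded before the call whose result counts (presumably the first
// call primes the timer - TODO confirm in classic_antidbg.h).
int main()
{
    if (clearProcessDebugFlags()) {
        std::cout << "Flag cleared!\n";
    }

    bool is_detected = false;
    // Records a positive result: marks the run as detected and prints why.
    const auto flag_if = [&is_detected](bool hit, const char* message) {
        if (hit) {
            is_detected = true;
            std::cout << message;
        }
    };

    // --- Anti-debugging ---
    flag_if(IsCCSet(), "[*] Software breakpoints detected!\n");
#ifndef _WIN64
    flag_if(exec_int2d(), "[*] Debugger detected by 2D interrupt\n");
#endif
    // Result intentionally ignored here; see the header comment.
    antidbg_timer_check();
    flag_if(checkProcessDebugFlags(), "[*] Debugger detected by ProcessDebugFlags!\n");
    flag_if(exception_is_dbg(), "[*] Debugger detected by Exception check!\n");
    flag_if(hardware_bp_is_dbg(), "[*] Debugger detected by Hardware Breakpoints!\n");
    flag_if(is_debugger_api(), "[*] Debugger detected by API check!\n");
    flag_if(antidbg_timer_check(), "[*] Debugger detected by time check!\n");
#ifdef SINGLE_STEPPING_CHECK
    flag_if(is_single_stepping(), "Single stepping detected!\n");
#endif

    // --- Anti-VM --- (print only; does not affect is_detected)
    if (cpuid_bit_check()) {
        std::cout << "[*] VM Detected by CPUID Check!\n";
    }
    if (cpuid_brand_check()) {
        std::cout << "[*] VM Detected by Brand ID!\n";
    }

    flag_if(find_by_neutrino_checks(), "[*] Analysis detected by Neutrino set of checks\n");

    const t_kdb_mode kdb_mode = is_kernelmode_dbg_enabled();
    flag_if(kdb_mode == KDB_LOCAL_ENABLED || kdb_mode == KDB_REMOTE_ENABLED,
            "[*] Kernelmode debugging enabled!\n");
    flag_if(is_procmon_sc_present(), "[*] ProcMon service is present!\n");

    if (is_detected) {
        MessageBoxA(nullptr, "Analysis environment detected!", "Detected", MB_ICONEXCLAMATION | MB_OK);
    }
    else {
        MessageBoxA(nullptr, "No analysis environment detected!", "Not Detected", MB_ICONINFORMATION | MB_OK);
    }
    // Keeps the console window open by running the command processor's
    // "pause"; this spawns cmd.exe and is kept for parity with the original.
    system("pause");
    return 0;
}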