README.md: 19 additions & 1 deletion
@@ -13,6 +13,10 @@ A .NET Project which Contains some useful techniques to detect debugging and oth
13
13
14
14
* IsDebuggerPresent
15
15
16
+
* PEB.BeingDebugged
17
+
18
+
* PEB.NtGlobalFlag
19
+
16
20
* NtSetDebugFilterState
17
21
18
22
* Page Guard Breakpoints Detection
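Review bot: the two added bullets `* PEB.BeingDebugged` and `* PEB.NtGlobalFlag` name a check but give no hint of what each inspects, unlike the longer entries elsewhere in this README, and the first one sits directly under `* IsDebuggerPresent`, which reads the same PEB flag through the Win32 API, so a reader cannot tell why both are listed. Suggest a short descriptor on each, for example `* PEB.BeingDebugged (read directly from the PEB instead of through IsDebuggerPresent)` and `* PEB.NtGlobalFlag (debugger-set heap flags)`, so the list explains what each entry adds over its neighbour.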
@@ -75,12 +79,24 @@ A .NET Project which Contains some useful techniques to detect debugging and oth
75
79
76
80
* Checking for devices created by VMs or Sandboxes
77
81
82
+
* Checking if AVX x64/x86 instructions are properly implemented to see if we are in an emulator.
83
+
84
+
* Checking for RDRAND x64/x86 instruction to see if it's properly implemented which could indicate an emulator.
85
+
86
+
* Checking for flags manipulation (for x64 and x86) checks to see if it's correctly handled.
87
+
78
88
## Anti Dll Injection
79
89
80
90
* Taking Advantage of Binary Image Signature Mitigation Policy to prevent injecting Non-Microsoft Binaries.
81
91
82
92
* Checking if any injected libraries are present (simple dlls path whitelist check)
83
93
94
+
* Thread Injection Detection
95
+
96
+
* Using PEB to change the main module info of the program which is main module name and module base address at runtime.
97
+
98
+
* Detecting process hollowing in our program by checking suspicious image base address.
99
+
84
100
## Other Detections
85
101
* Detecting if Unsigned Drivers are Allowed to Load
86
102
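Review bot: `* Using PEB to change the main module info of the program which is main module name and module base address at runtime.` is filed under `## Anti Dll Injection`, but it neither detects nor blocks an injection; it is a runtime modification of the process's own PEB entries, so it belongs under a separate heading or needs a sentence saying which injection technique it is meant to defeat. In the same hunk, `* Thread Injection Detection` is the only new bullet with no description of what is checked, and `* Detecting process hollowing in our program by checking suspicious image base address.` should state what makes an image base suspicious so users know what false positives to expect. Finally, `* Checking for flags manipulation (for x64 and x86) checks to see if it's correctly handled.` repeats "checks"; suggest `* Checking whether flag manipulation (x64 and x86) is handled correctly, which can expose an emulator.` to match the wording of the AVX and RDRAND entries above it.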
@@ -99,7 +115,9 @@ A .NET Project which Contains some useful techniques to detect debugging and oth
99
115
## Hooks Detection
100
116
* Detecting Most Anti Anti-Debugging Hooking Methods on Common Anti-Debugging Functions by checking for Bad Instructions on Functions Addresses and it detects user-mode anti anti-debuggers like scyllahide, and it can also detect some sandboxes which uses hooking to monitor application behaviour/activity (like <ahref="https://github.com/sandboxie-plus/Sandboxie">Sandboxie/Sandboxie Plus</a>, <ahref="https://www.hybrid-analysis.com">Hybrid Analysis</a>, <ahref="https://cuckoosandbox.org/index.html">Cuckoo Sandbox</a>, and a lot of other online malware analysis websites/applications).
101
117
118
+
* Basic detection for stealthy page guard hooking.
This Project are created for educational purposes only, also this project are licensed under MIT License.
123
+
This Project are created for educational purposes only, also this project are licensed under MIT License. you can use the code however you please, just please use it responsibly (NOT for malware) (e.g. you are developing an anti-cheat).
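Review bot: the rewritten license line keeps the grammar errors of the line it replaces: `This Project are created ... also this project are licensed` should read `This project is created for educational purposes only and is licensed under the MIT License.` The trailing parenthetical `(NOT for malware) (e.g. you are developing an anti-cheat)` reads as if the anti-cheat were an example of malware; suggest `use it responsibly, e.g. in an anti-cheat, and not in malware`. Since the MIT License itself places no restriction on use, and the sentence already says `you can use the code however you please`, it would help to make clear that the responsible-use sentence is a request rather than a license condition. Separately, the added bullet `* Basic detection for stealthy page guard hooking.` should say how it relates to the existing `* Page Guard Breakpoints Detection` entry in the first section, so readers do not take them for the same check.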