Add files via upload

Author: EvilBytecode

AntiDebug/CheckBlacklistedWindowsNames.py

@@ -0,0 +1,42 @@
+import ctypes
+
+def CheckTitles():
+    user32 = ctypes.windll.user32
+    EnumWindows = user32.EnumWindows
+    EnumWindowsProc = ctypes.WINFUNCTYPE(ctypes.c_bool, ctypes.POINTER(ctypes.c_int), ctypes.POINTER(ctypes.c_int))
+    GetWindowText = user32.GetWindowTextW
+    GetWindowTextLength = user32.GetWindowTextLengthW
+    IsWindowVisible = user32.IsWindowVisible
+
+    forbidden_titles = {
+        "proxifier", "graywolf", "extremedumper", "zed", "exeinfope", "dnspy",
+        "titanHide", "ilspy", "titanhide", "x32dbg", "codecracker", "simpleassembly",
+        "process hacker 2", "pc-ret", "http debugger", "Centos", "process monitor",
+        "debug", "ILSpy", "reverse", "simpleassemblyexplorer", "process", "de4dotmodded",
+        "dojandqwklndoqwd-x86", "sharpod", "folderchangesview", "fiddler", "die", "pizza",
+        "crack", "strongod", "ida -", "brute", "dump", "StringDecryptor", "wireshark",
+        "debugger", "httpdebugger", "gdb", "kdb", "x64_dbg", "windbg", "x64netdumper",
+        "petools", "scyllahide", "megadumper", "reversal", "ksdumper v1.1 - by equifox",
+        "dbgclr", "HxD", "monitor", "peek", "ollydbg", "ksdumper", "http", "wpe pro", "dbg",
+        "httpanalyzer", "httpdebug", "PhantOm", "kgdb", "james", "x32_dbg", "proxy", "phantom",
+        "mdbg", "WPE PRO", "system explorer", "de4dot", "X64NetDumper", "protection_id",
+        "charles", "systemexplorer", "pepper", "hxd", "procmon64", "MegaDumper", "ghidra", "xd",
+        "0harmony", "dojandqwklndoqwd", "hacker", "process hacker", "SAE", "mdb", "checker",
+        "harmony", "Protection_ID", "PETools", "scyllaHide", "x96dbg", "systemexplorerservice",
+        "folder", "mitmproxy", "dbx", "sniffer", "Process Hacker", "Process Explorer",
+        "Sysinternals", "www.sysinternals.com", "binary ninja"
+    }
+
+
+    def foreach_window(hwnd, lParam):
+        length = GetWindowTextLength(hwnd)
+        buff = ctypes.create_unicode_buffer(length + 1)
+        GetWindowText(hwnd, buff, length + 1)
+        title = buff.value
+
+        if IsWindowVisible(hwnd) and title.lower() in forbidden_titles:
+            return True
+        return False
+
+    found_forbidden = EnumWindows(EnumWindowsProc(foreach_window), 0)
+    return found_forbidden

AntiDebug/CheckInternetConnection.py

@@ -0,0 +1,10 @@
+import socket
+
+def check_connection():
+    try:
+        socket.create_connection(("google.com", 80), timeout=5)
+        return True, None
+    except socket.error as ex:
+        error_message = f"Error checking internet connection: {ex}"
+        print(f"[DEBUG] {error_message}")
+        return False, Exception(error_message)

AntiDebug/ComputerUptime.py

@@ -0,0 +1,16 @@
+import ctypes
+
+kernel32 = ctypes.windll.kernel32
+getTickCount = kernel32.GetTickCount
+getTickCount.restype = ctypes.c_ulong
+
+def GetUptimeInSeconds():
+    uptime = getTickCount()
+    return int(uptime / 1000)
+
+def CheckUptime(durationInSeconds):
+    uptime = GetUptimeInSeconds()
+    if uptime < durationInSeconds:
+        return True, None
+    else:
+        return False, None

AntiDebug/IsDebuggerPresent.py

@@ -0,0 +1,6 @@
+import ctypes
+
+kernel32 = ctypes.windll.kernel32
+
+def is_debugger_present():
+    return kernel32.IsDebuggerPresent() != 0

AntiDebug/KillBadProcesses.py

@@ -0,0 +1,14 @@
+import subprocess
+
+def KillBadProcesses():
+    processes_to_kill = [
+        "taskmgr.exe", "process.exe", "processhacker.exe", "ksdumper.exe", "fiddler.exe",
+        "httpdebuggerui.exe", "wireshark.exe", "httpanalyzerv7.exe", "fiddler.exe", "decoder.exe",
+        "regedit.exe", "procexp.exe", "dnspy.exe", "vboxservice.exe", "burpsuit.exe",
+        "DbgX.Shell.exe", "ILSpy.exe", "ollydbg.exe", "x32dbg.exe", "x64dbg.exe", "gdb.exe",
+        "idaq.exe", "idag.exe", "idaw.exe", "ida64.exe", "idag64.exe", "idaw64.exe",
+        "idaq64.exe", "windbg.exe", "ollydbg.exe", "immunitydebugger.exe", "windasm.exe"
+    ]
+
+    for process in processes_to_kill:
+        subprocess.run(["taskkill", "/F", "/IM", process], stdout=subprocess.PIPE, stderr=subprocess.PIPE)

AntiDebug/ParentAntiDebug.py

@@ -0,0 +1,52 @@
+import ctypes,os,pathlib,sys
+
+PROCESS_QUERY_INFORMATION = 0x0400
+MAX_PATH = 260 
+
+class PROCESS_BASIC_INFORMATION(ctypes.Structure):
+    _fields_ = [
+        ("Reserved1", ctypes.c_void_p),
+        ("PebBaseAddress", ctypes.c_void_p),
+        ("Reserved2", ctypes.c_void_p * 2),
+        ("UniqueProcessId", ctypes.c_ulong),
+        ("InheritedFromUniqueProcessId", ctypes.c_void_p)
+    ]
+
+ntdll = ctypes.WinDLL("ntdll.dll")
+ntquery = ntdll.NtQueryInformationProcess
+ntquery.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(PROCESS_BASIC_INFORMATION), ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32)]
+
+def NtQueryProc(handle, class_type):
+    proc_basic_info = PROCESS_BASIC_INFORMATION()
+    return_length = ctypes.c_uint32()
+    status = ntquery(handle, class_type, ctypes.byref(proc_basic_info), ctypes.sizeof(proc_basic_info), ctypes.byref(return_length))
+    if status != 0x0:
+        raise ctypes.WinError(ctypes.get_last_error())
+    return proc_basic_info
+
+def QueryImageName(handle):
+    name_buffer = ctypes.create_unicode_buffer(MAX_PATH)
+    size = ctypes.c_uint32(MAX_PATH)
+    if not ctypes.windll.kernel32.QueryFullProcessImageNameW(handle, 0, name_buffer, ctypes.byref(size)):
+        raise ctypes.WinError(ctypes.get_last_error())
+    return name_buffer.value
+
+def CurrentProcName():
+    return pathlib.Path(os.path.abspath(sys.argv[0])).name
+
+def ParentAntiDebug():
+    try:
+        current_process = ctypes.windll.kernel32.GetCurrentProcess()
+        proc_info = NtQueryProc(current_process, 0)
+        parent_process = ctypes.windll.kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, proc_info.InheritedFromUniqueProcessId)
+        if not parent_process:
+            raise ctypes.WinError(ctypes.get_last_error())
+        parent_process_name = QueryImageName(parent_process)
+        ctypes.windll.kernel32.CloseHandle(parent_process)
+        if not (parent_process_name.endswith("explorer.exe") or parent_process_name.endswith("cmd.exe")):
+            return True
+        else:
+            return False
+    except Exception as e:
+        print(f"Error: {e}")
+        return False

AntiDebug/RemoteDebugger.py

@@ -0,0 +1,9 @@
+import ctypes
+
+kernel32 = ctypes.windll.kernel32
+
+def CheckRemoteDebugger():
+    process_handle = kernel32.GetCurrentProcess()
+    is_debugger_detected = ctypes.c_int(0)
+    kernel32.CheckRemoteDebuggerPresent(process_handle, ctypes.byref(is_debugger_detected))
+    return is_debugger_detected.value != 0

AntiVirtulization/KVMCheck.py

@@ -0,0 +1,13 @@
+import os
+import glob
+
+def CheckForKVM():
+    bad_drivers_list = ["balloon.sys", "netkvm.sys", "vioinput*", "viofs.sys", "vioser.sys"]
+    system32_folder = os.path.join(os.getenv("SystemRoot", ""), "System32")
+
+    for driver in bad_drivers_list:
+        files = glob.glob(os.path.join(system32_folder, driver))
+        if files:
+            return True, None
+
+    return False, None

AntiVirtulization/MonitorMetrics.py

@@ -0,0 +1,12 @@
+import ctypes
+
+def IsScreenSmall():
+    try:
+        user32 = ctypes.windll.user32
+        width = user32.GetSystemMetrics(0) 
+        height = user32.GetSystemMetrics(1)
+
+        is_small = width < 800 or height < 600
+        return is_small, None
+    except Exception as e:
+        return False, f"Error checking screen size: {e}"

AntiVirtulization/ParallelsCheck.py

@@ -0,0 +1,17 @@
+import os
+import glob
+
+def CheckForParallels():
+    parallels_drivers = ["prl_sf", "prl_tg", "prl_eth"]
+    sys32_folder = os.path.join(os.getenv("SystemRoot", ""), "System32")
+
+    try:
+        files = os.listdir(sys32_folder)
+        for file in files:
+            for driver in parallels_drivers:
+                if driver in file.lower():
+                    return True, None
+    except Exception as e:
+        return False, f"Error accessing System32 directory: {e}"
+
+    return False, None