diff --git a/AntiAntiRootkit/IsSecureBoot/SecureBootCheck.go b/AntiAntiRootkit/IsSecureBoot/SecureBootCheck.go new file mode 100644 index 0000000..7b2766f --- /dev/null +++ b/AntiAntiRootkit/IsSecureBoot/SecureBootCheck.go @@ -0,0 +1,33 @@ +package SecureBootCheck + +import ( + "os/exec" + "strings" + "syscall" +) + +const CREATE_NO_WINDOW = 0x08000000 + +// IsSecureBootEnabled runs Confirm-SecureBootUEFI silently (no console window) and returns true if Secure Boot is enabled. +func IsSecureBootEnabled() bool { + cmd := exec.Command( + "powershell.exe", + "-NoProfile", + "-NonInteractive", + "-Command", + "Confirm-SecureBootUEFI", + ) + // Hide the console window entirely + cmd.SysProcAttr = &syscall.SysProcAttr{ + HideWindow: true, + CreationFlags: CREATE_NO_WINDOW, + } + + output, err := cmd.Output() + if err != nil { + return false + } + + outStr := strings.TrimSpace(strings.ToLower(string(output))) + return outStr == "true" +} diff --git a/AntiDLLInjection/MitigationPolicy/PatchMitigationPolicy.go b/AntiDLLInjection/MitigationPolicy/PatchMitigationPolicy.go index b18b99f..af88536 100644 --- a/AntiDLLInjection/MitigationPolicy/PatchMitigationPolicy.go +++ b/AntiDLLInjection/MitigationPolicy/PatchMitigationPolicy.go @@ -15,12 +15,17 @@ type PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY struct { } var ( - modkernelbase = syscall.NewLazyDLL("kernelbase.dll") - procSetProcessMitigationPolicy = modkernelbase.NewProc("SetProcessMitigationPolicy") + modkernel32 = syscall.NewLazyDLL("kernel32.dll") + procSetProcessMitigationPolicy = modkernel32.NewProc("SetProcessMitigationPolicy") ) +// SetProcessMitigationPolicy calls the Windows API SetProcessMitigationPolicy func SetProcessMitigationPolicy(policy int, lpBuffer *PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY, size uint32) (bool, error) { - ret, _, err := procSetProcessMitigationPolicy.Call(uintptr(policy),uintptr(unsafe.Pointer(lpBuffer)),uintptr(size),) + ret, _, err := procSetProcessMitigationPolicy.Call( + uintptr(policy), + uintptr(unsafe.Pointer(lpBuffer)), + uintptr(size), + ) if ret != 0 { return true, nil } @@ -31,20 +36,15 @@ func SetProcessMitigationPolicy(policy int, lpBuffer *PROCESS_MITIGATION_BINARY_ } func ConfigureProcessMitigationPolicy() { - var OnlyMicrosoftBinaries PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY - OnlyMicrosoftBinaries.MicrosoftSignedOnly = 1 + var policy PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY + policy.MicrosoftSignedOnly = 1 - success, err := SetProcessMitigationPolicy(ProcessSignaturePolicyMitigation, - &OnlyMicrosoftBinaries, - uint32(unsafe.Sizeof(OnlyMicrosoftBinaries)), - ) + ok, err := SetProcessMitigationPolicy(ProcessSignaturePolicyMitigation, &policy, uint32(unsafe.Sizeof(policy))) if err != nil { - fmt.Println("Failed:", err.Error()) - return - } - if success { - fmt.Println("Success") + fmt.Printf("Failed to set mitigation policy: %v\n", err) + } else if ok { + fmt.Println("Mitigation policy set successfully.") } else { - fmt.Println("Failed") + fmt.Println("Failed to set mitigation policy: Unknown error.") } } diff --git a/AntiDebug/CheckBlacklistedWindowsNames/CheckBlacklistedWindowsNames.go b/AntiDebug/CheckBlacklistedWindowsNames/CheckBlacklistedWindowsNames.go index 836f490..7b9bb12 100644 --- a/AntiDebug/CheckBlacklistedWindowsNames/CheckBlacklistedWindowsNames.go +++ b/AntiDebug/CheckBlacklistedWindowsNames/CheckBlacklistedWindowsNames.go @@ -1,69 +1,242 @@ package CheckBlacklistedWindowsNames import ( - "log" - "syscall" - "unsafe" + "os" + "os/exec" + "strings" + "syscall" + "unsafe" ) var ( - mu32 = syscall.NewLazyDLL("user32.dll") - pew = mu32.NewProc("EnumWindows") - pgwt = mu32.NewProc("GetWindowTextA") - pgwtp = mu32.NewProc("GetWindowThreadProcessId") - mk32 = syscall.NewLazyDLL("kernel32.dll") - pop = mk32.NewProc("OpenProcess") - ptp = mk32.NewProc("TerminateProcess") - pch = mk32.NewProc("CloseHandle") + mu32 = syscall.NewLazyDLL("user32.dll") + pew = mu32.NewProc("EnumWindows") + pgwt = mu32.NewProc("GetWindowTextA") + pgwtp = mu32.NewProc("GetWindowThreadProcessId") + mk32 = syscall.NewLazyDLL("kernel32.dll") + pop = mk32.NewProc("OpenProcess") + ptp = mk32.NewProc("TerminateProcess") + pch = mk32.NewProc("CloseHandle") ) +// Full banned UUIDs list +var bannedUUIDs = []string{ + "7AB5C494-39F5-4941-9163-47F54D6D5016", + "7204B444-B03C-48BA-A40F-0D1FE2E4A03B", + "88F1A492-340E-47C7-B017-AAB2D6F6976C", + "129B5E6B-E368-45D4-80AB-D4F106495924", + "8F384129-F079-456E-AE35-16608E317F4F", + "E6833342-780F-56A2-6F92-77DACC2EF8B3", + "032E02B4-0499-05C3-0806-3C0700080009", + "03DE0294-0480-05DE-1A06-350700080009", + "11111111-2222-3333-4444-555555555555", + "71DC2242-6EA2-C40B-0798-B4F5B4CC8776", + "6F3CA5EC-BEC9-4A4D-8274-11168F640058", + "ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548", + "4C4C4544-0050-3710-8058-CAC04F59344A", + "00000000-0000-0000-0000-AC1F6BD04972", + "00000000-0000-0000-0000-AC1F6BD04C9E", + "00000000-0000-0000-0000-000000000000", + "5BD24D56-789F-8468-7CDC-CAA7222CC121", + "49434D53-0200-9065-2500-65902500E439", + "49434D53-0200-9036-2500-36902500F022", + "777D84B3-88D1-451C-93E4-D235177420A7", + "49434D53-0200-9036-2500-369025000C65", + "B1112042-52E8-E25B-3655-6A4F54155DBF", + "00000000-0000-0000-0000-AC1F6BD048FE", + "EB16924B-FB6D-4FA1-8666-17B91F62FB37", + "A15A930C-8251-9645-AF63-E45AD728C20C", + "67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3", + "C7D23342-A5D4-68A1-59AC-CF40F735B363", + "63203342-0EB0-AA1A-4DF5-3FB37DBB0670", + "44B94D56-65AB-DC02-86A0-98143A7423BF", + "6608003F-ECE4-494E-B07E-1C4615D1D93C", + "D9142042-8F51-5EFF-D5F8-EE9AE3D1602A", + "49434D53-0200-9036-2500-369025003AF0", + "8B4E8278-525C-7343-B825-280AEBCD3BCB", + "4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27", + "79AF5279-16CF-4094-9758-F88A616D81B4", +} + +// Full banned computer names list +var bannedComputerNames = []string{ + "WDAGUtilityAccount", "Harry Johnson", "JOANNA", "WINZDS-21T43RNG", + "Abby", "Peter Wilson", "hmarc", "patex", "JOHN-PC", "RDhJ0CNFevzX", "kEecfMwgj", "Frank", + "8Nl0ColNQ5bq", "Lisa", "John", "george", "PxmdUOpVyx", "8VizSM", "w0fjuOVmCcP5A", "lmVwjj9b", + "PqONjHVwexsS", "3u2v9m8", "Julia", "HEUeRzl", "BEE7370C-8C0C-4", "DESKTOP-NAKFFMT", + "WIN-5E07COS9ALR", "B30F0242-1C6A-4", "DESKTOP-VRSQLAG", "Q9IATRKPRH", "XC64ZB", + "DESKTOP-D019GDM", "DESKTOP-WI8CLET", "SERVER1", "LISA-PC", "DESKTOP-B0T93D6", + "DESKTOP-1PYKP29", "DESKTOP-1Y2433R", "COMPNAME_4491", "WILEYPC", "WORK", "KATHLROGE", + "DESKTOP-TKGQ6GH", "6C4E733F-C2D9-4", "RALPHS-PC", "DESKTOP-WG3MYJS", "DESKTOP-7XC6GEZ", + "DESKTOP-5OV9S0O", "QarZhrdBpj", "ORELEEPC", "ARCHIBALDPC", "DESKTOP-NNSJYNR", + "JULIA-PC", "DESKTOP-BQISITB", "d1bnJkfVlH", +} + +// Full banned processes list +var bannedProcesses = []string{ + "HTTP Toolkit.exe", "httpdebuggerui.exe", "wireshark.exe", "fiddler.exe", + "df5serv.exe", "processhacker.exe", "vmtoolsd.exe", + "ida64.exe", "ollydbg.exe", "pestudio.exe", "vgauthservice.exe", "vmacthlp.exe", + "x96dbg.exe", "vmsrvc.exe", "x32dbg.exe", "vmusrvc.exe", "prl_cc.exe", "prl_tools.exe", "xenservice.exe", + "qemu-ga.exe", "joeboxcontrol.exe", "ksdumperclient.exe", "ksdumper.exe", "joeboxserver.exe", +} + var blacklistedWindows = []string{ - "proxifier", "graywolf", "extremedumper", "zed", "exeinfope", "dnspy", - "titanHide", "ilspy", "titanhide", "x32dbg", "codecracker", "simpleassembly", - "process hacker 2", "pc-ret", "http debugger", "Centos", "process monitor", - "debug", "ILSpy", "reverse", "simpleassemblyexplorer", "process", "de4dotmodded", - "dojandqwklndoqwd-x86", "sharpod", "folderchangesview", "fiddler", "die", "pizza", - "crack", "strongod", "ida -", "brute", "dump", "StringDecryptor", "wireshark", - "debugger", "httpdebugger", "gdb", "kdb", "x64_dbg", "windbg", "x64netdumper", - "petools", "scyllahide", "megadumper", "reversal", "ksdumper v1.1 - by equifox", - "dbgclr", "HxD", "monitor", "peek", "ollydbg", "ksdumper", "http", "wpe pro", "dbg", - "httpanalyzer", "httpdebug", "PhantOm", "kgdb", "james", "x32_dbg", "proxy", "phantom", - "mdbg", "WPE PRO", "system explorer", "de4dot", "X64NetDumper", "protection_id", - "charles", "systemexplorer", "pepper", "hxd", "procmon64", "MegaDumper", "ghidra", "xd", - "0harmony", "dojandqwklndoqwd", "hacker", "process hacker", "SAE", "mdb", "checker", - "harmony", "Protection_ID", "PETools", "scyllaHide", "x96dbg", "systemexplorerservice", - "folder", "mitmproxy", "dbx", "sniffer", "Process Hacker", "Process Explorer", "Sysinternals", "www.sysinternals.com", "binary ninja", + "proxifier", "graywolf", "extremedumper", "zed", "exeinfope", "dnspy", "titanHide", "ilspy", "titanhide", + "x32dbg", "codecracker", "simpleassembly", "process hacker 2", "pc-ret", "http debugger", "Centos", + "process monitor", "debug", "ILSpy", "reverse", "simpleassemblyexplorer", "de4dotmodded", + "dojandqwklndoqwd-x86", "sharpod", "folderchangesview", "fiddler", "die", "pizza", "crack", "strongod", + "ida -", "brute", "dump", "StringDecryptor", "wireshark", "debugger", "httpdebugger", "gdb", "kdb", + "x64_dbg", "windbg", "x64netdumper", "petools", "scyllahide", "megadumper", "reversal", + "ksdumper v1.1 - by equifox", "dbgclr", "HxD", "peek", "ollydbg", "ksdumper", "http", + "wpe pro", "dbg", "httpanalyzer", "httpdebug", "PhantOm", "kgdb", "james", "x32_dbg", "proxy", "phantom", + "mdbg", "WPE PRO", "system explorer", "de4dot", "X64NetDumper", "protection_id", "charles", + "systemexplorer", "pepper", "hxd", "procmon64", "MegaDumper", "ghidra", "0harmony", + "dojandqwklndoqwd", "hacker", "process hacker", "SAE", "mdb", "cheat engine", "hacker", "windbg.exe", + "petools.exe", "hacker.exe", +} + +const CREATE_NO_WINDOW = 0x08000000 + +// enumWindowsAndCheck enumerates windows and returns true if any blacklisted window title is found +func enumWindowsAndCheck() bool { + foundBlacklisted := false + + // Wrap enumWindowsProc callback to mark if blacklisted window found + callback := func(hwnd syscall.Handle, lParam uintptr) uintptr { + var pid uint32 + pgwtp.Call(uintptr(hwnd), uintptr(unsafe.Pointer(&pid))) + + var title [256]byte + pgwt.Call(uintptr(hwnd), uintptr(unsafe.Pointer(&title[0])), uintptr(len(title))) + wt := string(title[:]) + wt = strings.Trim(wt, "\x00") + + for _, blacklisted := range blacklistedWindows { + if strings.Contains(strings.ToLower(wt), strings.ToLower(blacklisted)) { + foundBlacklisted = true + break + } + } + return 1 // Continue enumeration + } + + pew.Call(syscall.NewCallback(callback), 0) + + return foundBlacklisted +} + +// checkBannedProcesses returns true if any banned process is running (does NOT terminate) +func checkBannedProcesses() bool { + cmd := exec.Command("tasklist", "/fo", "csv", "/nh") + cmd.SysProcAttr = &syscall.SysProcAttr{ + HideWindow: true, + CreationFlags: CREATE_NO_WINDOW, + } + output, err := cmd.Output() + if err != nil { + return false + } + + lines := strings.Split(string(output), "\n") + for _, line := range lines { + if line == "" { + continue + } + fields := parseCSVLine(line) + if len(fields) < 2 { + continue + } + procName := strings.Trim(fields[0], "\"") + + for _, bannedProc := range bannedProcesses { + if strings.EqualFold(procName, bannedProc) { + return true + } + } + } + + return false } -// CheckBlacklistedWindows checks for blacklisted window names and terminates the associated process if found. -func CheckBlacklistedWindows() { - pew.Call(syscall.NewCallback(enumWindowsProc), 0) +// parseCSVLine is a simple CSV parser for one line (handles quoted commas) +func parseCSVLine(line string) []string { + var res []string + var cur strings.Builder + inQuotes := false + for i := 0; i < len(line); i++ { + ch := line[i] + if ch == '"' { + inQuotes = !inQuotes + continue + } + if ch == ',' && !inQuotes { + res = append(res, cur.String()) + cur.Reset() + continue + } + cur.WriteByte(ch) + } + res = append(res, cur.String()) + return res } -// enumWindowsProc is the callback function that checks each window title against the blacklist. -func enumWindowsProc(hwnd syscall.Handle, lParam uintptr) uintptr { - var pid uint32 - pgwtp.Call(uintptr(hwnd), uintptr(unsafe.Pointer(&pid))) - - var title [256]byte - pgwt.Call(uintptr(hwnd), uintptr(unsafe.Pointer(&title[0])), uintptr(len(title))) - wt := string(title[:]) - - // Check if the window title contains any blacklisted strings - for _, blacklisted := range blacklistedWindows { - if contains(wt, blacklisted) { - log.Printf("Detected blacklisted window: %s\n", wt) - // If a blacklisted window is found, terminate the associated process - proc, _, _ := pop.Call(syscall.PROCESS_TERMINATE, 0, uintptr(pid)) - if proc != 0 { - ptp.Call(proc, 0) - pch.Call(proc) - } - } - } - return 1 // Continue enumeration +// checkBannedUUID example, using PowerShell to get UUID and match banned +func checkBannedUUID() bool { + cmd := exec.Command( + "powershell.exe", + "-NoProfile", + "-NonInteractive", + "-Command", + "Get-CimInstance Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID", + ) + // Hide the console window entirely + cmd.SysProcAttr = &syscall.SysProcAttr{ + HideWindow: true, + CreationFlags: CREATE_NO_WINDOW, + } + + out, err := cmd.Output() + if err != nil { + return false + } + uuid := strings.TrimSpace(string(out)) + uuid = strings.ToUpper(uuid) + for _, banned := range bannedUUIDs { + if uuid == banned { + return true + } + } + return false } -func contains(s, substr string) bool { - return len(s) >= len(substr) && s[:len(substr)] == substr +// CheckBlacklistedWindows checks windows and processes against blacklist and returns true if any blacklist matches found. +func CheckBlacklistedWindows() bool { + // Check banned computer name early and return true if matched + hostname, err := os.Hostname() + if err == nil { + for _, bannedName := range bannedComputerNames { + if strings.EqualFold(hostname, bannedName) { + return true + } + } + } + + // Check banned UUIDs (via PowerShell) + if checkBannedUUID() { + return true + } + + // Enumerate windows and check blacklisted window titles + if enumWindowsAndCheck() { + return true + } + + // Enumerate running processes and check banned ones + if checkBannedProcesses() { + return true + } + + // No blacklist conditions matched + return false } diff --git a/AntiDebug/InternetCheck/internetcheck.go b/AntiDebug/InternetCheck/internetcheck.go index 0c2c924..fe4ad26 100644 --- a/AntiDebug/InternetCheck/internetcheck.go +++ b/AntiDebug/InternetCheck/internetcheck.go @@ -1,23 +1,15 @@ package InternetCheck import ( - "log" - "net" - "errors" + "errors" + "net" ) func CheckConnection() (bool, error) { - conn, err := net.Dial("tcp", "google.com:80") - if err != nil { - err = errors.New("error checking internet connection: " + err.Error()) - log.Printf("[DEBUG] Error checking internet connection: %v", err) - return false, err - } - defer func() { - if cerr := conn.Close(); cerr != nil { - log.Printf("[DEBUG] Error closing connection: %v", cerr) - } - }() - - return true, nil + conn, err := net.Dial("tcp", "google.com:80") + if err != nil { + return false, errors.New("error checking internet connection: " + err.Error()) + } + defer conn.Close() + return true, nil } diff --git a/AntiDebug/ParentAntiDebug/parentantidebug.go b/AntiDebug/ParentAntiDebug/parentantidebug.go index 0329a12..f463a6a 100644 --- a/AntiDebug/ParentAntiDebug/parentantidebug.go +++ b/AntiDebug/ParentAntiDebug/parentantidebug.go @@ -1,7 +1,7 @@ package ParentAntiDebug import ( - "log" + "os" "path/filepath" "syscall" @@ -27,11 +27,9 @@ type ProcessInfo struct { func NtQueryProc(handle syscall.Handle, class uint32, info *ProcessInfo, length uint32) error { r1, _, err := syscall.Syscall6(ntquery.Addr(), 5, uintptr(handle), uintptr(class), uintptr(unsafe.Pointer(info)), uintptr(length), 0, 0) if err != 0 { - log.Printf("NtQueryInformationProcess failed: %v", err) return err } if r1 != 0 { - log.Printf("NtQueryInformationProcess failed: unexpected return value: %v", r1) return err } return nil @@ -41,7 +39,6 @@ func NtQueryProc(handle syscall.Handle, class uint32, info *ProcessInfo, length func QueryImageName(handle syscall.Handle, flags uint32, nameBuffer []uint16, size *uint32) error { err := windows.QueryFullProcessImageName(windows.Handle(handle), flags, &nameBuffer[0], size) if err != nil { - log.Printf("QueryFullProcessImageName failed: %v", err) return err } return nil @@ -51,7 +48,6 @@ func QueryImageName(handle syscall.Handle, flags uint32, nameBuffer []uint16, si func CurrentProcName() (string, error) { exePath, err := os.Executable() if err != nil { - log.Printf("os.Executable failed: %v", err) return "", err } return filepath.Base(exePath), nil @@ -62,7 +58,6 @@ func ParentAntiDebug() bool { const ProcInfo = 0 var p ProcessInfo if err := NtQueryProc(syscall.Handle(windows.CurrentProcess()), ProcInfo, &p, uint32(unsafe.Sizeof(p))); err != nil { - log.Printf("Error querying process information: %v", err) return false } par := int32(p.InheritedFromPID) @@ -71,7 +66,6 @@ func ParentAntiDebug() bool { } handle, err := syscall.OpenProcess(syscall.PROCESS_QUERY_INFORMATION, false, uint32(par)) if err != nil { - log.Printf("Error opening process handle: %v", err) return false } defer syscall.CloseHandle(handle) @@ -79,7 +73,6 @@ func ParentAntiDebug() bool { buff13 := make([]uint16, windows.MAX_PATH) size := uint32(len(buff13)) if err := QueryImageName(handle, 0, buff13, &size); err != nil { - log.Printf("Error querying image name: %v", err) return false } parname := filepath.Base(syscall.UTF16ToString(buff13[:size])) diff --git a/AntiDebug/ProcessDetection/ProcessDetection.go b/AntiDebug/ProcessDetection/ProcessDetection.go index c177726..305642b 100644 --- a/AntiDebug/ProcessDetection/ProcessDetection.go +++ b/AntiDebug/ProcessDetection/ProcessDetection.go @@ -2,7 +2,6 @@ package BadProcesses import ( "bytes" - "log" "os/exec" "strings" ) diff --git a/AntiDebug/RunningProcesses/RunningProcesses.go b/AntiDebug/RunningProcesses/RunningProcesses.go index e903efb..c2ee83b 100644 --- a/AntiDebug/RunningProcesses/RunningProcesses.go +++ b/AntiDebug/RunningProcesses/RunningProcesses.go @@ -1,37 +1,38 @@ package RunningProcesses import ( - "log" "syscall" "unsafe" ) var ( - kernel32DLL = syscall.NewLazyDLL("kernel32.dll") - enumProcesses = kernel32DLL.NewProc("K32EnumProcesses") + kernel32DLL = syscall.NewLazyDLL("kernel32.dll") + enumProcesses = kernel32DLL.NewProc("K32EnumProcesses") ) // GetRunningProcessesCount returns the number of currently running processes. func GetRunningProcessesCount() (int, error) { var ids [1024]uint32 var needed uint32 - r1, _, err := enumProcesses.Call(uintptr(unsafe.Pointer(&ids)), uintptr(len(ids)), uintptr(unsafe.Pointer(&needed))) + + r1, _, _ := enumProcesses.Call( + uintptr(unsafe.Pointer(&ids[0])), + uintptr(len(ids)*4), // size in bytes + uintptr(unsafe.Pointer(&needed)), + ) + if r1 == 0 { - log.Printf("K32EnumProcesses failed: %v", err) - return 0, nil + return 0, syscall.GetLastError() } - return int(needed / 4), nil + + return int(needed / 4), nil // each process ID is 4 bytes } // CheckRunningProcessesCount checks if the number of currently running processes is less than a specified count. -func CheckRunningProcessesCount(count int) (bool, error) { - processesCount, err := GetRunningProcessesCount() +func CheckRunningProcessesCount(threshold int) (bool, error) { + count, err := GetRunningProcessesCount() if err != nil { return false, err } - - if processesCount < count { - return true, nil - } - return false, nil + return count < threshold, nil } diff --git a/AntiDebug/UserAntiAntiDebug/HooksDetection.go b/AntiDebug/UserAntiAntiDebug/HooksDetection.go index 40214e1..e41b621 100644 --- a/AntiDebug/UserAntiAntiDebug/HooksDetection.go +++ b/AntiDebug/UserAntiAntiDebug/HooksDetection.go @@ -1,7 +1,7 @@ package HooksDetection import ( - "log" + "syscall" "unsafe" ) @@ -142,7 +142,3 @@ func DetectHooksOnCommonWinAPIFunctions(moduleName string, functions []string) b } return false } - -func AntiAntiDebug() { - log.Println("Detecting Hooks on Common WinAPI Functions by checking for Bad Instructions on Functions Addresses (Most Effective on x64): ", DetectHooksOnCommonWinAPIFunctions("", nil)) -} diff --git a/AntiVirtualization/AnyRunDetection/anyruncheck.go b/AntiVirtualization/AnyRunDetection/anyruncheck.go new file mode 100644 index 0000000..b11959d --- /dev/null +++ b/AntiVirtualization/AnyRunDetection/anyruncheck.go @@ -0,0 +1,27 @@ +package AnyRunDetection + +import ( + "log" + "net" + "strings" +) + +// AnyRunDetection checks for the "52-54-00" MAC address prefix and returns true if found. +func AnyRunDetection() (bool, error) { + // Retrieve all network interfaces + interfaces, err := net.Interfaces() + if err != nil { + log.Printf("Error getting network interfaces: %v", err) + return false, err + } + + // Loop through each interface and check the MAC address + for _, iface := range interfaces { + macAddress := iface.HardwareAddr.String() // Fetch the MAC address + if strings.HasPrefix(strings.ToUpper(strings.ReplaceAll(macAddress, "-", ":")), "52:54:00") { + return true, nil + } + } + + return false, nil +} diff --git a/AntiVirtualization/CleanEnvironmentDetection/cleanenvironmentcheck.go b/AntiVirtualization/CleanEnvironmentDetection/cleanenvironmentcheck.go new file mode 100644 index 0000000..a108144 --- /dev/null +++ b/AntiVirtualization/CleanEnvironmentDetection/cleanenvironmentcheck.go @@ -0,0 +1,61 @@ +package CleanEnvironmentDetection + +import ( + "strings" + + "golang.org/x/sys/windows/registry" +) + +// DetectCleanEnvironment checks if at least 10 programs are installed on the system. +func DetectCleanEnvironment() bool { + total := countInstalledPrograms() + return total >= 10 +} + +// countInstalledPrograms enumerates installed programs from registry uninstall keys. +func countInstalledPrograms() int { + uninstallKeys := []struct { + root registry.Key + path string + }{ + {registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`}, + {registry.LOCAL_MACHINE, `SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall`}, + {registry.CURRENT_USER, `SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`}, + } + + count := 0 + seen := make(map[string]bool) + + for _, uk := range uninstallKeys { + key, err := registry.OpenKey(uk.root, uk.path, registry.READ) + if err != nil { + continue + } + defer key.Close() + + names, err := key.ReadSubKeyNames(-1) + if err != nil { + continue + } + + for _, name := range names { + subKey, err := registry.OpenKey(uk.root, uk.path+`\`+name, registry.READ) + if err != nil { + continue + } + + displayName, _, err := subKey.GetStringValue("DisplayName") + subKey.Close() + + if err == nil && displayName != "" { + normalized := strings.ToLower(displayName) + if !seen[normalized] { + seen[normalized] = true + count++ + } + } + } + } + + return count +} diff --git a/AntiVirtualization/ComodoAntivirusDetection/comodocheck.go b/AntiVirtualization/ComodoAntivirusDetection/comodocheck.go new file mode 100644 index 0000000..27552bb --- /dev/null +++ b/AntiVirtualization/ComodoAntivirusDetection/comodocheck.go @@ -0,0 +1,84 @@ +package ComodoAntivirusDetection + +import ( + "os" + "golang.org/x/sys/windows/registry" + "golang.org/x/sys/windows/svc/mgr" +) + +// DetectComodoAntivirus checks if Comodo Antivirus is installed or present. +func DetectComodoAntivirus() bool { + // Check for the installation paths + comodoPaths := []string{ + "C:\\Program Files\\COMODO\\COMODO Internet Security\\", + "C:\\Program Files (x86)\\COMODO\\COMODO Internet Security\\", + } + + for _, path := range comodoPaths { + if pathExists(path) { + return true + } + } + + // Check for the Comodo Antivirus driver + driverPath := "C:\\Windows\\System32\\drivers\\cmdguard.sys" + if pathExists(driverPath) { + return true + } + + // Check for Comodo Antivirus registry key + if checkComodoRegistry() { + return true + } + + // Check for Comodo Antivirus service using Windows service manager. + if checkComodoService() { + return true + } + + return false +} + +// pathExists checks if a given path exists. +func pathExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +// checkComodoRegistry checks for Comodo Antivirus in the registry key. +func checkComodoRegistry() bool { + comodoKey := `SOFTWARE\COMODO\CIS` + return registryKeyExists(registry.LOCAL_MACHINE, comodoKey) +} + +// checkComodoService checks for the Comodo Antivirus service using Windows service manager. +func checkComodoService() bool { + serviceName := "cmdagent" + return serviceExists(serviceName) +} + +// serviceExists checks if a service exists using Windows service manager. +func serviceExists(serviceName string) bool { + m, err := mgr.Connect() + if err != nil { + return false + } + defer m.Disconnect() + + s, err := m.OpenService(serviceName) + if err != nil { + return false + } + s.Close() + return true +} + +// registryKeyExists checks if a registry key exists. +func registryKeyExists(root registry.Key, path string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + return true +} diff --git a/AntiVirtualization/CyberCapture/AvastSandbox.go b/AntiVirtualization/CyberCapture/AvastSandbox.go new file mode 100644 index 0000000..52590d0 --- /dev/null +++ b/AntiVirtualization/CyberCapture/AvastSandbox.go @@ -0,0 +1,18 @@ +package CyberCapture + +import ( + "os" + "path/filepath" +) + +func CreateDirectory() bool { + programFiles := os.Getenv("ProgramFiles") + if programFiles == "" { + programFiles = `C:\Program Files` + } + + dir := filepath.Join(programFiles, "antvirusdefender2025") + + err := os.MkdirAll(dir, 0755) + return err == nil +} diff --git a/AntiVirtualization/DeepFreezeDetection/deepfreezecheck.go b/AntiVirtualization/DeepFreezeDetection/deepfreezecheck.go new file mode 100644 index 0000000..a5d10fb --- /dev/null +++ b/AntiVirtualization/DeepFreezeDetection/deepfreezecheck.go @@ -0,0 +1,111 @@ +package DeepFreezeDetection + +import ( + "os" + "strings" + "golang.org/x/sys/windows/registry" + "golang.org/x/sys/windows/svc/mgr" +) + +// DetectDeepFreeze checks if Deep Freeze is installed or present. +func DetectDeepFreeze() bool { + // Check for installation paths + deepFreezePaths := []string{ + "C:\\Program Files\\Faronics\\Deep Freeze\\", + "C:\\Program Files (x86)\\Faronics\\Deep Freeze\\", + } + for _, path := range deepFreezePaths { + if pathExists(path) { + return true + } + } + + // Check for Deep Freeze driver + driverPath := "C:\\Persi0.sys" + if pathExists(driverPath) { + return true + } + + // Check registry keys + if checkHelpDirRegistry() { + return true + } + + if checkAutoRecoverMOFs() { + return true + } + + // Check for Deep Freeze service using Windows API + if checkDeepFreezeService() { + return true + } + + return false +} + +func pathExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +func checkHelpDirRegistry() bool { + helpDirKey := `SOFTWARE\Classes\TypeLib\{C5D763D9-2422-4B2D-A425-02D5BD016239}\1.0\HELPDIR` + return registryKeyExists(registry.LOCAL_MACHINE, helpDirKey) +} + +func checkAutoRecoverMOFs() bool { + cimomKey := `SOFTWARE\Microsoft\Wbem\CIMOM` + key, err := registry.OpenKey(registry.LOCAL_MACHINE, cimomKey, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + + mofs, _, err := key.GetStringsValue("Autorecover MOFs") + if err != nil { + return false + } + + for _, mof := range mofs { + if strings.Contains(strings.ToLower(mof), "faronics") { + return true + } + } + return false +} + +func checkDeepFreezeService() bool { + return serviceExists("DFServ") +} + +// Updated serviceExists uses Windows Service Manager API +func serviceExists(serviceName string) bool { + m, err := mgr.Connect() + if err != nil { + return false + } + defer m.Disconnect() + + svc, err := m.OpenService(serviceName) + if err != nil { + return false + } + defer svc.Close() + + status, err := svc.Query() + if err != nil { + return false + } + + const serviceRunning = 4 + return status.State == serviceRunning +} + +func registryKeyExists(root registry.Key, path string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + return true +} diff --git a/AntiVirtualization/HyperVDetection/hypervdetection.go b/AntiVirtualization/HyperVDetection/hypervdetection.go new file mode 100644 index 0000000..bb1f43a --- /dev/null +++ b/AntiVirtualization/HyperVDetection/hypervdetection.go @@ -0,0 +1,70 @@ +package HyperVCheck + +import ( + "os/exec" + "strings" + "syscall" + "golang.org/x/sys/windows/registry" + "golang.org/x/sys/windows/svc/mgr" +) + +// DetectHyperV checks if Hyper-V is installed using registry, service, and process checks. +func DetectHyperV() (bool, error) { + // 1. Check Registry for Hyper-V + key, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization`, registry.QUERY_VALUE) + if err == nil { + defer key.Close() + enabled, _, err := key.GetIntegerValue("Enabled") + if err == nil && enabled == 1 { + return true, nil + } + } + + // 2. Check if Hyper-V services are running (vmms and vmbus) + if isServiceExisting("vmms") || isServiceExisting("vmbus") { + return true, nil + } + + // 3. Check if Hyper-V processes are running (vmms.exe and vmbus.sys) + if isProcessRunning("vmms.exe") || isProcessRunning("vmbus.sys") { + return true, nil + } + + return false, nil +} + +// isServiceExisting checks if a specific service exists and is running using Windows service manager. +func isServiceExisting(serviceName string) bool { + m, err := mgr.Connect() + if err != nil { + return false + } + defer m.Disconnect() + + svc, err := m.OpenService(serviceName) + if err != nil { + return false + } + defer svc.Close() + + status, err := svc.Query() + if err != nil { + return false + } + + // SERVICE_RUNNING = 4 + return status.State == 4 +} + +// isProcessRunning checks if a specific process is running +func isProcessRunning(processName string) bool { + cmd := exec.Command("tasklist") + cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + + output, err := cmd.Output() + if err != nil { + return false + } + + return strings.Contains(strings.ToLower(string(output)), strings.ToLower(processName)) +} diff --git a/AntiVirtualization/KVMCheck/kvmcheck.go b/AntiVirtualization/KVMCheck/kvmcheck.go index 42b3dd1..aba5b11 100644 --- a/AntiVirtualization/KVMCheck/kvmcheck.go +++ b/AntiVirtualization/KVMCheck/kvmcheck.go @@ -1,7 +1,7 @@ package KVMCheck import ( - "log" + "os" "path/filepath" ) @@ -13,7 +13,6 @@ func CheckForKVM() (bool, error) { for _, driver := range badDriversList { files, err := filepath.Glob(filepath.Join(os.Getenv("SystemRoot"), "System32", driver)) if err != nil { - log.Printf("Error accessing system files for %s: %v", driver, err) continue } if len(files) > 0 { diff --git a/AntiVirtualization/PowerShellDetection/PowerShellCheck.go b/AntiVirtualization/PowerShellDetection/PowerShellCheck.go new file mode 100644 index 0000000..b455687 --- /dev/null +++ b/AntiVirtualization/PowerShellDetection/PowerShellCheck.go @@ -0,0 +1,44 @@ +package PowerShellCheck + +import ( + "bytes" + "os/exec" + "strings" + "syscall" +) + +const CREATE_NO_WINDOW = 0x08000000 + +// RunPowerShellCommand runs a PowerShell command silently and returns the trimmed output or an error. +func RunPowerShellCommand(psCommand string) (string, error) { + // Use powershell.exe with -NoProfile and -NonInteractive to reduce side effects + cmd := exec.Command("powershell.exe", "-NoProfile", "-NonInteractive", "-Command", psCommand) + + // Hide the console window entirely + cmd.SysProcAttr = &syscall.SysProcAttr{ + HideWindow: true, + CreationFlags: CREATE_NO_WINDOW, + } + + var out bytes.Buffer + cmd.Stdout = &out + cmd.Stderr = &out + + err := cmd.Run() + if err != nil { + return "", err + } + + // Return trimmed output + return strings.TrimSpace(out.String()), nil +} + +// ContainsInPowerShellOutput runs a PowerShell command and checks if the output contains the target substring (case-insensitive). +func ContainsInPowerShellOutput(psCommand, target string) (bool, error) { + output, err := RunPowerShellCommand(psCommand) + if err != nil { + return false, err + } + + return strings.Contains(strings.ToLower(output), strings.ToLower(target)), nil +} diff --git a/AntiVirtualization/RecentFileActivity/RecentFileActivity.go b/AntiVirtualization/RecentFileActivity/RecentFileActivity.go index 721b2d2..1c0412b 100644 --- a/AntiVirtualization/RecentFileActivity/RecentFileActivity.go +++ b/AntiVirtualization/RecentFileActivity/RecentFileActivity.go @@ -1,7 +1,7 @@ package RecentFileActivity import ( - "log" + "os" "io/ioutil" "path/filepath" @@ -12,7 +12,6 @@ func RecentFileActivityCheck() (bool, error) { recdir := filepath.Join(os.Getenv("APPDATA"), "microsoft", "windows", "recent") files, err := ioutil.ReadDir(recdir) if err != nil { - log.Printf("Debug Check: Error reading recent file activity directory: %v", err) return false, err } diff --git a/AntiVirtualization/RepetitiveProcess/repetitiveproc.go b/AntiVirtualization/RepetitiveProcess/repetitiveproc.go index fc70a86..8fc568c 100644 --- a/AntiVirtualization/RepetitiveProcess/repetitiveproc.go +++ b/AntiVirtualization/RepetitiveProcess/repetitiveproc.go @@ -2,7 +2,7 @@ package RepetitiveProcess import ( "bytes" - "log" + "os/exec" "strings" "syscall" @@ -18,7 +18,6 @@ func Check() (bool, error) { err := cmd.Run() if err != nil { - log.Printf("Error running tasklist command: %v", err) return false, err } diff --git a/AntiVirtualization/SandboxieDetection/sandboxiecheck.go b/AntiVirtualization/SandboxieDetection/sandboxiecheck.go new file mode 100644 index 0000000..6787d76 --- /dev/null +++ b/AntiVirtualization/SandboxieDetection/sandboxiecheck.go @@ -0,0 +1,107 @@ +package SandboxieDetection + +import ( + "os" + "golang.org/x/sys/windows/registry" + "golang.org/x/sys/windows/svc/mgr" +) + +// DetectSandboxie checks if Sandboxie is installed or present. +func DetectSandboxie() bool { + // Check for the installation paths + sandboxiePaths := []string{ + "C:\\Program Files\\Sandboxie\\", + "C:\\Program Files (x86)\\Sandboxie\\", + } + + for _, path := range sandboxiePaths { + if pathExists(path) { + return true + } + } + + // Check for the existence of the Sandboxie service + serviceName := "SbieSvc" // Sandboxie service name + if isServiceExisting(serviceName) { + return true + } + + // Check for Sandboxie registry keys + if checkSandboxieRegistry() { + return true + } + + return false +} + +// pathExists checks if a given path exists. +func pathExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +// isServiceExisting checks if a service exists using Windows service manager. +func isServiceExisting(serviceName string) bool { + m, err := mgr.Connect() + if err != nil { + return false // fail quietly + } + defer m.Disconnect() + + s, err := m.OpenService(serviceName) + if err != nil { + return false // service not found + } + s.Close() + return true // service found +} + +// checkSandboxieRegistry checks for the presence of various Sandboxie-related registry keys. +func checkSandboxieRegistry() bool { + // Check if Sandboxie is listed in the uninstall registry key + uninstallKey := `SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie` + if registryKeyExists(registry.LOCAL_MACHINE, uninstallKey) { + return true + } + + // Check for the auto-run Sandman entry in HKCU + autorunKey := `Software\Microsoft\Windows\CurrentVersion\Run` + if registryValueExists(registry.CURRENT_USER, autorunKey, "SandboxiePlus_AutoRun") { + return true + } + + // Check for the shell integration for running files/folders sandboxed + sandboxedKey := `Software\Classes\*\shell\sandbox` + if registryKeyExists(registry.CURRENT_USER, sandboxedKey) { + return true + } + + folderSandboxedKey := `Software\Classes\Folder\shell\sandbox` + if registryKeyExists(registry.CURRENT_USER, folderSandboxedKey) { + return true + } + + return false +} + +// registryKeyExists checks if a registry key exists. +func registryKeyExists(root registry.Key, path string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + return true +} + +// registryValueExists checks if a registry key has a specific value. +func registryValueExists(root registry.Key, path, valueName string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + + _, _, err = key.GetStringValue(valueName) + return err == nil +} diff --git a/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go b/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go new file mode 100644 index 0000000..33a97d2 --- /dev/null +++ b/AntiVirtualization/ShadowDefenderDetection/shadowdefendercheck.go @@ -0,0 +1,173 @@ +package ShadowDefenderDetection + +import ( + "bufio" + "os" + "path/filepath" + "strings" + "golang.org/x/sys/windows/registry" + "golang.org/x/sys/windows/svc/mgr" +) + +// DetectShadowDefender checks if Shadow Defender is installed or present. +func DetectShadowDefender() bool { + // Check for the installation paths + shadowDefenderPaths := []string{ + "C:\\Program Files\\Shadow Defender\\", + "C:\\Program Files (x86)\\Shadow Defender\\", + } + + for _, path := range shadowDefenderPaths { + if pathExists(path) { + return true + } + } + + // Check for Shadow Defender registry keys + if checkShadowDefenderRegistry() || checkCLSIDRegistry() || checkTypeLibRegistry() || + checkUninstallRegistry() || checkSoftwareRegistry() || checkServicesRegistry() || + checkDiskptRegistry() || checkUserDatFiles() || checkShadowDefenderService() { + return true + } + + return false +} + +// pathExists checks if a given path exists. +func pathExists(path string) bool { + _, err := os.Stat(path) + return !os.IsNotExist(err) +} + +// checkShadowDefenderRegistry checks for the presence of the Shadow Defender-related registry key. +func checkShadowDefenderRegistry() bool { + runKey := `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` + return registryValueExists(registry.LOCAL_MACHINE, runKey, "Shadow Defender") +} + +// checkCLSIDRegistry checks for the CLSID key associated with Shadow Defender. +func checkCLSIDRegistry() bool { + clsidKey := `CLSID\{78C3F4BC-C7BC-48E4-AD72-2DD16F6704A9}` + return registryKeyExists(registry.CLASSES_ROOT, clsidKey) +} + +// checkTypeLibRegistry checks for the specific TypeLib entry associated with Shadow Defender. +func checkTypeLibRegistry() bool { + typeLibKey := `TypeLib\{3A5C2EFF-619A-481D-8D5D-A6968DB02AF1}\1.0\0\win64` + return registryKeyExists(registry.CLASSES_ROOT, typeLibKey) +} + +// checkUninstallRegistry checks for the specific Uninstall entry associated with Shadow Defender. +func checkUninstallRegistry() bool { + uninstallKey := `SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{93A07A0D-454E-43d1-86A9-5DE9C5F4411A}` + return registryKeyExists(registry.LOCAL_MACHINE, uninstallKey) +} + +// checkSoftwareRegistry checks for the presence of the Shadow Defender software registry key. +func checkSoftwareRegistry() bool { + softwareKey := `SOFTWARE\Shadow Defender` + return registryKeyExists(registry.LOCAL_MACHINE, softwareKey) +} + +// checkServicesRegistry checks for the specific services key associated with Shadow Defender. +func checkServicesRegistry() bool { + servicesKey := `SYSTEM\ControlSet001\Services\{0CBD4F48-3751-475D-BE88-4F271385B672}` + return registryKeyExists(registry.LOCAL_MACHINE, servicesKey) +} + +// checkDiskptRegistry checks for the specific diskpt service key associated with Shadow Defender. +func checkDiskptRegistry() bool { + diskptKey := `SYSTEM\ControlSet001\Services\diskpt` + return registryKeyExists(registry.LOCAL_MACHINE, diskptKey) +} + +// checkUserDatFiles checks if the user.dat files contain the keyword "Shadow Defender". +func checkUserDatFiles() bool { + userDir := os.Getenv("USERPROFILE") + shadowDefenderUserDataPaths := []string{ + filepath.Join(userDir, "Shadow Defender", "user.dat"), + filepath.Join("C:\\Users\\*", "Shadow Defender", "user.dat"), + } + + for _, userDataPath := range shadowDefenderUserDataPaths { + if fileContainsKeyword(userDataPath, "Shadow Defender") { + return true + } + } + return false +} + +// checkShadowDefenderService checks for the existence of the Shadow Defender Service using Windows service manager. +func checkShadowDefenderService() bool { + serviceDisplayName := "Shadow Defender Service" + return serviceExists(serviceDisplayName) +} + +// serviceExists checks if a service with the given display name exists using Windows service manager. +func serviceExists(displayName string) bool { + m, err := mgr.Connect() + if err != nil { + return false + } + defer m.Disconnect() + + services, err := m.ListServices() + if err != nil { + return false + } + + for _, svcName := range services { + s, err := m.OpenService(svcName) + if err != nil { + continue + } + config, err := s.Config() + s.Close() + if err != nil { + continue + } + if config.DisplayName == displayName { + return true + } + } + return false +} + +// fileContainsKeyword checks if a file contains a specific keyword. +func fileContainsKeyword(filePath, keyword string) bool { + file, err := os.Open(filePath) + if err != nil { + return false + } + defer file.Close() + + scanner := bufio.NewScanner(file) + for scanner.Scan() { + if strings.Contains(scanner.Text(), keyword) { + return true + } + } + return false +} + +// registryValueExists checks if a registry key has a specific value. +func registryValueExists(root registry.Key, path, valueName string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + + _, _, err = key.GetStringValue(valueName) + return err == nil +} + +// registryKeyExists checks if a registry key exists. +func registryKeyExists(root registry.Key, path string) bool { + key, err := registry.OpenKey(root, path, registry.QUERY_VALUE) + if err != nil { + return false + } + defer key.Close() + return true +} diff --git a/AntiVirtualization/TriageDetection/triagecheck.go b/AntiVirtualization/TriageDetection/triagecheck.go index fc7ed14..2ad6488 100644 --- a/AntiVirtualization/TriageDetection/triagecheck.go +++ b/AntiVirtualization/TriageDetection/triagecheck.go @@ -1,26 +1,31 @@ package TriageDetection import ( - "log" - "os/exec" "strings" + "os/exec" "syscall" ) +const CREATE_NO_WINDOW = 0x08000000 + // TriageCheck checks for specific hard disk models and returns true if found. func TriageCheck() (bool, error) { - monki := exec.Command("wmic", "diskdrive", "get", "model") + // Modern PowerShell command to get disk drive models + psCmd := `Get-CimInstance -ClassName Win32_DiskDrive | Select-Object -ExpandProperty Model` - // Set the command to hide the console window - monki.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} + cmd := exec.Command("powershell", "-NoProfile", "-Command", psCmd) + cmd.SysProcAttr = &syscall.SysProcAttr{ + HideWindow: true, + CreationFlags: CREATE_NO_WINDOW, + } - wowww, err := monki.Output() + output, err := cmd.Output() if err != nil { - log.Printf("Error running wmic command: %v", err) return false, err } - if strings.Contains(string(wowww), "DADY HARDDISK") || strings.Contains(string(wowww), "QEMU HARDDISK") { + outputStr := strings.ToUpper(string(output)) + if strings.Contains(outputStr, "DADY HARDDISK") || strings.Contains(outputStr, "QEMU HARDDISK") { return true, nil } diff --git a/AntiVirtualization/USBCheck/USBCheck.go b/AntiVirtualization/USBCheck/USBCheck.go index 07861eb..eea4d24 100644 --- a/AntiVirtualization/USBCheck/USBCheck.go +++ b/AntiVirtualization/USBCheck/USBCheck.go @@ -1,41 +1,32 @@ package USBCheck import ( - "log" - "os/exec" - "strings" - "syscall" + "golang.org/x/sys/windows/registry" ) -// yes this detects https://tria.ge lol -// PluggedIn checks if USB devices were ever plugged in and returns true if found. -func PluggedIn() (bool, error) { - usbcheckcmd := exec.Command("reg", "query", "HKLM\\SYSTEM\\ControlSet001\\Services\\USBSTOR") - usbcheckcmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} - - outputusb, err1 := usbcheckcmd.CombinedOutput() - if err != nil { - log.Printf("Debug Check: Error running reg query command: %v", err) - usbcheckcmd := exec.Command("reg", "query", "HKLM\\SYSTEM\\ControlSet001\\Enum\\USBSTOR") - usbcheckcmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} - outputusb, err2 := usbcheckcmd.CombinedOutput() - if err2 != nil { - log.Printf("Debug Check: Error running reg query command: %v", err) - return false, err - } +// PluggedIn checks if USB devices were ever plugged in by querying the USBSTOR registry keys. +// It returns true if any USB storage device entries are found. +func PluggedIn() (bool, error) { + // First try checking the Services\USBSTOR key + key1, err := registry.OpenKey(registry.LOCAL_MACHINE, `SYSTEM\ControlSet001\Services\USBSTOR`, registry.READ) + if err == nil { + defer key1.Close() + return true, nil } - usblines := strings.Split(string(outputusb), "\n") - pluggedusb := 0 - for _, line := range usblines { - if strings.TrimSpace(line) != "" { - pluggedusb++ - } + // If not present, try Enum\USBSTOR to check history of connected USB devices + key2, err := registry.OpenKey(registry.LOCAL_MACHINE, `SYSTEM\ControlSet001\Enum\USBSTOR`, registry.READ) + if err != nil { + return false, err } + defer key2.Close() - if pluggedusb < 1 { - return false, nil + // Read subkey names under USBSTOR (each one typically represents a connected device) + subkeys, err := key2.ReadSubKeyNames(-1) + if err != nil { + return false, err } - return true, nil + // Return true if at least one USB device entry is present + return len(subkeys) > 0, nil } diff --git a/AntiVirtualization/VMArtifacts/arifacts.go b/AntiVirtualization/VMArtifacts/arifacts.go index cff1117..533735a 100644 --- a/AntiVirtualization/VMArtifacts/arifacts.go +++ b/AntiVirtualization/VMArtifacts/arifacts.go @@ -1,6 +1,5 @@ package VMArtifacts import ( - "fmt" "strings" "os" "path/filepath" @@ -14,7 +13,6 @@ func VMArtifactsDetect() bool { system32Folder := os.Getenv("SystemRoot") + `\System32` files, err := filepath.Glob(filepath.Join(system32Folder, "*")) if err != nil { - fmt.Printf("Error accessing System32 folder: %v\n", err) return false } diff --git a/AntiVirtualization/VMPlatformDetection/vmplatformcheck.go b/AntiVirtualization/VMPlatformDetection/vmplatformcheck.go new file mode 100644 index 0000000..0441391 --- /dev/null +++ b/AntiVirtualization/VMPlatformDetection/vmplatformcheck.go @@ -0,0 +1,85 @@ +package VMPlatformCheck + +import ( + "strings" + "golang.org/x/sys/windows/registry" +) + +func DetectVMPlatform() (bool, error) { + serial, err := getBiosSerialFromRegistry() + if err != nil { + return false, err + } + model, err := getSystemProductName() + if err != nil { + return false, err + } + manufacturer, err := getSystemManufacturer() + if err != nil { + return false, err + } + + serialLower := strings.ToLower(serial) + modelLower := strings.ToLower(model) + manufacturerLower := strings.ToLower(manufacturer) + + if serialLower == "0" { + return true, nil + } + + vmIndicators := []string{ + "vmware", + "virtual", + "microsoft", + "innotek", + "virtualbox", + } + + for _, indicator := range vmIndicators { + if strings.Contains(modelLower, indicator) || + strings.Contains(manufacturerLower, indicator) || + strings.Contains(serialLower, indicator) { + return true, nil + } + } + return false, nil +} + +func getBiosSerialFromRegistry() (string, error) { + key, err := registry.OpenKey(registry.LOCAL_MACHINE, `HARDWARE\DESCRIPTION\System\BIOS`, registry.QUERY_VALUE) + if err != nil { + return "", err + } + defer key.Close() + serial, _, err := key.GetStringValue("SerialNumber") + if err != nil { + return "", err + } + return strings.TrimSpace(serial), nil +} + +func getSystemProductName() (string, error) { + key, err := registry.OpenKey(registry.LOCAL_MACHINE, `HARDWARE\DESCRIPTION\System`, registry.QUERY_VALUE) + if err != nil { + return "", err + } + defer key.Close() + productName, _, err := key.GetStringValue("SystemProductName") + if err != nil { + return "", err + } + return strings.TrimSpace(productName), nil +} + +func getSystemManufacturer() (string, error) { + key, err := registry.OpenKey(registry.LOCAL_MACHINE, `HARDWARE\DESCRIPTION\System`, registry.QUERY_VALUE) + if err != nil { + return "", err + } + defer key.Close() + manufacturer, _, err := key.GetStringValue("SystemManufacturer") + if err != nil { + return "", err + } + return strings.TrimSpace(manufacturer), nil +} diff --git a/AntiVirtualization/VMWareDetection/vmwaredetection.go b/AntiVirtualization/VMWareDetection/vmwaredetection.go index 4ee4dd5..a88ca76 100644 --- a/AntiVirtualization/VMWareDetection/vmwaredetection.go +++ b/AntiVirtualization/VMWareDetection/vmwaredetection.go @@ -1,25 +1,30 @@ package VMWareDetection import ( - "log" - "os/exec" - "strings" - "syscall" + "os/exec" + "strings" + "syscall" ) +const CREATE_NO_WINDOW = 0x08000000 + // GraphicsCardCheck checks for virtualization software by inspecting the graphics card information. // It returns true if VMware is detected, otherwise false. func GraphicsCardCheck() (bool, error) { - cmd := exec.Command("wmic", "path", "win32_VideoController", "get", "name") - cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} - gpu, err := cmd.Output() - if err != nil { - log.Println("Error executing command:", err) - return false, err - } - detected := strings.Contains(strings.ToLower(string(gpu)), "vmware") - if detected { - return true, nil - } - return false, nil -} \ No newline at end of file + // PowerShell command to get video controller names + psCmd := `Get-CimInstance -ClassName Win32_VideoController | Select-Object -ExpandProperty Name` + + cmd := exec.Command("powershell", "-NoProfile", "-Command", psCmd) + cmd.SysProcAttr = &syscall.SysProcAttr{ + HideWindow: true, + CreationFlags: CREATE_NO_WINDOW, + } + + output, err := cmd.Output() + if err != nil { + return false, err + } + + detected := strings.Contains(strings.ToLower(string(output)), "vmware") + return detected, nil +} diff --git a/AntiVirtualization/VirtualboxDetection/virtualboxdetection.go b/AntiVirtualization/VirtualboxDetection/virtualboxdetection.go index 9442831..031509f 100644 --- a/AntiVirtualization/VirtualboxDetection/virtualboxdetection.go +++ b/AntiVirtualization/VirtualboxDetection/virtualboxdetection.go @@ -1,25 +1,30 @@ package VirtualboxDetection import ( - "log" - "os/exec" + "os/exec" + "strings" "syscall" - "strings" ) +const CREATE_NO_WINDOW = 0x08000000 + // GraphicsCardCheck checks for virtualization software by inspecting the graphics card information. // It returns true if VirtualBox is detected, otherwise false. func GraphicsCardCheck() (bool, error) { - cmd := exec.Command("wmic", "path", "win32_VideoController", "get", "name") - cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} - gpu, err := cmd.Output() - if err != nil { - log.Println("Error executing command:", err) - return false, err - } - detected := strings.Contains(strings.ToLower(string(gpu)), "virtualbox") - if detected { - return true, nil - } - return false, nil -} \ No newline at end of file + // PowerShell command to get GPU names + psCmd := `Get-CimInstance -ClassName Win32_VideoController | Select-Object -ExpandProperty Name` + + cmd := exec.Command("powershell", "-NoProfile", "-Command", psCmd) + cmd.SysProcAttr = &syscall.SysProcAttr{ + HideWindow: true, + CreationFlags: CREATE_NO_WINDOW, + } + + output, err := cmd.Output() + if err != nil { + return false, err + } + + detected := strings.Contains(strings.ToLower(string(output)), "virtualbox") + return detected, nil +} diff --git a/Install.bat b/Install.bat index 3d1597b..3912bc4 100644 --- a/Install.bat +++ b/Install.bat @@ -1,4 +1,4 @@ -@Echo off +@echo off title DOWNLOADING MODULES go mod init GoDefender go get github.com/EvilBytecode/GoDefender diff --git a/ProcessUtils/AdminChecks/adminchecks.go b/ProcessUtils/AdminChecks/adminchecks.go index e735270..4c47c14 100644 --- a/ProcessUtils/AdminChecks/adminchecks.go +++ b/ProcessUtils/AdminChecks/adminchecks.go @@ -4,8 +4,8 @@ import ( "os" "strings" "syscall" + "golang.org/x/sys/windows" - "fmt" ) // IsAdmin checks if the current process is running as an administrator. @@ -14,7 +14,8 @@ func IsAdmin() bool { return ret != 0 } -// ElevateProcess attempts to elevate the process to run with administrative privileges. : https://stackoverflow.com/questions/31558066/how-to-ask-for-administer-privileges-on-windows-with-go +// ElevateProcess attempts to elevate the process to run with administrative privileges. +// Reference: https://stackoverflow.com/questions/31558066/how-to-ask-for-administer-privileges-on-windows-with-go func ElevateProcess() { verb := "runas" exe, _ := os.Executable() @@ -28,8 +29,6 @@ func ElevateProcess() { var showCmd int32 = 1 // SW_NORMAL - err := windows.ShellExecute(0, verbPtr, exePtr, argPtr, cwdPtr, showCmd) - if err != nil { - fmt.Println(err) - } + // Call ShellExecute and ignore any error + _ = windows.ShellExecute(0, verbPtr, exePtr, argPtr, cwdPtr, showCmd) } diff --git a/ProcessUtils/SelfDelete/selfdelete.go b/ProcessUtils/SelfDelete/selfdelete.go new file mode 100644 index 0000000..7f8c4ab --- /dev/null +++ b/ProcessUtils/SelfDelete/selfdelete.go @@ -0,0 +1,43 @@ +package SelfDelete + +import ( + "fmt" + "os" + "os/exec" + "syscall" +) + +const CREATE_NO_WINDOW = 0x08000000 + +// SelfDelete schedules the deletion of the running executable with no visible window. +func SelfDelete() { + exePath, err := os.Executable() + if err != nil { + return + } + + exePathQuoted := `"` + exePath + `"` + + // Create a temporary batch file to delete the executable + batFile := exePath + ".del.bat" + batContent := fmt.Sprintf(` +@echo off +:Repeat +del %s >nul 2>&1 +if exist %s goto Repeat +del "%%~f0" +`, exePathQuoted, exePathQuoted) + + _ = os.WriteFile(batFile, []byte(batContent), 0644) + + // Run the batch file hidden (no window) + cmd := exec.Command("cmd", "/C", batFile) + cmd.SysProcAttr = &syscall.SysProcAttr{ + HideWindow: true, + CreationFlags: CREATE_NO_WINDOW, + } + _ = cmd.Start() + + // Exit so the batch file can delete us + os.Exit(0) +} diff --git a/main.go b/main.go index cdb0493..ab6608a 100644 --- a/main.go +++ b/main.go @@ -3,6 +3,7 @@ package AntiDebugVMAnalysis import ( "log" "os" + // AntiDebug "github.com/EvilBytecode/GoDefender/AntiDebug/CheckBlacklistedWindowsNames" "github.com/EvilBytecode/GoDefender/AntiDebug/InternetCheck" @@ -10,22 +11,38 @@ import ( "github.com/EvilBytecode/GoDefender/AntiDebug/ParentAntiDebug" "github.com/EvilBytecode/GoDefender/AntiDebug/RemoteDebugger" "github.com/EvilBytecode/GoDefender/AntiDebug/RunningProcesses" - "github.com/EvilBytecode/GoDefender/AntiDebug/UserAntiAntiDebug" + HooksDetection "github.com/EvilBytecode/GoDefender/AntiDebug/UserAntiAntiDebug" "github.com/EvilBytecode/GoDefender/AntiDebug/pcuptime" + // AntiVirtualization + "github.com/EvilBytecode/GoDefender/AntiVirtualization/AnyRunDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/CleanEnvironmentDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/ComodoAntivirusDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/CyberCapture" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/DeepFreezeDetection" + HyperVCheck "github.com/EvilBytecode/GoDefender/AntiVirtualization/HyperVDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/KVMCheck" "github.com/EvilBytecode/GoDefender/AntiVirtualization/MonitorMetrics" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/ParallelsCheck" + PowerShellCheck "github.com/EvilBytecode/GoDefender/AntiVirtualization/PowerShellDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/RepetitiveProcess" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/SandboxieDetection" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/ShadowDefenderDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/TriageDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/USBCheck" "github.com/EvilBytecode/GoDefender/AntiVirtualization/UsernameCheck" + "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMArtifacts" + VMPlatformCheck "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMPlatformDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMWareDetection" "github.com/EvilBytecode/GoDefender/AntiVirtualization/VirtualboxDetection" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/VMArtifacts" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/RepetitiveProcess" - "github.com/EvilBytecode/GoDefender/AntiVirtualization/ParallelsCheck" ) func ThunderKitty() { + // Directory creation check + if success := CyberCapture.CreateDirectory(); !success { + log.Println("[DEBUG] Avast/AVG CyberCapture detected.") + os.Exit(-1) + } // lets just catch bunch of vms at beginning lol if usbPluggedIn, err := USBCheck.PluggedIn(); err != nil { @@ -39,10 +56,25 @@ func ThunderKitty() { log.Println("[DEBUG] Blacklisted username detected") os.Exit(-1) } - // lets make their job harder. - HooksDetection.AntiAntiDebug() + // Run the built-in hook checks. + if HooksDetection.DetectHooksOnCommonWinAPIFunctions("", nil) { + log.Println("[DEBUG] UserAntiAntiDebug detected") + os.Exit(-1) + } + + found, err := PowerShellCheck.RunPowerShellCommand(`"PowerShell is working: " + (Get-Date).ToShortTimeString()`) + if err != nil { + // Exit immediately on error + log.Printf("[DEBUG] PowerShell check failed: %v", err) + os.Exit(-1) + } + if found != "" { + // Service exists, continue with your logic + } else { + log.Println("[DEBUG] PowerShell returned empty result") + os.Exit(-1) + } - // // AntiVirtualization checks if vmwareDetected, _ := VMWareDetection.GraphicsCardCheck(); vmwareDetected { log.Println("[DEBUG] VMWare detected") @@ -64,6 +96,12 @@ func ThunderKitty() { os.Exit(-1) } + // Check if the AnyRun environment is detected + if anyRunDetected, _ := AnyRunDetection.AnyRunDetection(); anyRunDetected { + log.Println("[DEBUG] AnyRun detected") + os.Exit(-1) // Exit the program with an error code + } + if isScreenSmall, _ := MonitorMetrics.IsScreenSmall(); isScreenSmall { log.Println("[DEBUG] Screen size is small") os.Exit(-1) @@ -83,7 +121,53 @@ func ThunderKitty() { os.Exit(-1) } - CheckBlacklistedWindowsNames.CheckBlacklistedWindows() + // Hyper-V detection + if hypervDetected, _ := HyperVCheck.DetectHyperV(); hypervDetected { + log.Println("[DEBUG] Hyper-V detected") + os.Exit(-1) + } + + // VMPlatform detection + if vmPlatformDetected, _ := VMPlatformCheck.DetectVMPlatform(); vmPlatformDetected { + log.Println("[DEBUG] VM Platform detected") + os.Exit(-1) + } + + // Comodo Antivirus detection + if comodoDetected := ComodoAntivirusDetection.DetectComodoAntivirus(); comodoDetected { + log.Println("[DEBUG] Comodo Antivirus detected") + os.Exit(-1) + } + + // Shadow Defender detection + if shadowDefenderDetected := ShadowDefenderDetection.DetectShadowDefender(); shadowDefenderDetected { + log.Println("[DEBUG] Shadow Defender detected") + os.Exit(-1) + } + + // Sandboxie detection + if sandboxieDetected := SandboxieDetection.DetectSandboxie(); sandboxieDetected { + log.Println("[DEBUG] Sandboxie detected") + os.Exit(-1) + } + + // Deep Freeze detection + if deepFreezeDetected := DeepFreezeDetection.DetectDeepFreeze(); deepFreezeDetected { + log.Println("[DEBUG] Deep Freeze detected") + os.Exit(-1) + } + + // Clean Environment detection + if cleanEnvironmentDetected := CleanEnvironmentDetection.DetectCleanEnvironment(); cleanEnvironmentDetected { + log.Println("[DEBUG] Clean Environment detected") + os.Exit(-1) + } + + // Blacklisted Windows account names, UUIDs, processes etc. + if CheckBlacklistedWindowsNames.CheckBlacklistedWindows() { + log.Println("[DEBUG] Blacklisted Windows name or process detected") + os.Exit(-1) + } // Other AntiDebug checks if isDebuggerPresentResult := IsDebuggerPresent.IsDebuggerPresent1(); isDebuggerPresentResult {