bypass contributions

byp/.editorconfig

@@ -0,0 +1,11 @@
+; Top-most EditorConfig file
+root = true
+
+; Windows-style newlines
+[*]
+end_of_line = CRLF
+
+; Tab indentation
+[*.{cpp,h}]
+indent_style = tab
+tab_width = 4

byp/.gitattributes

@@ -0,0 +1,53 @@
+###############################################################################
+# Set default behavior to automatically normalize line endings.
+###############################################################################
+* text=auto
+
+###############################################################################
+# Set the merge driver for project and solution files
+#
+# Merging from the command prompt will add diff markers to the files if there
+# are conflicts (Merging from VS is not affected by the settings below, in VS
+# the diff markers are never inserted). Diff markers may cause the following 
+# file extensions to fail to load in VS. An alternative would be to treat
+# these files as binary and thus will always conflict and require user
+# intervention with every merge. To do so, just comment the entries below and
+# uncomment the group further below
+###############################################################################
+
+*.sln        text eol=crlf
+*.csproj     text eol=crlf
+*.vbproj     text eol=crlf
+*.vcxproj    text eol=crlf
+*.vcproj     text eol=crlf
+*.dbproj     text eol=crlf
+*.fsproj     text eol=crlf
+*.lsproj     text eol=crlf
+*.wixproj    text eol=crlf
+*.modelproj  text eol=crlf
+*.sqlproj    text eol=crlf
+*.wmaproj    text eol=crlf
+
+*.xproj      text eol=crlf
+*.props      text eol=crlf
+*.filters    text eol=crlf
+*.vcxitems   text eol=crlf
+
+
+#*.sln       merge=binary
+#*.csproj    merge=binary
+#*.vbproj    merge=binary
+#*.vcxproj   merge=binary
+#*.vcproj    merge=binary
+#*.dbproj    merge=binary
+#*.fsproj    merge=binary
+#*.lsproj    merge=binary
+#*.wixproj   merge=binary
+#*.modelproj merge=binary
+#*.sqlproj   merge=binary
+#*.wwaproj   merge=binary
+
+#*.xproj     merge=binary
+#*.props     merge=binary
+#*.filters   merge=binary
+#*.vcxitems  merge=binary

byp/.gitignore

@@ -0,0 +1,72 @@
+# Compiled Object files
+*.slo
+*.lo
+*.o
+*.obj
+
+# User-specific files
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# Precompiled Headers
+*.gch
+*.pch
+
+# Compiled Dynamic libraries
+*.so
+*.dylib
+*.dll
+
+# Fortran module files
+*.mod
+
+# Compiled Static libraries
+*.lai
+*.la
+*.a
+*.lib
+
+# Executables
+*.out
+*.app
+
+# User-specific files
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+build/
+bld/
+[Bb]in/
+[Oo]bj/
+*.VC.opendb
+
+# Visual C++ Solution
+*.VC.db
+
+# NuGet packages
+packages/
+
+# Alkhaser log file
+log.txt
+
+# Packages
+packages/

byp/blackmarlinexec.sln

@@ -0,0 +1,45 @@
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.28010.2026
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "al-khaser", "al-khaser\al-khaser.vcxproj", "{77AEFBC3-0ECE-46AD-A113-966AAAA838E1}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Tools", "Tools", "{71BFEE2B-52EC-4526-90F5-D91D98B9C786}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ATAIdentifyDump", "Tools\ATAIdentifyDump\ATAIdentifyDump.vcxproj", "{245D8670-A888-4ECC-9B51-80584E55B701}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{77AEFBC3-0ECE-46AD-A113-966AAAA838E1}.Debug|x64.ActiveCfg = Debug|x64
+		{77AEFBC3-0ECE-46AD-A113-966AAAA838E1}.Debug|x64.Build.0 = Debug|x64
+		{77AEFBC3-0ECE-46AD-A113-966AAAA838E1}.Debug|x86.ActiveCfg = Debug|Win32
+		{77AEFBC3-0ECE-46AD-A113-966AAAA838E1}.Debug|x86.Build.0 = Debug|Win32
+		{77AEFBC3-0ECE-46AD-A113-966AAAA838E1}.Release|x64.ActiveCfg = Release|x64
+		{77AEFBC3-0ECE-46AD-A113-966AAAA838E1}.Release|x64.Build.0 = Release|x64
+		{77AEFBC3-0ECE-46AD-A113-966AAAA838E1}.Release|x86.ActiveCfg = Release|Win32
+		{77AEFBC3-0ECE-46AD-A113-966AAAA838E1}.Release|x86.Build.0 = Release|Win32
+		{245D8670-A888-4ECC-9B51-80584E55B701}.Debug|x64.ActiveCfg = Debug|x64
+		{245D8670-A888-4ECC-9B51-80584E55B701}.Debug|x64.Build.0 = Debug|x64
+		{245D8670-A888-4ECC-9B51-80584E55B701}.Debug|x86.ActiveCfg = Debug|Win32
+		{245D8670-A888-4ECC-9B51-80584E55B701}.Debug|x86.Build.0 = Debug|Win32
+		{245D8670-A888-4ECC-9B51-80584E55B701}.Release|x64.ActiveCfg = Release|x64
+		{245D8670-A888-4ECC-9B51-80584E55B701}.Release|x64.Build.0 = Release|x64
+		{245D8670-A888-4ECC-9B51-80584E55B701}.Release|x86.ActiveCfg = Release|Win32
+		{245D8670-A888-4ECC-9B51-80584E55B701}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(NestedProjects) = preSolution
+		{245D8670-A888-4ECC-9B51-80584E55B701} = {71BFEE2B-52EC-4526-90F5-D91D98B9C786}
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {0772817E-132F-4922-8377-5DA07255372F}
+	EndGlobalSection
+EndGlobal

byp/sbexecution/AntiAnalysis/pch.h

@@ -0,0 +1 @@
+#include "../pch.h"

byp/sbexecution/AntiAnalysis/process.cpp

@@ -0,0 +1,60 @@
+#include "pch.h"
+#pragma once
+#include "process.h"
+
+/*
+Check for process list
+*/
+
+VOID analysis_tools_process()
+{
+	const TCHAR *szProcesses[] = {
+		_T("ollydbg.exe"),						// OllyDebug debugger
+		_T("ProcessHacker.exe"),				// Process Hacker
+		_T("tcpview.exe"),						// Part of Sysinternals Suite
+		_T("autoruns.exe"),						// Part of Sysinternals Suite
+		_T("autorunsc.exe"),					// Part of Sysinternals Suite
+		_T("filemon.exe"),						// Part of Sysinternals Suite
+		_T("procmon.exe"),						// Part of Sysinternals Suite
+		_T("regmon.exe"),						// Part of Sysinternals Suite
+		_T("procexp.exe"),						// Part of Sysinternals Suite
+		_T("idaq.exe"),							// IDA Pro Interactive Disassembler
+		_T("idaq64.exe"),						// IDA Pro Interactive Disassembler
+		_T("ImmunityDebugger.exe"),				// ImmunityDebugger
+		_T("Wireshark.exe"),					// Wireshark packet sniffer
+		_T("dumpcap.exe"),						// Network traffic dump tool
+		_T("HookExplorer.exe"),					// Find various types of runtime hooks
+		_T("ImportREC.exe"),					// Import Reconstructor
+		_T("PETools.exe"),						// PE Tool
+		_T("LordPE.exe"),						// LordPE
+		_T("SysInspector.exe"),					// ESET SysInspector
+		_T("proc_analyzer.exe"),				// Part of SysAnalyzer iDefense
+		_T("sysAnalyzer.exe"),					// Part of SysAnalyzer iDefense
+		_T("sniff_hit.exe"),					// Part of SysAnalyzer iDefense
+		_T("windbg.exe"),						// Microsoft WinDbg
+		_T("joeboxcontrol.exe"),				// Part of Joe Sandbox
+		_T("joeboxserver.exe"),					// Part of Joe Sandbox
+		_T("joeboxserver.exe"),					// Part of Joe Sandbox
+		_T("ResourceHacker.exe"),				// Resource Hacker
+		_T("x32dbg.exe"),						// x32dbg
+		_T("x64dbg.exe"),						// x64dbg
+		_T("Fiddler.exe"),						// Fiddler
+		_T("httpdebugger.exe"),					// Http Debugger
+		_T("cheatengine-i386.exe"),				// Cheat Engine
+		_T("cheatengine-x86_64.exe"),			// Cheat Engine
+		_T("cheatengine-x86_64-SSE4-AVX2.exe"), // Cheat Engine
+		_T("frida-helper-32.exe"),				// Frida
+		_T("frida-helper-64.exe"),				// Frida
+	};
+
+	WORD iLength = sizeof(szProcesses) / sizeof(szProcesses[0]);
+	for (int i = 0; i < iLength; i++)
+	{
+		TCHAR msg[256] = _T("");
+		_stprintf_s(msg, sizeof(msg) / sizeof(TCHAR), _T("Checking process of malware analysis tool: %s "), szProcesses[i]);
+		if (GetProcessIdFromName(szProcesses[i]))
+			print_results(TRUE, msg);
+		else
+			print_results(FALSE, msg);
+	}
+}

byp/sbexecution/AntiAnalysis/process.h

@@ -0,0 +1,11 @@
+#pragma once
+
+VOID analysis_tools_process();
+
+/*
+
+avpui.exe 
+avgui.exe
+bdagent.exe
+
+*/

byp/sbexecution/AntiDebug/BeingDebugged.cpp

@@ -0,0 +1,36 @@
+#include "pch.h"
+#include "BeingDebugged.h"
+
+
+BOOL
+IsDebuggerPresentPEB(
+	VOID
+)
+/*++
+
+Routine Description:
+
+	Checks if the BeingDebugged flag is set in the Process Environment Block (PEB).
+	This is effectively the same code that IsDebuggerPresent() executes internally.
+	The PEB pointer is fetched from DWORD FS:[0x30] on x86_32 and QWORD GS:[0x60] on x86_64.
+
+Arguments:
+
+	None
+
+Return Value:
+
+	TRUE - if debugger was detected
+	FALSE - otherwise
+--*/
+{
+#if defined (ENV64BIT)
+	PPEB pPeb = (PPEB)__readgsqword(0x60);
+
+#elif defined(ENV32BIT)
+	PPEB pPeb = (PPEB)__readfsdword(0x30);
+
+#endif
+
+	return pPeb->BeingDebugged == 1;
+}

byp/sbexecution/AntiDebug/BeingDebugged.h

@@ -0,0 +1,3 @@
+#pragma once
+
+BOOL IsDebuggerPresentPEB();

byp/sbexecution/AntiDebug/CheckRemoteDebuggerPresent.cpp

@@ -0,0 +1,32 @@
+#include "pch.h"
+#include "CheckRemoteDebuggerPresent.h"
+
+BOOL
+CheckRemoteDebuggerPresentAPI (
+	VOID
+	)
+/*++
+
+Routine Description:
+
+	CheckRemoteDebuggerPresent() is another Win32 Debugging API function;
+	it can be used to check if a remote process is being debugged. However,
+	we can also use this as another method for checking if our own process
+	is being debugged. This API internally calls the NTDLL export
+	NtQueryInformationProcess function with the PROCESSINFOCLASS set to
+	7 (ProcessDebugPort).
+
+Arguments:
+
+	None
+
+Return Value:
+
+	TRUE - if debugger was detected
+	FALSE - otherwise
+--*/
+{
+	BOOL bIsDbgPresent = FALSE;
+	CheckRemoteDebuggerPresent(GetCurrentProcess(), &bIsDbgPresent);
+	return bIsDbgPresent;
+}

byp/sbexecution/AntiDebug/CheckRemoteDebuggerPresent.h

@@ -0,0 +1 @@
+BOOL CheckRemoteDebuggerPresentAPI();

byp/sbexecution/AntiDebug/CloseHandle_InvalidHandle.cpp

@@ -0,0 +1,43 @@
+#include "pch.h"
+
+
+ /* 
+ APIs making use of the ZwClose syscall (such as CloseHandle, indirectly) 
+ can be used to detect a debugger. When a process is debugged, calling ZwClose 
+ with an invalid handle will generate a STATUS_INVALID_HANDLE (0xC0000008) exception.
+ As with all anti-debugs that rely on information made directly available.
+*/
+
+
+BOOL NtClose_InvalideHandle()
+{
+	auto NtClose_ = static_cast<pNtClose>(API::GetAPI(API_IDENTIFIER::API_NtClose));
+
+	__try {
+		NtClose_(reinterpret_cast<HANDLE>(0x99999999ULL));
+	}
+	__except (EXCEPTION_EXECUTE_HANDLER) {
+		return TRUE;
+	}
+
+	return FALSE;
+
+}
+
+BOOL CloseHandle_InvalideHandle()
+{
+	// Let's try first with user mode API: CloseHandle
+	__try {
+		CloseHandle(reinterpret_cast<HANDLE>(0x99999999ULL));
+	}
+	__except (EXCEPTION_EXECUTE_HANDLER) {
+		return TRUE;
+	}
+
+	// Direct call to NtClose to bypass user mode hooks
+	if (NtClose_InvalideHandle())
+		return TRUE;
+	else
+		return FALSE;
+}
+

byp/sbexecution/AntiDebug/CloseHandle_InvalidHandle.h

@@ -0,0 +1 @@
+BOOL CloseHandle_InvalideHandle();