Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/EvilBytecode/GoDefender

Anti Virtulization, Anti Debugging, AntiVM, Anti Virtual Machine, Anti Debug, Anti Sandboxie, Anti Sandbox, VM Detect package. Windows ONLY.
https://github.com/EvilBytecode/GoDefender

anti-cracking anti-debug anti-vm debugger debugging malware protection reverse-engineering

Last synced: 5 days ago
JSON representation

Anti Virtulization, Anti Debugging, AntiVM, Anti Virtual Machine, Anti Debug, Anti Sandboxie, Anti Sandbox, VM Detect package. Windows ONLY.

Host: GitHub
URL: https://github.com/EvilBytecode/GoDefender
Owner: EvilBytecode
License: unlicense
Created: 2024-06-04T06:02:06.000Z (5 months ago)
Default Branch: main
Last Pushed: 2024-08-24T10:38:43.000Z (3 months ago)
Last Synced: 2024-08-31T11:11:07.602Z (2 months ago)
Topics: anti-cracking, anti-debug, anti-vm, debugger, debugging, malware, protection, reverse-engineering
Language: Go
Homepage:
Size: 931 KB
Stars: 256
Watchers: 7
Forks: 25
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# Go Defender

https://discord.gg/qeYaYK4JKq
![Go Defender](GoDefenderLogo.png)

## GoDefender

This Go package provides functionality to detect and defend against various forms of debugging tools and virtualization environments.
By the way, for quick setup, run `install.bat`.

### Anti-Virtualization

- **Triage Detection**: Detects if the system is running in a triage or analysis environment.
- **Monitor Metrics**: Monitors system metrics to identify abnormal behavior indicative of virtualization.
- **VirtualBox Detection**: Detects the presence of Oracle VirtualBox.
- **VMware Detection**: Detects the presence of VMware virtualization software.
- **KVM Check**: Checks for Kernel-based Virtual Machine (KVM) hypervisor.
- **Username Check**: Verifies if the current user is a default virtualization user.
- **Recent User Activity**: Checks user activity; if there are fewer than 20 files, it exits.
- **USB Mount**: Checks if a USB was ever plugged into the computer before.
- **VM Artifacts**: Identifies artifacts left behind by virtual machines (VMs), which can indicate the presence of a VM environment.
- **Parallels Check**: Detects Parallels Desktop, a popular virtualization software for macOS, used to run Windows and other guest operating systems.
- **QEMU Detection**: Identifies the presence of QEMU, an open-source machine emulator and virtualizer, which may indicate virtual machine detection.

### Anti-Debug

This module includes functions to detect and prevent debugging and analysis of the running process.

- **IsDebuggerPresent**: Checks if a debugger is currently attached to the process.
- **Remote Debugger**: Detects if a remote debugger is connected to the process.
- **PC Uptime**: Monitors system uptime to detect debugging attempts based on system restarts.
- **Check Blacklisted Windows Names**: Verifies if the process name matches any blacklisted names commonly used by debuggers.
- **Running Processes**: Retrieves a list of running processes and identifies potential malicious ones.
- **Parent Anti-Debug**: Detects if the parent process is attempting to debug the current process.
- **Check for bad Processes**: if detected on the system, do something based on your option (bool).
- **Detects Usermode AntiAntiDebuggers**: Detects user-mode anti-anti-debuggers like ScyllaHide (BASIC / VMP Plugin).
- **Internet Connection Check**: Checks if an internet connection is present.

### ProcessUtils
ProcessUtils you probably need for you app
- **Critical Process**: Implements functionality to manage critical processes essential for system operation.
- **Set Runtime**: Set the app runtime to specified one: ```MacOS,Linux,Windows```
- **Enable All Tokens**: Enable all tokens Windows privileges for current process
- **IsAdmin - Request Admin**: Request admin for current process, and Check if current process is Admin

# Anti-Dll-Injection
- **Patching Dll**: Taking Advantage of Binary Image Signature Mitigation Policy to prevent injecting Non-Microsoft Binaries.

### Quick Nutshell

- Detects most anti-anti-debugging hooking methods on common anti-debugging functions by checking for bad instructions on function addresses (most effective on x64). It also detects user-mode anti-anti-debuggers like ScyllaHide and can detect some sandboxes that use hooking to monitor application behavior/activity (like [Tria.ge](https://tria.ge/)).

## Credits

- https://github.com/AdvDebug : Inspired me to start making this package. Without him, it wouldn't be here. Check out his GitHub.
- https://github.com/MmCopyMemory : Provided ideas and much more. Check out his GitHub.
- https://github.com/bytepulze : Help With Errors/Fixes, Check Out His Github
- I made this because I noticed someone was trying to crack or analyze my other Go programs. Previously, I had many lines of anti-debugging code (I coded lazily and put everything into one), so I wanted to create something quick and reliable that would make a reverse engineer's life harder. Thus, I made GoDefender.