GoDefender

command module
v1.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 7, 2024 License: Unlicense Imports: 17 Imported by: 0

README

Go Defender

Go Defender

GoDefender

This Go package provides functionality to detect and defend against various forms of debugging tools and virtualization environments. By the way, for quick setup, run install.bat.

Anti-Virtualization
  • Triage Detection: Detects if the system is running in a triage or analysis environment.
  • Monitor Metrics: Monitors system metrics to identify abnormal behavior indicative of virtualization.
  • VirtualBox Detection: Detects the presence of Oracle VirtualBox.
  • VMware Detection: Detects the presence of VMware virtualization software.
  • KVM Check: Checks for Kernel-based Virtual Machine (KVM) hypervisor.
  • Username Check: Verifies if the current user is a default virtualization user.
  • Recent User Activity: Checks user activity; if there are fewer than 20 files, it exits.
  • USB Mount: Checks if a USB was ever plugged into the computer before.
  • VM Artifacts: Identifies artifacts left behind by virtual machines (VMs), which can indicate the presence of a VM environment.
  • Parallels Check: Detects Parallels Desktop, a popular virtualization software for macOS, used to run Windows and other guest operating systems.
  • QEMU Detection: Identifies the presence of QEMU, an open-source machine emulator and virtualizer, which may indicate virtual machine detection.
  • Patching Dll: Taking Advantage of Binary Image Signature Mitigation Policy to prevent injecting Non-Microsoft Binaries.
Anti-Debug

This module includes functions to detect and prevent debugging and analysis of the running process.

  • IsDebuggerPresent: Checks if a debugger is currently attached to the process.
  • Remote Debugger: Detects if a remote debugger is connected to the process.
  • PC Uptime: Monitors system uptime to detect debugging attempts based on system restarts.
  • Check Blacklisted Windows Names: Verifies if the process name matches any blacklisted names commonly used by debuggers.
  • Running Processes: Retrieves a list of running processes and identifies potential malicious ones.
  • Parent Anti-Debug: Detects if the parent process is attempting to debug the current process.
  • Check for bad Processes: if detected on the system, do something based on your option (bool).
  • Detects Usermode AntiAntiDebuggers: Detects user-mode anti-anti-debuggers like ScyllaHide (BASIC / VMP Plugin).
  • Internet Connection Check: Checks if an internet connection is present.
ProcessUtils

ProcessUtils you probably need for you app

  • Critical Process: Implements functionality to manage critical processes essential for system operation.
  • Set Runtime: Set the app runtime to specified one: MacOS,Linux,Windows
  • Enable All Tokens: Enable all tokens Windows privileges for current process
  • IsAdmin - Request Admin: Request admin for current process, and Check if current process is Admin
Quick Nutshell
  • Detects most anti-anti-debugging hooking methods on common anti-debugging functions by checking for bad instructions on function addresses (most effective on x64). It also detects user-mode anti-anti-debuggers like ScyllaHide and can detect some sandboxes that use hooking to monitor application behavior/activity (like Tria.ge).

Credits

  • https://github.com/AdvDebug: Inspired me to start making this package. Without him, it wouldn't be here. Check out his GitHub.
  • https://github.com/MmCopyMemory: Provided ideas and much more. Check out his GitHub.
  • I made this because I noticed someone was trying to crack or analyze my other Go programs. Previously, I had many lines of anti-debugging code (I coded lazily and put everything into one), so I wanted to create something quick and reliable that would make a reverse engineer's life harder. Thus, I made GoDefender.

Documentation

The Go Gopher

There is no documentation for this package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL