ImGui & Improvements

ImGui default now, original Windows design still intact, can be changed from a json file, or the file menu. Timing checks are undetected after you toggle them off and toggle them back on now (keeps the detected text showing after a timing check has been triggered without being turned off)

Author: ssnob

AntiDebugMethod.cpp

@@ -75,6 +75,7 @@ bool AntiDebugMethod::checkIfDetected() {
 char newButtonName[200];
 strcpy_s(newButtonName, name.c_str());
 strcat_s(newButtonName, "\n ENABLED - DETECTED!");
+updated_name = newButtonName;
 SendMessageA(enableButtonHwnd, WM_SETTEXT, 0, (LPARAM)newButtonName);
 }
 } else {
@@ -95,7 +96,6 @@ bool AntiDebugMethod::createGUI(HWND hWnd) {
 else {
 strcat_s(newButtonName, "\n DISABLED");
 }
-
 enableButtonHwnd = CreateWindowA("button", newButtonName, WS_VISIBLE | WS_CHILD | BS_MULTILINE | SS_CENTER, windowPosX, windowPosY, 230, 50, hWnd, (HMENU)(90+id), NULL,NULL);
 return 1;
 };

AntiDebugMethod.h

@@ -8,23 +8,26 @@ class AntiDebugMethod
 {
 private:
 static int current_id; 
-static std::vector<AntiDebugMethod*> allInstances;
-std::string name;
 int id;
-bool enabled = false;
 bool detected = false;
-int windowPosX, windowPosY;
 HWND enableButtonHwnd;
 public:
+int windowPosX, windowPosY;
+std::string name;
+std::string updated_name;
+bool enabled = false;
 bool (*funcPtr)();
 static void toggleThisMethod(int id);
 static void mainLoop();
 static bool anyDetection;
 static AntiDebugMethod* getMethodById(int id);
 
-void toggle();
+
 AntiDebugMethod(bool (*funcPtrParam)(), int windowPosXParam, int windowPosYParam, std::string nameParam);
+
+void toggle();
 bool checkIfDetected();
 bool createGUI(HWND hWnd);
+static std::vector<AntiDebugMethod*> allInstances;
 };
 

Methods/MethodGetLocalTime.h

@@ -1,6 +1,7 @@
 #pragma once
 #include <Windows.h>
 #include <iostream>
+#include "TimerDetection.h"
 
 bool MethodGetLocalTime()
 {
@@ -22,5 +23,10 @@ bool MethodGetLocalTime()
  uiEnd.LowPart = fEnd.dwLowDateTime;
  uiEnd.HighPart = fEnd.dwHighDateTime;
 
- return (((uiEnd.QuadPart - uiStart.QuadPart) * 100) / 1000000) > 100; 
+ bool detection_value = (((uiEnd.QuadPart - uiStart.QuadPart) * 100) / 1000000) > 100;
+ static timer_detection local_time_detection(detection_value);
+ local_time_detection.frame();
+ local_time_detection.set_condition(!local_time_detection.get_detected());
+ local_time_detection.update_detection(detection_value);
+ return local_time_detection.get_detected();
 }

Methods/MethodGetTickCount.h

@@ -1,19 +1,21 @@
 #pragma once
 #include <Windows.h>
 #include <iostream>
-
-bool MethodGetTickCount() {
+#include "TimerDetection.h"
 
 
+bool MethodGetTickCount() {
  DWORD tickReference = GetTickCount64();
 
  Sleep(50); 
 
  DWORD currentTick = GetTickCount64();
  DWORD elapsedTime = currentTick - tickReference;
 
- if (elapsedTime > 100)
- return true;
-
- return false;
+ bool detection_value = elapsedTime > 100;
+ static timer_detection tick_detection(detection_value);
+ tick_detection.frame();
+ tick_detection.set_condition(!tick_detection.get_detected());
+ tick_detection.update_detection(detection_value);
+ return tick_detection.get_detected();
 }

Methods/MethodQPC.h

@@ -1,6 +1,8 @@
 #pragma once
 #include <Windows.h>
 #include <iostream>
+#include <chrono>
+#include "TimerDetection.h"
 
 bool MethodQPC()
 {
@@ -11,5 +13,13 @@ bool MethodQPC()
  Sleep(50);
 
  QueryPerformanceCounter(&end);
- return (end.QuadPart - start.QuadPart) * 1000 / frequency.QuadPart > 100;
+ 
+ bool detection_value = (end.QuadPart - start.QuadPart) * 1000 / frequency.QuadPart > 100;
+
+ static timer_detection qpc_detection(detection_value);
+ qpc_detection.frame();
+ qpc_detection.set_condition(!qpc_detection.get_detected());
+ qpc_detection.update_detection(detection_value);
+ return qpc_detection.get_detected();
 }
+ 

Methods/TimerDetection.h

@@ -0,0 +1,53 @@
+#pragma once
+#include <chrono>
+
+// helper static class for things that are detected
+// but only for a short duration
+class timer_detection
+{
+public:
+ timer_detection(bool detected)
+ {
+ detection = detected;
+ last_call_time = std::chrono::steady_clock::now();
+ }
+
+ inline void frame()
+ {
+ auto current_time = std::chrono::steady_clock::now();
+ // short duration, if the button is untoggled the detection will reset
+ if (std::chrono::duration_cast<std::chrono::milliseconds>(current_time - last_call_time).count() > 250)
+ {
+ needs_reset = true;
+ }
+ else
+ {
+ needs_reset = false;
+ }
+
+ last_call_time = std::chrono::steady_clock::now();
+ }
+
+ inline void set_condition(bool cond)
+ {
+ condition = cond;
+ }
+
+ inline void update_detection(bool value)
+ {
+ if (condition || needs_reset)
+ {
+ detection = value;
+ }
+ }
+
+ inline bool get_detected()
+ {
+ return detection;
+ }
+private:
+ bool condition;
+ bool detection;
+ bool needs_reset;
+ std::chrono::time_point<std::chrono::steady_clock> last_call_time;
+};

README.md

@@ -2,11 +2,14 @@
 
 Implementation of some anti-debugging techniques on a (bad looking) Win32 application. The idea is to cover most used anti-debugging methods.
 
-![](preview.png)
+ImGui | Windows
+:-------------------------:|:-------------------------:
+![](new_preview.png) | ![](preview.png)
 
 ## How to use it
 
-You can compile yourself with Visual Studio 2019+ (no special instructions needed) or just download the binary on the release tab. Fire it up, attach a debugger and start enabling detection methods. Then, try to bypass some and have fun.
+You can compile yourself with Visual Studio 2019+ or just download the binary on the release tab. Fire it up, attach a debugger and start enabling detection methods. Then, try to bypass some and have fun.
+When compiling you need to copy the resources folder to the output folder for the images to display.
 
 ## How to add a new anti debugging method