
Added a method to detect WireShark #4

wants to merge 1 commit into
base: master
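--- a/Methods/MethodWireShark.h
+++ b/Methods/MethodWireShark.h
@@ -0,0 +1,109 @@
+#pragma once
+
+#include <windows.h>
+#include <iostream>
+#include <winsvc.h>
+#include <string>
+
+class DriverDetector {
+private:
+
+SC_HANDLE scManager;
+
+public:
+
+DriverDetector() {
+scManager = OpenSCManager(
+nullptr,
+nullptr,
+SC_MANAGER_ENUMERATE_SERVICE
+);
+}
+
+~DriverDetector() {
+if (scManager) {
+CloseServiceHandle(scManager);
+}
+}
+
+bool isDriverRunning(const std::string& driverName) const {
+SC_HANDLE serviceHandle = OpenServiceA(
+scManager,
+driverName.c_str(),
+SERVICE_QUERY_STATUS
+);
+
+if (serviceHandle == nullptr) {
+return false;
+}
+
+SERVICE_STATUS_PROCESS statusBuffer;
+DWORD bytesNeeded;
+bool isRunning = false;
+
+if (QueryServiceStatusEx(
+serviceHandle,
+SC_STATUS_PROCESS_INFO,
+reinterpret_cast<LPBYTE>(&statusBuffer),
+sizeof(SERVICE_STATUS_PROCESS),
+&bytesNeeded)) {
+
+isRunning = (statusBuffer.dwCurrentState == SERVICE_RUNNING);
+}
+
+CloseServiceHandle(serviceHandle);
+return isRunning;
+}
+
+bool stopDriver(const std::string& driverName) const {
+SC_HANDLE serviceHandle = OpenServiceA(
+scManager,
+driverName.c_str(),
+SERVICE_STOP
+);
+
+if (serviceHandle == nullptr) {
+return false;
+}
+
+SERVICE_STATUS status;
+bool success = ControlService(
+serviceHandle,
+SERVICE_CONTROL_STOP,
+&status
+);
+
+CloseServiceHandle(serviceHandle);
+return success;
+}
+};
+
+// Usage example
+bool MethodWireShark() {
+DriverDetector detector;
+
+// Check for specific driver (In our case WireShark)
+std::string targetDriver = "npcap";
+
+if (detector.isDriverRunning(targetDriver)) {
+std::cout << "The target driver was found!" << std::endl;
+
+// Stop the driver * REQUIRES ADMINISTRATOR PRIVILEGES *
+/*
+if (detector.stopDriver(targetDriver)) {
+std::cout << "Stopped driver: " << targetDriver << std::endl;
+}
+else
+{
+std::cerr << "Failed to stop driver: " << targetDriver << std::endl;
+}
+*/
+
+return true;
+}
+else
+{
+std::cout << "The target driver was not found." << std::endl;
+return false;
+}
+}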
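Review bot: DriverDetector owns a raw SC_HANDLE that its destructor closes, but the class neither deletes nor defines copy and move operations, so any copy of a DriverDetector closes the same handle twice; add `DriverDetector(const DriverDetector&) = delete;` and `DriverDetector& operator=(const DriverDetector&) = delete;` next to the destructor. The constructor also leaves scManager null when OpenSCManager fails, and isDriverRunning then returns false from the failing OpenServiceA call, so "could not reach the service control manager" is reported as "driver not found"; a guard such as `if (!scManager) return false;` with a logged GetLastError() would keep the two cases apart (the same applies to stopDriver). Separately, what is queried is the `npcap` capture-driver service, which Wireshark installs but other capture tools can install as well, so the "target driver was found" message and the comment on the targetDriver line should say Npcap rather than WireShark to avoid overstating what was detected. Finally, MethodWireShark is a non-inline function defined in a header; if more than one translation unit includes this header the link fails on a duplicate definition, so mark it `inline` unless the other Methods/*.h headers deliberately rely on single inclusion.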
2 changes: 2 additions & 0 deletions anti-debugging.cpp
@@ -21,6 +21,7 @@
#include "Methods/MethodQPC.h"
#include "Methods/MethodHeapFlag.h"
#include "Methods/MethodLFH.h"
#include "Methods/MethodWireShark.h"
LRESULT CALLBACK WindowProcedure( HWND, UINT, WPARAM, LPARAM );

void AddMenus( HWND hWnd );
@@ -168,6 +169,7 @@ void AddControls( HWND hWnd ) {
AddMethod( MethodGetLocalTime, "GetLocalTime Detection");
AddMethod( MethodGetTickCount, "GetTickCount Detection");
AddMethod(MethodQPC, "QueryPerformanceCounter Detection");
AddMethod(MethodWireShark, "WireShark Detection");

hLogo = CreateWindowA( "static", NULL, WS_VISIBLE | WS_CHILD | SS_BITMAP, -10, 0, 100, 100, hWnd, NULL, NULL, NULL );
SendMessageA( hLogo, STM_SETIMAGE, IMAGE_BITMAP, ( LPARAM )hLogoImage );