🛡️ Anti Universal Hooker

Anti Universal Hooker is a lightweight, native-level anti-tamper mechanism designed for .NET Framework applications. It proactively defends against runtime method detouring, memory patching, and generic hooking tools.

📋 Overview

Traditional .NET hookers (like UniversalHooker) rely on modifying memory protection flags (RWX) to inject JMP instructions into compiled method bodies.

RuntimePatcher intercepts these low-level requests at the kernel32 level. Instead of crashing the application, it employs stealth error injection, feeding misleading Win32 error codes back to the attacker. This confuses reverse engineering tools and prevents the hook from being established, while keeping the host application stable.

Key Features

• Native Interception: Hooks VirtualProtect directly in memory using ntdll bypasses.
• Heuristic Filtering: Distinguishes between legitimate CLR memory operations and malicious patching attempts based on allocation size and flags.
• Stealth Error Injection: Dynamically resolves RtlSetLastWin32Error to inject fake system errors (e.g., ERROR_BAD_EXE_FORMAT) without importing suspicious APIs.
• Zero Dependencies: Pure C# implementation using P/Invoke and unsafe context.
• Auto-Initialization: Uses [ModuleInitializer] to deploy defenses before the Main entry point.

⚙️ Configuration

To integrate RuntimePatcher into your project, ensure your .csproj is configured correctly.

Requirements

• .NET Framework 4.8.1 (or compatible)
• C# 9.0+ (Required for ModuleInitializer)
• Unsafe Code (Required for pointer manipulation)

.csproj Setup

Add or modify the following properties in your project file:

<PropertyGroup>
    <TargetFrameworkVersion>v4.8.1</TargetFrameworkVersion>
    <LangVersion>12</LangVersion>
    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
</PropertyGroup>