Fury - Preventing DLL injection; Siberian Tiger - prevent active debug

[Majii Guy]

Since I don't make nearly enough contributions around here, time to throw down a few of my projects I've posted on other communities

__

Anti-debug library, "Siberian Tiger", build 0.900: http://www.sendspace.com/file/lknuyt.

ASM files, as well as intrinsics, are used to be compatible with both x86 and x64 platforms.

Strings are encrypted as a small layer of protection from reverse engineering.

As the library approaches it's final revision, I'll be obfuscating the application a bit more to ensure all checks are able to run, and work a bit more on integrability.

__

- Checks all modules entrypoint for being outside module space and the code segment; if size image or base image is invalid.

- Checks if thread start address or EIP is outside the code segment and outside module space.

- Check if an API function is hooked by checking the prologue code (i.e. The first 5 bytes).

Download: http://www.sendspace.com/file/cxdiyr

Update (Vista bugfix for "CheckModules"): http://www.sendspace.com/file/823gsn

Update 2 (Urgent for functionality): http://www.sendspace.com/file/toj9c4

Needless to say, the above three tricks should prevent DLL injection via CreateRemoteThread, thread hijacking, the DLL initialize registry key, hooking user mode API, etc.

I combined my fast system call wrapper to minimize use of user-mode API functions, making this more of a pain to reverse, and overall harder to attack. Supported platforms are Windows NT 4 through Windows 7 RC 2 (Includes all service packs, Windows 2003 server, and Windows 2008 server).

__

To build for x64 with either project, remove the X_x86.asm file, and include the X_x64.asm file provided with either project's archive.

Feedback would be appreciated

Edited August 18, 2009 by Majii Guy

[Loveless]

if size image or base image is invalid.

What happens when a legit DLL is packed with a packer that mangled Size of image on purpose?