Majii Guy
Posted August 18, 2009 (edited)

Since I don't make nearly enough contributions around here, time to throw down a few of my projects I've posted on other communities

__

Anti-debug library, "Siberian Tiger", build 0.900: http://www.sendspace.com/file/lknuyt.

ASM files, as well as intrinsics, are used to be compatible with both x86 and x64 platforms. Strings are encrypted as a small layer of protection from reverse engineering. As the library approaches its final revision, I'll be obfuscating the application a bit more to ensure all checks are able to run, and work a bit more on integrability.

__

- Checks all modules entrypoint for being outside module space and the code segment; if size image or base image is invalid.
- Checks if thread start address or EIP is outside the code segment and outside module space.
- Check if an API function is hooked by checking the prologue code (i.e. the first 5 bytes).

Download: http://www.sendspace.com/file/cxdiyr
Update (Vista bugfix for "CheckModules"): http://www.sendspace.com/file/823gsn
Update 2 (Urgent for functionality): http://www.sendspace.com/file/toj9c4

Needless to say, the above three tricks should prevent DLL injection via CreateRemoteThread, thread hijacking, the DLL initialize registry key, hooking user mode API, etc. I combined my fast system call wrapper to minimize use of user-mode API functions, making this more of a pain to reverse, and overall harder to attack. Supported platforms are Windows NT 4 through Windows 7 RC 2 (includes all service packs, Windows 2003 server, and Windows 2008 server).

__

To build for x64 with either project, remove the X_x86.asm file, and include the X_x64.asm file provided with either project's archive.

Feedback would be appreciated

Edited August 18, 2009 by Majii Guy
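
The prologue check from the list above, combined with the "outside module space" test, as an added example that is not code from the Siberian Tiger library or from the post. All names are hypothetical and the module range and prologue bytes are constructed; it works on a copied byte buffer so it runs on any platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { NO_JMP, JMP_INSIDE, JMP_OUTSIDE };      /* hypothetical names */
struct module_range { uint64_t base, size; };

/* Constructed sample data: a module at 0x10000000 and a function inside it. */
static const struct module_range SAMPLE_MODULE = { 0x10000000u, 0x20000u };
static const uint64_t FUNC_VA = 0x10001000u;
static const uint8_t SAMPLE_PLAIN[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t SAMPLE_FAR[5]   = { 0xE9, 0xFB, 0xEF, 0xFF, 0x0F }; /* jmp 0x20000000 */
static const uint8_t SAMPLE_BACK[5]  = { 0xE9, 0x00, 0xE0, 0xFF, 0xFF }; /* jmp 0x0FFFF005 */
static const uint8_t SAMPLE_NEAR[5]  = { 0xE9, 0x00, 0x01, 0x00, 0x00 }; /* jmp 0x10001105 */

static int in_module(const struct module_range *m, uint64_t addr)
{
    /* Subtract instead of computing base+size, so a huge size cannot wrap. */
    return addr >= m->base && addr - m->base < m->size;
}

/* code: bytes copied from the function start; va: address they were read from. */
enum verdict check_prologue(const uint8_t *code, size_t len, uint64_t va,
                            const struct module_range *m)
{
    uint64_t target;

    if (len >= 5 && code[0] == 0xE9) {            /* JMP rel32: exactly 5 bytes */
        uint32_t raw = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                       (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
        target = va + 5 + (uint64_t)(int64_t)(int32_t)raw;  /* sign-extend rel32 */
    } else if (len >= 2 && code[0] == 0xEB) {     /* JMP rel8 */
        target = va + 2 + (uint64_t)(int64_t)(int8_t)code[1];
    } else {
        return NO_JMP;                            /* no leading jump found */
    }
    return in_module(m, target) ? JMP_INSIDE : JMP_OUTSIDE;
}

int main(void)
{
    printf("plain=%d far=%d back=%d near=%d\n",
           check_prologue(SAMPLE_PLAIN, 5, FUNC_VA, &SAMPLE_MODULE),
           check_prologue(SAMPLE_FAR, 5, FUNC_VA, &SAMPLE_MODULE),
           check_prologue(SAMPLE_BACK, 5, FUNC_VA, &SAMPLE_MODULE),
           check_prologue(SAMPLE_NEAR, 5, FUNC_VA, &SAMPLE_MODULE));
    return 0;
}
```

A `NO_JMP` result only means the function does not start with a relative jump; redirections placed deeper in the function or built from other instructions are outside what a first-bytes check can see.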

Loveless
Posted August 21, 2009

> if size image or base image is invalid.

What happens when a legit DLL is packed with a packer that mangled Size of image on purpose?