Anti-Debug Library

  1. #1
    Posted by Guy

    Anti-Debug Library

    http://www.sendspace.com/file/1zlk2e

    Build 0.802; short changelog:

    - x64-compatible
    - New tricks added, blah blah
    - Switched from class to linear C

    In this sample, I show how you can use functions in the SiberianTiger library to verify anti-debug functions run; e.g.

    Code:
    /* Wrapper around MessageBoxA: the DLL and export names are stored as
       int arrays (decoded at run time), the export is resolved through the
       library's own Chameleon_GetProcAddressA, and the resulting pointer is
       only usable when SiberianTiger_Execute equals 1. */
    void MessageBoxA_( HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType )
    {
    	int user32[] = { 'u', 's', 'e', 'r', '3', '2', '.', 'd', 'l', 'l' };
    	int MessageBoxA[] = { 'M', 'e', 's', 's', 'a', 'g', 'e', 'B', 'o', 'x', 'A' };
    
    	FARPROC MBA_Addr = ( FARPROC ) Chameleon_GetProcAddressA(
    		LoadLibrary( decode( user32, 10 ) ), 
    		decode( MessageBoxA, 11 ) );
    	typedef void ( NTAPI *Function ) (...);
    	/* XOR with ( SiberianTiger_Execute ^ 1 ): a mask of 0 leaves the address
    	   intact; any other flag value corrupts the pointer before the call. */
    	Function MessageBox_A = ( Function ) ( ( DWORD ) MBA_Addr ^ ( SiberianTiger_Execute ^ 1 ) );
    	MessageBox_A( hWnd, lpText, lpCaption, uType );
    }
    The main line of interest:

    Code:
    	Function MessageBox_A = ( Function ) ( ( DWORD ) MBA_Addr ^ ( SiberianTiger_Execute ^ 1 ) );
    Regards,
    Guy

    ---------- Post added at 02:47 AM ---------- Previous post was at 01:23 AM ----------

    Quick patch for Vista:

    Replace the following lines:

    Code:
    	int user32[] = { 'u', 's', 'e', 'r', '3', '2', '.', 'd', 'l', 'l' };
    	int MessageBoxA[] = { 'M', 'e', 's', 's', 'a', 'g', 'e', 'B', 'o', 'x', 'A' };

    Code:
    	int user32[] = { 'u', 's', 'e', 'r', '3', '2', '.', 'd', 'l', 'l', 0 };
    	int MessageBoxA[] = { 'M', 'e', 's', 's', 'a', 'g', 'e', 'B', 'o', 'x', 'A', 0 };
    Forgot to null-terminate the encoded strings; I'm surprised this didn't cause problems on XP.
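    To make the gated-pointer idea from the post concrete for an analyst, here is an added, portable C sketch; it is not the library's code, and `decode`, `gate_pointer`, `resolve` and `gated_call` are assumed stand-ins modelled on the snippet above (the int-array name, the trailing 0 from the Vista patch, and the `addr ^ ( flag ^ 1 )` mask). Unlike the original, it checks the gated pointer before calling through it instead of jumping to a corrupted address.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-in for the post's decode(): copies an int array of
 * character codes into a NUL-terminated char buffer. Honouring an
 * embedded 0 is what the Vista patch in the thread relies on. */
static const char *decode(const int *enc, size_t n, char *out, size_t outsz)
{
    size_t i;
    if (outsz == 0) return NULL;
    for (i = 0; i < n && i + 1 < outsz; i++) {
        out[i] = (char)enc[i];
        if (enc[i] == 0) return out;
    }
    out[i] = '\0';
    return out;
}

/* Mirrors "( DWORD ) MBA_Addr ^ ( SiberianTiger_Execute ^ 1 )": a flag of
 * exactly 1 gives a mask of 0 and the address survives; anything else
 * flips low bits of the pointer, so the call lands somewhere invalid. */
static uintptr_t gate_pointer(uintptr_t addr, unsigned flag)
{
    return addr ^ (uintptr_t)(flag ^ 1u);
}

typedef int (*api_fn)(int);
static int real_api(int x) { return x + 1; }   /* constructed stand-in API */

/* Tiny name table in place of GetProcAddress for this demo. */
static uintptr_t resolve(const char *name)
{
    return strcmp(name, "MessageBoxA") == 0 ? (uintptr_t)real_api : 0;
}

/* Returns the API result when the gate allows the call, or -1 when the
 * gated pointer no longer matches the resolved one (the original code
 * would simply crash here, which is what an analyst observes). */
static int gated_call(unsigned flag, int arg)
{
    static const int enc[] = { 'M','e','s','s','a','g','e','B','o','x','A', 0 };
    char name[16];
    uintptr_t addr = resolve(decode(enc, sizeof enc / sizeof enc[0], name, sizeof name));
    uintptr_t gated = gate_pointer(addr, flag);
    if (!addr || gated != addr) return -1;
    return ((api_fn)gated)(arg);
}
```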


  2. #2
    Posted by Guy

    Re: Anti-Debug Library

    Update: http://www.sendspace.com/file/8dexg9

    Vista compatible, x64 compatible; inline ASM replaced by linked .asm files for compatibility reasons. Any tricks formerly not supported by x64 platforms due to the use of inline ASM are now supported!

    Also, the integrated example is much easier to understand.
    Last edited by Guy; 09-08-09 at 07:34 AM.


