Archive for the ‘Executable Protection’ Category

Well, the last build had an XP-only trick, and a problem with the GetHeapFlags function (Vista’s default heap handling is a bit different from XP’s; luckily, the heap behavior under a debugger is still identifiable). The OutputDebugString trick was only available on XP, but, as an alternative, I set up a formatting exploit that’s been reported […]


After some testing, I was able to figure out which anti-debug functions did not work on Vista, and marked them to be filtered out. Enjoy! 🙂

    #define WIN32_LEAN_AND_MEAN   /* both defines must precede <windows.h> to take effect */
    #define VC_EXTRALEAN
    #include <windows.h>

    bool DebugBit = TRUE;
    int countExceptions = 0;

    char GetBeingDebugged( )
    {
        char BeingDebuggedBit;
        __asm {
            MOV EAX, DWORD PTR FS:[0x30]   ; PEB pointer, read from the TEB
            XOR EAX, 0x2 […]


A recent project of mine branched into anti-debug techniques I compiled based on anti-anti-debug plugins I found, and some experimental techniques I discovered myself (e.g. SEH with CloseHandle being given an invalid handle).

    #define WIN32_LEAN_AND_MEAN   /* both defines must precede <windows.h> to take effect */
    #define VC_EXTRALEAN
    #include <windows.h>

    bool DebugBit = TRUE;
    int countExceptions = 0;

    char GetBeingDebugged( )
    {
        char BeingDebuggedBit;
        __asm {
            MOV […]
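The checks these three anti-debug posts lean on (the PEB BeingDebugged byte, the heap-debug bits in NtGlobalFlag, and the process heap's Flags/ForceFlags, whose position moved between XP and Vista), as an added example that is not the posts' own code. The decision logic is kept portable so it can be exercised with constructed values from a clean and a debugged process; the raw-offset probe is Windows-only. The structure offsets are the undocumented ones for 32-bit XP/Vista and 64-bit Windows and are assumptions to verify against the target build.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example, not the posts' code: PEB / heap-flag debugger indicators,
 * split into a portable decision function and a Windows-only probe. */

enum {
    IND_BEING_DEBUGGED = 1,   /* PEB->BeingDebugged, the byte at PEB+2 */
    IND_NT_GLOBAL_FLAG = 2,   /* PEB->NtGlobalFlag heap-debug bits */
    IND_HEAP_FLAGS     = 4    /* _HEAP->Flags / ForceFlags */
};

/* Heap flag values from ntdll; a process spawned under a debugger gets
 * Flags = 0x40000062 and ForceFlags = 0x40000060 instead of 0x2 / 0. */
#define HEAP_GROWABLE_FLAG          0x00000002u
#define FLG_HEAP_DEBUG_MASK         0x70u   /* TAIL_CHECK | FREE_CHECK | VALIDATE_PARAMETERS */

typedef struct {
    uint8_t  being_debugged;
    uint32_t nt_global_flag;
    uint32_t heap_flags;
    uint32_t heap_force_flags;
} dbg_probe_t;

/* Returns a bitmask of the IND_* indicators that fired. */
unsigned debugger_indicators(const dbg_probe_t *p) {
    unsigned ind = 0;
    if (p->being_debugged)                      ind |= IND_BEING_DEBUGGED;
    if (p->nt_global_flag & FLG_HEAP_DEBUG_MASK) ind |= IND_NT_GLOBAL_FLAG;
    /* A normal process heap carries HEAP_GROWABLE only, and ForceFlags is 0. */
    if ((p->heap_flags & ~HEAP_GROWABLE_FLAG) != 0 || p->heap_force_flags != 0)
        ind |= IND_HEAP_FLAGS;
    return ind;
}

#ifdef _WIN32
#include <windows.h>
/* Assumed raw offsets (undocumented): PEB pointer in the TEB, NtGlobalFlag in
 * the PEB, and Flags/ForceFlags in the _HEAP header. */
#if defined(_WIN64)
#  define OFF_TEB_PEB      0x60
#  define OFF_PEB_NTGLOBAL 0xBC
#  define OFF_HEAP_FLAGS   0x70          /* ForceFlags follows at +0x74 */
#else
#  define OFF_TEB_PEB      0x30
#  define OFF_PEB_NTGLOBAL 0x68
/* 32-bit _HEAP: Flags/ForceFlags sit at +0x0C/+0x10 on XP, +0x40/+0x44 from Vista on. */
static unsigned heap_flags_offset(void) {
    return LOBYTE(LOWORD(GetVersion())) >= 6 ? 0x40 : 0x0C;
}
#  define OFF_HEAP_FLAGS   heap_flags_offset()
#endif

/* Read the three indicators for the current process. */
dbg_probe_t probe_current_process(void) {
    dbg_probe_t p;
    BYTE *teb  = (BYTE *)NtCurrentTeb();
    BYTE *peb  = *(BYTE **)(teb + OFF_TEB_PEB);
    BYTE *heap = (BYTE *)GetProcessHeap();       /* documented way to the _HEAP base */
    p.being_debugged   = peb[2];
    p.nt_global_flag   = *(uint32_t *)(peb + OFF_PEB_NTGLOBAL);
    p.heap_flags       = *(uint32_t *)(heap + OFF_HEAP_FLAGS);
    p.heap_force_flags = *(uint32_t *)(heap + OFF_HEAP_FLAGS + 4);
    return p;
}
#endif
```

Anti-anti-debug plugins typically clear only BeingDebugged, which is why the three readings are cross-checked: a patched PEB byte still leaves the heap and NtGlobalFlag bits in place unless the plugin fixes those too. The reverse caveat matters as much: the loader sets the heap-debug bits when the process is created under a debugger, so attaching later leaves them clear, `_NO_DEBUG_HEAP=1` in the environment suppresses them, and a GlobalFlag registry setting produces them with no debugger at all.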


An idea I had to prevent threads from being launched outside the code segment (e.g. via DLL injection) would be to kill all threads found to have a start address outside the code segment. To defeat such a check, you would have to either:
a) Spoof the TIB.
b) Launch a thread from within […]
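The kill-foreign-threads idea above, as an added example (not the project's code): the decision step is portable and runs over a constructed thread table, while the Windows-only enumerator fills that table from a Toolhelp snapshot. Assumptions: the code-section bounds are taken from BaseOfCode/SizeOfCode in the loaded PE header, and the thread start address comes from NtQueryInformationThread with info class 9 (ThreadQuerySetWin32StartAddress), resolved from ntdll at run time.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example, not Chameleon's code: terminate threads whose start routine
 * lies outside this image's code section. */

typedef struct {
    uintptr_t start;        /* first byte of the code section */
    uintptr_t end;          /* one past the last byte */
} code_range_t;

typedef struct {
    uint32_t  tid;
    uintptr_t start_addr;   /* thread start routine as the OS reports it */
} thread_info_t;

/* True when addr lies inside [start, end). */
bool start_in_code(code_range_t r, uintptr_t addr) {
    return addr >= r.start && addr < r.end;
}

/* Collect the TIDs whose start address is foreign to the code section.
 * self_tid is never selected so the scanner cannot kill itself.
 * Returns the number of TIDs written to out. */
size_t select_foreign_threads(code_range_t r, const thread_info_t *t, size_t n,
                              uint32_t self_tid, uint32_t *out, size_t out_cap) {
    size_t k = 0;
    for (size_t i = 0; i < n && k < out_cap; i++) {
        if (t[i].tid == self_tid) continue;
        if (!start_in_code(r, t[i].start_addr)) out[k++] = t[i].tid;
    }
    return k;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* NtQueryInformationThread, info class 9 = ThreadQuerySetWin32StartAddress (assumed). */
typedef LONG (NTAPI *NtQIT_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Code-section bounds from this executable's PE optional header. */
static code_range_t own_code_range(void) {
    BYTE *base = (BYTE *)GetModuleHandle(NULL);
    IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)base;
    IMAGE_NT_HEADERS *nt  = (IMAGE_NT_HEADERS *)(base + dos->e_lfanew);
    code_range_t r;
    r.start = (uintptr_t)(base + nt->OptionalHeader.BaseOfCode);
    r.end   = r.start + nt->OptionalHeader.SizeOfCode;
    return r;
}

/* Enumerate this process's threads, query each start address, and terminate
 * the ones select_foreign_threads() flags. Returns the kill count or -1. */
int kill_foreign_threads(void) {
    NtQIT_t NtQIT = (NtQIT_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                            "NtQueryInformationThread");
    if (!NtQIT) return -1;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (snap == INVALID_HANDLE_VALUE) return -1;

    thread_info_t table[256];
    size_t n = 0;
    THREADENTRY32 te;
    te.dwSize = sizeof(te);
    for (BOOL ok = Thread32First(snap, &te); ok && n < 256; ok = Thread32Next(snap, &te)) {
        if (te.th32OwnerProcessID != GetCurrentProcessId()) continue;
        HANDLE h = OpenThread(THREAD_QUERY_INFORMATION, FALSE, te.th32ThreadID);
        if (!h) continue;
        PVOID addr = NULL;
        if (NtQIT(h, 9, &addr, sizeof(addr), NULL) == 0) {
            table[n].tid = te.th32ThreadID;
            table[n].start_addr = (uintptr_t)addr;
            n++;
        }
        CloseHandle(h);
    }
    CloseHandle(snap);

    uint32_t victims[256];
    size_t k = select_foreign_threads(own_code_range(), table, n,
                                      GetCurrentThreadId(), victims, 256);
    for (size_t i = 0; i < k; i++) {
        HANDLE h = OpenThread(THREAD_TERMINATE, FALSE, victims[i]);
        if (h) { TerminateThread(h, 0); CloseHandle(h); }
    }
    return (int)k;
}
#endif
```

Two caveats before using this as written. Windows and the CRT create threads of their own whose start routines live in ntdll or kernel32 (thread-pool workers, RPC, the loader), so the filter terminates legitimate threads unless those modules are allow-listed; and TerminateThread abandons any lock the victim held. The post's two bypasses are also not the only ones: an injector that hijacks an existing in-image thread (SetThreadContext, a queued APC) never creates a thread, so a start-address filter never sees it.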


As I work on Chameleon, I constantly question myself: is it worth it? Surely someone else has already done a project of this stature, with reasonable quality? But I can only name two open-source x86 virtualization tools:
1) libEMU (http://libemu.carnivore.it/)
2) ReWolf’s x86 Virtualizer (http://www.rewolf.pl)
I usually feel pretty at that reminder; any non-commercial product […]


As part of the project, for obfuscation purposes, I’ve begun writing my own little random function, which replaces:
– srand( )
– rand( )
– GetTickCount( )
– GetSystemTime( )
I’ve obfuscated the functions a little, and ported the rand() function itself to C++. Good luck to anyone trying to fingerprint the custom rand function […]
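A self-contained replacement for the four calls listed above, as an added example that is not the project's code. It ports the MSVC CRT rand() (a 32-bit linear congruential generator returning 15 bits), shows the one change that actually matters for fingerprinting, and replaces the timer imports with the CPU timestamp counter. Assumptions: the alternative multiplier/increment are chosen arbitrarily here, and the byte strings in the scanner are constructed to mimic how a compiler embeds the constants as immediates.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#if defined(_MSC_VER)
#include <intrin.h>
#endif

/* Added example, not the project's code. */

typedef struct { uint32_t state; } lcg_t;

/* Faithful port of the MSVC CRT rand(): no rand/srand import remains, but the
 * two constants survive verbatim in the compiled code. */
void msvc_srand(lcg_t *g, uint32_t seed) { g->state = seed; }
int  msvc_rand(lcg_t *g) {
    g->state = g->state * 214013u + 2531011u;
    return (int)((g->state >> 16) & 0x7fff);
}

/* Same generator with constants chosen here arbitrarily (assumption). By the
 * Hull-Dobell theorem the period is still the full 2^32 whenever the increment
 * is odd and (multiplier - 1) is a multiple of 4, so quality is unchanged while
 * nothing recognisable is embedded. */
#define LCG_MUL 0x2545F491u   /* 0x2545F491 - 1 is divisible by 4 */
#define LCG_INC 0x1F3D5B79u   /* odd */
void custom_srand(lcg_t *g, uint32_t seed) { g->state = seed; }
int  custom_rand(lcg_t *g) {
    g->state = g->state * LCG_MUL + LCG_INC;
    return (int)((g->state >> 16) & 0x7fff);
}

/* Seed source with no GetTickCount/GetSystemTime import: rdtsc folded to
 * 32 bits on x86. The fallback only mixes a stack address (ASLR) so the file
 * builds elsewhere; it is not a real entropy source. */
uint32_t timestamp_seed(void) {
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    uint32_t lo, hi;
    __asm__ volatile ("rdtsc" : "=a"(lo), "=d"(hi));
    return lo ^ hi;
#elif defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_X64))
    uint64_t t = __rdtsc();
    return (uint32_t)t ^ (uint32_t)(t >> 32);
#else
    volatile uint32_t marker = 0;
    return (uint32_t)(uintptr_t)&marker;
#endif
}

/* What a signature scan looks for: the CRT constants as little-endian 32-bit
 * immediates, exactly how `imul eax, eax, 214013` and `add eax, 2531011`
 * embed them. */
static bool has_le32(const uint8_t *blob, size_t len, uint32_t v) {
    for (size_t i = 0; i + 4 <= len; i++)
        if (blob[i]     == ( v        & 0xff) && blob[i + 1] == ((v >>  8) & 0xff) &&
            blob[i + 2] == ((v >> 16) & 0xff) && blob[i + 3] == ((v >> 24) & 0xff))
            return true;
    return false;
}
bool looks_like_msvc_rand(const uint8_t *blob, size_t len) {
    return has_le32(blob, len, 214013u) && has_le32(blob, len, 2531011u);
}
```

The scanner is the point: obfuscating the call sites and dropping the imports hides nothing if the multiplier and increment are left as the CRT's, because those two dwords are a better signature than the import ever was. Changing them (and deriving the seed from something the process does not import) is what removes the fingerprint.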


After diving into very unorganized/sloppy code, I’ve decided to begin a rewrite of Project Larva, dubbed “Chameleon”. Thus far, the interpreted PUSH operation works with ease; next is CALL, then MOV/LEA, arithmetic/bitwise operations, and last comparisons with conditional jumps. Once I finish the aforementioned, I’ll be looking into setting up the project on Sourceforge and […]