06-03-2009
#1
Dual-Keyboard Member
Join Date: May 2008 Location: C:\windows\system32
Posts: 290
Thanks: 12
Thanked 295 Times in 46 Posts
Anti Injection
OK, so what I'm trying to do is:
load a DLL into that game (got that part);
in the DLL I load, I want the code to block all hooks like DLLs (don't get that part).
I'm using Microsoft Visual C++ 6. Can someone help me? There are so many hackers on my game, and if I can block loading of DLLs it will stop tons of them, because all they do is download hacks and then play on the server. So, yeah.
06-04-2009
#2
Choob
You could hook various API functions like CreateRemoteThread, NtCreateThread, LoadLibrary, LoadLibraryExW, WriteProcessMemory, ReadProcessMemory, etc.
That could be done through various methods such as IAT patching, runtime patching (using JMPs), etc.
Or you could develop a kernel-level rootkit to prevent these functions at the kernel level.
In any case, there are many tools that can prevent or overcome these protections, which viruses use as self-defense.
It would work, but you could seriously piss off many security programs or savvy users when they find out what you are doing to their system to protect your software.
Probably the only real way to protect your software without hooking would be to talk to a PE and COFF image cryptography expert, and implement high levels of packing and obfuscation to protect your process's data stored on the HDD, and also when loaded into memory during runtime (something I know nothing about, sorry).
Last edited by AltF5; 06-04-2009 at 02:57 AM.
06-04-2009
#3
Choob
(Dammit, didn't mean to post twice... browser lagged.)
06-04-2009
#4
JetaKing
The most efficient way is to make most of the player data server side. In the world we live in now, nothing is really uncrackable. However, there is basic protection like SCT hooks on WriteProcessMemory (filtering out your process from the call, not disabling it completely; that would be a very poor protection method if you did), monitoring register access, and you could monitor OpenProcess. Also, you could create a new low-priority thread in your game to run constant checksums, or check the first 22 bytes of any important or commonly attacked methods. We can't really give you much until you tell us what kind of game you're protecting.
Also, before doing any kernel-level (ring 0) hooking, you really should go for the SCT first. Lastly, after all your libraries are loaded, call the DisableThreadLibraryCalls API; this will stop the DLL_PROCESS_ATTACH and DLL_PROCESS_DETACH notifications to the DllMain method. This could stop most of the DLLs from starting.
Last edited by Jetamay; 06-04-2009 at 11:32 AM.
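The constant-checksum thread Jetamay describes, as an added example that is not code from this thread or from the poster's project: a baseline hash of the first 22 bytes of each guarded function is taken once the game's modules are loaded and rechecked later, and a mismatch names the patched function. It is written in portable C++ so it builds anywhere; the FNV-1a hash, the 32-byte stand-in buffer and the guarded function name are constructed assumptions, and the self-check also shows the limitation that a change past the 22-byte window goes unnoticed.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
// Bytes to snapshot per function: the thread suggests the first 22, which covers the
// prologue where an inline JMP or hot-patch stub would be written.
static const std::size_t kPrologueBytes = 22;

struct GuardedRegion {
    std::string name;
    const unsigned char* start;
    std::size_t length;
    std::uint64_t expected;  // FNV-1a hash of the bytes, taken at startup
};

// FNV-1a over a byte range: cheap enough to rerun continuously from a low-priority thread.
std::uint64_t fnv1a(const unsigned char* p, std::size_t n) {
    std::uint64_t h = 0xcbf29ce484222325ULL;
    for (std::size_t i = 0; i < n; ++i) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

// Record the baseline for one region; call once, after all of the game's modules are loaded.
GuardedRegion guardRegion(const std::string& name, const void* start, std::size_t length) {
    const unsigned char* p = static_cast<const unsigned char*>(start);
    GuardedRegion r = { name, p, length, fnv1a(p, length) };
    return r;
}

// Re-hash every region and return the names whose bytes no longer match the baseline.
std::vector<std::string> verifyRegions(const std::vector<GuardedRegion>& regions) {
    std::vector<std::string> tampered;
    for (std::size_t i = 0; i < regions.size(); ++i)
        if (fnv1a(regions[i].start, regions[i].length) != regions[i].expected)
            tampered.push_back(regions[i].name);
    return tampered;
}

// Self-check on a constructed 32-byte buffer standing in for a function's code (on Windows the
// pointer would come from GetProcAddress). Returns how many regions are flagged after the byte at
// `patchOffset` is overwritten with 0xE9 (the JMP rel32 opcode), or -1 if the clean baseline fails.
int flaggedAfterPatchAt(std::size_t patchOffset) {
    unsigned char fakeCode[32];
    for (std::size_t i = 0; i < sizeof fakeCode; ++i) fakeCode[i] = static_cast<unsigned char>(0x90 + i);
    std::vector<GuardedRegion> regions;
    regions.push_back(guardRegion("WriteProcessMemory", fakeCode, kPrologueBytes));
    if (!verifyRegions(regions).empty()) return -1;
    fakeCode[patchOffset] = 0xE9;
    return static_cast<int>(verifyRegions(regions).size());
}
```

On Windows the region pointer would be the address GetProcAddress returns for the guarded export, and verifyRegions would be called in a Sleep loop from a thread lowered with SetThreadPriority(hThread, THREAD_PRIORITY_LOWEST).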
06-04-2009
#5
Expert Member
AltF5 and Jetamay actually covered this pretty well, haha. You can also make use of some APIs to detect things, of course. The cheesiest is ReadProcessMemory. But it might be easiest for you, and I posted examples before.
06-04-2009
#6
Choob
Nifty suggestions by Jetamay.
Never heard of DisableThreadLibraryCalls, but that would be quite a cool way to stop DLLs loading, since they couldn't return success in DLL_PROCESS_ATTACH.
Although I have seen remote code execution using assembly and remote threads in as simple a language as VB6, and it seems to work as long as the process isn't protected by DEP.
I guess basically if remote threads are prevented by hooking CreateRemoteThread, NtCreateThread, ZwCreateThread, and RtlCreateUserThread, then external execution will not take place.
(Not sure of any other ways to start remote threads, really.)
Although you will also need to hook WriteProcessMemory, NtWriteVirtualMemory, and ZwWriteVirtualMemory to ensure nothing is written to your process, so that values in memory cannot be changed.
If you did IAT or runtime patching, then it would be in user mode, which could still allow drivers to execute code in your process, but going into the kernel for a process's protection seems a little overkill.
@Jetamay
What is an SCT hook?
Never heard of that one before.
06-04-2009
#7
Dual-Keyboard Member Threadstarter
OK, I understand, but most of the kids that play on my server download hacks, and the hack was made for all servers like mine, so really, if I can stop DLLs from loading then I'm good, 'cause most would stop hacking, 'cause they can't just download a hack and then run it.
This is my code. I need everything that's already in there; it makes sure the version is updated or they can't play on the server. But what I need now is how to add anti-injection to what I have here. I'm really brand new to C++. Can you help me out, man? I heard you're a god at C++.
Code:
// Sheild.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include <windows.h>

// Address of the game's version/time value that this DLL keeps pinned (game-specific, from the original post).
int *const g_pTime = (int*)0x090C5B9C;

// Worker thread: rewrites the value every 5 seconds. The original wrapped the write in try/catch(...),
// but an access violation is a structured exception, not a C++ one, so catch(...) only sees it when the
// project is built with /EHa; __try/__except catches it regardless of the exception-handling switch.
DWORD WINAPI changeTime( LPVOID ) {
    for( ;; ) {
        Sleep( 5000 );
        __try {
            *g_pTime = 15406;
        }
        __except( EXCEPTION_EXECUTE_HANDLER ) {
            MessageBox( 0, "Error Please Contact Overkilll.", "ERROR!", MB_ICONEXCLAMATION | MB_OK );
            return 0;   // ends this thread, as the original's ExitThread(0) did; the ExitProcess(0) after it was unreachable
        }
    }
}

BOOL APIENTRY DllMain( HINSTANCE hDll, DWORD callReason, LPVOID lpReserved ) {
    if( callReason == DLL_PROCESS_ATTACH ) {
        DisableThreadLibraryCalls( hDll );   // suppresses DLL_THREAD_ATTACH/DETACH calls only; process notifications still arrive
        MessageBox( 0, "I'm Loaded ", "Sheild", MB_ICONEXCLAMATION | MB_OK );
        // The start routine must have the DWORD WINAPI (LPVOID) signature; the original cast a plain void()
        // function, which is the wrong calling convention. The handle is closed because nothing waits on the thread.
        HANDLE hThread = CreateThread( 0, 0, changeTime, 0, 0, 0 );
        if( hThread )
            CloseHandle( hThread );
    }
    // DLL_PROCESS_DETACH: the original called ExitThread(0) here, which kills the thread that is unloading
    // the DLL while it holds the loader lock; on detach simply return.
    return TRUE;
}
Quote:
Originally Posted by Jetamay (quoted in full in post #4 above)
06-04-2009
#8
Expert Member
You of course can only monitor which .dlls are loaded, since the program won't even load without some Windows .dlls that naturally load into all executables, if you didn't know. I suppose one of us will come up with some example for you and post it when we have time. Oh, and you can't really have that link in your signature, sorry. You can move it to your profile's homepage, though.
06-04-2009
#9
Dual-Keyboard Member Threadstarter
Yep, yep, sig is gone, and I know that some .dlls have to load. What I really want is to make this .dll into like a hack shield for my server, but I'm still learning C++. It would be nice to make it have:
*anti-injection from DLLs
*hash files in the same folder as the game and delete ones that match a hack
*block WriteProcessMemory
*check if the shield is up to date
That's ideally what I want to make. If you could help me, that would be great. I make a lot off the private server and am always willing to pay people that help me out.
thx
Quote:
Originally Posted by Toymaker (quoted in full in post #8 above)
06-04-2009
#10
Choob
Here are two places I learned how to do API hooking via runtime patching: CodeProject: API hooking for hotpatchable operating systems
and CodeProject: API Hooking with MS Detours.
So maybe start with that and experiment with other API hooks, and once you get the hang of it, prevent WriteProcessMemory by hooking WriteProcessMemory (kernel32.dll), NtWriteVirtualMemory (ntdll.dll), and ZwWriteVirtualMemory (ntdll.dll).
I would also prevent remote threads, but that is up to you.
Also, now that I think about it, you will also need to hook SetWindowsHookEx, because the system will automatically map DLLs into that process if a certain condition is met for a window hook.
DisableThreadLibraryCalls might already have prevented SetWindowsHookEx from working, but I am not 100% sure.
Here is some info on how remote threads can cause code execution in another process (it mainly shows it via CreateRemoteThread): CodeProject: Three Ways to Inject Your Code into Another Process.
FYI - This entire process is really going to take a lot of research and time to understand and get fully working.
For any API hooking, you are basically going to need a DLL which is to be remotely injected into all currently existing processes, and also any new process that is started.
All currently existing processes isn't too bad (just enumerate them all and then use the VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread method here: CodeProject: Three Ways to Inject Your Code into Another Process).
To ensure you get any newly created process, you will need to hook CreateProcessA, CreateProcessW, CreateProcessExA, CreateProcessExW, and NtCreateProcess (possibly some others relating to threads).
Basically, what this will allow you to do is catch the creation of new processes, and then allow you to suspend its first thread and run your code to inject (map) your DLL into that process.
Somewhat described here under "Figuring out when to inject the hook DLL": CodeProject: API hooking revealed.
And here: http://www.codeproject.com/KB/DLL/funapihook.aspx
Search for: CREATE_SUSPENDED
Some other articles you might want to look over or print out and read when you get some time (these mainly explain the concepts in the articles above, but with various uses):
http://www.codeproject.com/KB/winsdk/Remote.aspx
http://www.codeproject.com/KB/DLL/RemoteLib.aspx
http://www.codeproject.com/KB/winsdk...ioWinLock.aspx
http://www.codeproject.com/KB/system...nAPICalls.aspx
http://www.codeproject.com/KB/system...unleashed.aspx
http://www.codeproject.com/KB/DLL/hooks.aspx
The hooking is about the only thing I can give advice on, since I do not understand hashing, nor networking to check whether or not software is up to date.
And, what exactly do you mean by "*anti injection from dll's"?
Last edited by AltF5; 06-04-2009 at 05:10 PM.