Thread: Anti Injection

Page 2 of 2 (results 16 to 20 of 20)
  1. #16 Toymaker (joined Feb 2008, 659 posts)
    Yes, you can read the values at an address and decide if its integrity is proper or not. Did you actually find my example, or no, and you're trying to mix / confuse it with another code you have? I suppose I'll have to do this out for you.

  2. #17 genx2 (joined Jun 2009, 5 posts)
    Quote Originally Posted by Toymaker:
    Yes, you can read the values at an address and decide if its integrity is proper or not. Did you actually find my example, or no, and you're trying to mix / confuse it with another code you have? I suppose I'll have to do this out for you.

    Yes, I found it:
    https://www.mpgh.net/forum/161-tutori...torial_p1.html

    I'm working on the idea of making it check the value like you said,
    but the code I have above writes to the memory. I was wondering if I could simply change the code I posted before to read the address instead of just writing to it.

  3. #18 radnomguywfq3 (joined Jan 2007, 8,858 posts)
    Quote Originally Posted by AltF5:
    Nifty suggestions by Jetamay.
    Never heard of DisableThreadLibraryCalls, but that would be quite a cool way to stop Dlls loading, since they couldn't return success in the DLL_PROCESS_ATTACH.

    Although I have seen remote code execution using assembly and remote threads in as simple of a language as VB6, and it seems to work as long as the process isn't protected by DEP.

    I guess basically if remote threads are prevented by hooking CreateRemoteThread, NtCreateThread, ZwCreateThread, and RtlCreateUserThread then external execution will not take place.
    (Not sure of any other ways to start remote threads really)

    Although you will also need to hook WriteProcessMemory, NtWriteVirtualMemory, and ZwWriteVirtualMemory to ensure nothing is written to your process, so that values in memory cannot be changed.

    If you did IAT or Runtime patching, then it would be in usermode, which could still allow drivers to execute code on your process, but going into the kernel for a process's protection seems a little overkill.


    @Jetamay
    What is an SCT Hook ?
    Never heard of that one before.

    SCT is a system call table. Instead of calling directly from the kernel, programs make calls to the system call table, which makes a call to the corresponding kernel method. Also, hooking WriteProcessMemory should be done, but chances are, if you're protecting from injected code which is being executed within your process's address space, the target will be using methods such as memcpy, strcpy, strcmp, etc., or accessing it directly using pointers. What you can do is make your code segment read only, and check for changes in its protection. Most hackers will use the VirtualProtect API to remove protection on a certain range of addresses.
    Last edited by radnomguywfq3; 06-04-2009 at 05:18 PM.
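One way to do the integrity check Toymaker describes in #16 (read the bytes at an address and decide whether they are still intact) together with the page-protection check suggested in #18, as an added example that is not code from this thread: take a trusted copy of a function's first bytes at startup and later compare the live bytes against it, and query the page protection. The struct and function names, the 16-byte window and the choice of ntdll!LdrLoadDll as the guarded function are my own; the VirtualQuery part only builds on Windows, the comparison is portable.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Known-good copy of a code region, taken before untrusted code can run. */
typedef struct {
    const uint8_t *base;  /* live address being guarded */
    size_t len;
    uint8_t *copy;        /* trusted bytes (heap copy, free() when done) */
} code_snapshot;
int snapshot_take(code_snapshot *s, const void *base, size_t len) {
    s->copy = (uint8_t *)malloc(len);
    if (!s->copy) return 0;
    s->base = (const uint8_t *)base;
    s->len = len;
    memcpy(s->copy, base, len);
    return 1;
}
/* -1 if the live bytes still match; otherwise the offset of the first byte
   that differs (0 when a "xor eax,eax; ret" stub was written over the entry). */
long snapshot_first_change(const code_snapshot *s) {
    for (size_t i = 0; i < s->len; i++)
        if (s->base[i] != s->copy[i]) return (long)i;
    return -1;
}
#ifdef _WIN32
/* 1 if the page holding addr carries any write permission (a code page
   normally has PAGE_EXECUTE_READ), 0 if not, -1 if the query fails. */
int code_page_writable(const void *addr) {
    MEMORY_BASIC_INFORMATION mbi;
    if (!VirtualQuery(addr, &mbi, sizeof mbi)) return -1;
    return (mbi.Protect & (PAGE_READWRITE | PAGE_WRITECOPY |
            PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}
int main(void) {   /* guard the first 16 bytes of ntdll!LdrLoadDll */
    code_snapshot s;
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    FARPROC fn = ntdll ? GetProcAddress(ntdll, "LdrLoadDll") : NULL;
    if (!fn || !snapshot_take(&s, (const void *)fn, 16)) return 1;
    /* a watchdog thread would repeat these two checks periodically */
    printf("changed at %ld, page writable %d\n", snapshot_first_change(&s),
           code_page_writable((const void *)fn));
    free(s.copy);
    return 0;
}
#endif
```

The byte comparison catches a patch even though WriteProcessMemory restores the original page protection afterwards, which is why the protection query alone is not enough.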

  4. #19 genx2 (joined Jun 2009, 5 posts)
    I saw this, but it doesn't seem to stop injection when I try to inject my other .dll.

    Code:
    /* Replace "dll.h" with the name of your header */
    #include "dll.h"
    #include <windows.h>
    // ANTI DLL INJECTION by _FIL73R_

    BOOLEAN BlockAPI (HANDLE, CHAR *, CHAR *);
    void AntiInject ();

    /****************/
    int main()
    {
       /* watchdog thread re-applies the patch every 100 ms */
       CreateThread (0, 0, (LPTHREAD_START_ROUTINE)AntiInject, 0, 0, 0);
       while (TRUE); // loop forever... now to try and inject
       return 0;
    }
    /****************/

    void AntiInject ()
    {
       HANDLE hProc = GetCurrentProcess();
       while (TRUE) {
          /* overwrite the entry of ntdll!LdrLoadDll in this process */
          BlockAPI(hProc, "NTDLL.DLL", "LdrLoadDll");
          Sleep (100);
       }
    }

    /* Writes "xor eax,eax; ret" over the first bytes of libName!apiName so
       the API returns 0 at once. Note: a bare RET does not pop the four
       stdcall arguments of 32-bit LdrLoadDll, and 0 is STATUS_SUCCESS, so a
       caller sees a "successful" load with no module handle filled in. */
    BOOLEAN BlockAPI (HANDLE hProcess, CHAR *libName, CHAR *apiName)
    {
       BYTE pRet[] = { 0x31, 0xC0,   // XOR eax, eax
                       0xC3 };       // RET
       HINSTANCE hLib = NULL;
       VOID *pAddr = NULL;
       BOOL bRet = FALSE;
       DWORD dwRet = 0;

       hLib = LoadLibrary (libName);
       if (hLib) {
           pAddr = (VOID*)GetProcAddress (hLib, apiName);
           if (pAddr) {
               /* WriteProcessMemory makes the page writable itself, so no
                  VirtualProtect call is needed here */
               if (WriteProcessMemory (hProcess, (LPVOID)pAddr, (LPCVOID)pRet,
                                       sizeof (pRet), &dwRet)) {
                  if (dwRet) {
                     bRet = TRUE;
                  }
               }
           }
           FreeLibrary (hLib);
       }
       return (BOOLEAN)bRet;
    }

  5. #20 AltF5 (joined May 2008, 19 posts)
    To prevent other Dlls in your process from being hooked (at least through the method of Runtime Patching) you will need to hook those 3 APIs I listed above for write process memory.

    Basically if hProcess refers to a handle to your process, then do not execute the real function.

    Other hooking techniques that involve modification of the actual Dll's code on disk are probably out of your control.



    In regards to the code above.
    Instead of trying to hook LdrLoadDll, why not just use DisableThreadLibraryCalls to prevent other Dlls from being loaded into your process? (I am assuming that this API would work, but never tried.)

    As for it not working... are you sure this code was run inside the process which is doing the remote Dll injection?
    Remember, you need to make sure that the dll (with that code inside) is injected (mapped) into EVERY currently existing process AND any NEWLY created processes.

    Sorry, I cannot help with checking to see if that code works or not. I am not too good with troubleshooting the C-syntax languages. (Too many datatypes and conversions to really memorize.) My main development is in VB6.



    @Jetamay
    Is SCT hooking the same as SSDT hooking?
    Last edited by AltF5; 06-04-2009 at 07:13 PM.

