Prevent classic DLL Injection

**Sam...** · 09-19-2014

Today i made a dll to prevent the classic dll injection based on LoadLibrary functions of kernel32.dll, this is how to use it

Code:

[DllImport("AntiDLLInject.dll", CallingConvention = CallingConvention.Cdecl)]
private static extern void Activate();

static void Main(string[] args)
{
    Activate();
    //etc...
}

You just need to put the dll in the same location of the exe or in some subfolder like .\\FolderName\\AntiDLLInject.dll

Result trying to inject with CE:

Antivirus scans:
https://www.virustotal.com/it/file/5...is/1411229492/
https://virusscan.jotti.org/en/scanre...e7154f23a02985

Download dll:

**Sam...** · 09-20-2014

Fixed rare crash bug caused by multiple hooks, updated the dll.

**[MPGH]Hero** · 09-20-2014

Please upload two scans of the .RAR file. One scan from VirusTotal and Jotti's malware scan for a total of two scans.

**GodsAngel** · 09-23-2014

Wow I am lookin forward to this o_O

**TheTrigger** · 09-26-2014

If i create a new (empty) dll with a same function name (that does nothing, ofc), i could avoid your protection..
This library should be integrated into the program then.
or i'm wrong?

**Sam...** · 09-26-2014

Originally Posted by TheTrigger

If i create a new (empty) dll with a same function name (that does nothing, ofc), i could avoid your protection..
This library should be integrated into the program then.
or i'm wrong?

To prevent a dll override you could do a checksum of the file using any hash type like md5 or sha1...example:

Code:

static class AntiDllInjection
{
    [DllImport("AntiDLLInject.dll", CallingConvention = CallingConvention.Cdecl)]
    private static extern void Activate();

    private static MD5 hasher = MD5.Create();
    private static readonly string md5checksum = "6E7E31653A365CC66D5CF977B2A9B473";

    public static void Protect()
    {
        if (string.Concat(hasher.ComputeHash(File.ReadAllBytes("AntiDLLInject.dll"))
            .Select(x => x.ToString("X2"))) == md5checksum)
            Activate();
        else
            throw new Exception();
    }
}

Code:

try
{
    AntiDllInjection.Protect();
}
catch (Exception)
{
    Console.WriteLine("Can't load protection...");
}

**TheTrigger** · 09-29-2014

Nice Work :)

**Jason** · 10-03-2014

Originally Posted by Sam

To prevent a dll override you could do a checksum of the file using any hash type like md5 or sha1...example:

Code:

static class AntiDllInjection
{
    [DllImport("AntiDLLInject.dll", CallingConvention = CallingConvention.Cdecl)]
    private static extern void Activate();

    private static MD5 hasher = MD5.Create();
    private static readonly string md5checksum = "6E7E31653A365CC66D5CF977B2A9B473";

    public static void Protect()
    {
        if (string.Concat(hasher.ComputeHash(File.ReadAllBytes("AntiDLLInject.dll"))
            .Select(x => x.ToString("X2"))) == md5checksum)
            Activate();
        else
            throw new Exception();
    }
}

Code:

try
{
    AntiDllInjection.Protect();
}
catch (Exception)
{
    Console.WriteLine("Can't load protection...");
}

It's fairly trivial to change one hardcoded hash to another using any decent hex editor / decompiler, though.

What would happen if a legitimate DLL was loaded into the process, would your protection prevent it? Take DllImport as an example:

From the MSDN docs:

Originally Posted by msdn

Locating and loading the DLL, and locating the address of the function in memory occur only on the first call to the function.

This means that any external libraries will only be loaded when the PInvoke'd function is first called. If I was to call "Activate()" prior to any of my other PInvoke'd functions, would the program fail to load the libraries into memory?

**Sam...** · 10-03-2014

Originally Posted by Jason

It's fairly trivial to change one hardcoded hash to another using any decent hex editor / decompiler, though.

The developer need to improve it, i just brought him an example.

Originally Posted by Jason

What would happen if a legitimate DLL was loaded into the process, would your protection prevent it? Take DllImport as an example:

....

This means that any external libraries will only be loaded when the PInvoke'd function is first called. If I was to call "Activate()" prior to any of my other PInvoke'd functions, would the program fail to load the libraries into memory?

Since kernel32.dll is always loaded into .net apps DllImport will just use LoadLibrary of the current dll, most of dll injectors create a remote thread using an external address so when the thread will start they will get the hooked function instead of LoadLibrary.

**Jason** · 10-05-2014

Originally Posted by Sam

Since kernel32.dll is always loaded into .net apps DllImport will just use LoadLibrary of the current dll, most of dll injectors create a remote thread using an external address so when the thread will start they will get the hooked function instead of LoadLibrary.

That doesn't make any sense.

**Sam...** · 10-05-2014

Originally Posted by Jason

That doesn't make any sense.

Try yourself

, the dll just handle native injection do not affects the .net app.

**ofrist123** · 06-02-2020

any chance for the source?

Thread: Prevent classic DLL Injection

Thread Tools

Display

Prevent classic DLL Injection

The Following 8 Users Say Thank You to Sam... For This Useful Post:

The Following 2 Users Say Thank You to Sam... For This Useful Post:

Source

Similar Threads

DLL injection

[HELP] - DLL Injection

Crash at Dll inject

[Help!] CA crash on dll inject

DLL injection Failled