Today I made a DLL to prevent the classic DLL injection based on the LoadLibrary functions of kernel32.dll. This is how to use it:
You just need to put the DLL in the same location as the exe or in some subfolder like .\\FolderName\\AntiDLLInject.dll
Code:
    using System.Runtime.InteropServices;

    class Program
    {
        // Import the exported Activate() function from the native DLL.
        [DllImport("AntiDLLInject.dll", CallingConvention = CallingConvention.Cdecl)]
        private static extern void Activate();

        static void Main(string[] args)
        {
            Activate(); // enable the protection
            //etc...
        }
    }
Result trying to inject with CE:
Antivirus scans:
https://www.virustotal.com/it/file/5...is/1411229492/
https://virusscan.jotti.org/en/scanre...e7154f23a02985
Download dll:
Last edited by Sam...; 09-20-2014 at 10:13 AM.
Fixed rare crash bug caused by multiple hooks, updated the dll.
Please upload two scans of the .RAR file. One scan from VirusTotal and Jotti's malware scan for a total of two scans.
Wow I am looking forward to this o_O
If I create a new (empty) DLL with the same function name (that does nothing, ofc), I could avoid your protection..
This library should be integrated into the program then.
Or am I wrong?
To prevent a DLL override you could do a checksum of the file using any hash type like MD5 or SHA1... example:
Code:
    using System;
    using System.IO;
    using System.Linq;
    using System.Runtime.InteropServices;
    using System.Security.Cryptography;

    static class AntiDllInjection
    {
        [DllImport("AntiDLLInject.dll", CallingConvention = CallingConvention.Cdecl)]
        private static extern void Activate();

        private static MD5 hasher = MD5.Create();
        // Expected MD5 of AntiDLLInject.dll, as uppercase hex.
        private static readonly string md5checksum = "6E7E31653A365CC66D5CF977B2A9B473";

        public static void Protect()
        {
            // Hash the DLL on disk and only call into it if the hash matches.
            if (string.Concat(hasher.ComputeHash(File.ReadAllBytes("AntiDLLInject.dll"))
                    .Select(x => x.ToString("X2"))) == md5checksum)
                Activate();
            else
                throw new Exception();
        }
    }
Code:
    try
    {
        AntiDllInjection.Protect();
    }
    catch (Exception)
    {
        Console.WriteLine("Can't load protection...");
    }
Last edited by Sam...; 09-26-2014 at 01:37 PM.
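A variant of the checksum check in the post above, as an added example that is not the poster's or the DLL author's code: it hashes the DLL at its absolute path next to the executable, keeps the file open until the load, and loads that exact path, so the file that is verified is the file that is loaded. It assumes .NET 5 or later; `VerifiedNativeLoader`, `ActivateFn` and the all-zero SHA-256 value are placeholders introduced for illustration.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

static class VerifiedNativeLoader   // hypothetical name, not part of the posted DLL
{
    // Placeholder, not a real digest: replace with the SHA-256 (hex) of the DLL you ship.
    private static readonly byte[] ExpectedSha256 = Convert.FromHexString(new string('0', 64));

    [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
    private delegate void ActivateFn();

    public static void Protect()
    {
        // Absolute path next to the executable, so the file that is hashed is
        // the file that is loaded, whatever the current directory is.
        string path = Path.Combine(AppContext.BaseDirectory, "AntiDLLInject.dll");

        // Hold the file open without write/delete sharing, so it cannot be
        // overwritten or swapped between the hash check and the load.
        using (var file = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
        using (var sha = SHA256.Create())
        {
            byte[] actual = sha.ComputeHash(file);
            if (!CryptographicOperations.FixedTimeEquals(actual, ExpectedSha256))
                throw new InvalidOperationException("AntiDLLInject.dll failed its integrity check.");

            // Load by full path instead of letting DllImport search for the name.
            IntPtr module = NativeLibrary.Load(path);
            IntPtr export = NativeLibrary.GetExport(module, "Activate");
            Marshal.GetDelegateForFunctionPointer<ActivateFn>(export)();
        }
    }
}

static class Program
{
    static int Main()
    {
        try { VerifiedNativeLoader.Protect(); }
        catch (Exception ex)
        {
            Console.Error.WriteLine("Can't load protection: " + ex.Message);
            return 1;
        }
        return 0;
    }
}
```

As the next reply points out, the embedded digest can still be edited in the binary; this only closes the gap between the file that is checked and the file that is loaded.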
It's fairly trivial to change one hardcoded hash to another using any decent hex editor / decompiler, though.
What would happen if a legitimate DLL was loaded into the process, would your protection prevent it? Take DllImport as an example:
From the MSDN docs:
This means that any external libraries will only be loaded when the PInvoke'd function is first called. If I was to call "Activate()" prior to any of my other PInvoke'd functions, would the program fail to load the libraries into memory?
Last edited by Jason; 10-03-2014 at 01:21 AM.
The developer needs to improve it, I just brought him an example.
Since kernel32.dll is always loaded into .NET apps, DllImport will just use LoadLibrary of the current DLL. Most DLL injectors create a remote thread using an external address, so when the thread starts they will get the hooked function instead of LoadLibrary.
Any chance for the source?