[Plugin Request] Anti-dll injection

[Plugin Request] Anti-dll injection

Postby P4ulo » Thu Apr 14, 2011 6:38 pm

Hello,

I need a plugin to block dll injection...

can you create one?

thanks!!!!!! :P
P4ulo
 
Posts: 4
Joined: Fri Apr 08, 2011 10:36 pm

Re: [Plugin Request] Anti-dll injection

Postby Enigma » Fri Apr 15, 2011 7:54 am

Hi P4ulo, something can be done, but it depends on a result you would like to get.

Do you want to avoid injection of a particular dll, or just any dll? And it is better to know the method of the dll injection.
Enigma
Site Admin
 
Posts: 2201
Joined: Wed Aug 20, 2008 2:24 pm

Re: [Plugin Request] Anti-dll injection

Postby P4ulo » Fri Apr 15, 2011 1:17 pm

Hi Enigma,
I want to avoid the injection of any dll other than the system ones...
I guess that the method is LdrLoadDll and LoadLibrary..

I've found some code on the web, but depending on the time at which I inject the dll, this code still blocks some dlls needed by the game, and it crashes:

Code:
uses Windows; { VirtualProtect, GetProcAddress, GetModuleHandle, MessageBox }

{ Overwrite the first 5 bytes of target with a relative jmp to newfunc }
procedure hook(target, newfunc: pointer);
var
  jmpto: dword;
  OldProtect: Cardinal; // old protection of the page
begin
  jmpto := dword(newfunc) - dword(target) - 5; // rel32 displacement, measured from the end of the 5-byte jmp
  VirtualProtect(target, 5, PAGE_EXECUTE_READWRITE, @OldProtect);
  pbyte(target)^ := $e9;                       // opcode of jmp rel32
  pdword(dword(target) + 1)^ := jmpto;
end;

{ Replacement for LdrLoadDll; parameters declared as in the original post }
procedure myLdrLoadDll(PathToFile: PAnsiChar; Flags: variant; ModuleFileName: PAnsiChar; var ModuleHandle: THandle);
begin
  MessageBox(0, 'I have blocked your attempt to inject a dll file!!', 'WARNING!', MB_OK);
  ModuleHandle := 0;
end;

procedure Main;
begin
  hook(GetProcAddress(GetModuleHandle('ntdll.dll'), 'LdrLoadDll'), @myLdrLoadDll);
end;

begin
  Main; // install the hook at startup
end.


Can you do something? :roll:

thanks
P4ulo
 
Posts: 4
Joined: Fri Apr 08, 2011 10:36 pm

Re: [Plugin Request] Anti-dll injection

Postby Enigma » Fri Apr 15, 2011 2:46 pm

This is probably one of the methods that allows you to avoid injection.

There is a mistake in the implementation of the function myLdrLoadDll. There you have to check the name of the dll that is being injected, and if this dll is not on the list of "trusted" dlls, then return a zero handle.

For example,

Code:
{ needs SysUtils for LowerCase and ExtractFileName }
procedure myLdrLoadDll(PathToFile: PAnsiChar; Flags: variant; ModuleFileName: PAnsiChar; var ModuleHandle: THandle);
const
  ALLOWED_MODULES: array [0..2] of string = ('kernel32.dll', 'user32.dll', 'ntdll.dll');
var
  s: string;
  found: boolean;
  i: integer;
begin
  s := LowerCase(ExtractFileName(String(PathToFile))); // compare by file name only, case-insensitively
  found := false;
  for i := Low(ALLOWED_MODULES) to High(ALLOWED_MODULES) do // High, not Length: Length would read one past the array
  begin
    if s = ALLOWED_MODULES[i] then
    begin
      found := true;
      break;
    end;
  end;
  if not found then
  begin
    MessageBox(0, 'I have blocked your attempt to inject a dll file!!', 'WARNING!', MB_OK);
    ModuleHandle := 0;
  end;
  { note: the original LdrLoadDll is not called here for allowed modules either }
end;


Also, to avoid another method of injection, you have to disable the callback of the function CreateRemoteThread, which starts running in RtlRemoteCall. I.e. get the address of the function RtlRemoteCall and write a byte $C3 to this address.
Enigma
Site Admin
 
Posts: 2201
Joined: Wed Aug 20, 2008 2:24 pm

Re: [Plugin Request] Anti-dll injection

Postby P4ulo » Fri Apr 15, 2011 7:24 pm

Hi Enigma,
The problem is that PathToFile only returns 'C', it doesn't return the complete path... and ModuleFileName returns nothing...

Maybe you can fix it by looking at this: http://undocumented.ntinternals.net/Use ... adDll.html

I've tried.. without success :cry:
P4ulo
 
Posts: 4
Joined: Fri Apr 08, 2011 10:36 pm
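The allow-list check from Enigma's reply, together with the reason P4ulo sees only 'C': the native LdrLoadDll receives the module name as a UNICODE_STRING (UTF-16 with a byte-count Length), not as a PAnsiChar, so a hook that reads the buffer as an ANSI string stops at the zero high byte of the first character. This is an added C example, not code from the thread; the UnicodeString struct, make_us and the sample paths are constructed stand-ins, and it assumes a little-endian host.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the native UNICODE_STRING that LdrLoadDll's
 * ModuleFileName points to: Length is a byte count, Buffer is UTF-16 and
 * need not be NUL-terminated. Assumes a little-endian host. */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint16_t *Buffer; } UnicodeString;
/* The allow list from the reply above, matched on the lower-cased file name. */
static const char *ALLOWED_MODULES[] = { "kernel32.dll", "user32.dll", "ntdll.dll" };

/* Build a UnicodeString from an ASCII path into caller-supplied storage (constructed input). */
UnicodeString make_us(uint16_t *buf, size_t cap, const char *ascii) {
    UnicodeString us = { 0, 0, buf };
    size_t i, n = strlen(ascii);
    if (n >= cap) n = cap - 1;
    for (i = 0; i < n; i++) buf[i] = (uint8_t)ascii[i];
    buf[n] = 0;
    us.Length = (uint16_t)(n * 2);
    us.MaximumLength = (uint16_t)((n + 1) * 2);
    return us;
}
/* Lower-cased base name of the UTF-16 path as ASCII; 0 on success, -1 if a
 * non-ASCII code unit is seen or the output buffer is too small. */
int basename_from_us(const UnicodeString *us, char *out, size_t outsz) {
    size_t i, j = 0, start = 0, n = us->Length / 2;
    for (i = 0; i < n; i++)
        if (us->Buffer[i] == '\\' || us->Buffer[i] == '/') start = i + 1;
    for (i = start; i < n; i++) {
        uint16_t c = us->Buffer[i];
        if (c > 0x7F || j + 1 >= outsz) return -1;
        out[j++] = (char)((c >= 'A' && c <= 'Z') ? c + 32 : c);
    }
    out[j] = '\0';
    return 0;
}

/* Allow-list decision: 1 = trusted module, 0 = anything else; names that
 * cannot be decoded fail closed. */
int module_allowed(const UnicodeString *name) {
    char base[64];
    size_t k;
    if (basename_from_us(name, base, sizeof base) != 0) return 0;
    for (k = 0; k < sizeof ALLOWED_MODULES / sizeof ALLOWED_MODULES[0]; k++)
        if (strcmp(base, ALLOWED_MODULES[k]) == 0) return 1;
    return 0;
}

/* What the Delphi hook saw: read as ANSI, the buffer ends at the first unit's zero high byte. */
const char *misread_as_ansi(const UnicodeString *us) { return (const char *)us->Buffer; }
```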

Re: [Plugin Request] Anti-dll injection

Postby evilbasem » Sat Apr 16, 2011 4:22 am

hi P4ulo

i need this plugin too, i tried searching but... no helpful result :?: good luck,
evilbasem
 
Posts: 23
Joined: Thu Apr 14, 2011 3:21 am

Re: [Plugin Request] Anti-dll injection

Postby Enigma » Mon Apr 18, 2011 8:10 am

Just noticed, the function hook method is completely wrong there..

I will try to do something and post here. Refer to this thread later.

But you have to know, there is no ideal method of anti-dll injection. There are injection methods that there is no way to avoid..
Enigma
Site Admin
 
Posts: 2201
Joined: Wed Aug 20, 2008 2:24 pm

Re: [Plugin Request] Anti-dll injection

Postby Pls » Sun May 29, 2011 2:23 am

Hello Enigma
had any progress with this plugin?
Pls
 
Posts: 6
Joined: Sun May 29, 2011 2:10 am

Re: [Plugin Request] Anti-dll injection

Postby Enigma » Tue May 31, 2011 2:28 pm

Hi Pls,

Pls wrote: Hello Enigma, had any progress with this plugin?


As I already said, it is impossible to avoid any dll injection. There are many methods that can inject a dll, and avoiding all of them is impossible.

It is better and more useful to analyze what the injected dll is really doing and detect it by its work. For example, if the injected dll modifies some code inside the process, we can make a plugin for Enigma that will check this memory and, for example, terminate the process if the memory is modified.
Enigma
Site Admin
 
Posts: 2201
Joined: Wed Aug 20, 2008 2:24 pm
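Enigma's suggested alternative, checking whether code inside the process has been modified, as an added C example that is not from the thread: snapshot a byte region at startup, then detect and locate changes such as the 5-byte jmp that the hook procedure posted earlier writes over a function prologue. The RegionGuard API and the sample prologue bytes are constructed; a real plugin would cover the module's code section.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Guard over one region of the process image: a private copy taken at
 * startup plus a running hash for cheap periodic checks (constructed API). */
typedef struct { const uint8_t *base; size_t len; uint8_t *copy; uint64_t hash; } RegionGuard;

/* FNV-1a 64-bit over n bytes. */
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 14695981039346656037ULL;
    size_t i;
    for (i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Snapshot the region. Returns 0 on success, -1 on allocation failure. */
int guard_init(RegionGuard *g, const uint8_t *base, size_t len) {
    g->base = base; g->len = len; g->hash = fnv1a64(base, len);
    g->copy = (uint8_t *)malloc(len ? len : 1);
    if (!g->copy) return -1;
    memcpy(g->copy, base, len);
    return 0;
}

/* Fast check: 1 if the current bytes no longer hash to the snapshot. */
int guard_modified(const RegionGuard *g) {
    return fnv1a64(g->base, g->len) != g->hash;
}

/* Slow check for reporting: offset of the first changed byte, or -1;
 * *count receives the number of changed bytes. */
long guard_first_diff(const RegionGuard *g, size_t *count) {
    long first = -1;
    size_t i, n = 0;
    for (i = 0; i < g->len; i++)
        if (g->base[i] != g->copy[i]) { if (first < 0) first = (long)i; n++; }
    if (count) *count = n;
    return first;
}

void guard_free(RegionGuard *g) { free(g->copy); g->copy = NULL; }

/* Simulates the 5-byte "jmp rel32" patch that the hook procedure in this
 * thread writes over a function prologue, so the guard can be exercised. */
void simulate_hook_patch(uint8_t *target, int32_t rel) {
    target[0] = 0xE9;
    memcpy(target + 1, &rel, 4);
}
```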

Re: [Plugin Request] Anti-dll injection

Postby Pls » Thu Jun 02, 2011 7:41 pm

can you make this plugin for me, the one for a dll that modifies some code inside the process

and

I compiled your example and it did not work
I edited some things to fix the hook thingy
Last edited by Pls on Tue Sep 06, 2011 2:39 am, edited 4 times in total.
Pls
 
Posts: 6
Joined: Sun May 29, 2011 2:10 am
