Enigma Protector

Software Protection and Licensing
http://forum.enigmaprotector.com/

Possible Anti-DLL

http://forum.enigmaprotector.com/viewtopic.php?t=1790

Page 1 of 2

Possible Anti-DLL

Posted: Tue Apr 03, 2012 11:08 pm
by Etroplus

Code: Select all

function BlockAPI(hProcess : THANDLE; libName, apiName : PAnsiChar) : Boolean;
var
  pRet : Char;
  hLib : THandle;
  pAddr : Pointer;
  dwRet : DWORD;
begin
  pRet := #$C3;
  //hLib := nil;
  Result := False;
  hLib := LoadLibrary(libName);
  if hLib > 0 then
  begin
    pAddr := GetProcAddress(hLib, apiName);
    if pAddr <> nil then
    begin
      if WriteProcessMemory(hProcess, pAddr, @pRet, SizeOf(pRet), dwRet) then
        if dwRet > 0 then
          Result := True;
    end;
    FreeLibrary(hLib);
  end;
end;

procedure AntiInject;
var
  hProc : THANDLE;
begin
  hProc := GetCurrentProcess;
  while True do
  begin
    BlockAPI(hProc, 'NTDLL.DLL', 'LdrLoadDll');
    Sleep (100);
  end;
end;


procedure AntiInject2;
var
  hProc : THnadle;
begin
  hProc := FindWindow(nil, 'Gunz');

  while True do
  begin
    BlockAPI(hProc, 'NTDLL.DLL', 'LdrLoadDll');
    Sleep (100);
  end;
end;

Re: Possible Anti-DLL

Posted: Wed Apr 04, 2012 9:16 am
by Enigma
Hi, this is possible, but this does not handle all the possible ways for dll injection. Moreover, I recommend to modify this code so:

Code: Select all

function BlockAPI(hProcess : THANDLE; libName, apiName : PAnsiChar; ParamsCount : byte) : Boolean;
var
  pRet : Char;
  hLib : THandle;
  pAddr : Pointer;
  dwRet : array [0..2] of byte;
begin
  Result := False;
  hLib := LoadLibrary(libName);
  if hLib > 0 then
  begin
    pAddr := GetProcAddress(hLib, apiName);
    if pAddr <> nil then
    begin
      if ParamCount = 0 then
      begin
        dwRet[0] := $C3;
        Result := WriteProcessMemory(hProcess, pAddr, @pRet, 1, dwRet);
      end else
      begin
        dwRet[0] := $C2;
        dwRet[1] := ParamsCount * 4;
        dwRet[2] := 0;
        Result := WriteProcessMemory(hProcess, pAddr, @pRet, 3, dwRet);
      end;
    end;
    FreeLibrary(hLib);
  end;
end;

procedure AntiInject;
var
  hProc : THANDLE;
begin
  hProc := GetCurrentProcess;
  while True do
  begin
    BlockAPI(hProc, 'NTDLL.DLL', 'LdrLoadDll', 4);
    Sleep (100);
  end;
end;


procedure AntiInject2;
var
  hProc : THnadle;
begin
  hProc := FindWindow(nil, 'Gunz');
  while True do
  begin
    BlockAPI(hProc, 'NTDLL.DLL', 'LdrLoadDll', 4);
    Sleep (100);
  end;
end;

Re: Possible Anti-DLL

Posted: Mon Apr 09, 2012 7:02 am
by 0xFFFFFFF
how i can translate this code for C/C++?

Re: Possible Anti-DLL

Posted: Tue Apr 10, 2012 5:25 pm
by Sander
how to use this ?

Re: Possible Anti-DLL

Posted: Tue Aug 07, 2012 9:45 am
by lolalexlol
yes how can i use this?

Re: Possible Anti-DLL

Posted: Tue Aug 07, 2012 11:53 am
by Enigma
Compile it using Delphi into DLL and use in plugins.

Re: Possible Anti-DLL

Posted: Tue Aug 07, 2012 6:55 pm
by lolalexlol
ok but i saw this line hProc := FindWindow(nil, 'Gunz'); i have to replace 'Gunz' witch my window name? e.g if i wana put this on Notepad i must put like this hProc := FindWindow(nil, 'Notepad'); ?

Re: Possible Anti-DLL

Posted: Wed Aug 08, 2012 6:34 am
by Enigma
lolalexlol wrote:ok but i saw this line hProc := FindWindow(nil, 'Gunz'); i have to replace 'Gunz' witch my window name? e.g if i wana put this on Notepad i must put like this hProc := FindWindow(nil, 'Notepad'); ?
Yes, this is possible and your code is correct. Only note, FindWindow searches for a exact match of the Window Text which is not always known. So if the window text will be 'Notepad1', your check will fail.

Re: Possible Anti-DLL

Posted: Fri Nov 23, 2012 6:34 am
by johndoe
Error:
types of actual and formal var parameters must be identical
line:
Result := WriteProcessMemory(hProcess, pAddr, @pRet, 1, dwRet);
Help-me? :/

Re: Possible Anti-DLL

Posted: Fri Nov 23, 2012 2:52 pm
by Enigma
Seems should be like this:

Code: Select all

function BlockAPI(hProcess : THANDLE; libName, apiName : PAnsiChar; ParamsCount : byte) : Boolean;
var
  pRet : Char;
  hLib : THandle;
  pAddr : Pointer;
  dwRet : array [0..2] of byte;
  dwtmp : Cardinal;
begin
  Result := False;
  hLib := LoadLibrary(libName);
  if hLib > 0 then
  begin
    pAddr := GetProcAddress(hLib, apiName);
    if pAddr <> nil then
    begin
      if ParamCount = 0 then
      begin
        dwRet[0] := $C3;
        Result := WriteProcessMemory(hProcess, pAddr, @pRet, 1, dwtmp);
      end else
      begin
        dwRet[0] := $C2;
        dwRet[1] := ParamsCount * 4;
        dwRet[2] := 0;
        Result := WriteProcessMemory(hProcess, pAddr, @pRet, 3, dwtmp);
      end;
    end;
    FreeLibrary(hLib);
  end;
end;
All times are UTC
Page 1 of 2

Powered by phpBB® Forum Software © phpBB Limited