DLL Injector protected with Enigma

Post here any topics that related to Enigma Protector, its functionality, your misunderstanding, offers to improvements etc etc etc
Post Reply
johndoe
Posts: 25
Joined: Fri Feb 17, 2012 10:34 pm

DLL Injector protected with Enigma

Post by johndoe » Sat Apr 28, 2012 5:22 pm

Hi again Enigma,
I'm trying to protect a simple DLL Injector with enigma, but when I try to inject the dll into target process, the process crashes.

Note: The DLL is in same directory as the injector. (is NOT virtualized!)
Note 2: With Themida works perfectly. :shock:

Can you see it, please?
Injector.rar
You do not have the required permissions to view the files attached to this post.

johndoe
Posts: 25
Joined: Fri Feb 17, 2012 10:34 pm

Re: DLL Injector protected with Enigma

Post by johndoe » Sat May 05, 2012 12:25 am

Please, my customers are waiting for a new version that I can't release without it... :(

Enigma
Site Admin
Posts: 2526
Joined: Wed Aug 20, 2008 2:24 pm

Re: DLL Injector protected with Enigma

Post by Enigma » Sat May 05, 2012 3:25 pm

Hi johndoe, yes, as I promised, new version is released and we will check out the problem with injection now.

johndoe
Posts: 25
Joined: Fri Feb 17, 2012 10:34 pm

Re: DLL Injector protected with Enigma

Post by johndoe » Sat May 05, 2012 5:45 pm

Hi enigma,
Is this version fixed against the error when using plugins also protected with enigma?

Keep me informed..

Thank you :D

Enigma
Site Admin
Posts: 2526
Joined: Wed Aug 20, 2008 2:24 pm

Re: DLL Injector protected with Enigma

Post by Enigma » Wed May 09, 2012 7:53 pm

Hi johndoe,

Finally we tested your files.

The problem happen due to option Registration Features - Import Protection - Emulate WinAPI. And also use the latest version of Enigma Protector 3.70.

Why the problem happens? It is very specific. There is the following code in the injection program:

Code: Select all

ThreadHandle := CreateRemoteThread( hProcess , nil , 0,   GetProcAddress(LoadLibrary('kernel32.dll'), 'LoadLibraryA') , LibName ,0 , TheadID );
Program gets an offset of the LoadLibraryA function and calls it in the remote process. Due to emulation of WinAPI, GetProcAddress returns not an address of LoadLibraryA in kernel32.dll but the address of emulated function inside protected process. Of course, this address does not exist or is invalid in the injected/remote process.

So if you disable this option for injection process, everything will be working well.

I tested both protected injector and protected injected dll, it worked well. I got a message from dll after injection.

Let me know if you will have any questions.

johndoe
Posts: 25
Joined: Fri Feb 17, 2012 10:34 pm

Re: DLL Injector protected with Enigma

Post by johndoe » Thu May 10, 2012 2:02 am

Works perfectly Enigma, thank you!

Post Reply