DLL Injector protected with Enigma

[johndoe]

Hi again Enigma,
I'm trying to protect a simple DLL Injector with enigma, but when I try to inject the dll into target process, the process crashes.

Note: The DLL is in same directory as the injector. (is NOT virtualized!)
Note 2: With Themida works perfectly.

Can you see it, please?

Injector.rar

[johndoe]

Please, my customers are waiting for a new version that I can't release without it...

[Enigma]

Hi johndoe, yes, as I promised, new version is released and we will check out the problem with injection now.

[johndoe]

Hi enigma,
Is this version fixed against the error when using plugins also protected with enigma?

Keep me informed..

Thank you

[Enigma]

Hi johndoe,

Finally we tested your files.

The problem happen due to option Registration Features - Import Protection - Emulate WinAPI. And also use the latest version of Enigma Protector 3.70.

Why the problem happens? It is very specific. There is the following code in the injection program:

Code: Select all

ThreadHandle := CreateRemoteThread( hProcess , nil , 0,   GetProcAddress(LoadLibrary('kernel32.dll'), 'LoadLibraryA') , LibName ,0 , TheadID );

Program gets an offset of the LoadLibraryA function and calls it in the remote process. Due to emulation of WinAPI, GetProcAddress returns not an address of LoadLibraryA in kernel32.dll but the address of emulated function inside protected process. Of course, this address does not exist or is invalid in the injected/remote process.

So if you disable this option for injection process, everything will be working well.

I tested both protected injector and protected injected dll, it worked well. I got a message from dll after injection.

Let me know if you will have any questions.

[johndoe]

Works perfectly Enigma, thank you!