Home › Forum › Programming › C# Programming › Prevent classic DLL Injection

Prevent classic DLL Injection

Posts 1–12 of 12 · Page 1 of 1

Today i made a dll to prevent the classic dll injection based on LoadLibrary functions of kernel32.dll, this is how to use it

Code:

[DllImport("AntiDLLInject.dll", CallingConvention = CallingConvention.Cdecl)]
private static extern void Activate();

static void Main(string[] args)
{
    Activate();
    //etc...
}

You just need to put the dll in the same location of the exe or in some subfolder like .\\FolderName\\AntiDLLInject.dll

Result trying to inject with CE:

Antivirus scans:
https://www.virustotal.com/it/file/5...is/1411229492/
http://virusscan.jotti.org/en/scanre...e7154f23a02985

Download dll:

AntiDLLInject_mpgh.net.zip

Fixed rare crash bug caused by multiple hooks, updated the dll.

Please upload two scans of the .RAR file. One scan from VirusTotal and Jotti's malware scan for a total of two scans.

Wow I am lookin forward to this o_O

If i create a new (empty) dll with a same function name (that does nothing, ofc), i could avoid your protection..
This library should be integrated into the program then.
or i'm wrong?

Originally Posted by TheTrigger

If i create a new (empty) dll with a same function name (that does nothing, ofc), i could avoid your protection..
This library should be integrated into the program then.
or i'm wrong?

To prevent a dll override you could do a checksum of the file using any hash type like md5 or sha1...example:

Code:

static class AntiDllInjection
{
    [DllImport("AntiDLLInject.dll", CallingConvention = CallingConvention.Cdecl)]
    private static extern void Activate();

    private static MD5 hasher = MD5.Create();
    private static readonly string md5checksum = "6E7E31653A365CC66D5CF977B2A9B473";

    public static void Protect()
    {
        if (string.Concat(hasher.ComputeHash(File.ReadAllBytes("AntiDLLInject.dll"))
            .Select(x => x.ToString("X2"))) == md5checksum)
            Activate();
        else
            throw new Exception();
    }
}

Code:

try
{
    AntiDllInjection.Protect();
}
catch (Exception)
{
    Console.WriteLine("Can't load protection...");
}

Nice Work :)

Originally Posted by Sam

To prevent a dll override you could do a checksum of the file using any hash type like md5 or sha1...example:

Code:

static class AntiDllInjection
{
    [DllImport("AntiDLLInject.dll", CallingConvention = CallingConvention.Cdecl)]
    private static extern void Activate();

    private static MD5 hasher = MD5.Create();
    private static readonly string md5checksum = "6E7E31653A365CC66D5CF977B2A9B473";

    public static void Protect()
    {
        if (string.Concat(hasher.ComputeHash(File.ReadAllBytes("AntiDLLInject.dll"))
            .Select(x => x.ToString("X2"))) == md5checksum)
            Activate();
        else
            throw new Exception();
    }
}

Code:

try
{
    AntiDllInjection.Protect();
}
catch (Exception)
{
    Console.WriteLine("Can't load protection...");
}

It's fairly trivial to change one hardcoded hash to another using any decent hex editor / decompiler, though.

What would happen if a legitimate DLL was loaded into the process, would your protection prevent it? Take DllImport as an example:

From the MSDN docs:

Originally Posted by msdn

Locating and loading the DLL, and locating the address of the function in memory occur only on the first call to the function.

This means that any external libraries will only be loaded when the PInvoke'd function is first called. If I was to call "Activate()" prior to any of my other PInvoke'd functions, would the program fail to load the libraries into memory?

Originally Posted by Jason

It's fairly trivial to change one hardcoded hash to another using any decent hex editor / decompiler, though.

The developer need to improve it, i just brought him an example.

Originally Posted by Jason

What would happen if a legitimate DLL was loaded into the process, would your protection prevent it? Take DllImport as an example:

....

This means that any external libraries will only be loaded when the PInvoke'd function is first called. If I was to call "Activate()" prior to any of my other PInvoke'd functions, would the program fail to load the libraries into memory?

Since kernel32.dll is always loaded into .net apps DllImport will just use LoadLibrary of the current dll, most of dll injectors create a remote thread using an external address so when the thread will start they will get the hooked function instead of LoadLibrary.

Originally Posted by Sam

That doesn't make any sense.

Originally Posted by Jason

That doesn't make any sense.

Try yourself

, the dll just handle native injection do not affects the .net app.

Source

any chance for the source?

Posts 1–12 of 12 · Page 1 of 1

Post a Reply

Similar Threads

DLL injection FailledBy aynal in WarRock - International Hacks
1Last post 20y ago
Crash at Dll injectBy CyberStriker in WarRock - International Hacks
1Last post 18y ago
[Help!] CA crash on dll injectBy CyberStriker in Combat Arms Hacks & Cheats
9Last post 18y ago
[HELP] - DLL InjectionBy pelonzudo in C++/C Programming
1Last post 18y ago
DLL injectionBy Lynie in C++/C Programming
3Last post 17y ago

Tags for this Thread

None

Home › Forum › Programming › C# Programming › Prevent classic DLL Injection

Prevent classic DLL Injection

Posts 1–12 of 12 · Page 1 of 1

Prevent classic DLL Injection

Today i made a dll to prevent the classic dll injection based on LoadLibrary functions of kernel32.dll, this is how to use it

Code:

[DllImport("AntiDLLInject.dll", CallingConvention = CallingConvention.Cdecl)]
private static extern void Activate();

static void Main(string[] args)
{
    Activate();
    //etc...
}

You just need to put the dll in the same location of the exe or in some subfolder like .\\FolderName\\AntiDLLInject.dll

Result trying to inject with CE:

Antivirus scans:
https://www.virustotal.com/it/file/5...is/1411229492/
http://virusscan.jotti.org/en/scanre...e7154f23a02985

Download dll:

AntiDLLInject_mpgh.net.zip

Fixed rare crash bug caused by multiple hooks, updated the dll.

Please upload two scans of the .RAR file. One scan from VirusTotal and Jotti's malware scan for a total of two scans.

Wow I am lookin forward to this o_O

If i create a new (empty) dll with a same function name (that does nothing, ofc), i could avoid your protection..
This library should be integrated into the program then.
or i'm wrong?

Originally Posted by TheTrigger

If i create a new (empty) dll with a same function name (that does nothing, ofc), i could avoid your protection..
This library should be integrated into the program then.
or i'm wrong?

To prevent a dll override you could do a checksum of the file using any hash type like md5 or sha1...example:

Code:

static class AntiDllInjection
{
    [DllImport("AntiDLLInject.dll", CallingConvention = CallingConvention.Cdecl)]
    private static extern void Activate();

    private static MD5 hasher = MD5.Create();
    private static readonly string md5checksum = "6E7E31653A365CC66D5CF977B2A9B473";

    public static void Protect()
    {
        if (string.Concat(hasher.ComputeHash(File.ReadAllBytes("AntiDLLInject.dll"))
            .Select(x => x.ToString("X2"))) == md5checksum)
            Activate();
        else
            throw new Exception();
    }
}

Code:

try
{
    AntiDllInjection.Protect();
}
catch (Exception)
{
    Console.WriteLine("Can't load protection...");
}

Nice Work :)

Originally Posted by Sam

To prevent a dll override you could do a checksum of the file using any hash type like md5 or sha1...example:

Code:

static class AntiDllInjection
{
    [DllImport("AntiDLLInject.dll", CallingConvention = CallingConvention.Cdecl)]
    private static extern void Activate();

    private static MD5 hasher = MD5.Create();
    private static readonly string md5checksum = "6E7E31653A365CC66D5CF977B2A9B473";

    public static void Protect()
    {
        if (string.Concat(hasher.ComputeHash(File.ReadAllBytes("AntiDLLInject.dll"))
            .Select(x => x.ToString("X2"))) == md5checksum)
            Activate();
        else
            throw new Exception();
    }
}

Code:

try
{
    AntiDllInjection.Protect();
}
catch (Exception)
{
    Console.WriteLine("Can't load protection...");
}

Originally Posted by msdn

Locating and loading the DLL, and locating the address of the function in memory occur only on the first call to the function.

Originally Posted by Jason

It's fairly trivial to change one hardcoded hash to another using any decent hex editor / decompiler, though.

The developer need to improve it, i just brought him an example.

Originally Posted by Jason

Originally Posted by Sam

That doesn't make any sense.

Originally Posted by Jason

That doesn't make any sense.

Try yourself

, the dll just handle native injection do not affects the .net app.

Source

any chance for the source?

Posts 1–12 of 12 · Page 1 of 1

Post a Reply

Similar Threads

DLL injection FailledBy aynal in WarRock - International Hacks
1Last post 20y ago
Crash at Dll injectBy CyberStriker in WarRock - International Hacks
1Last post 18y ago
[Help!] CA crash on dll injectBy CyberStriker in Combat Arms Hacks & Cheats
9Last post 18y ago
[HELP] - DLL InjectionBy pelonzudo in C++/C Programming
1Last post 18y ago
DLL injectionBy Lynie in C++/C Programming
3Last post 17y ago

Tags for this Thread

None