h4c0r-BG, Master Cheater
Reputation: 0
Joined: 29 Nov 2006 Posts: 449 Location: The yogurt country
Posted: Wed Aug 13, 2008 10:56 am Post subject: [Delphi dll inject blocker] adding exception(s) dll
Here is the source for the absolute blocker:
Code:
program DllInjectBlocker;
uses Windows;

procedure hook(target, newfunc: Pointer);
var
  jmpto: DWORD;
  OldProtect: Cardinal; // old protect in memory
begin
  jmpto := DWORD(newfunc) - DWORD(target) - 5;    // rel32 offset, measured from the end of the 5-byte JMP
  VirtualProtect(target, 5, PAGE_EXECUTE_READWRITE, @OldProtect);
  PByte(target)^ := $E9;                          // JMP rel32 opcode
  PDWORD(DWORD(target) + 1)^ := jmpto;
end;

// Must use LdrLoadDll's real signature and stdcall convention; otherwise the parameters
// are read from the wrong stack slots and the caller's stack is left unbalanced.
// ModuleFileName is a PUNICODE_STRING (counted UTF-16 buffer), not an ANSI C string.
function myLdrLoadDll(PathToFile: PWideChar; Flags: PDWORD; ModuleFileName: Pointer;
  var ModuleHandle: THandle): LongInt; stdcall;
begin
  // Showing UI from inside a load call is risky if the caller holds the loader lock.
  MessageBox(0, 'I have blocked your attempt to inject a dll file!!', 'WARNING!', MB_OK);
  ModuleHandle := 0;
  Result := LongInt($C0000135); // STATUS_DLL_NOT_FOUND, so the caller sees an ordinary load failure
end;

procedure Main;
begin
  hook(GetProcAddress(GetModuleHandle('ntdll.dll'), 'LdrLoadDll'), @myLdrLoadDll);
end;

begin
  Main; // install the hook at startup
end.
I've found this example on the internet and it is pretty good. They said it blocks even "loadlibrary".
My question is would it be easy to add exceptions for system dlls or dlls which the application loads because they are all blocked too. Will the code be huge? Can anyone give me hints about how/what needs to be done?
Thank you very much.
jackyyll, Expert Cheater
Reputation: 0
Joined: 28 Jan 2008 Posts: 143 Location: here
Posted: Wed Aug 13, 2008 11:26 am
Uhh.. Someone could just open your exe you have this code in and remove it? Or, they could edit the file and have it jump to a code cave before any of the file's code gets executed and call LoadLibraryA to load their DLL instead of injecting.. And since it'd be executed first you can't really block that.
dnsi0, I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Wed Aug 13, 2008 11:39 am
These hooks are not really good
Code:
function LdrLoadDllX(PathToFile: PAnsiChar; Flags: variant; ModuleFileName: PAnsiChar; var ModuleHandle: THandle): bool;
var
  DblWord: DWORD;
  hHandle: THandle;
begin
  hHandle := LoadLibrary('ntdll.dll');
  DblWord := DWORD(GetProcAddress(hHandle, 'LdrLoadDll')) + 5; // skip the 5 bytes a hot-patch JMP would occupy
  asm
    mov edi, edi   // replay the standard hot-patch prologue by hand
    push ebp
    mov ebp, esp
    jmp [DblWord]  // continue in the original function past the patched bytes
  end;
end;
Haven't tested but this code bypasses the hook. So... What's the point? Unless you can do kernel hooks.
To answer your question. All you have to do is loop through all the sys dll functions and hook them.
Then your program becomes GameGuard. You have to inject your dll into every process for it to work.
lurc, Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Wed Aug 13, 2008 11:54 am
Of course it blocks LoadLibrary... LoadLibraryW makes a call directly to that function at some point.
And yes you can add exceptions... Just add a couple of compares with the ModuleFileName and if they don't match block the attempt.
dnsi0 wrote:
> These hooks are not really good
> Code:
> function LdrLoadDllX(PathToFile: PAnsiChar; Flags: variant; ModuleFileName: PAnsiChar; var ModuleHandle: THandle): bool;
> var
>   DblWord: DWORD;
>   hHandle: THandle;
> begin
>   hHandle := LoadLibrary('ntdll.dll');
>   DblWord := DWORD(GetProcAddress(hHandle, 'LdrLoadDll')) + 5; // skip the 5 bytes a hot-patch JMP would occupy
>   asm
>     mov edi, edi   // replay the standard hot-patch prologue by hand
>     push ebp
>     mov ebp, esp
>     jmp [DblWord]  // continue in the original function past the patched bytes
>   end;
> end;
> Haven't tested but this code bypasses the hook. So... What's the point? Unless you can do kernel hooks.
> To answer your question. All you have to do is loop through all the sys dll functions and hook them.
> Then your program becomes GameGuard. You have to inject your dll into every process for it to work.
No that code does not bypass the hook. Do you think every single function starts with the hot-patch prefix?
dnsi0, I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Wed Aug 13, 2008 12:26 pm
ok. So I have to see what gg actually hooks before I patch it.
And I found out how to debug gg. XD
All you have to do is make a dll that freezes it and then attach a debugger.
[Attachment: screenshot, 91.82 KB, viewed 12377 times]
Last edited by dnsi0 on Wed Aug 13, 2008 12:33 pm; edited 1 time in total
lurc, Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Wed Aug 13, 2008 12:29 pm
dnsi0 wrote:
> ok. So I have to see what gg actually hooks before I patch it.
> And I found out how to debug gg. XD
> All you have to do is make a dll that freezes it and then attach a debugger.
Wrong again.
You have to find out the initial bytes of the function.
And.. good luck with that.
dnsi0, I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Wed Aug 13, 2008 12:33 pm
There I posted a screeny.
And that's what I meant o.o. Find where the function starts o.o
h4c0r-BG, Master Cheater
Reputation: 0
Joined: 29 Nov 2006 Posts: 449 Location: The yogurt country
Posted: Wed Aug 13, 2008 1:12 pm
Thank you lurc. Your idea about ModuleFileName seems good.
But I have some questions.
I've tried adding in procedure myLdrLoadDll
showmessage(modulefilename);
to see if in the procedure I can get the name of the currently injected dll, but it does not show anything. At that moment I realised that in my procedure I can't get the name of it.
So should it be done in:
procedure Main; ... before or after the hooking, or any other way?
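The compare-on-ModuleFileName filter lurc describes, and the reason showmessage(modulefilename) shows nothing: LdrLoadDll is stdcall and its third argument is a PUNICODE_STRING (a counted UTF-16 buffer), so a hook with a PAnsiChar parameter and the default Delphi calling convention reads garbage. This is an added example, not code from any poster; it assumes 32-bit Delphi 7-era Windows.pas (VirtualProtect taking a Pointer for the old protection), and the allow-list string is a constructed placeholder.

```delphi
program LdrLoadDllAllowList;
{$APPTYPE CONSOLE}
uses Windows, SysUtils;
type
  TUnicodeString = packed record   // real type of LdrLoadDll's 3rd argument
    Length, MaximumLength: Word;   // both in bytes; Buffer may lack a terminator
    Buffer: PWideChar;
  end;
  PUnicodeString = ^TUnicodeString;
  TLdrLoadDll = function(PathToFile: PWideChar; Flags: PDWORD;
    ModuleFileName: PUnicodeString; var ModuleHandle: THandle): LongInt; stdcall;
const
  STATUS_DLL_NOT_FOUND = LongInt($C0000135);
  // Constructed allow-list (placeholder): modules the program legitimately loads
  Allowed = ';kernel32.dll;user32.dll;advapi32.dll;';
var
  Target: Pointer;                 // address of ntdll!LdrLoadDll
  OrigBytes: array[0..4] of Byte;  // the five bytes our JMP overwrites
procedure WriteJmp(target, newfunc: Pointer); // 32-bit only: 5-byte JMP rel32
var OldProtect: DWORD;
begin
  VirtualProtect(target, 5, PAGE_EXECUTE_READWRITE, @OldProtect);
  PByte(target)^ := $E9;
  PDWORD(DWORD(target) + 1)^ := DWORD(newfunc) - DWORD(target) - 5;
end;
// Same stdcall signature as the real function, so parameters and stack stay correct
function MyLdrLoadDll(PathToFile: PWideChar; Flags: PDWORD;
  ModuleFileName: PUnicodeString; var ModuleHandle: THandle): LongInt; stdcall;
var Name: WideString;
begin
  SetLength(Name, ModuleFileName^.Length div 2);   // copy exactly Length bytes
  if Name <> '' then Move(ModuleFileName^.Buffer^, Name[1], ModuleFileName^.Length);
  if Pos(';' + LowerCase(ExtractFileName(Name)) + ';', Allowed) = 0 then
  begin
    ModuleHandle := 0;
    Result := STATUS_DLL_NOT_FOUND;  // blocked; caller just sees a failed load
    Exit;
  end;
  Move(OrigBytes, Target^, 5);       // briefly unhook (not thread-safe) and call through
  Result := TLdrLoadDll(Target)(PathToFile, Flags, ModuleFileName, ModuleHandle);
  WriteJmp(Target, @MyLdrLoadDll);
end;

begin
  Target := GetProcAddress(GetModuleHandle('ntdll.dll'), 'LdrLoadDll');
  Move(Target^, OrigBytes, 5);       // save the original bytes before patching
  WriteJmp(Target, @MyLdrLoadDll);
  WriteLn('user32.dll loaded: ', LoadLibrary('user32.dll') <> 0);  // on the list
  WriteLn('winmm.dll loaded:  ', LoadLibrary('winmm.dll') <> 0);   // blocked
end.
```

The restore-call-repatch step leaves a window where another thread sees the unhooked function; a proper trampoline (copying the first whole instructions of LdrLoadDll) removes that window but needs instruction-length decoding, which is why the posts note the function's initial bytes matter.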
lurc, Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Wed Aug 13, 2008 2:00 pm
Edit: Nvm.
Last edited by lurc on Wed Aug 13, 2008 2:35 pm; edited 1 time in total
Zand, Master Cheater
Reputation: 0
Joined: 21 Jul 2006 Posts: 424
Posted: Wed Aug 13, 2008 2:27 pm
Actually CreateRemoteThread in DLL injection is used by creating a thread that runs LoadLibrary...
lurc, Grandmaster Cheater Supreme
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Wed Aug 13, 2008 2:35 pm
Zand wrote:
> Actually CreateRemoteThread in DLL injection is used by creating a thread that runs LoadLibrary...
Rofl, oh yea, I somehow completely forgot about the WriteProcessMemory part of that... Ignore what I said before.
rapion124, Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Mar 2007 Posts: 1095
Posted: Wed Aug 13, 2008 7:35 pm
Hooking LoadLibraryExW and blocking ALL modules from loading does not work. You should do some filtering of DLL names.
To add exception handling, simply enclose the statements in a try..except block...
Renkokuken, GO Moderator
Reputation: 4
Joined: 22 Oct 2006 Posts: 3249
Posted: Wed Aug 13, 2008 8:29 pm
Answered via MSN, I'll also post source if anyone is interested in seeing.
h4c0r-BG, Master Cheater
Reputation: 0
Joined: 29 Nov 2006 Posts: 449 Location: The yogurt country
Posted: Thu Aug 14, 2008 5:06 am
Groot, if you read my thread, I am trying to achieve "exceptions for system dll files and so on...", so it will not be pointless.