brietje698

Hello,

I'm wondering how I could stop people from injecting DLLs into my app; could anyone tell me?


Re: Visual C++ General Stop Dll Injection

Aleksandr Tokarev

To my mind it's impossible in the common case. You can know all the libraries that your process loads, but there is no guarantee that on another machine the list of libraries will be the same. Unless you have the same OS and the machines are clones.





Re: Visual C++ General Stop Dll Injection

Ramkrishna Pawar

Well, it's possible, but the efforts to achieve that would be too much.






Re: Visual C++ General Stop Dll Injection

Aleksandr Tokarev

How is it possible, to your mind?





Re: Visual C++ General Stop Dll Injection

Ramkrishna Pawar

Aleksandr Tokarev wrote:

How is it possible, to your mind?

Because the DLL is loaded into your process, there must be a sequence of actions happening when a module is injected, and the application code always has full user mode rights on the process, so it can modify things to not load the injection. At the worst, someone can involve kernel mode code to help do this. If you understand how the Windows loader works, then you can see the possibilities yourself.






Re: Visual C++ General Stop Dll Injection

rtpninja

:-)





Re: Visual C++ General Stop Dll Injection

Bruno van Dooren

rtpninja wrote:

Here are some things you can try, without digging into kernel-mode development:

  • If you know the name of the DLL they're trying to inject, you can (of course) scan your process to see if that module's been loaded and if so, either quit, or ::FreeLibrary it if doing so doesn't crash your app.

It is easy to load a DLL so that FreeLibrary cannot unload it.

  • If they're using AppInit_DLLs section of the registry to inject their DLL, you can query this key when your application starts up, and refuse to start if any DLLs are found.

But the DLL can be injected at runtime.

  • If they're using a global Windows hook to inject their DLL, you might be able to play around with setting a Debug hook (WH_DEBUG) to figure out which module is doing the hooking; then you can kill it, shut down your app, or whatever.

Killing it might not be possible. The only thing you might do is detect it, but then how would you distinguish between DLLs that get loaded as part of the normal lifecycle and malicious DLL loads? Lots of DLLs get loaded directly and indirectly.

  • If they're using the CreateRemoteThread trick to inject their DLL.. not sure what you can do here. Probably there's some way to defend against it, especially if you know the rogue DLL's name ahead of time.

It's hardly a trick, and there is very little you can do. Anyone with the ability to create that thread can do so. You might be able to detect this, but I suspect you will not see the difference between that and a normal thread start. And again, threads can be started by other platform components as part of the normal lifecycle.

  • If they're using WriteProcessMemory, that's a fairly brittle solution anyway. Not sure how to defend but it's a bad way to go about injecting a DLL unless you're Richter.

Brittle, yes, but if they are hacking your app, they won't care.

  • If their injection logic requires that your app is easy to identify (by process/module name, for example) you can switch your app to run as a DLL using a generic host process. This might trip them up if they're looking to inject into "MYAPP.EXE" and suddenly you change your app so that it runs as (just for example) SVCHOST.EXE.

This is not practical either because then all your shortcuts would stop working, any references in the registry would be incorrect, and other places like the service database would be out of date as well.

There is very little you can do, and most of the things you do can be circumvented. Going through all this trouble is hardly worth it.
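rtpninja's first suggestion (scan your own process for loaded modules and act on what you find), read together with the caveats in Bruno's replies, is the one that can be tried without kernel-mode code. The following is an added example, not code from this thread or from any of its posters: it enumerates the modules mapped into the current process with PSAPI (EnumProcessModules and GetModuleFileNameExA) on Windows, normalises each path to a lower-cased base name, and reports any module that is not on an allowlist. The allowlist and the sample module paths used for non-Windows builds are constructed for the example; "MyApp.exe" and "sample_injected.dll" are placeholders, not real products. Because, as the thread notes, benign software also injects DLLs and a loaded module can be made hard to unload, the code logs an unexpected module for investigation rather than quitting or calling FreeLibrary.

```cpp
// Added example, not code from this thread: audit the modules loaded into the
// current process against an allowlist and report anything unexpected.
// The allowlist and the sample paths below are constructed placeholders.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>
#include <vector>

#ifdef _WIN32
#define NOMINMAX
#include <windows.h>
#include <psapi.h>
#pragma comment(lib, "psapi.lib")
#endif

// Reduce a module path to its lower-cased base name so that
// "C:\Windows\System32\KERNEL32.DLL" and "kernel32.dll" compare equal.
std::string normalizeModuleName(const std::string& path) {
    const size_t slash = path.find_last_of("\\/");
    std::string base = (slash == std::string::npos) ? path : path.substr(slash + 1);
    std::transform(base.begin(), base.end(), base.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return base;
}

// Return the normalised names of loaded modules that are not on the allowlist,
// in load order and without duplicates.
std::vector<std::string> unexpectedModules(const std::vector<std::string>& loaded,
                                           const std::set<std::string>& allowlist) {
    std::vector<std::string> unexpected;
    std::set<std::string> seen;
    for (const std::string& path : loaded) {
        const std::string name = normalizeModuleName(path);
        if (allowlist.count(name) == 0 && seen.insert(name).second) {
            unexpected.push_back(name);
        }
    }
    return unexpected;
}

#ifdef _WIN32
// Enumerate the modules currently mapped into this process via PSAPI.
std::vector<std::string> loadedModules() {
    std::vector<std::string> paths;
    HMODULE modules[1024];
    DWORD bytesNeeded = 0;
    if (!EnumProcessModules(GetCurrentProcess(), modules, sizeof(modules), &bytesNeeded)) {
        return paths;  // enumeration failed; the caller sees an empty list
    }
    DWORD count = bytesNeeded / sizeof(HMODULE);
    if (count > 1024) count = 1024;  // only the entries that fit in the buffer
    for (DWORD i = 0; i < count; ++i) {
        char path[MAX_PATH];
        if (GetModuleFileNameExA(GetCurrentProcess(), modules[i], path, MAX_PATH) != 0) {
            paths.push_back(path);
        }
    }
    return paths;
}
#else
// Constructed sample input so the example also builds and runs off Windows.
std::vector<std::string> loadedModules() {
    return {
        "C:\\Program Files\\MyApp\\MyApp.exe",                    // constructed
        "C:\\Windows\\System32\\ntdll.dll",
        "C:\\Windows\\System32\\KERNEL32.DLL",
        "C:\\Windows\\System32\\KERNELBASE.dll",
        "C:\\Users\\alice\\AppData\\Roaming\\sample_injected.dll" // constructed
    };
}
#endif

int main() {
    // Constructed allowlist: the application itself plus the system DLLs it is
    // known to load. A real build would generate this from its own link list.
    const std::set<std::string> allowlist = {
        "myapp.exe", "ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll"};

    const std::vector<std::string> unexpected = unexpectedModules(loadedModules(), allowlist);
    for (const std::string& name : unexpected) {
        // Log rather than exit: benign software also injects DLLs, so an
        // unexpected module is a signal to investigate, not proof of attack.
        std::cerr << "unexpected module loaded: " << name << '\n';
    }
    return unexpected.empty() ? 0 : 1;
}
```

On Windows build it with a C++11 compiler; the `#pragma comment` links psapi.lib under MSVC, other toolchains need `-lpsapi`. The allowlist will need entries for whatever the runtime, shell extensions and input-method DLLs on a given machine load, which is exactly the point Aleksandr makes about the module list differing between machines; treat the output as an audit log, not as a trigger to terminate.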





Re: Visual C++ General Stop Dll Injection

Ramkrishna Pawar

Bruno van Dooren wrote:
rtpninja wrote:

Here are some things you can try, without digging into kernel-mode development:

  • If you know the name of the DLL they're trying to inject, you can (of course) scan your process to see if that module's been loaded and if so, either quit, or ::FreeLibrary it if doing so doesn't crash your app.

It is easy to load a DLL so that FreeLibrary cannot unload it.

  • If they're using AppInit_DLLs section of the registry to inject their DLL, you can query this key when your application starts up, and refuse to start if any DLLs are found.

But the DLL can be injected at runtime.

  • If they're using a global Windows hook to inject their DLL, you might be able to play around with setting a Debug hook (WH_DEBUG) to figure out which module is doing the hooking; then you can kill it, shut down your app, or whatever.

Killing it might not be possible. The only thing you might do is detect it, but then how would you distinguish between DLLs that get loaded as part of the normal lifecycle and malicious DLL loads? Lots of DLLs get loaded directly and indirectly.

  • If they're using the CreateRemoteThread trick to inject their DLL.. not sure what you can do here. Probably there's some way to defend against it, especially if you know the rogue DLL's name ahead of time.

It's hardly a trick, and there is very little you can do. Anyone with the ability to create that thread can do so. You might be able to detect this, but I suspect you will not see the difference between that and a normal thread start. And again, threads can be started by other platform components as part of the normal lifecycle.

  • If they're using WriteProcessMemory, that's a fairly brittle solution anyway. Not sure how to defend but it's a bad way to go about injecting a DLL unless you're Richter.

Brittle, yes, but if they are hacking your app, they won't care.

  • If their injection logic requires that your app is easy to identify (by process/module name, for example) you can switch your app to run as a DLL using a generic host process. This might trip them up if they're looking to inject into "MYAPP.EXE" and suddenly you change your app so that it runs as (just for example) SVCHOST.EXE.

This is not practical either because then all your shortcuts would stop working, any references in the registry would be incorrect, and other places like the service database would be out of date as well.

There is very little you can do, and most of the things you do can be circumvented. Going through all this trouble is hardly worth it.

I agree. Most of the time the user will never know which DLLs are injected; simple harmless apps such as Yahoo Messenger and Google Desktop inject DLLs, so if one writes code to exit in case of injection then that program will almost never run. :-)






Re: Visual C++ General Stop Dll Injection

Aleksandr Tokarev

Ramkrishna Pawar wrote:

Because the DLL is loaded into your process, there must be a sequence of actions happening when a module is injected, and the application code always has full user mode rights on the process, so it can modify things to not load the injection. At the worst, someone can involve kernel mode code to help do this. If you understand how the Windows loader works, then you can see the possibilities yourself.

Can you show us some code, industry-based code, that will work in most cases and will not prevent the normal lifecycle of the application?





Re: Visual C++ General Stop Dll Injection

Aleksandr Tokarev

I guess removing these access rights:

PROCESS_VM_OPERATION Required to perform an operation on the address space of a process (see VirtualProtectEx and WriteProcessMemory).
PROCESS_VM_READ Required to read memory in a process using ReadProcessMemory.
PROCESS_VM_WRITE Required to write to memory in a process using WriteProcessMemory.

will protect from most DLL injections and global hooks.

CreateRemoteThread will not work, and WriteProcessMemory too.

I hope(!) global hooks too, because their work needs writing to remote process memory.

The second way: create the process under a special user account whose logon credentials are known only to the startup process.





Re: Visual C++ General Stop Dll Injection

Ramkrishna Pawar

Aleksandr Tokarev wrote:
Ramkrishna Pawar wrote:

Because the DLL is loaded into your process, there must be a sequence of actions happening when a module is injected, and the application code always has full user mode rights on the process, so it can modify things to not load the injection. At the worst, someone can involve kernel mode code to help do this. If you understand how the Windows loader works, then you can see the possibilities yourself.

Can you show us some code, industry-based code, that will work in most cases and will not prevent the normal lifecycle of the application?

Nah, writing the code would not be that easy on time. But I can explain if you ask me specific questions.

The central idea is, when a DLL is injected (using SetWindowsHookEx, CreateRemoteThread etc.) the part of code in user32.dll loads it inside the target process (user32.dll is already mapped in that process's address space), so if you can monitor and intercept that activity you can also alter it.

[Discussing this topic in detail will open up a lot of information which can be misused, so I am reluctant and will discuss only the idea and not how to do everything.]






Re: Visual C++ General Stop Dll Injection

Ramkrishna Pawar

Aleksandr Tokarev wrote:

I guess removing these access rights:

PROCESS_VM_OPERATION Required to perform an operation on the address space of a process (see VirtualProtectEx and WriteProcessMemory).
PROCESS_VM_READ Required to read memory in a process using ReadProcessMemory.
PROCESS_VM_WRITE Required to write to memory in a process using WriteProcessMemory.

will protect from most DLL injections and global hooks.

CreateRemoteThread will not work, and WriteProcessMemory too.

I hope(!) global hooks too, because their work needs writing to remote process memory.

The second way: create the process under a special user account whose logon credentials are known only to the startup process.

This whole logic collapses when the injector has admin rights; the permissions can be readjusted. Plus, changing permissions on the whole process memory might result in huge troubles for the code running inside that process.






Re: Visual C++ General Stop Dll Injection

brietje698

There's a program called Process Guard and it can protect a process from DLL injection, I think, but how does that work then?





Re: Visual C++ General Stop Dll Injection

Ramkrishna Pawar

brietje698 wrote:

There's a program called Process Guard and it can protect a process from DLL injection, I think, but how does that work then?

It has a kernel mode component which intercepts injection & several other operations.






Re: Visual C++ General Stop Dll Injection

rtpninja

:-)