Blocking .dll Injection

All replies

  • There's no way to reliably prevent this. All you can do is make it harder, such as crc/hash checking your import table, and hooking LoadLibrary (offense is the best defense?) to see which dlls are being loaded.
    Einar Otto Stangvik | http://einaros.blogspot.com | Remember to close your threads :-)
    Tuesday, July 08, 2008 2:03 PM
  • Does this look like it would work?
    #include <windows.h>

    /* Overwrite the first byte of an exported function with RETN (0xC3) in
       the target process, so any call to it returns immediately. */
    BOOLEAN BlockAPI(HANDLE hProcess, const CHAR *libName, const CHAR *apiName)
    {
        BYTE pRet[] = { 0xC3 };           /* x86 RETN opcode */
        HINSTANCE hLib = NULL;
        VOID *pAddr = NULL;
        BOOL bRet = FALSE;
        SIZE_T dwRet = 0;                  /* WriteProcessMemory reports a SIZE_T byte count */

        hLib = LoadLibraryA(libName);
        if (hLib) {
            pAddr = (VOID *)GetProcAddress(hLib, apiName);
            if (pAddr) {
                if (WriteProcessMemory(hProcess, pAddr, pRet, sizeof(pRet), &dwRet)) {
                    if (dwRet) {
                        bRet = TRUE;
                    }
                }
            }
            FreeLibrary(hLib);
        }
        return bRet;
    }

    /* Re-apply the patch every 100 ms in case something restores the original bytes. */
    void AntiInject(void)
    {
        HANDLE hProc = GetCurrentProcess();
        while (TRUE) {
            BlockAPI(hProc, "NTDLL.DLL", "LdrLoadDll");
            Sleep(100);
        }
    }

    Tuesday, July 08, 2008 4:20 PM
  • Could you please elaborate on this one. Even I am looking for some inbuilt security of the application.
    Any changes made to the application, even a byte changed using a disassembler, should inform the application of the misdeed and block its execution.

    Moreover, I have seen some applications that cannot be closed by the End Task option in Task Manager. They implement some kind of protection which prevents them from being terminated by another process. An example of this is Symantec Antivirus. The moment you try terminating it, it pops up a message stating

    Operation could not be completed.
    Access denied.

    Any inputs on that would be appreciated.

    einaros said:

    There's no way to reliably prevent this. All you can do is make it harder, such as crc/hash checking your import table, and hooking LoadLibrary (offense is the best defense?) to see which dlls are being loaded.

    Einar Otto Stangvik | http://einaros.blogspot.com | Remember to close your threads :-)

    Kavitesh Singh.
    Wednesday, July 09, 2008 5:18 AM
  • XeTav said:

    Does this look like it would work?


    That looks rather unsafe, since it just smacks a RETN in the beginning of whatever API you're "blocking". When you're dealing with stdcall apis, with more than one argument, you'll corrupt your stack, probably causing whatever code is using the api to crash.

    I'd rather use Microsoft's Detours library. Have you looked into that?

    Einar Otto Stangvik | http://einaros.blogspot.com | Remember to close your threads :-)
    • Marked as answer by Yan-Fei Wei Monday, July 14, 2008 1:47 AM
    Wednesday, July 09, 2008 10:01 AM
  • Apart from the fact that it is probably a bad idea, it is extremely hard to do, to the point of being impossible.

    And sometimes (depending on whether you use application frameworks and runtime libraries) there are perfectly valid scenarios where the runtime or framework loads other DLLs when they are needed.
    Blocking DLLs from being loaded is like second-guessing every single developer who worked on any one of the libraries which are used directly or indirectly in your application.

    The only way afaik to prevent DLL injection is running on Vista or Server 2008, which separates user processes from elevated processes. And even then I don't know if that is bulletproof.
    In any case, on Windows 2003 and earlier, it is next to impossible, and it might cause weird side effects.

    EDIT: In my post I meant 'Impossible' to mean 'Impossible without breaking other stuff'
    Wednesday, July 09, 2008 12:56 PM
  • What about detecting rather than blocking? If I could detect an external application interacting with my process, I could tell my application to exit, therefore effectively stopping the dynamic link library doing its job rather than trying to block the injection.
    Wednesday, July 09, 2008 2:27 PM
  • This blog post is probably relevant.  Also keep in mind that the odds of blocking a benign or needed DLL are far greater than a malicious one.  Think of accessibility aids and virus scanners.
    Hans Passant.
    • Marked as answer by Yan-Fei Wei Monday, July 14, 2008 1:47 AM
    Wednesday, July 09, 2008 8:22 PM
  • XeTav said:

    What about detecting rather than blocking? If I could detect an external application interacting with my process, I could tell my application to exit, therefore effectively stopping the dynamic link library doing its job rather than trying to block the injection.


    If you include Delayimp.lib and Delayimp.h in your project and specify the __pfnDliNotifyHook2 value [http://msdn.microsoft.com/en-us/library/z9h1h6ty(VS.80).aspx], then theoretically it should be possible to detect each new DLL injected into your application.



    • Marked as answer by Yan-Fei Wei Monday, July 14, 2008 1:47 AM
    Friday, July 11, 2008 6:21 AM
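Several replies above lean toward observing rather than blocking: einaros suggests watching which DLLs get loaded, Hans Passant warns that accessibility aids and virus scanners are far more likely to be caught than anything malicious, and the last answer points at the delay-load notification hook. That hook only runs when one of your own module's delay-loaded imports is resolved, so it does not see a library that other code loads into the process. The script below is an added example, not code from this thread: it polls the module list of the current process (the same loop shape as XeTav's AntiInject, but read-only), compares each snapshot against a baseline, treats DLLs under allowlisted directories as expected, and logs the rest instead of exiting. EnumProcessModulesEx and GetModuleFileNameExW are real psapi functions (Vista and later); the allowlisted directory, the sample paths and the snapshot function used when testing are constructed for illustration.

```python
"""Added example (not part of the thread): detect DLLs appearing in the current
process instead of patching LdrLoadDll. Module enumeration is Windows-only via
psapi; the decision logic is plain Python so it can be exercised anywhere."""
import logging
import ntpath
import sys
import time

log = logging.getLogger("dll-monitor")


def normalize(path):
    # Windows paths compare case-insensitively and accept either separator.
    return ntpath.normcase(ntpath.normpath(path))


def review_modules(current, baseline, allowed_dirs):
    """Compare a module snapshot with a baseline.

    current, baseline: iterables of full module paths.
    allowed_dirs: directories whose DLLs are expected to show up at any time
        (site-specific assumption, e.g. an installed screen reader or AV hook).
    Returns {'unexpected': [...], 'allowed_new': [...], 'unloaded': [...]}.
    """
    cur = {normalize(p) for p in current}
    base = {normalize(p) for p in baseline}
    allowed = tuple(normalize(d) + ntpath.sep for d in allowed_dirs)
    new = sorted(cur - base)
    return {
        "unexpected": [p for p in new if not p.startswith(allowed)],
        "allowed_new": [p for p in new if p.startswith(allowed)],
        "unloaded": sorted(base - cur),
    }


def monitor(snapshot_fn, allowed_dirs, interval=0.1, rounds=None):
    """Poll snapshot_fn() every `interval` seconds (forever if rounds is None).

    Each module is reported once: new modules are folded into the baseline
    after review. Logs rather than exits, so a benign DLL cannot take the
    application down. Returns the unexpected module paths seen.
    """
    baseline = set(snapshot_fn())
    unexpected_seen = []
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        current = list(snapshot_fn())
        result = review_modules(current, baseline, allowed_dirs)
        for p in result["unexpected"]:
            log.warning("unexpected module loaded: %s", p)
            unexpected_seen.append(p)
        for p in result["allowed_new"]:
            log.info("allowlisted module loaded: %s", p)
        baseline |= set(current)
        done += 1
    return unexpected_seen


if sys.platform == "win32":
    import ctypes
    from ctypes import wintypes

    _psapi = ctypes.WinDLL("psapi", use_last_error=True)
    _kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    _psapi.EnumProcessModulesEx.argtypes = [
        wintypes.HANDLE, ctypes.POINTER(wintypes.HMODULE), wintypes.DWORD,
        wintypes.LPDWORD, wintypes.DWORD]
    _psapi.EnumProcessModulesEx.restype = wintypes.BOOL
    _psapi.GetModuleFileNameExW.argtypes = [
        wintypes.HANDLE, wintypes.HMODULE, wintypes.LPWSTR, wintypes.DWORD]
    _psapi.GetModuleFileNameExW.restype = wintypes.DWORD
    _kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    LIST_MODULES_ALL = 0x03  # both 32-bit and 64-bit modules

    def loaded_modules():
        """Full paths of every module currently mapped into this process."""
        hproc = _kernel32.GetCurrentProcess()
        mods = (wintypes.HMODULE * 1024)()
        needed = wintypes.DWORD(0)
        if not _psapi.EnumProcessModulesEx(hproc, mods, ctypes.sizeof(mods),
                                           ctypes.byref(needed), LIST_MODULES_ALL):
            raise ctypes.WinError(ctypes.get_last_error())
        count = min(needed.value // ctypes.sizeof(wintypes.HMODULE), len(mods))
        buf = ctypes.create_unicode_buffer(32768)
        paths = []
        for i in range(count):
            if _psapi.GetModuleFileNameExW(hproc, mods[i], buf, len(buf)):
                paths.append(buf.value)
        return paths


if __name__ == "__main__" and sys.platform == "win32":
    logging.basicConfig(level=logging.INFO)
    # Constructed allowlist: adjust to the accessibility/AV tools present on the host.
    monitor(loaded_modules, [r"C:\Program Files\ScreenReader"], interval=0.1)
```

On Windows the `__main__` block runs the monitor against the live process until interrupted; on other platforms only `review_modules` and `monitor` (with a caller-supplied snapshot function) are usable. Folding every new module into the baseline after it is reported keeps the log to one line per DLL, and the allowlist is matched by directory prefix rather than file name so that a renamed file outside the allowed directory is still reported.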