DLL Injection Detection


pobri19
January 11th, 2009, 09:58 AM
Hi there, so here's the deal. First off let me start by telling you why:

Basically it's a game security feature, to prevent cheating.

Anyway, here's the deal: I've been given the task of making a function to find all injected and loaded DLLs in a specific process at run time. Here's an example: They launch the game, this program will dump the target game's memory into a buffer or a file or something, and try and find all the DLLs loaded in that game's memory/process/address space.

I'm just wondering what an efficient way to do this would be. I'm uncertain how to find all DLLs loaded in a certain process's address space, or how I could really access this memory to begin with. I'm not asking to be spoon fed here (unless you really feel like it haha), I would just like to have some suggestions on how I can accomplish this task, and what I will need to know/be able to do.

I've done a bit of googling and I found a method commonly used to 'hide' these DLLs from injection detection techniques, here's the link/source code:

Found at: http://www.battleforums.com/forums/d...akdll-cpp.html
Source code: http://www.privatepaste.com/b31hpsgNJt

I'm also aware that I may be able to use notification hooks to monitor access of OpenGL.dll or the Direct 3D DLL, but I'm uncertain if this will be an effective method to counter the 'hide' code used, or even if it's an effective method overall.

Thanks a lot!

Igor Vartanov
January 11th, 2009, 04:16 PM
A dll is a module. So the task must look like enumerating a process's modules. The task could be performed several ways, and to begin with something I would suggest creating a toolhelp32 snapshot and enumerating process modules. That would be the very first spoon.

pobri19
January 11th, 2009, 05:50 PM
OK I'll be sure to do that. Anyone else want to chime in, maybe with some ideas on how I can accomplish my task?

cj-wijtmans
January 12th, 2009, 02:36 PM
if you really want to prevent DLL injection.

- set your program security descriptor
- prevent apps from getting your process handle.
- scan for dll modules (without winapi) nt internals
- re-fix import table

this is how far any pro game security goes.

cannot give you specific details on how to do that, good luck

pobri19
January 13th, 2009, 02:54 AM
Well, I mainly just want to know if a DLL has been injected, not necessarily PREVENT them from being injected. Because if a DLL HAS been injected, I want to alert the server admin that cheats have been detected, or I want to kick/ban them from the server. So I don't necessarily need to prevent it, I just need to know if it's happening.

Igor Vartanov
January 13th, 2009, 06:11 AM
One point to remember: an injected dll is not necessarily a cheat tool. For example: contemporary dictionary applications inject global hook dlls into processes. Last year I made the one for one well-known respectable dictionary. :)

pobri19
January 13th, 2009, 06:35 AM
One point to remember: an injected dll is not necessarily a cheat tool. For example: contemporary dictionary applications inject global hook dlls into processes. Last year I made the one for one well-known respectable dictionary. :)

That may be true, but in my case most if not all injected DLLs will be cheats. And if there are any that aren't, I should be able to distinguish them depending on their name or some other way. But as far as I know there is no legit reason for there to be injected DLLs into this specific game.

CatShoe
January 13th, 2009, 08:49 AM
What you are trying to do is swim against the stream, that is the problem all game developers have had since day 1.
cj-wijtmans' post is maybe the best advice, not using any win api calls (any function you call for detection could be hooked already).

It's maybe a good idea to use EncodePointer and DecodePointer at startup of your application.

Just scanning for injected DLLs can be done by using toolhelp32 as Igor Vartanov already mentioned, but again, several applications inject DLLs into other processes for any reason, so it's probably not a good idea to bust a user because of those results.

Igor Vartanov
January 13th, 2009, 08:49 AM
But as far as I know there is no legit reason for there to be injected DLLs into this specific game.

As far as I know, a global hook dll is injected into each and every windowed process that runs along with the hooking process... Okay, I'm gonna stop bothering you with my suggestions, have a good hunt. ;)

pobri19
January 13th, 2009, 11:15 AM
As far as I know, a global hook dll is injected into each and every windowed process that runs along with the hooking process... Okay, I'm gonna stop bothering you with my suggestions, have a good hunt. ;)

My bad hehe, but that won't necessarily be a problem if I can get the names of the injected dlls. I could probably have a blacklist of known cheats or something, and run the names against the blacklist, or possibly attempt to see what the injected modules are trying to do, and if they're doing something suspect (like trying to hook OpenGL) I will know if it's being used for cheating. Anyways, sorry if I came across wrong, but what I just stated was what I was trying to get across =)

cj-wijtmans
January 14th, 2009, 04:38 AM
better to check DLLs for CRC hash
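
Added example, not code from any poster in this thread: it combines the Toolhelp32 module enumeration suggested earlier with the CRC check suggested in the last post, so a module is judged by its file contents and not only by its name. The names `known_module`, `crc32_update`, `classify_module` and `scan_process` are hypothetical, the allowlist is assumed to be supplied by the caller, and the Windows part assumes an ANSI build (UNICODE not defined).

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
/* Allowlist entry: module file name and the CRC-32 of the file the game is expected to load. */
typedef struct { const char *name; uint32_t crc; } known_module;

/* Running CRC-32 (reflected polynomial 0xEDB88320); start with crc = 0, feed chunks in order. */
uint32_t crc32_update(uint32_t crc, const unsigned char *p, size_t n) {
    crc = ~crc;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}
/* Case-insensitive equality: Windows module names are not case-sensitive. */
static int name_eq(const char *a, const char *b) {
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == *b;
}

/* 0 = name and CRC match the allowlist, 1 = known name but different bytes, 2 = unknown module. */
int classify_module(const char *name, uint32_t crc, const known_module *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (name_eq(name, list[i].name))
            return list[i].crc == crc ? 0 : 1;
    return 2;
}

#ifdef _WIN32 /* Windows-only: returns how many modules are not a clean match, or -1 on failure. */
#include <windows.h>
#include <tlhelp32.h>
int scan_process(DWORD pid, const known_module *list, size_t n) {
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    if (snap == INVALID_HANDLE_VALUE) return -1;
    MODULEENTRY32 me = { sizeof(me) };  /* dwSize must be set before Module32First */
    int flagged = 0;
    for (BOOL ok = Module32First(snap, &me); ok; ok = Module32Next(snap, &me)) {
        unsigned char buf[4096]; uint32_t crc = 0; size_t got;
        FILE *f = fopen(me.szExePath, "rb");  /* hash the file backing the module */
        while (f && (got = fread(buf, 1, sizeof buf, f)) > 0) crc = crc32_update(crc, buf, got);
        if (f) fclose(f);
        int verdict = f ? classify_module(me.szModule, crc, list, n) : 2;
        if (verdict) { flagged++; printf("%d %s\n", verdict, me.szExePath); }
    }
    CloseHandle(snap);
    return flagged;
}
#endif
```

The scan reports only what the Toolhelp32 API returns, so the hooked-API concern raised by CatShoe applies to it as well. A module whose name is on the list but whose bytes differ comes back as verdict 1, which a name-only list would not catch.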