DLL Injection Detection - Page 2
CodeGuru Home VC++ / MFC / C++ .NET / C# Visual Basic VB Forums Developer.com
Page 2 of 2 FirstFirst 12
Results 16 to 23 of 23

Thread: DLL Injection Detection

  1. #16
    Join Date
    Apr 2000
    Location
    Belgium (Europe)
    Posts
    4,065

    Re: DLL Injection Detection

    But as far as I know there is no legit reason for there to be injected DLLs into this specific game.
    Wrong, there are a ton of reasons for this to be legit.

    Stuff like Ventrillo/mumble uses this for their push-to-talk button among others (global key hook). Videodrivers use this to enable/disable certain features on demand (again key hook). I've seen anti-virus software install Window hooks. Software to help people with disabilities hook all kinds of API functions in "legitimate" ways to either do voice-narating, or zoom/scale text, or display text on a braille device.
    I could go on. The list of software that needs to do soem form of hooking/injecting is HUGE.

    if I can get the names of the injected dlls. I could probably have a blacklist of known cheats
    Plenty "generic" cheats have built in obfuscation. Such as renaming the dll (even each run), even modifying the dll, or building "custom/randomized" versions for each of their paying customers.

    or possibly attempt to see what the injected modules are trying to do, and if they're doing something suspect (like trying to hook OpenGL) I will know if it's being used for cheating.
    You have no realistic way to detect they are hooking API functions other than detecting one of several common tricks which no self respecting hacker would use.

    You have no realistic way to check "what a module is trying to do", other than some basic heuristic testing. Even an experienced programmer will need a good bit of time to figure out what a chunk of assembly code is doing. And it's easy to obfuscate code so that you can't just watch at the entire code in a debugger. (A lot of cheats run on custom VM's, and all you ever see is the basic VM runtime loop).



    With all due respects to the people on codeguru, and I know some are awesome.
    Like I said in previous if you haven't got experience with the actual hacking process itself... you have no chance of stopping a hacker, you probably don't even have much notion of some of the tools these guys have at their disposal to do their evilness.

  2. #17
    Join Date
    Oct 2006
    Location
    Sweden
    Posts
    3,639

    Re: DLL Injection Detection

    You're probably right OReubens and that's also why I haven't bought any game for many years now. Multiplayer games are just full of cheaters or people that spend so many hours in it it's just not fun when you just have time to enter a few hours a week.

    I whish there were more game companies that focused on making a good single player game, free of all the unwanted crap such as Steam, Punkbuster and you name it. The possibility to play against a friend over internet or local network would give extra points though. I miss the Quake evenings with snacks and a few beers we had at the company ages ago.
    Debugging is twice as hard as writing the code in the first place.
    Therefore, if you write the code as cleverly as possible, you are, by
    definition, not smart enough to debug it.
    - Brian W. Kernighan

    To enhance your chance's of getting an answer be sure to read
    http://www.codeguru.com/forum/announ...nouncementid=6
    and http://www.codeguru.com/forum/showthread.php?t=366302 before posting

    Refresh your memory on formatting tags here
    http://www.codeguru.com/forum/misc.php?do=bbcode

    Get your free MS compiler here
    http://www.microsoft.com/visualstudio/eng/downloads

  3. #18
    Join Date
    Mar 2013
    Posts
    5

    Re: DLL Injection Detection

    EnumProcessModules() it require to check again and again..my code checking again and again dll exist or not....i want efficient method like wen somebody inject then any event fire or watever i can easy detect instead of listing of dlls then block by checking ...i

  4. #19
    Join Date
    Mar 2013
    Posts
    5

    Re: DLL Injection Detection

    i dnt think its efficient method to checking again and again by using process module name and enumprocessModule....i want efficient ways wen dll is injected and event fire .so my process will not disturb by checking again and again.Below code checking again and again.i dnt think its efficent..i want it will detect as event fire.LoadAssembly event handler not work because dll is injected in process memory.i dnt knowe what should i do...i need ur help.
    while (true)
    {
    Thread.Sleep(500);
    Process proc1 = Process.GetCurrentProcess();
    for (int i = 0; i < proc1.Modules.Count; i++)
    {
    proc1.Modules[i].ModuleName.ToString();

    }
    // if count greater then current dll then APPLICATION WILL ESIST
    if (proc1.Modules.Count > CurrentProcessModule.Count)
    {
    Application.Exit();

    }
    }

  5. #20
    Join Date
    Apr 2000
    Location
    Belgium (Europe)
    Posts
    4,065

    Re: DLL Injection Detection

    A dll can be loaded before your program even starts executing, so you will need the EnumProcessModules anyway.

    If you want to be notified of dll's being loaded and unloaded:
    LdrRegisterDllNotification and it's companion 'unregister' are what you could use.

    However... this only tracks actual DLL loads (LoadLibrary and LoadLibraryEx calls) done through the process space itself.

    You could also hook LoadLibrary yourself (be VERY careful here, it's quite easy to get obscure bugs this way).

    It won't help for injected code. Cheats can circumvent the API's themselves. It also won't help for out-of-process cheats nor will it help against rootkits (which are the thing the advanced cheat programs use these days).

  6. #21
    Join Date
    Apr 2000
    Location
    Belgium (Europe)
    Posts
    4,065

    Re: DLL Injection Detection

    Quote Originally Posted by S_M_A View Post
    You're probably right OReubens and that's also why I haven't bought any game for many years now. Multiplayer games are just full of cheaters or people that spend so many hours in it it's just not fun when you just have time to enter a few hours a week.
    Quite a few games have an "always online" feature ONLY as a means to stop piracy or to force-feed or advertise additional (paying) services.

    As to games that are really server based, true, a lot of them get their competition out of "playing more than others". You can't really avoid this, someone that has more time simply will be better even if just because of the fact they get more practice.

    Then again, there are quite a few games that restrict how much a player can do each day either by having a fixed number of turns per day or a fixed number of time you can play or even getting a fixed amount of "action points" per day and you spend different amounts of those on various actions. Those games are rare though. Game makers tend to want their players to play MORE not less

  7. #22
    Join Date
    Apr 2000
    Location
    Belgium (Europe)
    Posts
    4,065

    Re: DLL Injection Detection

    Quote Originally Posted by Qasim Qadri View Post
    i want it will detect as event fire.LoadAssembly event handler not work because dll is injected in process memory.

    // if count greater then current dll then APPLICATION WILL ESIST
    If you are going to block/terminate your app whenever a dll gets loaded... your customers will REALLY hate you for that. (or you're simply not going to have a lot of customers).

    Like I said before, there are tons of legitimate reasons why a DLL gets loaded into your application after it started running. Even calling some windows API functions loads additional DLL's (and this has become even more obvious with the way Win8 has taken things. Lots more stuff now is delay loaded to keep the initial footprint of your app as low as possible).

  8. #23
    Join Date
    Mar 2013
    Posts
    5

    Re: DLL Injection Detection

    Quote Originally Posted by OReubens View Post
    A dll can be loaded before your program even starts executing, so you will need the EnumProcessModules anyway.

    If you want to be notified of dll's being loaded and unloaded:
    LdrRegisterDllNotification and it's companion 'unregister' are what you could use.

    However... this only tracks actual DLL loads (LoadLibrary and LoadLibraryEx calls) done through the process space itself.

    You could also hook LoadLibrary yourself (be VERY careful here, it's quite easy to get obscure bugs this way).

    It won't help for injected code. Cheats can circumvent the API's themselves. It also won't help for out-of-process cheats nor will it help against rootkits (which are the thing the advanced cheat programs use these days).
    can u give me source code Example.because i dnt have much experience.i can better understand from source code in c#..i wait for source code.

Page 2 of 2 FirstFirst 12

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


Windows Mobile Development Center


Click Here to Expand Forum to Full Width

This is a CodeGuru survey question.


Featured


HTML5 Development Center