Prevent DLL injection
CodeGuru Home VC++ / MFC / C++ .NET / C# Visual Basic VB Forums Developer.com
Results 1 to 14 of 14

Thread: Prevent DLL injection

  1. #1
    Join Date
    Apr 2001
    Location
    San Diego CA
    Posts
    378

    Prevent DLL injection

    Is there a way to prevent peeps from injecting dlls into your application. We have this screen capture application that injects its dll into our application which is causing a crash in our application.
    | r r| h h|d

  2. #2
    Join Date
    Aug 1999
    Location
    <Classified>
    Posts
    6,882

    Re: Prevent DLL injection

    What way the DLL is injected ? is it SetWindowsHookEx ? Or CreateRemoteThread ?

    Look the the injected DLL's export functions, also the dependancy of appliction which injects to know what API's are used.
    Regards,
    Ramkrishna Pawar

  3. #3
    Join Date
    Apr 2001
    Location
    San Diego CA
    Posts
    378

    Re: Prevent DLL injection

    This is a 3rd party application so I have no idea how they are hooking into it ..but their dlls shows up in our processer loaded dlls when using process explorer and our application crashes if their application is running.
    | r r| h h|d

  4. #4
    Join Date
    Aug 1999
    Location
    <Classified>
    Posts
    6,882

    Re: Prevent DLL injection

    Quote Originally Posted by voidspace
    This is a 3rd party application so I have no idea how they are hooking into it ..but their dlls shows up in our processer loaded dlls when using process explorer and our application crashes if their application is running.
    So you know that executable and the injected DLL, get dependancy walker to see what functions are used. You need to know the injection method in order to prevent/block it.
    Regards,
    Ramkrishna Pawar

  5. #5
    Join Date
    Apr 2001
    Location
    San Diego CA
    Posts
    378

    Re: Prevent DLL injection

    Thanks that should tell me.
    | r r| h h|d

  6. #6
    Join Date
    Apr 2001
    Location
    San Diego CA
    Posts
    378

    Re: Prevent DLL injection

    Well these are the function that are being imported/exported for the injected dll?

    c:\program files\capture express\QCAPHK.DLL
    c:\windows\system32\KERNEL32.DLL
    c:\windows\system32\USER32.DLL
    c:\windows\system32\OLEAUT32.DLL
    c:\windows\system32\KERNEL32.DLL
    c:\windows\system32\USER32.DLL

    [i]CapUnHook
    [i]CapHookKeyboard
    [i]CapHookMouse


    [e]CapUnHook
    [e]CapHookKeyboard
    [e]CapHookMouse

    Internally which function it is calling is unknown. It must be using SetWindowsHook. So how can I prevent any application from hooking into our application is that even possible?
    | r r| h h|d

  7. #7
    Join Date
    Aug 1999
    Location
    <Classified>
    Posts
    6,882

    Re: Prevent DLL injection

    I think you should try to find the reason of crash, because if you block the hooks for this application then in future your application might crash with some other hooking application.
    Regards,
    Ramkrishna Pawar

  8. #8
    Join Date
    Apr 2001
    Location
    San Diego CA
    Posts
    378

    Re: Prevent DLL injection

    The reason for the crash is a memory leak in the third party dll injected into our application. The memory keeps incresing till 200 MB and our application just vanishes.
    | r r| h h|d

  9. #9
    Join Date
    Aug 1999
    Location
    <Classified>
    Posts
    6,882

    Re: Prevent DLL injection

    Does that happen with other applications running on system like explorer.exe etc. ?

    Also did you make sure that the memory increase if not from your code ?
    Regards,
    Ramkrishna Pawar

  10. #10
    Join Date
    Apr 2001
    Location
    San Diego CA
    Posts
    378

    Re: Prevent DLL injection

    Yes we did. When this dll is injected our application crashes (only in release mode) the crash in side a simple if block.

    The reason for ending up here is because the function table is messed up due to the DLL entering into our application reserved memory.
    if( TRUE)
    {
    SetMemberVariableValue( dValue);
    }
    | r r| h h|d

  11. #11
    Join Date
    Aug 1999
    Location
    <Classified>
    Posts
    6,882

    Re: Prevent DLL injection

    I think you can still revise your code logic to handle the case, blocking the hooks is almost like inviting a lot of compatibility problems.
    Regards,
    Ramkrishna Pawar

  12. #12
    Join Date
    Apr 2001
    Location
    San Diego CA
    Posts
    378

    Re: Prevent DLL injection

    Ok what I mean was the application execution pointer is corrupt when this third party dll screws up. So the problem is the 3rd party dll is crashing and since it is sitting in our address space our application also crashes. Try a simple DLL inject program that hogs memory.
    | r r| h h|d

  13. #13
    Join Date
    Nov 2000
    Location
    Voronezh, Russia
    Posts
    5,957

    Re: Prevent DLL injection

    Quote Originally Posted by voidspace
    Ok what I mean was the application execution pointer is corrupt when this third party dll screws up. So the problem is the 3rd party dll is crashing and since it is sitting in our address space our application also crashes. Try a simple DLL inject program that hogs memory.
    Normally you cannot prevent the dll injection, since it's done by regular OS mechanisms. The only way is to make the enemy unable to load itself.
    • Intercept CreateProcess (installing KMD) and make it crash for enemy load attempts.
    • Kill it on your app start along with all its files.

    An alternative may be to refuse to run in system where it's present.
    I belive, if your app is more valuable for customer, the latter will take care about cleaning the system up himself.
    Last edited by Igor Vartanov; July 21st, 2006 at 08:25 AM.
    Best regards,
    Igor

  14. #14
    Join Date
    May 2009
    Posts
    140

    Re: Prevent DLL injection

    i've seen an addon for application that simply won't let dll loaders inject dlls into process =\

    btw, so far internet is full of injection dll sources but almost none to prevent it, at least a few basic ones with example codes would be great =\

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


Azure Activities Information Page

Windows Mobile Development Center


Click Here to Expand Forum to Full Width

This is a CodeGuru survey question.


Featured


HTML5 Development Center