Prevent DLL injection

[voidspace]

Is there a way to prevent peeps from injecting dlls into your application. We have this screen capture application that injects its dll into our application which is causing a crash in our application.

[Krishnaa]

What way the DLL is injected ? is it SetWindowsHookEx ? Or CreateRemoteThread ?

Look the the injected DLL's export functions, also the dependancy of appliction which injects to know what API's are used.

[voidspace]

This is a 3rd party application so I have no idea how they are hooking into it ..but their dlls shows up in our processer loaded dlls when using process explorer and our application crashes if their application is running.

[Krishnaa]

This is a 3rd party application so I have no idea how they are hooking into it ..but their dlls shows up in our processer loaded dlls when using process explorer and our application crashes if their application is running.

So you know that executable and the injected DLL, get dependancy walker to see what functions are used. You need to know the injection method in order to prevent/block it.

[voidspace]

Thanks that should tell me.

[voidspace]

Well these are the function that are being imported/exported for the injected dll?

c:\program files\capture express\QCAPHK.DLL

c:\windows\system32\KERNEL32.DLL

c:\windows\system32\USER32.DLL

c:\windows\system32\OLEAUT32.DLL

c:\windows\system32\KERNEL32.DLL

c:\windows\system32\USER32.DLL

[i]CapUnHook
[i]CapHookKeyboard
[i]CapHookMouse


[e]CapUnHook
[e]CapHookKeyboard
[e]CapHookMouse

Internally which function it is calling is unknown. It must be using SetWindowsHook. So how can I prevent any application from hooking into our application is that even possible?

[Krishnaa]

I think you should try to find the reason of crash, because if you block the hooks for this application then in future your application might crash with some other hooking application.

[voidspace]

The reason for the crash is a memory leak in the third party dll injected into our application. The memory keeps incresing till 200 MB and our application just vanishes.

[Krishnaa]

Does that happen with other applications running on system like explorer.exe etc. ?

Also did you make sure that the memory increase if not from your code ?

[voidspace]

Yes we did. When this dll is injected our application crashes (only in release mode) the crash in side a simple if block.

The reason for ending up here is because the function table is messed up due to the DLL entering into our application reserved memory.
if( TRUE)
{
SetMemberVariableValue( dValue);
}

[Krishnaa]

I think you can still revise your code logic to handle the case, blocking the hooks is almost like inviting a lot of compatibility problems.

[voidspace]

Ok what I mean was the application execution pointer is corrupt when this third party dll screws up. So the problem is the 3rd party dll is crashing and since it is sitting in our address space our application also crashes. Try a simple DLL inject program that hogs memory.

[Igor Vartanov]

Ok what I mean was the application execution pointer is corrupt when this third party dll screws up. So the problem is the 3rd party dll is crashing and since it is sitting in our address space our application also crashes. Try a simple DLL inject program that hogs memory.

Normally you cannot prevent the dll injection, since it's done by regular OS mechanisms. The only way is to make the enemy unable to load itself.

• Intercept CreateProcess (installing KMD) and make it crash for enemy load attempts.
• Kill it on your app start along with all its files.

An alternative may be to refuse to run in system where it's present.
I belive, if your app is more valuable for customer, the latter will take care about cleaning the system up himself.

[Owyn]

i've seen an addon for application that simply won't let dll loaders inject dlls into process =\

btw, so far internet is full of injection dll sources but almost none to prevent it, at least a few basic ones with example codes would be great =\