dcsimg
CodeGuru Home VC++ / MFC / C++ .NET / C# Visual Basic VB Forums Developer.com
Results 1 to 6 of 6

Thread: Anti dll Injection with API Hooking "Access Violation writing location 0x0000000000"

  1. #1
    Join Date
    Apr 2014
    Posts
    61

    Anti dll Injection with API Hooking "Access Violation writing location 0x0000000000"

    Hi,

    I'm using the JMP instruction tecnique for try make a Anti-Dll Injection with detour when LdrLoadDll api is called inside my program. I found a Delphi code that works perfectly, but this VC++ 2013 version for this code, crashes with a "Access Violation writing location 0x0000000000" with showed below.

    So, how I can solve this trouble? Someone can help me please?

    Thanks in advance.

    Delphi version:

    Code:
    procedure hook(target, newfunc:pointer); 
    var 
      jmpto:dword; 
        OldProtect: Cardinal; // old protect in memory 
    begin 
      jmpto:=dword(newfunc)-dword(target)-5; 
      VirtualProtect(target, 5, PAGE_EXECUTE_READWRITE, @OldProtect); 
      pbyte(target)^:=$e9; 
      pdword(dword(target)+1)^:=jmpto; 
    end; 
    
    procedure myLdrLoadDll(PathToFile:PAnsiChar; Flags:variant; ModuleFileName:PAnsiChar; var ModuleHandle:THandle); 
    begin 
      MessageBox(0, 'I have blocked your attempt to inject a dll file!!', 'WARNING!', MB_OK); 
      ModuleHandle:=0; 
    end; 
    
    procedure Main; 
    begin 
    Hook(GetProcAddress(GetModuleHandle('ntdll.dll'), 'LdrLoadDll'), @myLdrLoadDll); 
    end; 
    
    begin 
    end.
    Trying translate for VC++ 2013 version:

    Code:
    // Anti_DLLInjection.cpp : Defines the entry point for the console application.
    //
    
    #include "stdafx.h"
    #include <windows.h>
    #include <stdio.h>
    #include <iostream>
    #include <string>
    #include <memory>
    
    using namespace std;
    
    BOOL TrampolineAPI(HMODULE hModule, LPCWSTR DllName, LPCSTR ProcName, DWORD dwReplaced)
    {
    	DWORD dwReturn;
    	DWORD dwOldProtect;
    	DWORD dwAddressToHook = (DWORD)GetProcAddress(GetModuleHandle(DllName), ProcName);
    	BYTE *pbTargetCode = (BYTE *)dwAddressToHook;
    	BYTE *pbReplaced = (BYTE *)dwReplaced;
    	VirtualProtect((LPVOID)dwAddressToHook, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    	*pbTargetCode++ = 0xE9;   // My trouble is here
    	*((signed int*)(pbTargetCode)) = pbReplaced - (pbTargetCode + 4);
    	VirtualProtect((LPVOID)dwAddressToHook, 5, PAGE_EXECUTE, &dwOldProtect);
    	dwReturn = dwAddressToHook + 5;
    	FlushInstructionCache(GetCurrentProcess(), NULL, NULL);
    	return TRUE;
    }
    
    void WINAPI Replaced(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
    {
    	printf("Invasion!!");
    }
    
    
    
    int _tmain(int argc, _TCHAR* argv[])
    {
    
    	while (true)
    	{
    		TrampolineAPI(GetModuleHandle(0), (LPCWSTR)"ntdll.DLL", "LdrLoadDLL", (DWORD)Replaced);
    		
    	}
    	
    	
    	return 0;
    }
    Last edited by FL4SHC0D3R; October 26th, 2015 at 11:40 AM.

  2. #2
    Join Date
    Apr 2000
    Location
    Belgium (Europe)
    Posts
    4,626

    Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000

    You are quite deluding yourself if you think this makes your program 100% safe from injection.
    -There are other ways to inject dlls.
    -There are ways to inject code that isn't even in a DLL.

  3. #3
    2kaud's Avatar
    2kaud is online now Super Moderator Power Poster
    Join Date
    Dec 2012
    Location
    England
    Posts
    6,920

    Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000

    Are you compiling as 32 or 64 bit?
    All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!

    C++17 Compiler: Microsoft VS2019 (16.4.0)

  4. #4
    Join Date
    Nov 2003
    Posts
    1,902

    Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000

    >> (LPCWSTR)"ntdll.DLL"
    That is not a wide string. Casting it to one does not change that fact.

    You have zero error checking.

    gg

  5. #5
    Join Date
    Mar 2001
    Posts
    2,527

    Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000

    if this line fails (which it probably is):
    Code:
    DWORD dwAddressToHook = (DWORD)GetProcAddress(GetModuleHandle(DllName), ProcName);
    then
    Code:
    dwAddressToHook=0
    so
    Code:
    BYTE *pbTargetCode = (BYTE *)dwAddressToHook;
    and then as a result
    Code:
    pbTargetCode=0
    and
    Code:
    *pbTargetCode++ = 0xE9;   // My trouble is here
    is where you will have a memory exception when you try to write
    0xE9 to the memory address 0x00000000.

    I agree Codeplug, good hint. I suggest you go through and implement
    error checking, by looking at the return values of each functions as
    well as the values of the reference parameters to see if they are correct in code.
    Last edited by ahoodin; October 29th, 2015 at 02:43 PM.
    ahoodin
    To keep the plot moving, that's why.

  6. #6
    Join Date
    Mar 2001
    Posts
    2,527

    Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000

    Quote Originally Posted by Codeplug View Post
    >> (LPCWSTR)"ntdll.DLL"
    That is not a wide string. Casting it to one does not change that fact.

    You have zero error checking.

    gg
    Have a look here at how the author of this article uses error checking in a
    similar application
    http://www.codeguru.com/cpp/w-p/dll/...-Interface.htm

    If you had error checking, you most likely would know exactly what line the true problem was caused by and maybe
    already fixed it.
    ahoodin
    To keep the plot moving, that's why.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


Windows Mobile Development Center


Click Here to Expand Forum to Full Width




On-Demand Webinars (sponsored)