  1. #1
    Join Date
    Apr 2014
    Posts
    61

    Anti dll Injection with API Hooking "Access Violation writing location 0x0000000000"

    Hi,

    I'm using the JMP instruction technique to try to make an anti-DLL-injection detour that fires when the LdrLoadDll API is called inside my program. I found Delphi code that works perfectly, but this VC++ 2013 version of the code crashes with an "Access Violation writing location 0x0000000000", as shown below.

    So, how can I solve this problem? Can someone help me, please?

    Thanks in advance.

    Delphi version:

    Code:
    procedure hook(target, newfunc: pointer);
    var
      jmpto: dword;
      OldProtect: Cardinal; // old protection of the page
    begin
      // displacement is measured from the end of the 5-byte JMP
      jmpto := dword(newfunc) - dword(target) - 5;
      VirtualProtect(target, 5, PAGE_EXECUTE_READWRITE, @OldProtect);
      pbyte(target)^ := $e9;                  // JMP rel32 opcode
      pdword(dword(target) + 1)^ := jmpto;    // 32-bit displacement
    end;

    procedure myLdrLoadDll(PathToFile: PAnsiChar; Flags: variant; ModuleFileName: PAnsiChar; var ModuleHandle: THandle);
    begin
      MessageBox(0, 'I have blocked your attempt to inject a dll file!!', 'WARNING!', MB_OK);
      ModuleHandle := 0;
    end;

    procedure Main;
    begin
      Hook(GetProcAddress(GetModuleHandle('ntdll.dll'), 'LdrLoadDll'), @myLdrLoadDll);
    end;

    begin
    end.
    Attempted translation to a VC++ 2013 version:

    Code:
    // Anti_DLLInjection.cpp : Defines the entry point for the console application.
    //
    
    #include "stdafx.h"
    #include <windows.h>
    #include <stdio.h>
    #include <iostream>
    #include <string>
    #include <memory>
    
    using namespace std;
    
    BOOL TrampolineAPI(HMODULE hModule, LPCWSTR DllName, LPCSTR ProcName, DWORD dwReplaced)
    {
    	DWORD dwReturn;
    	DWORD dwOldProtect;
    	DWORD dwAddressToHook = (DWORD)GetProcAddress(GetModuleHandle(DllName), ProcName);
    	BYTE *pbTargetCode = (BYTE *)dwAddressToHook;
    	BYTE *pbReplaced = (BYTE *)dwReplaced;
    	VirtualProtect((LPVOID)dwAddressToHook, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    	*pbTargetCode++ = 0xE9;   // My trouble is here
    	*((signed int*)(pbTargetCode)) = pbReplaced - (pbTargetCode + 4);
    	VirtualProtect((LPVOID)dwAddressToHook, 5, PAGE_EXECUTE, &dwOldProtect);
    	dwReturn = dwAddressToHook + 5;
    	FlushInstructionCache(GetCurrentProcess(), NULL, NULL);
    	return TRUE;
    }
    
    void WINAPI Replaced(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
    {
    	printf("Invasion!!");
    }
    
    int _tmain(int argc, _TCHAR* argv[])
    {
    	while (true)
    	{
    		TrampolineAPI(GetModuleHandle(0), (LPCWSTR)"ntdll.DLL", "LdrLoadDLL", (DWORD)Replaced);
    	}
    
    	return 0;
    }
    Last edited by FL4SHC0D3R; October 26th, 2015 at 11:40 AM.

  2. #2
    Join Date
    Apr 2000
    Location
    Belgium (Europe)
    Posts
    4,626

    Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000

    You are quite deluding yourself if you think this makes your program 100% safe from injection.
    -There are other ways to inject dlls.
    -There are ways to inject code that isn't even in a DLL.

  3. #3
    2kaud (Super Moderator, Power Poster)
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,824

    Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000

    Are you compiling as 32 or 64 bit?
    All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!

    C++23 Compiler: Microsoft VS2022 (17.6.5)

  4. #4
    Join Date
    Nov 2003
    Posts
    1,902

    Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000

    >> (LPCWSTR)"ntdll.DLL"
    That is not a wide string. Casting it to one does not change that fact.

    You have zero error checking.

    gg

  5. #5
    Join Date
    Mar 2001
    Posts
    2,529

    Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000

    If this line fails (which it probably does):
    Code:
    DWORD dwAddressToHook = (DWORD)GetProcAddress(GetModuleHandle(DllName), ProcName);
    then
    Code:
    dwAddressToHook=0
    so
    Code:
    BYTE *pbTargetCode = (BYTE *)dwAddressToHook;
    and then as a result
    Code:
    pbTargetCode=0
    and
    Code:
    *pbTargetCode++ = 0xE9;   // My trouble is here
    is where you will have a memory exception when you try to write
    0xE9 to the memory address 0x00000000.

    I agree, Codeplug, good hint. I suggest you go through and implement
    error checking, by looking at the return values of each function as
    well as the values of the reference parameters to see if they are correct in code.
    Last edited by ahoodin; October 29th, 2015 at 02:43 PM.
    ahoodin
    To keep the plot moving, that's why.

  6. #6
    Join Date
    Mar 2001
    Posts
    2,529

    Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000

    Quote Originally Posted by Codeplug View Post
    >> (LPCWSTR)"ntdll.DLL"
    That is not a wide string. Casting it to one does not change that fact.

    You have zero error checking.

    gg
    Have a look here at how the author of this article uses error checking in a
    similar application
    http://www.codeguru.com/cpp/w-p/dll/...-Interface.htm

    If you had error checking, you most likely would know exactly which line the true problem was caused by and might
    already have fixed it.
    ahoodin
    To keep the plot moving, that's why.
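The following is an added example, not code from the thread or from any of its posters. It takes the three points the replies make (the JMP rel32 displacement the original post computes, the 32-vs-64-bit question, and the missing error checking) and puts them into a portable, offline C++ routine: it builds the 5-byte "E9 rel32" patch into a caller-supplied buffer, refuses a NULL target (the exact condition that produced the access violation at address 0), refuses a detour that a 32-bit displacement cannot reach, and decodes its own patch back so the result can be checked before anything is written into executable memory. The function names, status codes and sample addresses are this example's own; nothing here calls VirtualProtect or touches a live function.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>

// Status codes for build_jmp_patch (names chosen for this example).
enum HookStatus {
    HOOK_OK = 0,
    HOOK_NULL_TARGET,   // lookup returned NULL: writing 0xE9 here is the thread's crash
    HOOK_NULL_DETOUR,   // no replacement function supplied
    HOOK_OUT_OF_RANGE   // detour is not within +/-2 GB of the target; rel32 cannot reach it
};

// "E9 rel32" is one opcode byte followed by a 32-bit signed displacement.
static const size_t kJmpLen = 5;

// The displacement is relative to the address *after* the 5-byte JMP. That is what
// the Delphi "newfunc - target - 5" and the C++ "pbReplaced - (pbTargetCode + 4)"
// (evaluated after pbTargetCode++) both compute; this version validates first.
HookStatus build_jmp_patch(uint64_t target, uint64_t detour, uint8_t out[5])
{
    if (target == 0) return HOOK_NULL_TARGET;
    if (detour == 0) return HOOK_NULL_DETOUR;

    // User-mode addresses are far below 2^63, so the signed difference cannot overflow.
    const int64_t disp = static_cast<int64_t>(detour) - static_cast<int64_t>(target + kJmpLen);
    if (disp > INT32_MAX || disp < INT32_MIN) return HOOK_OUT_OF_RANGE;

    const uint32_t rel = static_cast<uint32_t>(static_cast<int32_t>(disp));
    out[0] = 0xE9;
    out[1] = static_cast<uint8_t>(rel);          // x86/x64 store rel32 little-endian
    out[2] = static_cast<uint8_t>(rel >> 8);
    out[3] = static_cast<uint8_t>(rel >> 16);
    out[4] = static_cast<uint8_t>(rel >> 24);
    return HOOK_OK;
}

// Decodes a patch built by build_jmp_patch and returns where the JMP lands,
// or 0 if the buffer does not start with the E9 opcode.
uint64_t jmp_destination(uint64_t target, const uint8_t patch[5])
{
    if (patch[0] != 0xE9) return 0;
    const uint32_t rel = static_cast<uint32_t>(patch[1])
                       | (static_cast<uint32_t>(patch[2]) << 8)
                       | (static_cast<uint32_t>(patch[3]) << 16)
                       | (static_cast<uint32_t>(patch[4]) << 24);
    return target + kJmpLen + static_cast<int64_t>(static_cast<int32_t>(rel));
}

// Builds a patch and decodes it again; returns the decoded destination,
// or 0 if build_jmp_patch rejected the input.
uint64_t roundtrip(uint64_t target, uint64_t detour)
{
    uint8_t patch[5];
    if (build_jmp_patch(target, detour, patch) != HOOK_OK) return 0;
    return jmp_destination(target, patch);
}

// Same validation without the buffer, for callers that only want the verdict.
HookStatus hook_status(uint64_t target, uint64_t detour)
{
    uint8_t patch[5];
    return build_jmp_patch(target, detour, patch);
}

// The original code stores addresses in DWORD. On a 64-bit build that silently
// drops the upper 32 bits of any pointer above 4 GB, which is the reason behind
// the "32 or 64 bit?" question in the thread.
bool fits_in_dword(uint64_t addr)
{
    return addr <= 0xFFFFFFFFull;
}

int main()
{
    // Constructed sample addresses, not real module or function addresses.
    const uint64_t low_target = 0x1000, low_detour = 0x2000;
    std::printf("forward jump lands at 0x%llx\n",
                static_cast<unsigned long long>(roundtrip(low_target, low_detour)));

    // A target above 4 GB paired with a detour in a low image: rel32 cannot span it,
    // and the target would not even survive a DWORD cast.
    const uint64_t high_target = 0x00007FF700001000ull, low_image = 0x0000000000401000ull;
    std::printf("out-of-range status: %d, fits in DWORD: %s\n",
                static_cast<int>(hook_status(high_target, low_image)),
                fits_in_dword(high_target) ? "yes" : "no");
    std::printf("NULL target status: %d\n", static_cast<int>(hook_status(0, low_detour)));
    return 0;
}
```

The decisive check is the first one: every failure in the original chain (narrow string cast to LPCWSTR, wrong export name, missing error checking) ends with a NULL target pointer, and this routine returns HOOK_NULL_TARGET instead of dereferencing it. The range check matters on 64-bit builds, where a 5-byte relative JMP can only reach a detour within 2 GB of the hooked function.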
