-
October 26th, 2015, 11:16 AM
#1
Anti dll Injection with API Hooking "Access Violation writing location 0x0000000000"
Hi,
I'm using the JMP instruction technique to try to make an Anti-DLL Injection with a detour when the LdrLoadDll API is called inside my program. I found a Delphi code that works perfectly, but this VC++ 2013 version of that code crashes with an "Access Violation writing location 0x0000000000", as shown below.
So, how can I solve this trouble? Can someone help me please?
Thanks in advance.
Delphi version:
Code:
    procedure hook(target, newfunc:pointer);
    var
      jmpto:dword;
      OldProtect: Cardinal; // old protect in memory
    begin
      jmpto:=dword(newfunc)-dword(target)-5;
      VirtualProtect(target, 5, PAGE_EXECUTE_READWRITE, @OldProtect);
      pbyte(target)^:=$e9;
      pdword(dword(target)+1)^:=jmpto;
    end;

    procedure myLdrLoadDll(PathToFile:PAnsiChar; Flags:variant; ModuleFileName:PAnsiChar; var ModuleHandle:THandle);
    begin
      MessageBox(0, 'I have blocked your attempt to inject a dll file!!', 'WARNING!', MB_OK);
      ModuleHandle:=0;
    end;

    procedure Main;
    begin
      Hook(GetProcAddress(GetModuleHandle('ntdll.dll'), 'LdrLoadDll'), @myLdrLoadDll);
    end;

    begin
    end.
Trying to translate it to a VC++ 2013 version:
Code:
    // Anti_DLLInjection.cpp : Defines the entry point for the console application.
    //
    #include "stdafx.h"
    #include <windows.h>
    #include <stdio.h>
    #include <iostream>
    #include <string>
    #include <memory>
    using namespace std;

    BOOL TrampolineAPI(HMODULE hModule, LPCWSTR DllName, LPCSTR ProcName, DWORD dwReplaced)
    {
        DWORD dwReturn;
        DWORD dwOldProtect;
        DWORD dwAddressToHook = (DWORD)GetProcAddress(GetModuleHandle(DllName), ProcName);
        BYTE *pbTargetCode = (BYTE *)dwAddressToHook;
        BYTE *pbReplaced = (BYTE *)dwReplaced;
        VirtualProtect((LPVOID)dwAddressToHook, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);
        *pbTargetCode++ = 0xE9; // My trouble is here
        *((signed int*)(pbTargetCode)) = pbReplaced - (pbTargetCode + 4);
        VirtualProtect((LPVOID)dwAddressToHook, 5, PAGE_EXECUTE, &dwOldProtect);
        dwReturn = dwAddressToHook + 5;
        FlushInstructionCache(GetCurrentProcess(), NULL, NULL);
        return TRUE;
    }

    void WINAPI Replaced(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
    {
        printf("Invasion!!");
    }

    int _tmain(int argc, _TCHAR* argv[])
    {
        while (true)
        {
            TrampolineAPI(GetModuleHandle(0), (LPCWSTR)"ntdll.DLL", "LdrLoadDLL", (DWORD)Replaced);
        }
        return 0;
    }
Last edited by FL4SHC0D3R; October 26th, 2015 at 11:40 AM.
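Added example, not code from the thread: the rel32 arithmetic that both the Delphi `hook` and the VC++ `TrampolineAPI` above rely on, pulled out into portable C so the two things that go wrong in the VC++ version are visible without touching process memory. The displacement of an `E9` near jump is measured from the end of the 5-byte instruction (`target + 5`), which is why the Delphi code subtracts 5; and on x64 a pointer difference can exceed what a 32-bit field holds, which a `DWORD` or `signed int` cast silently truncates (on x64 the `(DWORD)GetProcAddress(...)` cast itself also truncates the pointer, before any displacement is computed). The function names and the addresses in `main` are constructed for the example; on Windows the caller would first check that `GetModuleHandle` and `GetProcAddress` returned non-NULL, which is the zero-address case this code refuses.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the thread). Addresses are plain uint64_t values so
 * the arithmetic runs on any platform; nothing here patches real memory. */

#define JMP_REL32_LEN 5

/* Encode `JMP rel32` at `target` landing on `newfunc` into out[5].
 * Returns 1 on success, 0 if either address is zero (a failed lookup, the
 * 0x00000000 write the thread is about) or the distance does not fit in rel32
 * (the x64 case where a 32-bit cast would silently produce a wrong jump). */
int encode_jmp_rel32(uint64_t target, uint64_t newfunc, unsigned char out[JMP_REL32_LEN])
{
    if (target == 0 || newfunc == 0)
        return 0;                              /* never patch a null address */

    uint64_t next = target + JMP_REL32_LEN;    /* CPU measures rel32 from here */
    int64_t delta;
    if (newfunc >= next) {
        uint64_t d = newfunc - next;
        if (d > (uint64_t)INT32_MAX)
            return 0;                          /* forward distance > 2 GiB */
        delta = (int64_t)d;
    } else {
        uint64_t d = next - newfunc;
        if (d > (uint64_t)INT32_MAX + 1)
            return 0;                          /* backward distance > 2 GiB */
        delta = -(int64_t)d;
    }

    uint32_t rel = (uint32_t)delta;            /* two's-complement wrap, well-defined for unsigned */
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (unsigned char)(rel >> (8 * i));   /* little-endian immediate */
    return 1;
}

/* Decode a 5-byte JMP rel32 located at `target`; writes the destination to *dest.
 * Returns 0 if the bytes are not an E9 jump. Useful to verify a patch, or in a
 * detector that checks whether an export's prologue has been detoured. */
int decode_jmp_rel32(uint64_t target, const unsigned char in[JMP_REL32_LEN], uint64_t *dest)
{
    if (in[0] != 0xE9)
        return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)in[1 + i] << (8 * i);
    /* sign-extend by hand rather than relying on an out-of-range int32 conversion */
    int64_t delta = (rel & 0x80000000u) ? (int64_t)rel - 0x100000000LL : (int64_t)rel;
    *dest = target + JMP_REL32_LEN + (uint64_t)delta;
    return 1;
}

/* What `dword(newfunc)-dword(target)-5` (Delphi) and the `(signed int)` cast
 * (VC++) actually compute: the displacement truncated to 32 bits, with no
 * indication that the true distance was larger. Returned for comparison only. */
uint32_t truncated_rel32(uint64_t target, uint64_t newfunc)
{
    return (uint32_t)(newfunc - target - JMP_REL32_LEN);
}

int main(void)
{
    /* Constructed addresses for the demonstration, not real load addresses. */
    uint64_t near_target = 0x00007FF800001000ULL;  /* an export inside a system DLL */
    uint64_t near_hook   = 0x00007FF800002000ULL;  /* a hook mapped close to it */
    uint64_t far_hook    = 0x0000000140001000ULL;  /* a typical x64 EXE image address */
    unsigned char patch[JMP_REL32_LEN];
    uint64_t dest;

    if (encode_jmp_rel32(near_target, near_hook, patch) &&
        decode_jmp_rel32(near_target, patch, &dest))
        printf("near: E9 %02X %02X %02X %02X -> 0x%llX\n",
               patch[1], patch[2], patch[3], patch[4], (unsigned long long)dest);

    if (!encode_jmp_rel32(near_target, far_hook, patch))
        printf("far: distance does not fit rel32; a 32-bit cast would give 0x%08X\n",
               truncated_rel32(near_target, far_hook));
    return 0;
}
```

The "far" case is the one a 2015-era x64 build would hit silently: an EXE loaded around 0x140000000 and ntdll mapped near 0x7FF8xxxxxxxx are more than 2 GiB apart, so a 5-byte relative jump cannot reach, and the truncated value the original casts produce is simply a wrong displacement rather than an error.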
-
October 27th, 2015, 09:12 AM
#2
Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000
You are quite deluding yourself if you think this makes your program 100% safe from injection.
- There are other ways to inject dlls.
- There are ways to inject code that isn't even in a DLL.
-
October 27th, 2015, 10:39 AM
#3
Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000
Are you compiling as 32 or 64 bit?
All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!
C++23 Compiler: Microsoft VS2022 (17.6.5)
-
October 27th, 2015, 10:47 AM
#4
Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000
>> (LPCWSTR)"ntdll.DLL"
That is not a wide string. Casting it to one does not change that fact.
You have zero error checking.
gg
-
October 29th, 2015, 02:14 PM
#5
Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000
If this line fails (which it probably is):
Code:
    DWORD dwAddressToHook = (DWORD)GetProcAddress(GetModuleHandle(DllName), ProcName);
then so does
Code:
    BYTE *pbTargetCode = (BYTE *)dwAddressToHook;
and then, as a result,
Code:
    *pbTargetCode++ = 0xE9; // My trouble is here
is where you will have a memory exception when you try to write
0xE9 to the memory address 0x00000000.
I agree, Codeplug, good hint. I suggest you go through and implement
error checking, by looking at the return values of each function as
well as the values of the reference parameters to see if they are correct in code.
Last edited by ahoodin; October 29th, 2015 at 02:43 PM.
ahoodin
To keep the plot moving, that's why.
-
October 29th, 2015, 02:33 PM
#6
Re: Anti dll Injection with API Hooking "Access Violation writing location 0x00000000
Originally Posted by Codeplug
>> (LPCWSTR)"ntdll.DLL"
That is not a wide string. Casting it to one does not change that fact.
You have zero error checking.
gg
Have a look here at how the author of this article uses error checking in a
similar application
http://www.codeguru.com/cpp/w-p/dll/...-Interface.htm
If you had error checking, you most likely would know exactly which line the true problem was caused by, and maybe would already have fixed it.
ahoodin
To keep the plot moving, that's why.