Stop or Detection dll injection loadlibrary

3.5k views Asked by At

I want to detect dll injector.below code work as dll injector.I need Your help in c# source code which help me to detect then i will close my application.i search in google.com a lots but tired to get solution.please help and give me source code in c#

public partial class Form1 : Form
{
    [DllImport("kernel32")]
    public static extern IntPtr CreateRemoteThread(
      IntPtr hProcess,
      IntPtr lpThreadAttributes,
      uint dwStackSize,
      UIntPtr lpStartAddress, // raw Pointer into remote process  
      IntPtr lpParameter,
      uint dwCreationFlags,
      out IntPtr lpThreadId
    );

    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(
        UInt32 dwDesiredAccess,
        Int32 bInheritHandle,
        Int32 dwProcessId
        );


    [DllImport("kernel32.dll")]
    public static extern Int32 CloseHandle(
    IntPtr hObject
    );

    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern bool VirtualFreeEx(
        IntPtr hProcess,
        IntPtr lpAddress,
        UIntPtr dwSize,
        uint dwFreeType
        );

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true)]
    public static extern UIntPtr GetProcAddress(
        IntPtr hModule,
        string procName
        );

    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAllocEx(
        IntPtr hProcess,
        IntPtr lpAddress,
        uint dwSize,
        uint flAllocationType,
        uint flProtect
        );


    [DllImport("kernel32.dll")]
    static extern bool WriteProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        string lpBuffer,
        UIntPtr nSize,
        out IntPtr lpNumberOfBytesWritten
    );

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public static extern IntPtr GetModuleHandle(
        string lpModuleName
        );

    [DllImport("kernel32", SetLastError = true, ExactSpelling = true)]
    internal static extern Int32 WaitForSingleObject(
        IntPtr handle,
        Int32 milliseconds
        );

    public Int32 GetProcessId(String proc)
    {
        Process[] ProcList;
        ProcList = Process.GetProcessesByName(proc);
        return ProcList[0].Id;
    }
    public void InjectDLL(IntPtr hProcess, String strDLLName, Process proc)
    {
        IntPtr bytesout;

        // Length of string containing the DLL file name +1 byte padding
        Int32 LenWrite = strDLLName.Length + 1;
        // Allocate memory within the virtual address space of the target process
        IntPtr AllocMem = (IntPtr)VirtualAllocEx(hProcess, (IntPtr)null, (uint)LenWrite, 0x1000, 0x40); //allocation pour WriteProcessMemory

        // Write DLL file name to allocated memory in target process
        WriteProcessMemory(hProcess, AllocMem, strDLLName, (UIntPtr)LenWrite, out bytesout);
        // Function pointer "Injector"
        UIntPtr Injector = (UIntPtr)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

        if (Injector == null)
        {
            Console.WriteLine(" Injector Error! \n ");
            // return failed
            return;
        }

        // Create thread in target process, and store handle in hThread
        IntPtr hThread = (IntPtr)CreateRemoteThread(hProcess, (IntPtr)null, 0, Injector, AllocMem, 0, out bytesout);
        // Make sure thread handle is valid
        if (hThread == null)
        {
            //incorrect thread handle ... return failed
            Console.WriteLine(" hThread [ 1 ] Error! \n ");
            return;
        }
        // Time-out is 10 seconds...
        int Result = WaitForSingleObject(hThread, 10 * 1000);
        // Check whether thread timed out...
        if (Result == 0x00000080L || Result == 0x00000102L || Result == 0xFFFFFFFF)
        {
            /* Thread timed out... */
            Console.WriteLine(" hThread [ 2 ] Error! \n ");
            // Make sure thread handle is valid before closing... prevents crashes.
            if (hThread != null)
            {
                //Close thread in target process
                CloseHandle(hThread);
            }
            return;
        }
        // Sleep thread for 1 second
        Thread.Sleep(1000);
        // Clear up allocated space ( Allocmem )
        VirtualFreeEx(hProcess, AllocMem, (UIntPtr)0, 0x8000);
        // Make sure thread handle is valid before closing... prevents crashes.
        if (hThread != null)
        {
            //Close thread in target process
            CloseHandle(hThread);
        }
        // return succeeded
        return;
    }
    public Form1()
    {
        InitializeComponent();
    }

    private void Form1_Load(object sender, EventArgs e)
    {

    }

    private void button1_Click(object sender, EventArgs e)
    {
        String strDLLName = @"C:\Users\muhammad.qasim\Desktop\qasim\testdllinject\testdllinject\bin\Debug\testdllinject.dll";
        String strProcessName = "notepad";

        Int32 ProcID = GetProcessId(strProcessName);
        Process proc = Process.GetProcessById(ProcID);

        if (ProcID >= 0)
        {
            IntPtr hProcess = (IntPtr)OpenProcess(0x1F0FFF, 1, ProcID);
            if (hProcess == null)
            {
                MessageBox.Show("OpenProcess() Failed!");
                return;
            }
            else
            {
                InjectDLL(hProcess, strDLLName, proc);
                MessageBox.Show("injected");

            }
        }
    }
}

}

1

There are 1 answers

0
Marwen Trabelsi On

There are many scenario to achieve DLL injection(Hooking), you need to learn more about how stuff works behind every method and make protection against it, the most common one is by using CreateRemoteThread() API function, for instance you can inject your security DLL on each running processes and hook/redirect/deny any call to CreateRemoteThread() or any "dangerous" API call.

PS: since you're writing C# code, you may interested in EasyHook.

BUT keep in your mind(if you really trying to make a security software):

user-mode hooking can NEVER be an option to apply additional security checks in any safe manner. If you only want to “sandbox” a dedicated process, you know well about, and the process in fact doesn’t know about EasyHook, this might succeed! But don’t ever attempt to write any security software based on user mode hooking. It won’t work, I promise you…

UPDATE EasyHook moved to github: https://github.com/EasyHook/EasyHook