A forum for reverse engineering, OS internals and malware analysis 


Re: Dll injection prevention

 by listito ¦  Sat Oct 01, 2011 12:12 pm ¦  Forum: User-Mode Development ¦  Topic: Dll injection prevention ¦  Replies: 19 ¦  Views: 20663

I'd never expect a Win internals pro coding in Delphi hehe, just kidding, thanks Brock

Re: Dll injection prevention

 by listito ¦  Sat Oct 01, 2011 10:33 am ¦  Forum: User-Mode Development ¦  Topic: Dll injection prevention ¦  Replies: 19 ¦  Views: 20663

That is a forced FreeLibrary you refer to. The FreeLibrary API needs a valid module handle and, more importantly, a module whose PE header is not, say, zeroed out or modified. Some might try to decommit the pages and free them via the loaded module base, but this will just cause issues in the ...

Re: Dll injection prevention

 by listito ¦  Sat Oct 01, 2011 10:10 am ¦  Forum: User-Mode Development ¦  Topic: Dll injection prevention ¦  Replies: 19 ¦  Views: 20663

Well, that reminds me of a thing I tried to do some time ago with no success: unmapping a DLL from memory. FreeLibrary can't do that, so how can we force the DLL to be unmapped from the current process address space?

Re: Dll injection prevention

 by listito ¦  Fri Sep 30, 2011 2:43 pm ¦  Forum: User-Mode Development ¦  Topic: Dll injection prevention ¦  Replies: 19 ¦  Views: 20663

Actually I was thinking about protecting all processes from a specific DLL being injected; that could be accomplished with a notify kernel callback registration, I guess. I don't have much experience in ring0 but I'm gonna try to do it :)

Re: Dll injection prevention

 by listito ¦  Fri Sep 30, 2011 9:18 am ¦  Forum: User-Mode Development ¦  Topic: Dll injection prevention ¦  Replies: 19 ¦  Views: 20663

My driver preventing any kind of injection, so WinXP SP1 and SP2 can have different callback indexes? Damn :( There's another thing: when I overwrite the callback ClientLoadLibrary, at the moment it is called the DLL string is located at [esi+1c]. Can this index change between different versions of ntdll....

Re: Detect hooks set with SetWindowsHookEx

 by listito ¦  Fri Sep 30, 2011 8:01 am ¦  Forum: User-Mode Development ¦  Topic: Dll injection prevention ¦  Replies: 19 ¦  Views: 20663

I'm very impressed, I'd not imagine finding such a table like this in usermode even in a million years, thanks guys :twisted: But I'm very curious to know, do only DLLs injected with SetWindowsHookEx call this pointer in this table (peb->kcall)? That's amazing :shock: This is some sort of very ol...

Re: Detect hooks set with SetWindowsHookEx

 by listito ¦  Thu Sep 29, 2011 4:21 pm ¦  Forum: User-Mode Development ¦  Topic: Dll injection prevention ¦  Replies: 19 ¦  Views: 20663

I'm very impressed, I'd not imagine finding such a table like this in usermode even in a million years, thanks guys :twisted:

But I'm very curious to know, do only DLLs injected with SetWindowsHookEx call this pointer in this table (peb->kcall)? That's amazing :shock:

Re: Detect hooks set with SetWindowsHookEx

 by listito ¦  Wed Sep 28, 2011 9:12 pm ¦  Forum: User-Mode Development ¦  Topic: Dll injection prevention ¦  Replies: 19 ¦  Views: 20663

Well, I've found a kinda stupid solution: it was hooking LoadLibraryExW, but it doesn't work in other versions of kernel32.dll. Holy crap, isn't there any good detours engine around?

Because I don't know what to do to make a good portable hook...

Dll injection prevention

 by listito ¦  Wed Sep 28, 2011 10:56 am ¦  Forum: User-Mode Development ¦  Topic: Dll injection prevention ¦  Replies: 19 ¦  Views: 20663

One very interesting thing about this function is that all processes with user32.dll are monitored, and the ones that haven't got it are not, so what about hiding user32.dll? hehe I remember I tried to hide it a couple of months ago with the NTIllusion method, but no success against SetWindowsHookEx and Process Explor...

Re: Find what terminated your process..

 by listito ¦  Tue Sep 27, 2011 12:13 pm ¦  Forum: Newbie Questions ¦  Topic: Find what terminated your process.. ¦  Replies: 5 ¦  Views: 5291

Would XueTr detect SetWindowsHookEx as a ring3 hook?

How can Process Monitor help to detect what terminated my process?