EMO Style ForumPro - Welcome
Basic LoadLibrary hook.
Posted by EMO on Wed Aug 10, 2011 12:13 pm

Quote from Jason:

Been reading up on SCHiM's hooking tuts in the CA section and decided to write a base to hook LoadLibrary and filter out some unsavory dlls being injected.

Obviously, this will only work if an injector is using the standard LoadLibrary calling method (which most do, seeing as everyone leeches the same source).

Basically all this does is filter the .dlls being injected against a list of accepted .dll names. As I said at the beginning, this is a base...not to be used as-is, as getting around it is a simple matter of renaming your injected file to one that the program uses (i.e. just rename any file to d3d9.dll and you'll get around this), but a more useful way would be to create a list of SHA256 hashes or MD5s or something, then do a quick hash of every file as it comes in, and compare. Either that or use the absolute paths instead of just the filenames, but that still seems a tad sketchy to me.

The "in_array" method is of course not optimized, using a simple sequential sort 'cos I was too lazy to write a sorting and binary searching method.

Anyway, comments are welcome. Day 2 of C++, so I hope I'm not doing too badly :)

Code:

#include <windows.h>
#include <cstring>
#include <string>

/*** GLOBALS ***/
//your safe modules, woeful protection, but it's the building block...could replace this list with SHA256 hashes or w/e.
LPCSTR SafeModules[] = {"d3d9.dll"};
const int numberOfSafeMods = sizeof(SafeModules) / sizeof(SafeModules[0]); //derived from the array so the two can't drift apart.

DWORD *CurrentPtr;        //the LoadLibrary pointer (the slot that holds LoadLibraryA's address).
DWORD LoadLibraryAddress; //the value that the LoadLibrary pointer is SUPPOSED to point to :P

/** METHOD SIGNATURES **/
DWORD WINAPI HookThread(LPVOID); //the original post called this main(); a thread entry needs this signature.
void SetPointer(DWORD*, DWORD*);
void SetHook();
HMODULE __stdcall LoadLibraryHook(LPCSTR);
bool in_array(LPCSTR[], LPCSTR, int);

/** METHODS **/

BOOL APIENTRY DllMain(HMODULE hMod, DWORD dwReason, LPVOID lpReserved)
{
   if (dwReason == DLL_PROCESS_ATTACH)
   {
      //kick off the hook installation on its own thread (doing it inside DllMain would run under the loader lock).
      HANDLE hThread = CreateThread(NULL, 0, HookThread, NULL, 0, NULL);
      if (hThread) { CloseHandle(hThread); }
   }
   return TRUE; //every path must return a value; the original only returned on ATTACH.
}

DWORD WINAPI HookThread(LPVOID)
{
   SetHook(); //make CurrentPtr point to the LoadLibrary slot.
   LoadLibraryAddress = *CurrentPtr; //now I'll store the value that LoadLibrary originally pointed to, so we can use it again.
   SetPointer(CurrentPtr, (DWORD*)&LoadLibraryHook); //make the LoadLibrary pointer point to our function instead.
   return 0;
}

HMODULE __stdcall LoadLibraryHook(LPCSTR lpFileName)
{
   //in this case I just compared file names (not paths), it's way too easy to detour this if you knew that it
   //only checked names, because you can have multiple files with the same names. A better way would be to
   //create a list of accepted MD5s /SHA1's, but cbf figuring out how to calculate an MD5 in C++.
   if (lpFileName == NULL) { return NULL; } //std::string(NULL) is undefined behaviour; LoadLibrary fails on NULL anyway.
   std::string rawName(lpFileName);
   rawName = rawName.substr(rawName.find_last_of("\\/") + 1); //either separator; npos + 1 == 0 keeps a bare name intact.
   LPCSTR Filename = rawName.c_str();

   HMODULE result = NULL;
   if (in_array(SafeModules, Filename, numberOfSafeMods)) //if it's a safe module..
   {
      SetPointer(CurrentPtr, (DWORD*)LoadLibraryAddress); //make the LoadLibrary pointer point to the correct location.
      result = LoadLibraryA(lpFileName); //call LoadLibrary (without our hook interrupting)
      SetPointer(CurrentPtr, (DWORD*)&LoadLibraryHook); //set the hook back to redirect any other LoadLibrary calls.
   }
   else
   {
      SetLastError(ERROR_ACCESS_DENIED); //a blocked module looks like an ordinary failed load to the caller.
   }
   return result; //the caller expects an HMODULE (the original returned void, leaving EAX as garbage).
}

void SetPointer(DWORD *Address, DWORD *Hook)
{
   //the slot normally lives in a read-only section, so make it writable for the store and restore the old protection.
   DWORD oldProtect;
   if (!VirtualProtect(Address, sizeof(DWORD), PAGE_EXECUTE_READWRITE, &oldProtect)) { return; }
   *Address = (DWORD)Hook; //set the value that Address points to point at Hook.
   VirtualProtect(Address, sizeof(DWORD), oldProtect, &oldProtect);
}

void SetHook()
{
   //32-bit MSVC inline asm, as in the original: take the address of the LoadLibraryA slot this module calls through.
   _asm
   {
      lea eax, LoadLibraryA;
      mov CurrentPtr, eax;
   }
}

bool in_array(LPCSTR haystack[], LPCSTR needle, int sz)
{
   //sz is the number of elements in the haystack array.
   //check if the needle is in the haystack, straightforward sequential searching.
   //Windows file names are case-insensitive, so compare that way ("D3D9.DLL" names the same module as "d3d9.dll").
   for (int i = 0; i < sz; i++)
   {
      if (_stricmp(haystack[i], needle) == 0) { return true; }
   }
   return false; //if we made it here without returning true, we couldn't find it so return false.
}

Cheers.
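The hash-based allowlist Jason proposes in place of the name check, as an added example that is not part of the original post. It is written in Python because the policy logic is platform-independent (inside the hook you would compute the digest with a Windows hashing API before calling the real LoadLibrary); the file contents and the directory layout are constructed placeholders, not a real d3d9.dll.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk=1 << 16):
    """Digest the module on disk in chunks so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def basename_windows(name):
    """LoadLibrary may receive either separator; reduce to the file name the way the hook does."""
    return name.replace("/", "\\").rsplit("\\", 1)[-1]


def allowed_by_name(name, safe_names):
    """The original policy: file name only, case-insensitive like the Windows file system."""
    return basename_windows(name).lower() in {n.lower() for n in safe_names}


def allowed_by_hash(path, safe_hashes):
    """The proposed policy: resolve to an absolute path, then compare the content digest."""
    full = os.path.abspath(path)
    if not os.path.isfile(full):
        return False
    return sha256_of_file(full) in safe_hashes


def demo():
    """Constructed files: a 'known good' module and a different module renamed to match it."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "d3d9.dll")
    with open(good, "wb") as f:
        f.write(b"CONSTRUCTED GOOD MODULE")  # placeholder contents, not a real DLL
    rogue = os.path.join(d, "inject", "d3d9.dll")
    os.makedirs(os.path.dirname(rogue))
    with open(rogue, "wb") as f:
        f.write(b"CONSTRUCTED INJECTED MODULE")  # same name, different content
    safe_names = ["d3d9.dll"]
    safe_hashes = {sha256_of_file(good)}  # allowlist keyed by content, not name
    return {
        "good_by_name": allowed_by_name(good, safe_names),
        "good_by_hash": allowed_by_hash(good, safe_hashes),
        "rogue_by_name": allowed_by_name(rogue, safe_names),  # renaming slips past the name check
        "rogue_by_hash": allowed_by_hash(rogue, safe_hashes),  # the content check rejects it
    }
```

Hash the path the loader will actually resolve (a bare name is searched along the DLL search order, so the argument alone does not identify the file), and note that the file can still change between the digest and the load, so this narrows the gap rather than closing it.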