EMO Style ForumPro - Welcome
Basic LoadLibrary hook.

Posted by EMO on Wed Aug 10, 2011 12:13 pm

Quoting Jason (post 4601942):

Been reading up on SCHiM's hooking tuts in the CA section and decided to write a base to hook LoadLibrary and filter out some unsavory DLLs being injected.

Obviously, this will only work if an injector is using the standard LoadLibrary calling method (which most do, seeing as everyone leeches the same source).

Basically all this does is filter the DLLs being injected against a list of accepted DLL names. As I said at the beginning, this is a base, not to be used as-is, as getting around it is a simple matter of renaming your injected file to one that the program uses (i.e. just rename any file to d3d9.dll and you'll get around this). A more useful way would be to create a list of SHA256 hashes or MD5s or something, then do a quick hash of every file as it comes in and compare. Either that or use the absolute paths instead of just the filenames, but that still seems a tad sketchy to me.

The "in_array" method is of course not optimized, using a simple sequential sort because I was too lazy to write a sorting and binary searching method.

Anyway, comments are welcome. Day 2 of C++, so I hope I'm not doing too badly :)


#include <windows.h>
#include <string>
#include <cstring>

/*** GLOBALS ***/
LPCSTR SafeModules[] = {"d3d9.dll"}; //your safe modules: woeful protection, but it's the building block...could replace this list with SHA256 hashes or w/e.
DWORD numberOfSafeMods = sizeof(SafeModules) / sizeof(SafeModules[0]); //number of safe modules, derived from the array so the two can't drift apart.

DWORD *CurrentPtr; //address of the slot that holds the LoadLibrary pointer (the slot we overwrite).
DWORD LoadLibraryAddress; //the value that slot held before the hook, i.e. the real LoadLibraryA.

DWORD WINAPI MainThread(LPVOID);
void SetPointer(DWORD*, DWORD*);
void SetHook();
HMODULE __stdcall LoadLibraryHook(LPCSTR);
bool in_array(LPCSTR[], LPCSTR, int);

/** METHODS **/
BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
   if (dwReason == DLL_PROCESS_ATTACH)
      //kick off the hook installer on its own thread (a proper thread routine, not void main()).
      CreateThread(0, 0, MainThread, NULL, 0, NULL);
   return TRUE;
}

DWORD WINAPI MainThread(LPVOID)
{
   SetHook(); //make CurrentPtr point at the LoadLibrary slot.
   LoadLibraryAddress = *CurrentPtr; //store the value LoadLibrary originally pointed to, so we can use it again.
   SetPointer(CurrentPtr, (DWORD*)&LoadLibraryHook); //make the LoadLibrary pointer point to our function instead.
   return 0;
}

//Same calling convention and signature as LoadLibraryA, so whoever called through the hooked
//slot gets an HMODULE (or NULL) back instead of garbage in eax.
HMODULE __stdcall LoadLibraryHook(LPCSTR lpFileName)
{
   //Only the file name (not the path) is compared; it's way too easy to get around a check that
   //only looks at names, because you can have multiple files with the same name. A better way would
   //be a list of accepted hashes of the file contents.
   std::string rawName(lpFileName ? lpFileName : "");
   rawName = rawName.substr(rawName.find_last_of("\\/") + 1); //Windows accepts either separator.
   LPCSTR Filename = rawName.c_str();

   HMODULE result = NULL;
   if (in_array(SafeModules, Filename, numberOfSafeMods)) //if it's a safe module..
   {
      SetPointer(CurrentPtr, (DWORD*)LoadLibraryAddress); //make the LoadLibrary pointer point to the correct location.
      result = LoadLibrary(lpFileName); //call LoadLibrary (without our hook interrupting).
      SetPointer(CurrentPtr, (DWORD*)&LoadLibraryHook); //set the hook back to redirect any other LoadLibrary calls.
   }
   else
   {
      SetLastError(ERROR_ACCESS_DENIED); //rejected: look like a failed LoadLibrary to the caller.
   }
   return result;
}

void SetPointer(DWORD *Address, DWORD *Hook)
{
   //the slot normally lives in a read-only page, so unprotect it for the write and restore afterwards.
   DWORD oldProtect;
   VirtualProtect(Address, sizeof(DWORD), PAGE_READWRITE, &oldProtect);
   *Address = (DWORD)Hook; //set the value that Address points to point at Hook.
   VirtualProtect(Address, sizeof(DWORD), oldProtect, &oldProtect);
}

void SetHook()
{
   //32-bit MSVC inline asm (LoadLibrary is the LoadLibraryA macro here): intended to load the
   //address of the slot this module calls LoadLibrary through, and save it in CurrentPtr.
   __asm
   {
      lea eax, LoadLibrary;
      mov CurrentPtr, eax;
   }
}

bool in_array(LPCSTR haystack[], LPCSTR needle, int sz)
{
   //sz is the number of elements in the haystack array.
   //check if the needle is in the haystack, straightforward sequential searching.
   //Module names are case-insensitive on Windows, so compare case-insensitively; strcmp would reject "D3D9.DLL".
   for (int i = 0; i < sz; i++)
      if (_stricmp(haystack[i], needle) == 0) { return true; }
   return false; //if we made it here without returning true, we couldn't find it so return false.
}
