EMO Style ForumPro - Welcome
Basic LoadLibrary hook.

Posted by EMO on Wed Aug 10, 2011 12:13 pm

Quote from Jason:

Been reading up on SCHiM's hooking tuts in the CA section and decided to write a base to hook LoadLibrary and filter out some unsavory DLLs being injected.

Obviously, this will only work if an injector is using the standard LoadLibrary calling method (which most do, seeing as everyone leeches the same source).

Basically all this does is filter the .dlls being injected against a list of accepted .dll names. As I said at the beginning, this is a base...not to be used as-is, as getting around it is a simple matter of renaming your injected file to one that the program uses (i.e. just rename any file to d3d9.dll and you'll get around this), but a more useful way would be to create a list of SHA256 hashes or MD5s or something, then do a quick hash of every file as it comes in, and compare. Either that or use the absolute paths instead of just the filenames, but that still seems a tad sketchy to me.

The "in_array" method is of course not optimized, using a simple sequential sort 'cos I was too lazy to write a sorting and binary searching method.

Anyway, comments are welcome, day 2 of C++ so I hope I'm not doing too badly :)

Code:

#include <windows.h>
#include <string>
#include <cstring>

/*** GLOBALS ***/
LPCSTR SafeModules[] = {"d3d9.dll"}; //your safe modules, woeful protection, but it's the building block...could replace this list with SHA256 hashes or w/e.
const int numberOfSafeMods = sizeof(SafeModules) / sizeof(SafeModules[0]); //derived from the array so the two can't drift apart.

DWORD *CurrentPtr; //the LoadLibrary pointer (the slot that calls to LoadLibraryA go through).
DWORD LoadLibraryAddress; //the value that the LoadLibrary pointer is SUPPOSED to point to :P

/** METHOD SIGNATURES **/
DWORD WINAPI HookThread(LPVOID); //CreateThread needs this exact signature; the original cast a void main() into it.
void SetPointer(DWORD*, DWORD*);
void SetHook();
HMODULE __stdcall LoadLibraryHook(LPCSTR);
bool in_array(LPCSTR[], LPCSTR, int);

/** METHODS **/

BOOL APIENTRY DllMain(HMODULE hMod, DWORD dwReason, LPVOID lpReserved)
{
   if (dwReason == DLL_PROCESS_ATTACH)
   {
      //kick off the hook thread; doing the work outside DllMain keeps us out of the loader lock.
      HANDLE hThread = CreateThread(NULL, 0, HookThread, NULL, 0, NULL);
      if (hThread) CloseHandle(hThread);
   }
   return TRUE; //the original only returned on attach and fell off the end for every other reason.
}

DWORD WINAPI HookThread(LPVOID)
{
   SetHook(); //find the LoadLibrary pointer and store it in CurrentPtr.
   LoadLibraryAddress = *CurrentPtr; //now I'll store the value that LoadLibrary originally pointed to, so we can use it again.
   SetPointer(CurrentPtr, (DWORD*)&LoadLibraryHook); //make the LoadLibrary pointer point to our function instead.
   return 0;
}

HMODULE __stdcall LoadLibraryHook(LPCSTR lpFileName)
{
   //in this case I just compared file names (not paths), it's way too easy to detour this if you knew that it
   //only checked names, because you can have multiple files with the same names. A better way would be to
   //create a list of accepted MD5s / SHA1's, but cbf figuring out how to calculate an MD5 in C++.
   if (lpFileName == NULL) { SetLastError(ERROR_INVALID_PARAMETER); return NULL; }
   std::string rawName(lpFileName);
   rawName = rawName.substr(rawName.find_last_of("\\/") + 1); //npos + 1 == 0, so a bare name is kept whole.

   if (!in_array(SafeModules, rawName.c_str(), numberOfSafeMods)) //not a safe module..
   {
      //the original returned nothing here (void), so the caller got whatever was left in EAX.
      SetLastError(ERROR_ACCESS_DENIED);
      return NULL;
   }
   //call the real LoadLibrary through the saved address instead of unhooking and rehooking around
   //the call: that window let another thread's LoadLibrary slip past the filter.
   typedef HMODULE (WINAPI *LoadLibraryA_t)(LPCSTR);
   return ((LoadLibraryA_t)LoadLibraryAddress)(lpFileName);
}

void SetPointer(DWORD *Address, DWORD *Hook)
{
   //import slots are mapped read-only once the loader is done with them, so a blind write faults.
   DWORD oldProtect;
   if (VirtualProtect(Address, sizeof(DWORD), PAGE_READWRITE, &oldProtect))
   {
      *Address = (DWORD)Hook; //set the value that Address points to point at Hook.
      VirtualProtect(Address, sizeof(DWORD), oldProtect, &oldProtect);
   }
}

void SetHook()
{
   //32-bit MSVC inline asm only (the LoadLibrary macro expands to LoadLibraryA). What the symbol
   //resolves to is up to the toolchain, this DLL's own import slot or a jmp thunk in its code, but
   //either way it belongs to the injected DLL, not the host: calls the host makes through its own
   //import table are never redirected. A real filter takes the slot from the host executable's
   //import directory instead.
   _asm
   {
      lea eax, LoadLibraryA;
      mov CurrentPtr, eax;
   }
}

bool in_array(LPCSTR haystack[], LPCSTR needle, int sz)
{
   //sz is the number of elements in the haystack array.
   //check if the needle is in the haystack, straightforward sequential searching.
   //Windows file names are case-insensitive, so D3D9.DLL has to match d3d9.dll.
   for (int i = 0; i < sz; i++)
   {
      if (_stricmp(haystack[i], needle) == 0) { return true; }
   }
   return false; //if we made it here without returning true, we couldn't find it so return false.
}

Cheers.

(End of quoted post.)
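The hook in the post patches whatever LoadLibrary pointer the injected DLL itself can see. The check a practitioner wants is a hook on the host executable's import table, which is what the following added example does; it is not Jason's or SCHiM's code. It walks a mapped image's import directory to find the IAT slot for KERNEL32!LoadLibraryA (PE32 and PE32+), swaps the slot, and hands back the original address the hook must call through. The minimal PE32 image it operates on is constructed in `build_sample_pe32` with placeholder IAT values; the function names, the offsets inside that image and the replacement value are all assumptions of this example. The `#ifdef _WIN32` section shows the same routine used against `GetModuleHandleA(nullptr)` with the post's `d3d9.dll` allow-list; everything outside it is portable C++ and builds off Windows too.

```cpp
// Added example (not from the original post): find a mapped PE image's IAT slot
// for a named import by walking its import directory, then swap the slot so the
// module's calls through that import land in a replacement. Handles PE32 and
// PE32+. On Windows, pass GetModuleHandleA(nullptr) as `base` to hook the host
// executable's own imports. Little-endian host assumed (as PE itself is).
#include <cctype>
#include <cstdint>
#include <cstring>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

static uint64_t rd(const uint8_t* p, size_t n) { uint64_t v = 0; std::memcpy(&v, p, n); return v; }
static bool ieq(const char* a, const char* b) {              // case-insensitive compare for DLL names
    for (;; ++a, ++b) {
        int x = std::tolower((unsigned char)*a), y = std::tolower((unsigned char)*b);
        if (x != y) return false;
        if (x == 0) return true;
    }
}

// Returns the IAT slot for `func` imported from `dll`, or nullptr. *slot_size is
// set to 4 (PE32) or 8 (PE32+). RVAs are resolved against `base`, so this expects
// an image as mapped by the loader, not the raw file.
void* find_iat_slot(uint8_t* base, const char* dll, const char* func, size_t* slot_size) {
    if (rd(base, 2) != 0x5A4D) return nullptr;                         // "MZ"
    const uint8_t* nt = base + rd(base + 0x3C, 4);                     // e_lfanew
    if (rd(nt, 4) != 0x00004550) return nullptr;                       // "PE\0\0"
    const uint8_t* opt = nt + 24;                                      // past Signature + FileHeader
    uint64_t magic = rd(opt, 2);
    size_t dir = magic == 0x10B ? 96 : magic == 0x20B ? 112 : 0;       // DataDirectory offset
    size_t ts = magic == 0x10B ? 4 : 8;                                // thunk size
    if (!dir) return nullptr;
    uint32_t import_rva = (uint32_t)rd(opt + dir + 8, 4);              // DataDirectory[1] = imports
    if (!import_rva) return nullptr;
    for (const uint8_t* d = base + import_rva; rd(d + 12, 4) != 0; d += 20) {   // Name == 0 ends the list
        if (!ieq((const char*)(base + rd(d + 12, 4)), dll)) continue;
        uint32_t oft = (uint32_t)rd(d, 4), ft = (uint32_t)rd(d + 16, 4);
        // The INT carries the names, the IAT (FirstThunk) the addresses. An image
        // without an INT keeps names in its IAT only until the loader binds it.
        const uint8_t* names = base + (oft ? oft : ft);
        for (size_t i = 0;; ++i) {
            uint64_t e = rd(names + i * ts, ts);
            if (!e) break;
            if (e & (1ULL << (ts * 8 - 1))) continue;                  // import by ordinal, no name
            if (std::strcmp((const char*)(base + (uint32_t)e + 2), func) == 0) {   // +2 skips Hint
                if (slot_size) *slot_size = ts;
                return base + ft + i * ts;
            }
        }
    }
    return nullptr;
}

// Stores `replacement` into the slot and returns the previous value (the real
// import address, which a hook must call through). The IAT is read-only once the
// loader is done, hence VirtualProtect on Windows.
uint64_t swap_iat_slot(void* slot, size_t slot_size, uint64_t replacement) {
#ifdef _WIN32
    DWORD old = 0;
    VirtualProtect(slot, slot_size, PAGE_READWRITE, &old);
#endif
    uint64_t previous = rd((const uint8_t*)slot, slot_size);
    std::memcpy(slot, &replacement, slot_size);                        // low bytes only for PE32
#ifdef _WIN32
    VirtualProtect(slot, slot_size, old, &old);
#endif
    return previous;
}

// Constructed sample (not a real binary): a minimal PE32 image whose import
// directory pulls LoadLibraryA and GetProcAddress from KERNEL32.dll. The IAT
// holds placeholder values standing in for loader-resolved addresses.
std::vector<uint8_t> build_sample_pe32() {
    std::vector<uint8_t> img(0x400, 0);
    auto put = [&](size_t off, uint64_t v, size_t n) { std::memcpy(&img[off], &v, n); };
    auto str = [&](size_t off, const char* s) { std::memcpy(&img[off], s, std::strlen(s) + 1); };
    put(0x00, 0x5A4D, 2);  put(0x3C, 0x40, 4);                        // "MZ", e_lfanew
    put(0x40, 0x00004550, 4);  put(0x44, 0x014C, 2);                  // "PE\0\0", Machine = i386
    put(0x58, 0x10B, 2);                                              // OptionalHeader.Magic = PE32
    put(0x58 + 96 + 8, 0x200, 4);  put(0x58 + 96 + 12, 40, 4);        // import directory RVA, size
    put(0x200, 0x240, 4);  put(0x20C, 0x300, 4);  put(0x210, 0x260, 4);   // OFT, Name, FT; zero terminator follows
    put(0x240, 0x310, 4);  put(0x244, 0x320, 4);                      // INT: IMAGE_IMPORT_BY_NAME RVAs
    put(0x260, 0x11111111, 4);  put(0x264, 0x22222222, 4);            // IAT placeholders
    str(0x300, "KERNEL32.dll");
    str(0x312, "LoadLibraryA");  str(0x322, "GetProcAddress");        // 2-byte Hint precedes each name
    return img;
}

// Hook LoadLibraryA in `img` with a placeholder target; returns the value the
// slot held, or 0 if the import is absent.
uint64_t demo_hook(std::vector<uint8_t>& img, uint64_t replacement) {
    size_t sz = 0;
    void* slot = find_iat_slot(img.data(), "kernel32.dll", "LoadLibraryA", &sz);
    return slot ? swap_iat_slot(slot, sz, replacement) : 0;
}

#ifdef _WIN32
// On a real host the replacement keeps LoadLibraryA's convention and signature,
// filters (same weak basename allow-list as the post), and calls the saved original.
static HMODULE (WINAPI* g_origLoadLibraryA)(LPCSTR) = nullptr;
static HMODULE WINAPI HookedLoadLibraryA(LPCSTR name) {
    const char* base = name ? std::strrchr(name, '\\') : nullptr;
    base = base ? base + 1 : name;
    if (!base || !ieq(base, "d3d9.dll")) { SetLastError(ERROR_ACCESS_DENIED); return nullptr; }
    return g_origLoadLibraryA(name);
}
bool hook_host_LoadLibraryA() {                                       // host executable's own IAT
    size_t sz = 0;
    void* slot = find_iat_slot((uint8_t*)GetModuleHandleA(nullptr), "KERNEL32.dll", "LoadLibraryA", &sz);
    if (!slot) return false;
    g_origLoadLibraryA = (HMODULE (WINAPI*)(LPCSTR))(uintptr_t)swap_iat_slot(slot, sz, (uintptr_t)&HookedLoadLibraryA);
    return true;
}
#endif

int main() {
    std::vector<uint8_t> img = build_sample_pe32();
    return demo_hook(img, 0xDEADBEEF) == 0x11111111 ? 0 : 1;
}
```

Two limits go with this. Hooking LoadLibraryA alone leaves LoadLibraryW, LoadLibraryExA/W and LdrLoadDll as separate imports, so the same walk has to be run for each one you care about. More importantly, the "standard" injector the post refers to starts a remote thread whose entry point is kernel32's LoadLibraryA address itself; that call never passes through the host's import table, so no IAT hook of any kind sees it, and only an inline hook on the function body would. That is the sense in which the post's design is a base rather than protection.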